Get 4 FREE months of Conformio to implement ISO 27001

Do we need to make the transition from ISO 22301:2012 to the 2019 revision?

The new revision of ISO 22301 was finally published on October 31, 2019, and you are probably asking yourself whether you need to implement the whole standard all over again. Well, a new implementation is not quite necessary – although the 2019 revision did bring some changes, they are not so drastic. For differences between the 2019 and 2012 versions, see this Infographic ISO 22301:2012 vs. ISO 22301:2019 revision – What has changed?

Timing of compliance with the new revision

First of all, let’s see how much time you have. According to UKAS, companies already certified against the ISO 22301 2012 revision will have a transition period of three years to “upgrade” their Business Continuity Management System (BCMS) to the new 2019 revision.

Since the 2019 revision was published on October 30, 2019, this means that according to UKAS, companies will be able to transition until October 31, 2022. If your existing ISO 22301 certificate expires after October 31, 2022, then the certification bodies will check if you are compliant with the new revision during the regular surveillance visits; if your certificate expires before October 31, 2022, then you must transition by your next re-certification.


Main differences

“More streamlined and practical.” These words define well what this new 2019 revision of ISO 22301 brings for business continuity management.

  • Many documents are not mandatory anymore, like the Procedure for identification of applicable legal and regulatory requirements, and documents for business impact analysis and risk assessment (although it would be a good practice to use them).
  • Some requirements are less prescriptive (e.g., 4.1 – Understanding the organization and its context, and 7.4 – Communication), which means that organizations now have more freedom to adopt approaches that best fit their contexts.
  • A new clause was added, which requires planning the changes to the BCMS (clause 6.3).
  • Required resources are now identified based on continuity solutions instead of continuity strategies.

Do we need to make the transition from ISO 22301:2012 to the 2019 revision?

For more information about mandatory documents and records for the 2019 revision of ISO 22301, please read: Mandatory documents required by ISO 22301 revision 2019.

Transition or adaptation?

Most changes in the 2019 revision aimed to make the standard less complex, and only one new small clause was included (6.3), so you may be wondering what is needed for a successful transition to the 2019 revision of the standard.

In fact, this could be hardly called a “transition” at all. All the changes to be made to fill gaps are not enough to justify a project-based approach like you might use for transitions of other management standards, like was the case with the ISO 27001 2005 revision to the 2013 revision.

This situation is closer to the regular effort of maintaining your compliance with the standard, where you can plan less-complex activities to make the few smaller adaptations to achieve compliance with the new revision of the standard.

Changes put a system in place to show the usefulness of your BCMS

And, this is it. It might seem like there’s little to do (clauses like document control, performance evaluation, and continual improvement basically did not change), but that’s because:

  • Updates to the new revision were made to make the standard leaner (eliminating redundancies in the text and placing requirements in more appropriate sections).
  • Mandatory documents are reduced, although related clauses are still mandatory.
  • The ISO 22301 2012 revision was one of the first to follow the high-level structure for ISO management systems standards as defined by Annex SL, so it was already aligned with the structure of other management system standards that were published in the meantime, like ISO 9001, ISO 14001, and ISO 27001.

These changes in the standard really do make sense – they will not only bring your Business Continuity Management System (BCMS) closer to the needs of your business, but you will also have a system in place to show the usefulness of your business continuity management.

To learn more about ISO 22301 implementation, visit our Free downloads page.

Advisera Rhand Leal
Author
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained а certified Information Security Management System based on ISO 27001.


Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.