Get 4 FREE months of Conformio to implement ISO 27001

Infographic: ISO 22301:2012 vs. ISO 22301:2019 revision – What has changed?

On October 31, 2019, the new revision of the ISO 22301 standard was published. This is the latest revision of the standard on which organizations base their Business Continuity Management Systems (BCMS).

This new revision follows an approach similar to that of other ISO management systems, such as ISO 9001 and ISO 27001, with less prescriptive requirements. In this article, you’ll find a brief ISO 22301:2019 vs. ISO 22301:2012 comparison.

Infographic: ISO 22301:2012 vs. ISO 22301:2019 revision – What has changed?

Structure has remained the same

The old 2012 revision of ISO 22301 was one the first ISO management standards that was developed considering ISO/IEC Directives part 1 Annex SL, which prescribes how ISO Management System Standards (MSS) must be written. Therefore, unlike frameworks reviewed since 2012, the new 2019 revision of ISO 22301 has not undergone any major changes to its structure, because it is already similar to those of ISO 9001, ISO 14001, ISO 27001, and other ISO management standards released after 2012.

Broader approach from strategy-based to solution-based

The ISO 22301:2019 standard requires organizations to not only develop high-level strategies to ensure business continuity, but also to define solutions to handle specific risks and impacts relevant to continuity.

This is the most significant change for top management, because the identification of required resources is now related to solutions, not strategies (see standard clause 8.3.4). Defining resources in terms of strategies is not as precise as when you define them in terms of the solutions, which greatly affects the budget planning for the BCMS.

When you define resources based on strategy, you may find yourself limiting solutions because of an under-planned budget, or unexpectedly having to increase investments, compromising the whole organizational budget.

Managing changes to the BCMS

The single new requirement of ISO 22301:2019 requires organizations to make changes in the BCMS in a planned manner, which can be achieved by considering:

  • the purpose of the change and its consequences
  • how the integrity of the Business Continuity Management System is impacted by the change
  • the resources available to perform the change
  • the definition or change of responsibilities and authorities

Although it is something implicitly expected from organizations in the last version, by making this a mandatory requirement it adds more confidence to organizations to resume, continue, and recover the delivery of services and products to their customers.

ISO 22301:2019 introduces greater flexibility and pragmatism to achieve results

Although most people are not fond of change, the modifications to the ISO 22301 standard should not be too difficult for organizations to implement, and are actually meant to introduce greater flexibility and better understanding. Additionally, due to the recognition that solutions are as important as strategies, there is a greater focus in this revision on ensuring that organizations develop proper responses to specific risks and impacts.

Furthermore, you can have a reduced number of documents for the same thing: managing your service continuity during and after disruptive incidents.

For sure, the new ISO 22301 is not a unique option for the management of business continuity, but it can give you useful tools in the form of processes to ensure the continuity of your services, helping you to achieve the best customer satisfaction.

To learn more about ISO 22301:2019 implementation, download this free Diagram of ISO 22301 Implementation Process.

Advisera Rhand Leal
Author
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained а certified Information Security Management System based on ISO 27001.


Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.