New 22301:2019 Business Continuity standard - All major changes explained

New 22301:2019 standard launched

Recently, the International Organization for Standardization (ISO) has published the new version of the 22301:2019 standard. The first edition of Business Continuity Management Systems (BCMS) standard was launched in May 2012 (22301:2012). It was the first ISO standard on business continuity, and it consists of requirements to implement a BCMS. 

Most changes are improving the readability and practical application of the document. The standard has been simplified and has a more pragmatic approach. The terminology section is improved, and there are only a few minor new requirements.  

Terminology – Better reflecting today’s approach 
The terminology has been improved to better reflect today’s approach in the industry.

An example is how 'Business Continuity Strategy” has been section 8.3 is renamed to “Business continuity strategies and solutions”. This new terminology demonstrates how the new standard is more pragmatic. Instead of focusing on one strategy for the whole organisation, it is now a requirement to find solutions for specific risks and impacts. 

In addition, some abbreviations and terms in the terminology section have been removed (such as BCM, BCP and document), new terminology has been introduced (such as resilience and supply chain) and other terms have been redefined (such as “RTO and RPO” are now “Recovery”, “Testing” is now “Test”)

Simplification – More pragmatic
The improved standard makes it easier to implement a BCMS. 

Clause 4.1 (Understanding the organisation and its context) is an excellent example of simplification. The 2012 version of the standard has a list of what an organisation needs to do and document to meet this requirement. The 2019 release only states the need to “determine external and internal issues” without a prescription what this requires or a list of what needs to be documented. 

Another example is clause 7.4 (Communication): the new version is far less prescriptive, with only five instead of ten bullet points of requirements.

Structure – Streamlined with other ISO standards
The structure of the standard has been improved to make the document easier to use and less repetitive in content. 

The 22301:2019 version separates the steps required to deliver business continuity capability from steps to implement and maintain the management system. The new standard is also streamlined to be more in line with all other ISO management system standards.

 This makes it easier to implement this management system when you already implemented another ISO management system standard, such as the related ISO 27001 (Information Security) and ISO 31000 (Risk Management) standards.

Redefined requirements - Aligned with best practice
A few new requirements can be found in 8.4.2.3 (Response structure). This requirement states the requirements for the response teams. The bullet points “establish priorities (using life safety as the first priority)”, the task of monitoring the effects of the disruption and response, and the requirement to have alternates and documented procedures for the response teams are all new. Elements of these bullet points were in the old standard as descriptive content and are more clearly structured as new bullet points.

Another change we’d like to highlight is related to section 8.2.2 (Business Impact Analysis (BIA)). The new version states the BIA has to take impact categories (such as unavailability of assets, staff, IT, connectivity, supplier, etc.) as a starting point. So instead of planning for a wide range of detailed scenarios, the new standard makes defining impact categories mandatory. Scenario-based planning is not only 

What to do with the 22301:2012 standard
There is a three-year transitioning period (from publication date) for the new standard. This means that certificates provided for the 2012 version would lose their validity in November of 2022.

So, you can still use the 22301:2012 version for now. However, anyone buying a version of the standard will likely be using the 22301:2019 version. Moving to the new version will ensure your Business Continuity Management System continues to be aligned with certification bodies, other stakeholders who use the 22301:2019 version and you are up to speed with the latest good practice. 

A complete list of changes can be found on the website of our certification body, the Professional Evaluation and Certification Board.

Any questions about the new standard? We specialise in Business Continuity Consulting and Training. 

All Business Continuity courses in 2020 are updated and aligned to the 2019 standard, and the exams are progressively moved towards the new version. Subscribe to our newsletter if you’d like to be kept informed or contact us if you are interested in a free consultation.