ISO 22301 Transition Gap Guide
26 February 2021
This blog will provide an overview of the key changes between the 2012 and 2019 versions of ISO 22301. Some portions of the standard have been reorganised, with various requirements modified, and there are changes to key definitions.
ISO 22301:2019 Timescales
ISO 22301:2019 was published in October 2019 and is the replacement for ISO 22301:2012. For organizations currently using ISO 22301:2012 there is a 3 ½ year transition period (extended due to the pandemic) to switch to ISO 22301:2019.
Major Revisions in ISO 22301:2019
-
Planning Changes to the BCMS (6.3)
-
Awareness inclusive of before, during & after disruptions (7.3)
-
BIA process more detailed (8.2)
-
Business Continuity Strategies and Solutions (8.3)
-
Response Structure Teams (8.4.2)
-
Exercises focused on program and teams (8.5)
- Cleaner & expanded Management Review inputs (9.3)
ISO 22301:2019 Transition Timeline
Major Differences in Terminology
You will find that some of the familiar terminology of ISO 22301:2012 has either been changed or removed.
| ISO 22301:2012 | ISO 22301:2019 (new terms and changes) |
|---|---|
| BCMS | Redefined |
| Consequence | |
| Disruption | |
| Document | Removed |
| Impact | |
| Infrastructure | Removed |
| Information | |
| Invocation | Removed |
| Likelihood | |
| Management | |
| Measurement | |
| MAO, MTPD, MBCO | Removed |
| Planning | |
| Protection | |
| RPO, RTO | Now: Recovery |
| Resilience | |
| Review | |
| Risk appetite | Removed |
Gap Analysis and Guidance
| ISO 22301:2019 CLAUSES | ISO 22301:2012 CLAUSES | GUIDANCE |
|---|---|---|
| 4 Context of the organization | ||
| 4.1 Understanding the organization and its context | 4.1 | Slimmed down requirement removing documents and requirements specified elsewhere. Also dropped reference to the term risk appetite (throughout the standard), but uses the definition (i.e. “the amount and type of risk tha it may or may not take”) to address the same intent. |
| 4.2 Understanding the needs and expectations of interested parties | 4.2 | Similar intent; changed procedure to process; dropped reference to interested parties under legal and regulatory requirements; dropped reference to communication in this section. |
| 4.3 Determining the scope of the business continuity management system |
4.3 | Mission and Goals moved here; re-organized and less specific; added “location” to be taken into account of scope; still requires documentation. |
| 4.4 Business continuity management system | 4.4 | No material change. |
| 5 Leadership | ||
| 5.1 Leadership and commitment | 5.1 & 5.2 | Combined 5.1 & 5.2; re-organized with various statements moved to other sections (e.g. 4, 9, 10); dropped requiremnt for top management active engagement in testing and exercises; dropped requirements to provide evidence and roles assigned (including management representative) - these are inferred elsewhere through authority and competence. |
| 5.2 Policy | 5.3 | Similar intent; re-organized into two sub-sections (5.2.1 & 5.2.2). Dropped [redundant] statement regarding review for suitability, but this remains a management review input (9.3.e) |
| 5.3 Roles, responsibilities and authorities |
5.4 | No material change. |
| 6 Planning | ||
| 6.1 Actions to address risks and opportunities |
6.1 | Same requirements broken out into two sections (6.1.1 & 6.1.2); no material change. |
| 6.2 Business continuity objectives and planning to achieve them |
6.2 | Requirements broken out into two sub-sections (6.2.1 & 6.2.2); added communication and updates; dropped MBCO; responsibility expanded to organization vs. top management. |
| 6.3 Planning changes to the business continuity management system |
8.1 | Expanded requirement from a brief mention in 8.1. Depending upon how the organization had previously addressed changes, this may require additional level of effort. |
| 7 Support | ||
| 7.1 Resources | 7.1 | No material change. |
| 7.2 Competence | 7.2 | No material change. |
| 7.3 Awareness | 7.3 | Modified to include roles and responsibilities before, during, and after disruptions. |
| 7.4 Communication | 7.4 | Re-structured and streamlined; dropped specific procedural requirements from this section, but they remain within section 8.4.3. |
| 7.5 Documented information |
7.5 | Minor re-organization and streamlining to eliminate redundancies. |
| 8 Operation | ||
| 8.1 Operational planning and control |
8.1 | No major changes; added reference to outsourced processes and supply chain (potential flow-down). |
| 8.2 Business impact analysis and risk assessment |
8.2 | (8.2.1) Re-organized and re-phrased to “systematic processes” and “analyzing Business impacts” for BIA and RA; eliminated use of ‘risk appetite’ term (although the concept remains throughout the standard); added requirement to review BIA/RA at planned intervals or with significant changes to the organization. (8.2.2) BIA requirements are more prescriptive with regard to BIA requirements; added a) impact types and criteria; c) “impact types and criteria”; separated MTPD and RTO intents; added f) identification of prioritized activities. (8.2.3) Risk Assessment is simplfied with no material changes. |
| 8.3 Business continuity strategies and solutions |
8.3 | (8.3.1) NEW CLAUSE: Addition of solutions is the main theme of this revised requirement. In general, consider that an organization will have various BC strategies; and each strategy may be supported by one or more solutions to achieve the given objective. Organizations should ensure that their existing BC strategies include adequate solutions to meet their needs for continuity and recovery. (8.3.2) comes from the previous 8.3.1 and 8.3.3 with expanded considerations including added provision of adequate resources (further expanded upon in 8.3.4). Requirement to conduct evaluations of suppliers is moved from this section to 8.6. (8.3.3) separated out from previous 8.3.1 and added consideration of amount and type of risk [aka. appetite] along with costs and benefits. (8.3.4) Resource requirements largely moved over from previous 8.3.2; some considerations added (e.g. logistics). (8.3.5) NEW CLAUSE: Implementation of solutions added as a new specific requirement.” |
| 8.4 Business continuity plans and procedures |
8.4 | (8.4.1) Re-worded and better explained; added assignment of roles to list. (8.4.2) Reponse Structure expanded with subsections to include focus on teams, the make-up thereof, competencies, and roles required to implement business continuity plans. Also added specific call-out for “”alternate”” personnel to be identified. Dropped requirement for external communication regarding significant risks. (8.4.3) Warning & Communication requires a “”documented”” procedure that was not previously explicitly required. (8.4.4) BC Plans add consideration of impacts on the environment. Also requires that plans specifically required to be usable and available at time and place where required. Emphasis added on a more holisitic or planned out exercise “program” and developing teamwork. |
| 8.5 Exercise programme |
8.5 | Emphasis added on a more holisitic or planned out exercise “program” and developing teamwork. |
| 8.6 Evaluation of business continuity documentation and capabilities |
9.1.2/8.3.2 | NEW CLAUSE: Created from content moved from 9.1.2 with better explanation of intents. Intended to add emphasis to strengthen concept that evaluation of BCMS capabilities/effectiveness should done regularly (not just evaluation of procedures). Also adds evaluations of partners’ and suppliers’ business continuity capabilities -i.e. business continuity flow-down (previously referenced in 8.3.2). |
| 9 Performance Evaluation | ||
| 9.1 Monitoring, measurement, analysis and evaluation |
9.1 | Similar intent; less specific. 9.1.2 moved to 8.6 (see above). |
| 9.2 Internal Audit | 9.2 | Same intent;(9.2.2) expanded emphasis regarding audit program with creation of new sub-section (though made up of existing requirements). |
| 9.3 Management Review |
9.3 | Split list into Inputs and Outputs; Increased Input list to include: d) feedback from Interested Parties, g) information from the BIA and Risk Assessment, and h) evaluation of BCMS capabilities (8.6); Re-organized to 3 subsections; 9.3.3 added modification of procedures to respond to impacts on the BCMS, and how effectiveness will be measured; dropped list of potential changes. |
| 10 Improvement | ||
| 10.1 Nonconformity and corrective action | 10.1 | Same intent; Re-organized to 3 subsections; cleaned up redundancies. |
| 10.2 Continual improvement | 10.2 | More emphasis on results of analysis, evaluation and management review as considerations for continual improvement activity. |
ISO 22301:2019 incorporates more business management terminology and concepts and will ensure that systems will be integrated into the organization’s overall business processes rather than being separate entities.
Our Values
We will help you understand the changes, interpret the new concepts and act on the implications.
Please get in touch if you have any questions here.
You can download the PDF of this ISO 23301:2019 Transition Guide here.
Are you considering NQA Training but not sure which way to turn or which course to book? Our Journey Guide will will point you in the right direction.