ISO 22301 Transition Gap Guide
ISO 22301:2019 Timescales
ISO 22301:2019 was published in October 2019 and replaces ISO 22301:2012. Organizations currently certified to ISO 22301:2012 have a 3½-year transition period (extended because of the pandemic) in which to move to ISO 22301:2019.
Major Revisions in ISO 22301:2019
Planning Changes to the BCMS (6.3)
Awareness inclusive of before, during & after disruptions (7.3)
BIA process more detailed (8.2)
Business Continuity Strategies and Solutions (8.3)
Response Structure Teams (8.4.2)
Exercises focused on program and teams (8.5)
Cleaner & expanded Management Review inputs (9.3)
(Figure: ISO 22301:2019 Transition Timeline)
Major Differences in Terminology
You will find that some of the familiar terminology of ISO 22301:2012 has either been changed or removed.
| ISO 22301:2012 | ISO 22301:2019 (new terms and changes) |
|---|---|
| MAO, MTPD, MBCO | Removed |
| RPO, RTO | Now: Recovery |
Gap Analysis and Guidance
| ISO 22301:2019 clauses | ISO 22301:2012 clauses | Guidance |
|---|---|---|
| 4 Context of the organization | | |
| 4.1 Understanding the organization and its context | 4.1 | Slimmed-down requirement; removed documentation requirements and items specified elsewhere. Also dropped the term "risk appetite" (throughout the standard), but uses its definition (i.e. "the amount and type of risk that it may or may not take") to address the same intent. |
| 4.2 Understanding the needs and expectations of interested parties | 4.2 | Similar intent; changed "procedure" to "process"; dropped reference to interested parties under legal and regulatory requirements; dropped reference to communication in this section. |
| 4.3 Determining the scope of the business continuity management system | 4.3 | Mission and goals moved here; re-organized and less specific; added "location" as a factor to take into account when determining scope; the scope must still be documented. |
| 4.4 Business continuity management system | 4.4 | No material change. |
| 5.1 Leadership and commitment | 5.1 & 5.2 | Combined 5.1 & 5.2; re-organized, with various statements moved to other sections (e.g. 4, 9, 10); dropped the requirement for top management to actively engage in testing and exercises; dropped the requirements to provide evidence and to assign roles (including a management representative), which are now inferred elsewhere through authority and competence. |
| 5.2 Policy | 5.3 | Similar intent; re-organized into two sub-sections (5.2.1 & 5.2.2). Dropped the [redundant] statement regarding review for suitability, but this remains a management review input (9.3.e). |
| 5.3 Roles, responsibilities and authorities | 5.4 | No material change. |
| 6.1 Actions to address risks and opportunities | 6.1 | Same requirements broken out into two sub-sections (6.1.1 & 6.1.2); no material change. |
| 6.2 Business continuity objectives and planning to achieve them | 6.2 | Requirements broken out into two sub-sections (6.2.1 & 6.2.2); added communication and updating of objectives; dropped MBCO; responsibility broadened from top management to the organization. |
| 6.3 Planning changes to the business continuity management system | 8.1 | Expanded from a brief mention in 8.1 into a requirement of its own. Depending on how the organization previously handled changes to the BCMS, this may require additional effort. |
| 7.1 Resources | 7.1 | No material change. |
| 7.2 Competence | 7.2 | No material change. |
| 7.3 Awareness | 7.3 | Modified to include roles and responsibilities before, during and after disruptions. |
| 7.4 Communication | 7.4 | Re-structured and streamlined; dropped the specific procedural requirements from this section, but they remain within 8.4.3. |
| 7.5 Documented information | 7.5 | Minor re-organization and streamlining to eliminate redundancies. |
| 8.1 Operational planning and control | 8.1 | No major changes; added reference to outsourced processes and the supply chain (potential flow-down of requirements). |
| 8.2 Business impact analysis and risk assessment | 8.2 | (8.2.1) Re-organized and re-phrased to "systematic processes" for analyzing business impacts and assessing risks (BIA and RA); eliminated the term "risk appetite" (although the concept remains throughout the standard); added a requirement to review the BIA and RA at planned intervals or when there are significant changes to the organization. |
| | | (8.2.2) BIA requirements are more prescriptive: added a) defining impact types and criteria and c) using them to assess impacts over time; separated the MTPD and RTO intents (see the terminology changes above); added f) identification of prioritized activities. |
| | | (8.2.3) Risk assessment is simplified, with no material changes. |
| 8.3 Business continuity strategies and solutions | 8.3 | (8.3.1) NEW CLAUSE: the addition of solutions is the main theme of this revised requirement. In general, an organization will have various BC strategies, and each strategy may be supported by one or more solutions to achieve the given objective. Organizations should ensure that their existing BC strategies include adequate solutions to meet their needs for continuity and recovery. |
| | | (8.3.2) Comes from the previous 8.3.1 and 8.3.3, with expanded considerations including the provision of adequate resources (further expanded upon in 8.3.4). The requirement to evaluate suppliers is moved to 8.6. |
| | | (8.3.3) Separated out from the previous 8.3.1; added consideration of the amount and type of risk [i.e. appetite] along with costs and benefits. |
| | | (8.3.4) Resource requirements largely moved over from the previous 8.3.2; some considerations added (e.g. logistics). |
| | | (8.3.5) NEW CLAUSE: implementation of solutions added as a specific requirement. |
| 8.4 Business continuity plans and procedures | 8.4 | (8.4.1) Re-worded and better explained; added assignment of roles to the list. |
| | | (8.4.2) Response structure expanded with sub-sections focusing on teams, their make-up, competencies and the roles required to implement business continuity plans. Also added a specific call-out for "alternate" personnel to be identified. Dropped the requirement for external communication regarding significant risks. |
| | | (8.4.3) Warning and communication now requires a "documented" procedure, which was not previously explicit. |
| | | (8.4.4) BC plans add consideration of impacts on the environment. Plans are now specifically required to be usable and available at the time and place where they are needed. |
| 8.5 Exercise program | 8.5 | Emphasis added on a more holistic, planned-out exercise "program" and on developing teamwork. |
| 8.6 Evaluation of business continuity documentation and capabilities | 9.1.2 / 8.3.2 | NEW CLAUSE: created from content moved from 9.1.2, with better explanation of intent. Strengthens the concept that evaluation of BCMS capabilities and effectiveness should be done regularly (not just evaluation of procedures). Also adds evaluation of partners' and suppliers' business continuity capabilities, i.e. business continuity flow-down (previously referenced in 8.3.2). |
| 9 Performance evaluation | | |
| 9.1 Monitoring, measurement, analysis and evaluation | 9.1 | Similar intent; less specific. 9.1.2 moved to 8.6 (see above). |
| 9.2 Internal audit | 9.2 | Same intent; (9.2.2) expanded emphasis on the audit program through a new sub-section (made up of existing requirements). |
| 9.3 Management review | 9.3 | Split the list into inputs and outputs; expanded the input list to include d) feedback from interested parties, g) information from the BIA and risk assessment, and h) evaluation of BCMS capabilities (8.6). Re-organized into three sub-sections; 9.3.3 adds modification of procedures to respond to impacts on the BCMS, and how effectiveness will be measured; dropped the list of potential changes. |
| 10.1 Nonconformity and corrective action | 10.1 | Same intent; re-organized into three sub-sections; cleaned up redundancies. |
| 10.2 Continual improvement | 10.2 | More emphasis on the results of analysis, evaluation and management review as inputs to continual improvement activity. |
ISO 22301:2019 incorporates more business management terminology and concepts, and is intended to ensure that the BCMS is integrated into the organization's overall business processes rather than operating as a separate entity.
We will help you understand the changes, interpret the new concepts and act on the implications.
Please get in touch if you have any questions.
A PDF version of this ISO 22301:2019 Transition Guide is available for download.