ISO 22301:2019: what changes in the new version of the standard

2022-05-02

Key improvements in the latest version, ISO 22301:2019, include a clearer structure and terminology to promote a better understanding of what is required, and updates to bring it into line with the other ISO management system standards.

Since its first release in 2012, ISO 22301 has become the international benchmark for business continuity management systems (BCMS). According to ISO surveys, more than 4,000 organizations hold ISO 22301 certificates. The standard's popularity has spread across very different industries: DQS has certified banks, chemical plants, IT service providers and auto parts manufacturers, to name just a few. Given this popularity, it is only appropriate for ISO to review the standard and incorporate the experience gained in its first years of use. The new version, ISO 22301:2019, was released in November 2019.

Good news: the changes are limited

Let's start with the main point: if you are already certified to ISO 22301:2012, the transition to ISO 22301:2019 should not cause any problems. A side-by-side comparison of the 2019 and 2012 editions shows that there are no significant structural changes.

One of the main reasons why revisions of ISO management system standards have been challenging over the past few years has been the adoption of the High-Level Structure (HLS), the unified structure and core text shared by all ISO management system standards. However, ISO 22301:2012 already followed the High-Level Structure; it was one of the first ISO standards to adopt it. Instead of rewriting the entire standard, the working group could therefore focus on wording and clarity. Many superfluous passages have been trimmed, definitions have become more consistent and the text is more logical.

Good news: getting back to the essence of BCM

What is particularly interesting is how many requirements have been reduced to their essentials. Clause 4.1 is a good example. ISO 22301:2012 spelled out what organizations had to do (and record!) to understand the organization and its context. ISO 22301:2019 only states the need to "identify external and internal issues", without specifying what this means: it neither lists the aspects that need to be considered nor requires the process to be documented.

A similar thing happens in clause 7.4 on communication: the new version is significantly less prescriptive.

Another requirement that has been reduced is the involvement of top management (5.2). Both versions require top management to commit to the BCMS. But while ISO 22301:2012 even required top management to "actively participate in exercises and tests", ISO 22301:2019 takes a more practical approach and focuses on what is actually needed to maintain an effective BCMS.

Other changes

In addition to a number of minor tweaks that will have little or no impact on certified sites, there are some changes worth mentioning:

Clause 6.3 is one of the few genuinely new requirements: organizations must make changes to the BCMS "in a planned manner". Although the requirement is technically new, its content should come as no surprise to anyone.

Clause 8.2.2 on business impact analysis (BIA) now states that the BIA must start with the definition of impact categories. Many organizations had already defined impact categories in their BIAs; the new standard makes this mandatory.

Clause 8.3 has been renamed from "Business continuity strategy" to "Business continuity strategies and solutions". This reflects the increasing pragmatism of ISO 22301:2019: the focus is not on developing grand strategies to ensure business continuity, but on finding solutions to specific risks and impacts: "The organization shall identify and select business continuity strategies based on the outputs from the business impact analysis and risk assessment. A business continuity strategy shall be comprised of one or more solutions."

The term "risk appetite" has been removed from the standard. In the 2012 version, "risk appetite" was defined as "the amount and type of risk that an organization is willing to pursue or retain". ISO 22301:2019 drops the term. "Risk appetite" is not only a fairly subjective matter but ultimately irrelevant here: what matters is not the risk an organization is willing to take, but which impacts of not resuming activities are unacceptable to the organization.

By reducing the standard to its essentials, ISO has achieved a clearer separation between requirements (the "what") and guidance (the "how"). The ISO 22313 guidance document, which also dates from 2012, is being updated to reflect the changes to ISO 22301 and is expected to be published shortly after the new version of ISO 22301.