ISO 22301 to Replace BS 25999-2

Tuesday, March 01, 2011

Dejan Kosutic


According to various sources, the leading business continuity standard BS 25999-2 will be replaced by an international standard ISO 22301 by the end of 2011.

This kind of transition is normal - the same thing happens with most management standards, for instance with ISO 27001 when in 2005 it succeeded BS 7799-2. So what are the main changes that ISO 22301 will bring when compared to BS 25999-2?

One important note here - since ISO 22301 hasn't been published yet, the final version of the standard still doesn't exist, so some of the things I've written here may not exist in the final version. I am using a draft version published in February 2011 on the BSi Draft Review website.

ISO 22301 will have this title: ISO 22301, Societal security - Business continuity management systems - Requirements. Although "Societal security" may sound a little strange in relation to business continuity, here is how ISO defines it:

"...standardization in the area of societal security, aimed at increasing crisis management and business continuity capabilities, i.e. through improved technical, human, organizational, and functional interoperability as well as shared situational awareness, amongst all interested parties."

At first sight, it is obvious that the structure of ISO 22301 is very different from BS 25999-2, although all the basic elements of BS 25999-2 still do exist in ISO 22301.

Let's take a deeper look.


The biggest similarity is that all core business continuity elements in BS 25999-2 will be present in ISO 22301 too: business continuity policy, business impact analysis, risk assessment, business continuity strategy (in ISO 22301 it will be called "business continuity options"), business continuity plans, exercising and testing etc.

Business impact analysis will probably be broken down in several clauses, demanding more precision. The requirements for business continuity plans, including response procedures and recovery plans, are much more detailed too - e.g. the communication part.

The management part of BS 25999-2 will also be transferred to the new standard - document control, internal audit, management review, corrective and preventive actions, human resources management etc. (by the way, these elements exist in all other management standards - ISO 9001, ISO 14001, ISO 27001...).

However the documentation will be called "documented information", and preventive actions will be called "actions to address issues and concerns".

...and differences

Plan-Do-Check-Act (PDCA) model is even less clearly stated in ISO 22301 compared to BS 25999-2, although BS 25999-2 is not as clear in that respect as ISO 27001. However, in my view that won't affect the clarity of the process through which the standard should be implemented since the main sections of the standard are organized in a rather logical way.

ISO 22301 will obviously put much greater emphasis on setting the objectives, monitoring performance and metrics - therefore bringing business continuity much closer to top management way of thinking.

Following that line, ISO 22301 puts clearer expectations on management and summarizes them in a single section.

ISO 22301 will resolve one of the shortcomings of BS 25999-2, and will require much more careful planning for and preparing the resources needed for ensuring business continuity - those requirements are now extended and more clearly structured.

Finally, what will be different about ISO 22301, being an international standard, is that certification bodies will push certification against this standard much harder, so it will gain its popularity much faster.

As a conclusion, all the basic elements of BS 25999-2 will probably be present in ISO 22301 too, only ISO 22301 will be more precise and more demanding. Organizations that have already implemented BS 25999-2, and want to "upgrade" to ISO 22301, will have to pay more attention to detail and will have to invest more time into preparing and maintaining their system.

On the other hand, ISO 22301 will certainly help them raise their level of resilience and their level of credibility - the same thing that ISO 27001 did 6 years ago when it replaced BS 7799-2.

Update: ISO 22301 was published on May 15, 2012 - for detailed explanation about the differences between these two standards see Infographic ISO 22301 vs. BS 25999-2

Cross posted from ISO 27001 & BS 25999 blog - 

Complete ISO 27001 and BS 25999 Webinar Schedule:

March 8, March 21 - Risk Management Part 1: Risk Assessment Methodology and Risk Assessment Process

March 9 - BS 25999-2 Foundations Part 2: Business Continuity Strategy 

FREE WEBINAR - March 9 - BS 25999-2: An Overview of BCM Implementation Process

March 9, March 22 - How to Become ISO 27001 / BS 25999-2 Consultant

March 10, March 23 - BS 25999-2 Foundations Part 3: Business Continuity Planning

March 22, April 4 - Risk Management Part 2: Risk Treatment Process, Statement of Applicability and Risk Treatment Plan

FREE WEBINAR - March 23 - ISO 27001 Implementation: How to Make It Easier Using ISO 9001

March 23, April 6 - ISO 27001 / BS 25999-2 Management Responsibilities: What Does Management Need to Know?

March 24, April 18 - How to Write Four Mandatory Procedures for ISO 27001 and BS 25999-2

April 5, April 19 - ISO 27001 A.6 & A.8: Organization of Information Security; External Parties; Raising Awareness, Training and HR Management

April 5, April 20 - ISO 27001 and ISO 27004: How to Measure the Effectiveness of Information Security?

FREE WEBINAR - April 6 - ISO 27001/BS 25999-2: The Certification Process

April 6, April 19 - ISO 27001 A.7: Asset Management and Classification

Possibly Related Articles:
Compliance Security Audits Webinar BS 25999-2 ISO Standards ISO 22301
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.