Business Continuity Management ISO 22301

The revision of the ISO 22301 was published in October 2019. Starting October 31, 2019, companies have three years to be certified according to the new version.

Our experts can still certify you according to the old ISO 22301:2012 until October 31, 2021. From November 1, 2021, certification and re-certification audits will be conducted according to the new standard only.

The ISO 22301:2019 “Security and Resilience – Business Continuity Management Systems – Requirements” wants organizations to implement and maintain a management system for measures and capabilities to ensure that they are able to continue to operate their core business in the event of disruption.

The standard specifies and outlines the minimum requirements that an organization must establish to demonstrate its ability to manage failure safety.

With the new edition of the ISO 22301:2019, some requirements are now more stringent, such as the focus on failure safety from a business perspective.

• Chapter 8 now contains discipline-specific guidelines for a Business Continuity Management System.
• Resilience is viewed from the perspectives of business, finance, interested parties and internal processes.
• Top management has the clear mandate to understand the critical internal and external needs and expectations. Security objectives should be defined and critical processes, resources and interdependencies should be supported.
• The management should also promote the understanding of BCM within the organization.
• A Business Impact Analysis (BIA) with the time periods for prioritization needs to be developed.
• The business continuity documentation including that of partners must be reviewed on a regular basis.
• A separate chapter is now dedicated to audit planning for internal audits.
• A Business Continuity Management System (BCMS) only needs to be considered for the relevant part of the organization, not for the entire organization.
• Emphasis is placed on specifications and objectives, resources, review of effectiveness and CIP.
• Changes to the alignment of the BCM should be planned.
• The wording has been streamlined overall and was phrased in a more targeted manner.
• Like in other management system standards, essential documents must exist. These are:
  • Guideline
  • Roles, responsibilities and authorizations
  • Emergency planning, communication
  • Business continuity plans
  • Internal audit
  • Management review
  • Measurement results and CIP measures

No, the changes do not have any direct influence on an existing certification until the transition. The transition period, which has been extended by 6 months based on international agreements, ends on April 30, 2023.

In addition, starting November 1st, 2021, all certification and re-certification audits will be carried out based on the new standard. For surveillance audits, you have a choice between the old and the new standard.

There may be additional one-time audit expenditures. They vary depending on the organization and the timing of the transition:

• Re-certification and surveillance: 2 hours additional on-site audit time.
• Special audits for the transition to the new standard: 4 hours additional on-site audit time.

Yes, with our GAP analysis, we can together clarify questions such as: Will there be changes necessary within the organization? Is training required? Do essential documents or the management system documentation have to be adapted?

The unified definitions and texts in the High Level Structure (HLS) create synergies between ISO 27001 and the revision of ISO 22301.

The ISO 22301 standard is suitable for all companies that will have to continue working despite and during a disruption. It also provides proof to customers and insurance companies. These can be companies from industries where quality is critical as well as organizations that require proof of their failure safety and resilience. They include, for example, companies in the automotive industry, insurance companies, banks and of course IT service providers.

Certification according to ISO 22301 will give you control over your ability to avoid and, if necessary, to control failures.

No. Generally, any company can be certified according to ISO 22301. Our experts will be happy to provide you with information about how a certification will benefit your company. However, ISO 22301 certification does not apply to products such as BCM tools.

• Appropriate measures increase your failure safety and resilience.
• It provides a structured approach in the case of an incident.
• It increases the stability of business processes.
• It lets you show the performance capability and efficiency of your business activities.
• It increases the satisfaction of your customers.
• Your critical infrastructure becomes apparent.
• Your business-critical risks become apparent.