Gartner Blog Network

New ISO 22301:2012 BCM Standard Places Executive Governance Front and Center

by Roberta J. Witty  |  May 18, 2012  |  Comments Off on New ISO 22301:2012 BCM Standard Places Executive Governance Front and Center

The new ISO business continuity management standard’s heightened focus on executive governance may make it more rigorous to implement than its predecessor, but will result in BCM program improvements for most organizations.

Event Facts: On 16 May 2012, the International Organization for Standardization (ISO) published the new 22301 standard (full name: “ISO 22301:2012 Societal security — Business continuity management systems — Requirements”). The new standard will supersede the BS 25999-2 (25999-2) standard, which will have “withdrawn” status as of November 2012. BS 25999-1, which provides business continuity management (BCM) program implementation guidance, will remain in place. (An additional standard, ISO 22313, providing specific implementation guidance on the new 22301 standard, will likely be published in late 2012 or early 2013.) 22301 is now subject to review by various countries’ accreditation bodies (ABs). The U.S. PS-Prep organizational certification program is expected to adopt 22301 as a replacement for 25999-2 before that standard expires. Once the ABs finish their reviews and issue a transition statement, organizations will typically have two years to transition to 22301. All certification bodies and their certified auditors will need to qualify to conduct 22301 certification audits, and this could take until YE12.

Analysis: This long-awaited standard is one of more than 100 BCM standards, frameworks, sets of best practices, laws and regulations worldwide. However, an ISO standard typically has more credibility because it is developed by a global group of domain experts, and 22301 is no exception. The ISO determined that 22301 needed to be both translatable and applicable for implementation in every country, and auditable (as is 25999-2). As a result of the rationalization across all views and other standards as input, some terminology is more business-oriented and its requirements are less ambiguous than 25999-2’s.

The new standard represents an improvement over 25999-2 in areas such as disaster response and crisis communications, and more robust use of the ISO Plan — Do — Check — Act management system. It also makes executive governance the focal point of a BCM program, and this may make it more rigorous for some organizations to implement. Like 25999-2, it has a limited focus on prevention/risk mitigation actions.

National Fire Protection Association (NFPA) 1600:2010’s focus, by comparison, is primarily disaster response. It follows the U.S. National Incident Management System/Incident Command System (NIMS/ICS) framework and is limited in its recovery and restoration requirements and management system. ASIS SPC.1-2009 focuses on risk management; it includes information security, preparedness and continuity, but its risk focus means that it can take longer to implement and it is less familiar to BCM professionals.

By YE14, 25999-2 will no longer be a certification option. The choices will be 22301, NFPA 1600:2010 and ASIS SPC.1-2009. Gartner advises all organizations to choose a standard/framework for BCM program implementation. (Some industries, such as financial services in the U.S., must follow specific guidance superseding all three standards.) The result over time will be an improvement in BCM maturity for all organizations.

BS 25999-2-certified organizations: Use the two-year transition period to assess the differences between the standards, determine whether organizational certification is still appropriate and build a transition plan.

Organizations with certification under PS-Prep in progress: Determine whether 25999-2 is still appropriate for your needs within the one-year post-adoption transition period for in-process applications.

Organizations considering certification: Assess each standard to determine which is most appropriate for your organization’s business drivers and investments.

Recommended Reading
“Predicts 2012: Business Continuity Management Maturity Takes Two Steps Forward and One Step Back Due to Technology and Cultural Changes”
“ITScore for Business Continuity Management, 2012”
“ITScore for Business Continuity Management: Results Through January 2012 Show Midlevel BCM Program Maturity”

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: advisory  bcm-process  event  standardsframeworks  

Tags: bcm  bcm-standard  bcp  business-continuity-management  business-continuity-planning  disaster-recovery  iso  it-disaster-recovery  roberta-witty  

Roberta J. Witty
Research VP
11 years at Gartner
33 years IT industry

Roberta Witty is a research VP in Gartner Research, where she is part of the Compliance, Risk and Leadership group. Her primary area of focus is business continuity management and disaster recovery. Ms. Witty is the role specialty lead for… Read Full Bio

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.