As ideal as it would be to comprehensively plan for and preemptively pinpoint every threat, uncertainty, by its very nature, looms perennially. For any organization, these threats—ranging from natural disasters to cyberattacks—can cause serious business disruptions. Organizational resilience, assured by a business continuity management system (BCMS), can prepare any business for a world of chaos.
The positive impact of resiliency is abundant. For instance, the technical committee responsible for the development of ISO 22301:2019, ISO/TC 292 Security and resilience, follows the mission:
“to produce high quality standards to support nations, societies, industry, organisations and people in general. The purpose of these standards is to enhance and sustain the state of being free from danger or threat and to feel safe, stable, and free from fear or anxiety.”
What is ISO 22301:2019?
This international standard, ISO 22301:2019 – Security And Resilience – Business Continuity Management Systems – Requirements, is the first of its kind in enabling any organization, regardless of size, industry, or nature, to implement, maintain, and improve a business continuity management system. The standard specifies the structure and requirements for a BCMS, which ultimately helps an organization protect against, reduce the likelihood of, prepare for, respond to, and recover from disruptions.
With such a system in place, organizations can see reduced costs, less impact on business performance when something goes wrong, fortified resilience, a better understanding of their business, and the ability to assure various stakeholders, including clients, that the organization has sound systems in place for business continuity.
As a management system standard, ISO 22301:2019 includes numerous components that might be familiar to users of ISO 9001 and ISO 14001. This includes the involvement of competent persons, documented information, management review, continual improvement, and the Plan-Do-Check-Act (PDCA) cycle. In fact, PDCA concepts are present in most clauses of ISO 22301:2019.
Changes to ISO 22301:2019
Ideas from other management system standards actually comprise many of the primary changes made to ISO 22301:2019. The first edition of this standard was released in 2012, and, since that time, numerous other ISO management system standards have been revised. To better allow for these various management topics to be integrated into an organization’s established management processes, these newer revisions are better harmonized with a High-Level Structure (HLS). This consists of identical core text, terms, and definitions.
Following this trend, ISO 22301:2019, the second edition of this international standard, was changed to streamline the High-Level Structure.
Other changes to ISO 22301:2019 revolve around clarification: the structure of the standard is easier to read and implement, and the language and terminology were simplified as well. In all, these revisions allow the standard to better reflect today’s thinking in the business continuity industry.
How to Get Started with ISO 22301
For any organization considering implementing a business continuity management system, step one is to acquire ISO 22301:2019 – Security And Resilience – Business Continuity Management Systems – Requirements, which is available on the ANSI Webstore. If you need several standards in the societal security area, you might be interested in the ISO 22300 – Societal Security Package or the Community and Organizational Emergency Resilience Package.
ISO also suggests some tips, including having buy-in from top management, doing a readiness assessment to establish where you are in relation to meeting the standard and what resources you need, and undertaking a business recovery exercise. This exercise, in which you consider what you currently would do in the event of a business disruption, helps clear up how capably your organization can respond and how ISO 22301:2019 can help.
Accreditation and Certification for Preparedness and PS-Prep Under ISO 22301
Under an agreement with the Department of Homeland Security, the ANSI National Accreditation Board (ANAB) accredits qualified third-party certification bodies (CBs) that issue certifications to private sector entities for disaster preparedness, emergency management, and business continuity. CBs can be accredited not only to ISO 22301 but also to ASIS SPC.1 and NFPA 1600, or to all three of these PS-Prep designated standards.
Please note that ANAB is an accreditation body and therefore does not offer certification. If you are seeking PS-Prep certification for your organization, please refer to the ANAB CB Directory and select either “ISO 22301,” “ASIS SPC.1,” or “NFPA 1600” with the dropdown “Standard” form to find an ANAB-accredited certification body suitable for your needs.