ISO 22301 - How different is it from BS 25999? - 2
We continue with our analysis of ISO 22301 vs. BS 25999. We reviewed the initial parts of the standards and the definitions. There have been interesting additions (MAO, RPO, MBCO), some of which are welcome additions while some are uncalled for. Let us begin where we left off:
- Context of the organization
Context establishment seems to be a running theme with recent ISO standards. ISO 27005 describes context establishment with a block diagram. ISO 22301 too spends many paragraphs on ‘context’. The scope of BCMS is a part of context establishment now.
While BS 25999 jumps straight to the point and makes us write down a scope, ISO 22301 first wants you to ‘Understand the organization and its context’, ‘Understand the needs and expectations of interested parties’ and then ‘Determine the scope of the BCMS’. The headings seem promising. In the first step, you are asked to document the organization's activities, functions, services, products, partnerships, supply chains, relationship with interested parties, and the potential impact related to a disruptive event. This is good. This is something BS 25999 should have asked us to do, but does not. This makes for a good starting point. In case you want to get certified on ISO 22301 and have skipped this step (formally, of course; informally, everyone had to do this step to begin a proper BCMS anyway), it is time to bring out the Excel sheets and list all this down. There is a bit about identifying ‘internal and external issues’ without getting into the details, which lacks clarity, but I am prepared to ignore it as ISO 22301 has got a great starting point.
ISO 22301 wants you to articulate your objectives, and has a hilarious statement: “define the external and internal factors that create the uncertainty that gives rise to risk”. Please write to me if you comprehend that statement. I could not make head or tail of it.
A subtle change, which I find is an improvement, is that ISO 22301 asks us to list down all the activities, functions, etc., first and then ‘establish the parts of the organization to be included in the BCMS’. This forces us to think of the entire organization first and then to move on to establishing the scope. BS 25999, however, asked us to list the scope first and then identify the key products and services within the scope of the BCMS. A definite improvement and maybe a better way for us to implement a BCMS.
ISO 22301 never asks us to define our ‘key products and services’, something BS 25999 is very bold about (pun unintended). I assume the word ‘establish’ in ‘establish the parts of the organization to be included in the BCMS’ to be the key word here. When I ‘establish’, I try to identify what is ‘key’, which may or may not be how the authors of ISO 22301 intended. I feel this is a major miss in ISO 22301. I was expecting more clarity on how to identify key products and services, not confuse us further.
To implement, you might not have to make any major changes to your documents, but more to your thought process. In case you have approached it wrong in the first place, then you have some rework to do. An additional document listing all the things mentioned above needs to be created.
We shall soon see what ISO 22301’s views on ‘Leadership’ are. Please await the next section of this blog.