ISO 22301 - How different is it from BS 25999? - 3
‘Leadership’ is a new section in ISO 22301. The content of the sections under ‘leadership’ are not drastically different from what BS 25999 expects from the top management. ISO 22301, however, has combined it into a single section. It divides ‘Leadership’ into three key sub-sections. Management commitment, policy and organizational roles, responsibilities and authorities. This essentially means that when an ISO 22301 auditor conducts and audit, he will grill the top management on these aspects, and they are all at one place in ISO 22301, unlike BS 25999 where they are scattered across different sections.
There is another new section called ‘Support’. This section, like leadership, has mainly grouped logically, the sections of ‘Provision of resources’ competency of BCM personnel, awareness trainings and documentation requirements into one. Although there is a sub-section for documented information, there is no comprehensive list of documents that an organization is required to have. The only reference is ‘documented information required by this organization’ and ‘documented information determined by this organization as being necessary for the effectiveness of the BCMS’. There is a little note below it which mentions that the documentation will differ from organization to organization based on various factors including the competence of persons! An organization’s BCMS documentation may vary based on size, type and complexity of activities, processes, products and services, but how will they be dependent on the competence of persons? How will this be audited?
Auditor: “Mr. CEO, you have a very poorly drafted BCMS policy. I doubt it is of any use to you.”
CEO: “Yes, I know. Thanks. It is just that we do not have competent persons and hence our documentation is commensurate to that.
Auditor: “In that case, it is OK. I will accept this policy.”
It appears that ISO 22301 shies away from asking organizations for a certain set of documents as in section 188.8.131.52 of BS 25999. Not good news for the implementers.
Finally, we reach to the meat of the BCMS in section 8, ‘Operation’. The definitions section of ISO 22301 defines RTO, RPO, MTPD and MBCO. The business impact analysis section happily chooses to ignore all of these. If you would follow the business impact analysis of ISO 22301, you will only ‘setup prioritized timeframes for resuming the critical activities that support key products and services’ . You would probably not calculate RTO (as per the definition, not any other parameter. You will have a list of dependencies, timeframes, etc, but you would not have the RTO, RPO, MTPD or MBCO. I wonder why they have treated business impact analysis so shabbily. Perhaps, there is a new ISO standard planned for business impact analysis that they want us to buy.
Determining choices, which was a part of Understanding the organization in BS 25999 is now a part of strategy, A wise strategy. ‘Determining choices’ now becomes ‘Protection and Mitigation’, a sub-section of business continuity strategy, the way it should ideally be. There is a detailed section on establishing resource requirements. It basically asks the implementing organization to list down all the resources that would be required to implement a particular strategy.
The business continuity response part of BS 25999 which included incident response and continuity plans, gets a makeover with a section in ISO 22301 called ‘Establish and implement business continuity procedures’. Not only does this section include both incident response and plans, it also includes ‘Warning and communication’ and ‘recovery’. There is a very nice addition in incident response which asks you to ‘identify impact thresholds that justify initiation of a formal response’. This will solve the confusing bit “When do I declare a disaster?” that is not addressed in BS 25999. Also, the plans in ISO 22301 cannot be as per the organization’s fancy, they need to have a set of topics that are mandated.
All in all ISO 22301 seems to be a lot more organized so far, except for a few slips. The last section of the blog will cover the parts where the organization goes from BCMS being a project to being a run-and-maintain. This will the testing, exercising, management reviews etc.