
22 June 2012 / Others

ISO 22301 - How different is it from BS 25999?



With the release of every new standard, the average consultant feels an adrenalin rush. She makes funky presentations and tries to convince her clients that the standard is the best thing since sliced bread. If the standard has been much awaited, the presentations get funkier and the noise urging clients to implement it reaches cacophony levels. This seems to be the case with ISO 22301 as well. Let us take a look at what ISO 22301 is and how different it is from BS 25999. We will also try to analyse whether you need to do anything different to get yourself compliant with ISO 22301.

1. Introduction and Scope

There have been minor changes in the initial references of ISO 22301 compared with BS 25999. Most of these changes help an organization interpret the wording of the standard. There is no major deviation from BS 25999 in the introduction and scope of ISO 22301.

2. Terms and Definitions

If you are a true connoisseur of standards, this is something you should never skip. The devil, as they say, is in the detail. ISO 22301 has surreptitiously introduced a term called ‘Maximum Acceptable Outage’ (MAO) (a tribute to the Australian National Audit Office BCM document?). The MAO is defined as the “time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable.” The old reliable MTPD (maximum tolerable period of disruption) of BS 25999 also has a changed definition. In BS 25999, MTPD is defined as the “duration after which an organization’s viability will be irrevocably threatened if product or service delivery cannot be resumed.” In ISO 22301, MTPD takes exactly the same definition as MAO. My guess is that ISO has introduced two terms with one definition so that consultants can confuse clients and make things more complex than they usually are.

We move on to another new term in ISO 22301, missing from BS 25999 but present in Singapore’s SS540: ‘MBCO’, the Minimum Business Continuity Objective. This is defined as the “minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during a disruption.” This is indeed a welcome addition. It should hopefully resolve the doubts over the three-part definition of MTPD in BS 25999 (RTO, minimum level upon resumption and time required for full recovery). Prima facie, these definitions look like they will change the BIA methodology for the better.

ISO 22301 has defined a term ‘event’ in addition to ‘incident’. The purpose could be to remove the clouds over what is classified as an event and what as an incident. However, the definition itself, “occurrence or change of a particular set of circumstances”, does not provide much more clarity, though examples are given in the four notes to the definition. Another welcome definition, conspicuously missing from BS 25999, is RPO. Thank heavens for that. Good job, ISO 22301.

So far, the new ISO 22301 seems to be better researched and provides a better understanding of business continuity, especially with the terms MBCO and RPO added to the definitions. With the exception of the duplicate definitions for MAO and MTPD, it makes more sense than BS 25999. Does this impact your implementation of BS 25999? Wait for the second part of this series for my take on that.