
IRCA Briefing note ISO/FDIS 22301:2012

IRCA Briefing note: ISO/FDIS 22301:2012 Societal security Business continuity management systems - Requirements
Introduction

The International Register of Certificated Auditors (IRCA) has prepared this briefing note to communicate to IRCA Certificated Auditors, IRCA Approved Training Organisations and other interested parties our understanding of ISO/FDIS 22301:2012. The content of this briefing note is provided in good faith and is IRCA's opinion. It should not be reproduced nor used for commercial purposes. IRCA certificated auditors and IRCA Approved Training Organisations are advised to familiarise themselves with ISO 22301:2012 when it is published.

The FDIS was released to the national standards bodies on 1 February 2012. ISO 22301:2012 is expected to be issued in May 2012.

In recognition of the rapidly growing global interest in business continuity management systems, ISO has developed, through the Technical Committee known as ISO/TC 223 Societal security, ISO 22301: Societal security - Business continuity management systems - Requirements. It is a specification standard against which certification bodies may offer third party certification to their clients. It forms part of the wider Societal security - Business continuity management system series of documents, which also consists of ISO 22300 (Vocabulary) and ISO 22313 (Guidance).

Over recent years a number of national and regional business continuity standards have been produced, most notably BS 25999-1:2006 Part 1 Code of Practice and BS 25999-2:2007 Part 2 Specification. The Part 2 Specification has led the way in developing business continuity management system requirements considered credible both by business continuity practitioners and by the interested bodies forming part of the Technical Committee. It is therefore not surprising that the British Standard has played a significant part in the development of the ISO Societal security series.

Summary of the contents of ISO/FDIS 22301:2012

Overview

ISO is currently developing a high level structure and standardised text suitable for all ISO management system standards. The intention is to help those organisations which wish to implement more than one management system standard and which, until now, may have been faced with different terminology and requirements for what are essentially the fundamental elements of a management system. Notable shifts in emphasis include:

- Top Management leadership shall be more demonstrable towards the management system
- Preventive action has been replaced with actions to address risks and opportunities, which feature at an earlier stage in the development of a management system (the Planning phase) than preventive action used to
- Greater specification of, and requirements for, internal and external communications relevant to the management system
- Strong emphasis on performance evaluation

It is anticipated that ISO 22301 will be the first new ISO management system standard to be structured in this format and will lead the way for all new and revised versions of existing ISO standards. The document under development at the time of publication of this briefing note is called ISO Guide 83 and is at draft status. Publication is anticipated in 2012.

Whilst there has been no reason to change the core elements of business continuity management as recognised by BCM practitioners and industry related bodies, there are elements of ISO 22301 which re-emphasise some of the fundamental aspects of BCM, such as the need for a proactive approach to planning that takes into consideration the organisation's attitude towards risk and demonstrates a clear link with its strategic objectives and with the needs and expectations of key stakeholders. To reflect the Societal security approach some new terminology has been introduced, and once it is published, readers of ISO 22301 should also familiarise themselves with the vocabulary in ISO 22300.

Detailed review

Terms and definitions have been included which are new to business continuity management systems, as well as some definitions which have been revised for the ISO standard. Look out for the following terms and make sure you consider the implications any change in definition may have on the organisation:

- Audit
- Business continuity plan
- Business continuity programme
- Corrective action
- Interested party
- Maximum acceptable outage (MAO)
- Maximum tolerable period of disruption (MTPD)
- Minimum business continuity objective (MBCO)
- Monitoring
- Outsource
- Performance
- Products and services
- Recovery point objective (RPO)
- Risk management
- Top management

Context of the organisation

The organisation is required to demonstrate an appreciation and understanding of its raison d'être and how this is aligned to the needs and expectations of its stakeholders. This will determine its business continuity policy and objectives and how it will consider risk and the effect of risk on its business. Consideration of an appropriate scope for the BCMS is required, and a link with core objectives and stakeholder requirements should be evident.

Leadership

Top Management responsibility and commitment has been a feature of management system standards for many years. ISO 22301 re-emphasises this in a more pronounced way, mandating specific ways in which commitment shall be demonstrated (from strategic direction through to directing and supporting continual improvement, to name but two of the ten requirements). As well as the current requirements to set policy and objectives and roles and responsibilities, Top Management are now expected to define the criteria for accepting risks, to engage actively in exercising and testing, and to take responsibility for ensuring that the performance of the BCMS is reviewed through internal audits and management reviews.

Planning

Having fully understood the context of the organisation, planning activities are introduced to address the risks and opportunities of the business (formerly incorporated under Preventive Action). This proactive approach, if carried out properly, will reduce the need for corrective action at a later date, as it will focus on planning for successfully achieving BCM objectives and realising opportunities for improvement. Ownership of BC objectives will be allocated and a clear direction for accomplishing these objectives will be agreed.

Support

The organisation (generally acknowledged to act through its Top Management) has a responsibility to ensure that sufficient and appropriate resource is available for the BCMS. Appropriateness is often determined through competency analysis, an area which continues to draw attention from both accreditation and certification bodies following changes to the requirements in ISO 17021:2011. BCMS communications, both internal and external to the organisation, must be considered and must cover the method and timing of such communication as well as the content. This underlines the need for adequate planning of the BCMS. BCMS documentation requirements follow the usual requirements for management systems, including the creation, amendment and control of documents.

Operation

Having considered the actions to address risks and opportunities as part of the BCMS planning phase, the organisation is now in a position to plan and control the operation of its business continuity management requirements. Most importantly this will include:

- A methodology and documented process for conducting a business impact analysis (BIA)
- A systematic methodology and documented process for conducting risk assessments
- A methodology for selecting business continuity strategies which will protect the most important activities of the business and ensure their resumption in the event of disruption. Resource requirements will form part of this process
- Business continuity procedures and plans required to maintain prioritised activities and their dependencies. ISO 22301 places greater emphasis on the procedure required to detect an incident, on early communication of it and on the need to monitor the incident regularly than previously seen in other BC management system standards. There is also a requirement to consider how the organisation will recover its activities from a temporary state back to normal (where appropriate)
- Exercises and tests to demonstrate the effectiveness of BCM arrangements

Performance evaluation

As with all management system standards there is a need to look back at what has been achieved. ISO 22301 also requires that this analysis is evaluated and conclusions drawn by the organisation. Performance metrics (to be selected by the business) are to be appropriate to the needs of the organisation. Whilst this is a new requirement for management system standards, it is likely that organisations already produce certain metrics, and these may be tailored to cover BCMS performance. Internal audits and management review continue to be key methods of reviewing the performance of the BCMS and tools for its continual improvement.

Impact on IRCA certificated training courses

IRCA will issue revised training course criteria at the earliest opportunity following publication of the standard in 2012. In summary, we will require training organisations to:

- Bring to the attention of students the (planned) changes to how management system standards will be standardised, and how this will impact on the implementation and maintenance of a management system
- Provide students with a general overview of business continuity management and how this sits within the Plan Do Check Act (PDCA) cycle of management systems
- Describe clearly each element of the business continuity management system cycle as described in ISO 22301 and the BCM Lifecycle first described in BS 25999 Part 1
- Identify methods of developing BCM awareness throughout the organisation, and manage student expectations when they are required to determine its effectiveness

How will the changes affect IRCA certificated auditors?

Auditors will need to be able to demonstrate competence in ISO 22301 before carrying out audits against it. This may be achieved by completing a suitable training course or other personal development activity that addresses both knowledge of ISO 22301 and its application in an audit situation. For BCM auditors who work for certification bodies, evidence of competence in ISO 22301 will be especially important to satisfy the requirements of ISO 17021:2011. For certification body auditors it is likely that evaluation of auditor competence will include periodic monitoring of auditor performance through observation and evaluation of audit outputs. When ISO 22301:2012 is published and arrangements for transition from BS 25999 to ISO 22301 are established, IRCA may issue a more detailed technical review to support the CPD of IRCA certificated BCMS auditors.

Will there be changes to the IRCA auditor certification criteria?

Currently we require applicants to have successfully completed an IRCA certificated training course, to have completed a minimum number of years of relevant workplace experience and to have completed a minimum number of audits, at least one of which must have been under the direction and guidance of an auditor currently certificated as a lead auditor. IRCA intends to revise the work experience requirements for BCMS Provisional Internal Auditors and BCMS Internal Auditors to one year of BCM experience. This is to reflect what IRCA considers a more realistic requirement for this group of applicants. All other requirements are expected to remain unchanged.

International Register of Certificated Auditors (IRCA)
2nd Floor North, Chancery Exchange, 10 Furnival Street, London EC4A 1AB, United Kingdom
Email: irca@irca.org
Tel: +44 (0) 20 7245 6833
Fax: +44 (0) 20 7245 6755
WWW.IRCA.ORG
