ISO 22301 – Misconceptions and Clarifications

Guest Post by Barry Cardoza, CBCP
Original Publish Date: September 2012 (before ISO 22313 was published)

For those who had hoped (as I had) that the final version of the International Organization for Standardization’s ISO 22301 would be the comprehensive and very detailed replacement for BS 25999 parts 1 and 2, giving clear instructions regarding how to actually create the elements of a Business Continuity Program, it is definitely not that.  In reality, it is replacing BS 25999-2, which will no longer be published after November of 2012, and it does provide very valuable guidance for an organization as it relates to the elements of a best practice-oriented business continuity management system; it’s just “different” in its purpose and scope than what many business continuity professionals might have expected.

I had a lot of misconceptions about the standard.  Fortunately, Brian Zawada, of Avalution Consulting, who is an international expert and extensively involved in the development of ISO standards as the head of the U.S. delegation to ISO’s Technical Committee 223, has been good enough to spend a great deal of time correcting my misunderstandings.

ISO 22301 is titled, “Societal Security — Business continuity Management Systems — Requirements.”  Its purpose is to create a “management system” that will ensure your business continuity planning efforts meet business objectives which, in turn, will meet the objectives of a company’s executive management.  It is very high-level and designed to be applicable to a company of any size and type.  And, ISO 22301 is very much designed to get the attention of executive management by communicating in terms of their objectives and the way in which they measure organizational performance.

The standard is based on the Plan/Do/Check/Act model with “Plan” being what you do to ensure that your program has elements that align with your company’s objectives.  “Do” is about ensuring that your program has implemented controls to accomplish the objectives within “Plan.”  “Check” is about continuously monitoring the program to ensure that it is meeting the objectives, and identifying opportunities for process improvement.  “Act” is about continuously improving the program to ensure that its scope is appropriate to the company and that the business objectives are being met.

Regarding consistent terminology, there is a glossary of terms, but many of those terms (and particularly acronyms) are not used within the body of this document.  The document describes common terms in clear language, avoiding acronyms.  So, for instance, there is a definition of “RTO” in the glossary, but (to their credit) that acronym is not used within the main document (it, like many other terms, is used in the accompanying ISO guidance document, 22313).  “Recovery objectives” are clearly described without using the acronym.  This approach makes the standard more applicable to the many countries, and types of businesses within those countries, for which it was written.  Brian has clarified that the (soon to be published) ISO 22313 standard is designed to be more of a “how to” guidance and uses the terms in the glossary because they are familiar to BC professionals.

But, what about a company seeking certification against this standard?  My fear was that it is too high-level and subjective for certification.  BS 25999-2 was designed to be an “auditable” standard, meaning you can break it down into a checklist of specific “shall do this” and “consider this” line items.  Using a similar approach, ISO 22301 talks about the elements your program must have.  But, to what extent have you met those requirements and how effective are they?  From an audit perspective, I was afraid that there could be a great deal of dependency on the auditor’s (or certifying authority’s) opinion.  Brian’s clarification:  “That’s not what an auditor does – they do not judge performance of the solutions!  They judge the existence of the elements of the management system and the involvement of management – its management then must judge the performance of the response and recovery solutions based on their objectives, and they will do so through a review of metrics as communicated during the management review.”

I was concerned that when a company asks to be certified against any standard they are assuming some degree of risk.  If they apply for a certification and fail, could that become public record, documenting for customers and insurers that they are not prepared to deal with a crisis, even though they may have a very robust Business Continuity Program in place?  Brian had this to say:  “Actually, nothing can be further from the truth – feedback from a management system is not discoverable based on US case law.  Certifying bodies do not publish failed certification audits – they only publish a list of those that successfully receive certification.”

So, I then had to wonder if it wouldn’t make sense to wait for ISO 22313, which is supposed to be more of a “how to” guidance document.  Seemed like it might be more objectively auditable.  But, Brian clarified that, “Unfortunately, it won’t do anything to help from an audit perspective – it is solely focused on helping someone implement ISO 22301 – it is not available for certification as it’s a guidance document to accompany 22301.”

Regarding my impression that there is the risk of ISO 22301 being too high-level to be auditable, Brian says that, “You either do something or you don’t – it’s not the degree to which it’s accomplished.  The biggest problem with a certification is that it doesn’t judge the viability of the preparedness solution or its performance in a test or crisis; it judges the fact that an organization implemented a management system and went through a process consistent with the standard.  That’s really the bottom-line.”

Brian has also said that, “Having gone through a few of these certification audits internally and with our clients, you must provide evidence associated with each clause; that is each clause with the word ‘shall.’  If the evidence does not exist, it will likely result in a major or minor non-conformity.  ISO 22301 is not written in any way to be subjective; it can’t be.”

So, even being the paranoid person that I am (hey…doesn’t a little paranoia come with the profession) I now feel a lot more comfortable with ISO 22301 thanks to all of Brian’s great feedback (and patience with me).  Brian has also offered his email address for those who have other questions or concerns about ISO 22301, which is [email protected].

Additionally, Brian Zawada and Robert Giffin of Avalution Consulting did two excellent presentations on ISO 22301 during the 2012 DRJ Fall World Conference (one as a General Session and the other as a Workshop) and Brian has offered to share the slides from those presentations with people who could not attend.  You can find “Build an ISO 22301 Management System to Capture Executive Attention” and “DRJ Fall 2012 General Session” on the BRMA website in the Document Repository in the “Members Only” section of the website.  It is stored under the “Establishing a Measure of Control” category.

You can also purchase a full version of ISO 22301 from the American National Standards Institute (ANSI).

Additional Resource:
Implementing ISO 22301: The Business Continuity Management System Standard


Guest Post by Barry Cardoza, CBCP
[email protected]