ISO 22301’s Relationship to BS 25999-2 and Other Standards

Brian Zawada, FBCI | Jan 14, 2013

Similar to other management systems standards, ISO 22301 is based on the ‘Plan-Do-Check-Act’ model that seeks to improve – in a continual manner – the effectiveness of the organization’s performance through proficient planning, implementation, supervision, review and maintenance.

As such, it is only proper that we discuss the relationship of ISO 22301 with other management systems standards.  The following summary offers a high-level comparison between ISO 22301 and another widely-adopted management systems standard, British Standard (BS) 25999-2 (2007). 

BS 25999-2 was the first standard to address the concept of a business continuity management system, which provided the foundation for ISO 22301.  Like BS 25999, ISO 22301 addresses the design, implementation and continual improvement of a business continuity management system in the form of a “requirements” standard, meaning it is written for optional audit and certification.

A comparison of ISO 22301 to BS 25999-2 will note that both standards include many of the same core elements, including:

  • The ‘Plan Do Check Act’ Cycle
  • Business Continuity Policy
  • Business Impact Analysis
  • Risk Assessment and Risk Treatment
  • Business Continuity Plans and Strategy
  • Exercising
  • Internal Audit
  • Management Review
  • Non-conformity and Corrective Action
  • Continuous Improvement

Although ISO 22301 includes what many business continuity professionals regard as improvements, its content (as opposed to the organization of the document) is very similar to BS 25999-2. Some of the key differences (or improvements) include the following:

  • Unlike BS 25999-2, ISO 22301 is a “true” international standard (it was developed by dozens of country representations and facilitated by the International Standardization Organization as opposed to the British Standards Institute), which will likely result in broader international acceptance and use.
  • ISO 22301 was published by an ISO group that looks at overall societal security responsibility, acknowledging the important role that business continuity has in protecting society and ensuring the ability to respond to incidents, emergencies and disasters.
  • ISO 22301 better articulates the relationship between business continuity and risk management (as defined in ISO 31000), calling out the need to understand risk appetite.
  • ISO 22301 offers more complete descriptions of processes, activities and outcomes, rather than relying on difficult-to-understand jargon.
  • ISO 22301 offers expanded content focused on:
      • Performance monitoring and metrics
      • Supply chain considerations
      • Clarity regarding top (senior) management participation (however, the roles performed by “top management” remain the same at a high level)
  • ISO 22301 clarifies the role of leadership. BS 25999 often uses the phrase “The organization shall” or high-level descriptions to state top management’s (leadership’s) role in the business continuity management system. ISO 22301 is more specific, offering approximately 91 “Top management shall” related statements, compared to 56 in BS 25999. Although this may sound like an expansion, Avalution concludes the expanded number reflects clarity on activities that were – or should be – performed by top management regardless. Overall, the role of leadership did not materially change when comparing the two standards.
  • ISO 22301 also reflects changes in ISO standards content in general (this is the first international standard that follows the format prescribed by ISO Guide 83), namely the replacement of the term “stakeholders” with “interested parties”, as well as the removal of preventive actions.
  • ISO 22301 has a clear relationship with other international management system standards. This relationship allows for the integration and sharing of some management processes, thereby offering the opportunity to lower the cost of business management while enhancing other business systems. Examples include ISO 27001 (Information Security) and ISO 20000 (Service Management).

If you have questions or would like to discuss this topic further, please reach out to us. Our team has been a longtime proponent of standards and always welcomes a conversation about how certification (if there’s a business case) or alignment to a standard can benefit your organization.

Brian Zawada
Avalution Consulting