• Home /
• Do you have BS 25999-2?

Find out your options in relation with the new International Standard ISO 22301

Business Continuity Management

Making the move from BS 25999-2 to ISO 22301?

If you're new to business continuity management, ISO 22301 Business Continuity Management follows the very latest best practice for business continuity. You may wish to align and certify to this International Standard.

For more information, please click here to see our FAQ for certification and assessment customers around making the transition from BS 25999-2 to ISO 22301.

How does ISO 22301 compare to BS 25999-2?

All core BS 25999-2 business continuity requirements are present in ISO 22301. These include:

• business continuity policy
• business impact analysis
• risk assessment
• business continuity strategy (business continuity plans, exercising and testing)
• management review
• internal audit
• non-conformity and corrective action.

What’s different?

Objectives, monitoring performance and metrics
ISO 22301 puts greater emphasis on the setting of objectives, monitoring performance and metrics – bringing business continuity much closer to top management. These may be new requirements, but many organizations already produce metrics to quantify their business performance and can extend these to cover BCMS performance.

Top management commitment
ISO 22301 gives top management clearer BCM leaderships responsibilities and outlines specific ways in which management must demonstrate its commitment to the system.

Planning
ISO 22301 requires specific resource planning and preparation. It aims to integrate the BCMS with the organization’s objectives and risk appetite. Requirements are extended and more clearly structured.  

Requirements around Supply Chain
ISO 22301 specifies more requirements relating to suppliers. These make it a useful tool for validating supply chains and client and contractual requirements.

Interested parties
The new international standard requires organizations to consider their interested parties more widely than BS 25999-2, bringing about closer alignment with organisational objectives for corporate social responsibility.

International adoption and acceptance
ISO 22301 is likely to lead to wider use of international BCMS best practice. It aims to standardize the approach to and language of BCM, creating a level playing field for international business. 

I’m aligned to the standard BS 25999-2. Can I still use it?

While BS 25999-2 should be withdrawn, it remains relevant and you can still use it. The standard has simply been superseded by ISO 22301 based on the way BCM best practice has evolved over the past five years. 

BS 25999-2 should be withdrawn on 1 November 2012 (a six month period after ISO 22301 publication).

I’m certified to the standard BS 25999-2. How quickly do I need to change from BS 25999-2 to the new ISO 22301?

ISO 22301 isn't going to be considered a new scheme, but rather it will be considered a transition. Clients with BS 25999 certification with BSI can undertake a transfer assessment aligned to their current planned surveillance visits. These will be of the same duration, and the process will start soon after publication of the standard.

While I’m making the move from BS 25999-2 to ISO 22301, is my BS 25999-2 certificate still valid?

Yes, certificates issued to BS 25999-2 will remain valid during the transitional period. No further certification or renewals will be issued to BS 25999-2 after May 2014 (to be confirmed)

Will there be an ISO guidance standard to 22313?

Yes, this is ISO 22313 Societal security - Business continuity management systems - Guidance. It is due in late 2012/2013. In the interim BS 25999-1 will still act as useful guidance.

What will happen to BS 25999-1?

This will be determined in the future based on the developments of ISO 22313 Societal security - Business continuity management systems – Guidance.

Who do I contact if I have further queries?

Email talkingbusinesscontinuity@bsigroup.com.

For more detailed FAQ's please click here...