[EDITOR'S NOTE – Brian Zawada is a member of the US Technical Advisory Group to ISO Technical Committee 223. Zawada participated in the June 2011 Berlin and November 2011 meetings as a member of Working Group 4, the team charged with developing ISO 22301, 22313 and 22323.]
There are numerous articles and conversations currently taking place regarding ISO 22301 and ISO Technical Committee (TC) 223 in general – some based on fact, but many based on assumption and rumor. So, what’s the real story on ISO 22301 and the work being performed related to societal security?
The purpose of this article is to provide updated information to help business continuity professionals better understand the ISO TC 223 standards development efforts underway and when to expect final work product that can help your organization better prepare for disruption.
What is Technical Committee (TC) 223?
According to the ISO website, TC 223 is pursuing international standardization in the area of societal security, aimed at increasing crisis management and business continuity capabilities, i.e. through improved technical, human, organizational, and functional interoperability as well as shared situational awareness, amongst all interested parties. The committee will use an all-hazards approach covering all necessary activities in the key phases of crisis management and business continuity. Approximately 45 countries are participating, with 17 observing. At this time, there are six workgroups working on a variety of initiatives:
- Workgroup 1: Framework Standard on Societal Security Management
- Workgroup 2: Terminology
- Workgroup 3: Emergency Management
- Workgroup 4: Preparedness and Continuity
- Workgroup 5: Video Surveillance
- Workgroup 6: Mass Evacuation
What is ISO 22301?
Its official title is, “Societal Security – Business Continuity Management Systems – Requirements”. As the name implies, it’s a standard for implementing a business continuity management system and continuously improving business continuity capabilities based on management priorities and feedback. The purpose and intent of this standard is to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of, occurrence of, prepare for, respond to and recover from a disruptive incident when it arises. ISO 22301 was written in a manner that will allow organizations to pursue organizational certification.
ISO 22301 was officially approved for publication as an international standard on April 2, 2012. ISO expects to publish the final version of the standard by the end of May 2012.
Are there other standards being developed by TC 223?
Yes. In addition to ISO 22301, here is an informal listing of some of the standards currently being worked on (some of the titles may change based on TC 223 discussion and public comment):
- ISO 22300: Societal Security – Vocabulary
- ISO 22311: Societal Security – Video Surveillance
- ISO 22313: Societal Security – Business Continuity Management Systems – Guidance*
- ISO 22320: Societal Security – Emergency Management – Requirements for Incident Response (approved on 22 October 2011 – the first TC 223 standard approved for publication)
- ISO 22322: Societal Security – Emergency Management – Public Warning
- ISO 22323: Societal security – Organizational Resilience Management Systems – Requirements with Guidance for Use**
- ISO 22351: Societal Security – Emergency Management – Shared Situational Awareness
- ISO 22397: Societal Security – Guideline to Set Up a Public Private Partnership
- ISO 22398: Societal Security – Guideline for Exercises and Testing
- ISO 22399: Societal Security – Guideline for Incident Preparedness and Operational Continuity Management
* Regarding ISO 22313, this is the guidance document for ISO 22301, which describes strategies to implement a business continuity management system.
** Regarding ISO 22323, this standard is also written for certification (with embedded guidance as an annex), and it is based on the ASIS SPC.1-2009 Organizational Resilience Standard and ISO 31000.
There are a lot of acronyms that describe the stages of a document in the ISO standards development process. What are the primary stages?
- NWIP – New Work Item Proposal (the first stage of the standards development process)
- WD – Workgroup Draft (the working draft that reflects technical content that an assigned workgroup or project team develops before seeking broader comment by the sponsoring committee)
- CD – Committee Draft (the first “complete” version that the full technical committee votes and comments on until consensus is reached)
- DIS – Draft International Standard (sent to all ISO member bodies, voting is performed and comments made; 2/3 of technical committee “primary” members must vote yes and no more than ¼ of all ISO member bodies can vote no)
- FDIS – Final Draft International Standard (sent to all ISO member bodies, voting is performed and if comments are received, they are saved for future revision; 2/3 of technical committee “primary” members must vote yes and no more than ¼ of all ISO member bodies can vote no)
Is ISO 22301 really based on BS 25999-2 (2007)?
Yes. BS 25999-2 was certainly an input in the development of ISO 22301, although there were many other sources of input, as well as public comment. As a matter of fact, there were over 450 public comments submitted that Working Group 4 considered in June 2011 during the Berlin workgroup meeting.
What are the specific similarities?
The biggest similarity is that both BS 25999-2 and ISO 22301 are business continuity management systems (BCMS) standards – leveraging Plan-Do-Check-Act concepts – and written for voluntary organizational certification. The content is very similar in that the document outlines BCMS requirements, but does not prescribe how to plan in a prescriptive manner.
What are the key differences?
Beyond the document’s organization, I think ISO 22301 has less jargon (for example, acronyms such as MTPOD are gone). Additionally, there is more content specific to life/safety and risk mitigation, common criticisms of BS 25999. Lastly, I think that there is a good description of how the ISO 22301 process addresses all organizational resources as it relates to in-scope products and services, with one type of resource being technology. Many practitioners expressed a concern that technology recovery was omitted from BS 25999 – hopefully the clarification helps.
I heard there’s a new format for this ISO standard – is that true?
Yes. ISO commissioned a group called the JTCG, which standards for Joint Technical Coordination Group. They created a standard approach for management systems specification standards, with some standard language. The organization is based on the following ten sections:
- Normative References
- Terms and Definitions
- General Requirements
- Performance Evaluation
It should be expected that other management systems specifications will follow a similar organization when they are authored or revised.
Of note, many practitioners saw a December 2010 version that was published as a Draft International Standard for comment. Beyond changing the title, a good amount of change that has taken place since, with some content moved to better align to the PDCA model, as well as other content removed to avoid unnecessary duplication.
When will ISO 22301 be approved as an official, “final” standard?
ISO 22301 was officially approved for publication as an international standard on April 2, 2012. ISO 22301’s guidance document, ISO 22313, was published as a Draft International Standard (DIS) for comment/vote and the results of the commenting and voting process will be known in May 2012.
ISO 22323 was reissued as a Workgroup Draft following the November 2011 Beijing meeting, and experts participating on the technical committee will offer another round of comments in the first half of 2012.
Will ISO 22301 replace BS 25999 and other business continuity-related standards?
Perhaps (most likely). Ultimately, withdrawal decisions depend on the Standards Development Organizations that authored the original standards. In the past, the British Standards Institution (the authors of BS 25999) retired their standards when the topic or content transitions to an ISO standard.
Will organizations be able to obtain certification to ISO 22301?
Yes. Organizations will be able to obtain certification to ISO 22301 similar to other certifiable standards such as ISO 9000, 14000, 27001 and 28000 (as well as BS 25999).
Will I have another chance to provide commentary on ISO 22301 before it’s released as an international standard?
No. However, all international standards work through a review and comment period, typically every few years. Practitioners will be asked to comment during the next maintenance period by their country’s delegation.
Will ISO 22301 become available as a certifiable standard under PS-PREP?
To be determined. That is a decision entirely up to the US Department of Homeland Security and FEMA following the publication of ISO 22301. According to the FEMA website:
“DHS will continue to accept comments on PS-Prep, the three adopted standards, and/or proposals to adopt any other similar standard that satisfies the target criteria of the December 2008 Federal Register notice which announced the program. DHS will review any comments received or proposals for DHS adoption of additional standards and, when merited, will publish a Federal Register notice providing the results of that review or notifying the public of an intention to adopt additional standards.”
Please visit www.avalution.com for future updates on ISO 22301 and TC 223, as well as upcoming perspectives and white papers on how to plan to implement this standard in your organization. Avalution is actively working on a white paper regarding strategies to leverage ISO 22301 to improve business continuity performance.
Brian Zawada, Director of Consulting
Avalution Consulting: Business Continuity Consulting