An Update on TC 223 and ISO 22301 (Updated November 11, 2011)

[EDITOR'S NOTE – Brian Zawada is a member of the US Technical Advisory Group to ISO Technical Committee 223. Zawada participated in the June 2011 Berlin and November 2011 Beijing meetings as a member of Working Group 4, the team charged with developing ISO 22301, 22313 and 22323.]

There are numerous articles and conversations currently taking place regarding ISO 22301 and ISO Technical Committee (TC) 223 in general – some based on fact, but many based on assumption and rumor. So, what’s the real story on ISO 22301 and the work being performed related to societal security?

The purpose of this article is to provide updated information to help business continuity professionals better understand the ISO TC 223 standards development efforts underway and when to expect final work product that can help organizations better prepare for disruption.

What is Technical Committee 223?
According to the ISO website, TC 223 is pursuing international standardization in the area of societal security, aimed at increasing crisis management and business continuity capabilities (i.e. through improved technical, human, organizational, and functional interoperability as well as shared situational awareness, among all interested parties). The committee will use an all-hazards approach covering all necessary activities in the key phases of crisis management and business continuity. Approximately 45 countries are participating, with 17 observing. At this time, there are five workgroups working on a variety of initiatives:

  • Workgroup 1: Framework Standard

  • Workgroup 2: Terminology

  • Workgroup 3: Command and Control

  • Workgroup 4: Business Continuity Management System (BCMS)/Organizational Resilience (OR)

  • Workgroup 5: Video Surveillance

What is ISO 22301?
ISO 22301 is one of the many standards currently under development by TC 223. Its official title is "Societal Security – Business Continuity Management Systems – Requirements". As the name implies, it is a standard for implementing a business continuity management system (BCMS) and continually improving business continuity capabilities based on management priorities and feedback.

Although the content isn’t officially finalized, the purpose and intent of this standard is to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to and recover from disruptive incidents when they arise.

ISO 22301 is being written in a manner that will allow organizations to pursue organizational certification.

Are there other standards being developed by TC 223?
Yes. In addition to ISO 22301, here is an informal listing of some of the standards currently being worked on (some of the titles may change based on TC 223 discussion and public comment):

  • ISO 22300: Societal Security – Vocabulary

  • ISO 22311: Societal Security – Video Surveillance

  • ISO 22313: Societal Security – Business Continuity Management Systems – Guidance*

  • ISO 22320: Societal Security – Emergency Management – Requirements for Incident Response (approved on 22 October 2011 – the first TC 223 standard approved for publication)

  • ISO 22322: Societal Security – Emergency Management – Public Warning

  • ISO 22323: Societal Security – Organizational Resilience Management Systems – Requirements with Guidance for Use**

  • ISO 22351: Societal Security – Emergency Management – Shared Situational Awareness

  • ISO 22397: Societal Security – Guideline to Set Up a Public Private Partnership

  • ISO 22398: Societal Security – Guideline for Exercises and Testing

  • ISO 22399: Societal Security – Guideline for Incident Preparedness and Operational Continuity Management

* Regarding ISO 22313, this is the guidance document for ISO 22301, which describes strategies to implement a business continuity management system.

** Regarding ISO 22323, this standard is also written for certification (with embedded guidance as an annex), and it is based on ISO 31000 and the ASIS SPC.1-2009 Organizational Resilience Standard.

Defining ISO Acronyms

There are numerous acronyms used to describe the stage of a document in the ISO standards development process. The primary stages include:

  • NWIP – New Work Item Proposal
    The first stage of the standards development process

  • WD – Working Draft
    The working draft that reflects the technical content an assigned workgroup or project team develops before seeking broader comment from the sponsoring technical committee

  • CD – Committee Draft
    The first “complete” version that the full technical committee votes and comments on until consensus is reached

  • DIS – Draft International Standard
    Sent to all ISO member bodies for voting and comment; approval requires that 2/3 of the technical committee's participating ("P") members vote yes and that no more than ¼ of the total votes cast are negative

  • FDIS – Final Draft International Standard
    Sent to all ISO member bodies for a final yes/no vote; any comments received are saved for a future revision rather than acted on; the same approval threshold applies (2/3 of P-members voting yes, and no more than ¼ of the total votes cast negative)

Is ISO 22301 really based on BS 25999-2 (2007)?
Yes. BS 25999-2 was certainly an input in the development of ISO 22301, although there were many other sources of input, as well as public comment. As a matter of fact, there were over 450 public comments submitted that Working Group 4 considered in June 2011 during the Berlin meeting.

What are the specific similarities?
The biggest similarity is that both BS 25999-2 and ISO 22301 are business continuity management systems (BCMS) standards – leveraging Plan-Do-Check-Act (PDCA) concepts – and written for voluntary organizational certification. The content is very similar in that each document states the requirements a BCMS must meet, but neither prescribes how those requirements are to be met.

What are the key differences?
Beyond the document’s organization, I think ISO 22301 has less jargon (for example, acronyms such as MTPOD are gone). Additionally, there is more content specific to life/safety, which was a common criticism of BS 25999. Lastly, I think that there is a good description of how the ISO 22301 process addresses all organizational resources as it relates to in-scope products and services, with one type of resource being technology. Many practitioners expressed a concern that technology recovery was omitted from BS 25999 – hopefully the clarification helps.

I heard there’s a new format for this ISO standard – is that true?
Yes. ISO commissioned a group called the JTCG (Joint Technical Coordination Group), which created a standard structure for management system requirements standards, along with some common core text. The structure consists of the following ten sections:

  1. Scope

  2. Normative References

  3. Terms and Definitions

  4. General Requirements

  5. Leadership

  6. Planning

  7. Support

  8. Operation

  9. Performance Evaluation

  10. Improvement

It should be expected that other management systems specifications will follow a similar organization when they are authored or revised.

Many business continuity practitioners reviewed and commented on the ISO 22301 Draft International Standard (published December 2010). That version of ISO 22301 reflected the new ISO document organization. Since that time, a number of changes were made in order to address submitted comments and move the document to FDIS. Beyond technical edits, changes included:

  1. Some content duplication was removed, and some content was shifted to more appropriate sections in order to better align to the PDCA model

  2. The title changed – it’s now called “Societal security — Business continuity management systems — Requirements”

When will ISO 22301 be approved as an official, “final” standard?
During the Beijing meeting that concluded November 11, 2011, Workgroup 4 released a proposed timeline for approval:

  • Publish the Final Draft International Standard (FDIS) in December 2011 for member review

  • Review results of member country voting, which will be completed by April 2012

  • If approved, ISO to publish shortly thereafter (however not immediately)

ISO 22301’s guidance document, ISO 22313, will soon be published as a Draft International Standard (DIS) for comment/vote and the results of the commenting and voting process will be known in May 2012.

ISO 22323 is being reissued as a Working Draft following the Beijing meeting, and experts participating on the technical committee will offer another round of comments in the first half of 2012.

Will ISO 22301 replace BS 25999 and other business continuity-related standards?
Perhaps (most likely). Ultimately, withdrawal decisions depend on the Standards Development Organizations that authored the original standards. In the past, the British Standards Institution (the author of BS 25999) has retired its standards when their topic or content transitioned to an ISO standard.

Will organizations be able to obtain certification to ISO 22301?
Yes. Organizations will be able to obtain certification to ISO 22301 in the same way they can to other certifiable management system standards such as ISO 9001, 14001, 27001 and 28000 (as well as BS 25999-2).

Will I have another chance to provide commentary on ISO 22301 before it’s released as an international standard?
No. Because ISO 22301 is now being moved forward as a Final Draft International Standard, countries participating as "P" (participating) members will simply vote for or against releasing 22301 as an ISO standard. If comments are submitted, they are saved for a future revision.

Will ISO 22301 become available as a certifiable standard under PS-Prep?
To be determined. That is a decision entirely up to the US Department of Homeland Security (DHS) and FEMA following the publication of ISO 22301. According to the FEMA website:

“DHS will continue to accept comments on PS-Prep, the three adopted standards, and/or proposals to adopt any other similar standard that satisfies the target criteria of the December 2008 Federal Register notice which announced the program. DHS will review any comments received or proposals for DHS adoption of additional standards and, when merited, will publish a Federal Register notice providing the results of that review or notifying the public of an intention to adopt additional standards.”

Please visit www.avalution.com for future updates on ISO 22301, as well as upcoming perspectives and white papers on how to plan to implement this standard in your organization.
—————————
Brian Zawada, Director of Consulting
Avalution Consulting: Business Continuity Consulting