An Update on TC 223 and ISO 22301
Updated June 2012
[EDITOR'S NOTE – Brian Zawada is a member of the US Technical Advisory Group to ISO Technical Committee 223. Zawada participated in the 2011 and 2012 meetings as a member of Working Group 4, the team charged with developing ISO 22301, 22313 and 22323.]
There are numerous articles and conversations currently taking place regarding ISO 22301 and ISO Technical Committee (TC) 223 in general – some based on fact, but many based on assumption and rumor. So, what’s the real story on ISO 22301 and the work being performed related to societal security?
The purpose of this article is to provide updated information to help business continuity professionals better understand the ISO TC 223 standards development efforts underway and when to expect final work product that can help your organization better prepare for disruption.
What is Technical Committee (TC) 223?
According to the ISO website, TC 223 is pursuing international standardization in the area of societal security, aimed at increasing crisis management and business continuity capabilities, i.e. through improved technical, human, organizational, and functional interoperability as well as shared situational awareness, amongst all interested parties. The committee will use an all-hazards approach covering all necessary activities in the key phases of crisis management and business continuity. Approximately 45 countries are participating, with 17 observing. At this time, there are six workgroups working on a variety of initiatives:
- Workgroup 1: Framework Standard on Societal Security Management
- Workgroup 2: Terminology
- Workgroup 3: Emergency Management
- Workgroup 4: Preparedness and Continuity
- Workgroup 5: Video Surveillance
- Workgroup 6: Mass Evacuation
What is ISO 22301?
Its official title is, “Societal Security – Business Continuity Management Systems – Requirements”. As the name implies, it’s a standard for implementing a business continuity management system and continuously improving business continuity capabilities based on management priorities and feedback. The purpose and intent of this standard is to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of, occurrence of, prepare for, respond to and recover from a disruptive incident when it arises. ISO 22301 was written in a manner that will allow organizations to pursue organizational certification.
ISO 22301 was officially approved for publication as an international standard on April 2, 2012, and ISO published the final version of the standard on May 15, 2012.
Are there other standards being developed by TC 223?
Yes. In addition to ISO 22301, here is an informal listing of some of the standards currently being worked on (some of the titles may change based on TC 223 discussion and public comment):
- ISO 22300: Societal Security – Vocabulary (published)
- ISO 22311: Societal Security – Video Surveillance
- ISO 22313: Societal Security – Business Continuity Management Systems – Guidance*
- ISO 22320: Societal Security – Emergency Management – Requirements for Incident Response (approved on 22 October 2011 – the first TC 223 standard approved for publication)
- ISO 22322: Societal Security – Emergency Management – Public Warning
- ISO 22323: Societal security – Organizational Resilience Management Systems – Requirements with Guidance for Use
- ISO 22351: Societal Security – Emergency Management – Shared Situational Awareness
- ISO 22397: Societal Security – Guideline to Set Up a Public Private Partnership
- ISO 22398: Societal Security – Guideline for Exercises and Testing
- ISO 22399: Societal Security – Guideline for Incident Preparedness and Operational Continuity Management
* Regarding ISO 22313, this is the guidance document for ISO 22301, which describes strategies to implement an ISO 22301 “compliant” business continuity management system.
There are a lot of acronyms that describe the stages of a document in the ISO standards development process. What are the primary stages?
- NWIP – New Work Item Proposal (the first stage of the standards development process)
- WD – Workgroup Draft (the working draft that reflects technical content that an assigned workgroup or project team develops before seeking broader comment by the sponsoring committee)
- CD – Committee Draft (the first “complete” version that the full technical committee votes and comments on until consensus is reached)
- DIS – Draft International Standard (sent to all ISO member bodies, voting is performed and comments made; 2/3 of technical committee “primary” members must vote yes and no more than ¼ of all ISO member bodies can vote no)
- FDIS – Final Draft International Standard (sent to all ISO member bodies, voting is performed and if comments are received, they are saved for future revision; 2/3 of technical committee “primary” members must vote yes and no more than ¼ of all ISO member bodies can vote no)
Is ISO 22301 really based on BS 25999-2 (2007)?
Yes. BS 25999-2 was certainly an input in the development of ISO 22301, although there were many other sources of input, as well as public comment. As a matter of fact, there were over 450 public comments submitted that Working Group 4 considered in June 2011 during the Berlin workgroup meeting that led to the final version published in May 2012.
What are the specific similarities?
The biggest similarity is that both BS 25999-2 and ISO 22301 are business continuity management systems (BCMS) standards – leveraging Plan-Do-Check-Act concepts – and written for voluntary organizational certification. The content is very similar in that the document outlines BCMS requirements, but does not dictate how to plan in a prescriptive manner.
What are the key differences?
Beyond the document’s organization, I think ISO 22301 has less jargon (for example, acronyms such as MTPOD are gone). Additionally, there is more content specific to management involvement, life/safety and risk mitigation, common criticisms of BS 25999. Lastly, I think that there is a good description of how the ISO 22301 process addresses all organizational resources as it relates to in-scope products and services, with one type of resource being technology. Many practitioners expressed a concern that technology recovery was omitted from BS 25999 – hopefully the clarification helps.
I heard there’s a new format for this ISO standard – is that true?
Yes. ISO commissioned a group called the JTCG, which standards for Joint Technical Coordination Group. They created a standard approach for management systems specification standards, with some standard language. The organization is based on the following ten sections:
- Normative References
- Terms and Definitions
- General Requirements
- Performance Evaluation
It should be expected that other management systems specifications will follow a similar organization when they are authored or revised.
When will ISO 22301 be approved as an official, “final” standard?
ISO 22301 was officially approved for publication as an international standard on April 2, 2012, and the final version was released for purchase on May 15, 2012.
ISO 22301’s guidance document, ISO 22313, was published as a Draft International Standard (DIS) for comment/vote, with comments addressed in Bogota, Colombia during the week of May 28, 2012. TC 223 member countries approved the DIS, and although not yet formally determined, it is likely ISO 22313 will move forward as an FDIS for voting later this year.
ISO 22323 was reissued as a Workgroup Draft following the November 2011 Beijing meeting, and experts participating on the technical committee offered another round of comments in the first half of 2012. In Bogota, the workgroup recommended that the standard change from a Requirements and Guidance document to a Guidance-only document, in addition to moving away from a management systems standard. As a result, ISO will likely cancel the project due to the scope change, and restart immediately with a new ISO number (223XX).
Will ISO 22301 replace BS 25999 and other business continuity-related standards?
BSI announced that it will withdraw BS 25999-2 in November 2012. For other standards, withdrawal decisions depend on the Standards Development Organizations that authored the original standards.
Will organizations be able to obtain certification to ISO 22301?
Yes. Organizations will be able to obtain certification to ISO 22301 similar to other certifiable standards such as ISO 9000, 14000, 27001 and 28000 (as well as BS 25999-2).
Will I have another chance to provide commentary on ISO 22301 in the future?
Typically, every few years, all international standards work through a review and comment period.. Practitioners will be asked to comment during the next maintenance period by their country’s delegation. Many experts expect that ISO 22301 will go through a formal review and comment period within two to three years.
Will ISO 22301 become available as a certifiable standard under PS-PREP?
To be determined. That is a decision entirely up to the US Department of Homeland Security and FEMA following the publication of ISO 22301. According to the FEMA website:
“DHS will continue to accept comments on PS-Prep, the three adopted standards, and/or proposals to adopt any other similar standard that satisfies the target criteria of the December 2008 Federal Register notice which announced the program. DHS will review any comments received or proposals for DHS adoption of additional standards and, when merited, will publish a Federal Register notice providing the results of that review or notifying the public of an intention to adopt additional standards.”
Please visit www.avalution.com for future updates on ISO 22301 and TC 223, as well as upcoming perspectives and white papers on how to plan to implement this standard in your organization. Avalution is actively working on a white paper regarding strategies to leverage ISO 22301 to improve business continuity performance that will be available in July 2012.
Brian Zawada, Director of Consulting