IRCA Briefing note: ISO/FDIS 22301:2012 – Societal security – Business continuity management systems – Requirements

Introduction

The International Register of Certificated Auditors (IRCA) has prepared this briefing note to communicate to IRCA Certificated Auditors, IRCA Approved Training Organisations and other interested parties our understanding of ISO/FDIS 22301:2012. The content of this briefing note is provided in good faith and is IRCA’s opinion. It should not be reproduced nor used for commercial purposes.

Summary of the contents of ISO FDIS 22301:2012

Overview

Over recent years a number of national and regional business continuity standards have been produced, most notably BS 25999-1:2006 Part 1 – Code of Practice and BS 25999-2:2007 Part 2 – Specification. The Part 2 Specification has led the way in developing business continuity management system requirements considered credible by both business continuity practitioners and interested bodies forming part of the Technical Committee. It is therefore not surprising that the British Standard has played a significant part in the development of the ISO Societal security series.

In recognition of the rapidly growing global interest in business continuity management systems, ISO has developed, through the Technical Committee known as ISO/TC 223 Societal security, ISO 22301, Societal security – Business continuity management systems – Requirements. It is a specification standard to which certification bodies may offer third party certification to their clients. It forms part of the wider Societal security – Business continuity management system series of documents, which also consists of ISO 22300 – Vocabulary and ISO 22313 – Guidance.

FDIS released to the National Standards bodies: 1 February 2012. ISO 22301:2012 expected to be issued: May 2012.

ISO is currently developing a high level structure and standardised text suitable for all ISO management system standards. The document under development at the time of publication of this briefing note is called ISO Guide 83 and is at draft status. The intention is to help those organisations which wish to implement more than one management system standard and, up until now, may have been faced with different terminology and requirements for essentially what are the fundamental elements of a management system. It is anticipated that ISO 22301 will be the first “new” ISO management system standard to be structured in this format and will lead the way for all new and revised versions of existing ISO standards.

Whilst there has been no reason to change the core elements of business continuity management as recognised by BCM practitioners and industry related bodies, there are elements of ISO 22301 which have re-emphasised some of the fundamental aspects of BCM, such as the need for a proactive approach to planning, taking into consideration the organisation’s attitude towards risk as well as demonstrating a clear link with its strategic objectives and the needs and expectations of key stakeholders.

Notable shifts in emphasis include, in particular:
• Top Management leadership shall be more demonstrable towards the management system
• Preventive action has been replaced with “actions to address risks and opportunities”, which feature at an earlier stage in the development of a management system than preventive action used to (Planning phase)
• Greater specification and requirement for internal and external communications relevant to the management system
• Strong emphasis on performance evaluation

Publication is anticipated in 2012. IRCA certificated auditors and IRCA Approved Training Organisations are advised to familiarise themselves with ISO 22301:2012 when it is published.

Detailed review

Terms and definitions have been included which are both new to business continuity management systems as well as some definitions which have been revised for the ISO standard. To reflect the Societal security approach some new terminology has been introduced and, once published, readers of ISO 22301 should also familiarise themselves with the vocabulary in ISO 22300. Look out for the following terms and make sure you consider the implications any change in definition may have on the organisation.
• Audit
• Business continuity plan
• Business continuity programme
• Corrective action
• Interested party
• Maximum acceptable outage (MAO)
• Maximum tolerable period of disruption (MTPD)
• Minimum business continuity objective (MBCO)
• Monitoring
• Outsource
• Performance
• Products and services
• Recovery point objective (RPO)
• Risk management
• Top management

Context of the organisation

The organisation is required to demonstrate an appreciation and understanding of its raison d’être and how this is aligned to the needs and expectations of its stakeholders. This will determine its business continuity policy and objectives and how it will consider risk and the effect of risk on its business. Consideration of an appropriate scope for the BCMS is required and a link with core objectives and stakeholder requirements should be evident.

Leadership

Top Management responsibility and commitment has been a feature of management system standards for many years. ISO 22301 re-emphasises this in a more pronounced way, mandating specific ways in which commitment shall be demonstrated (from strategic direction through to directing and supporting continual improvement, to name but two of the ten requirements). As well as the current requirements to set policy and objectives, roles and responsibilities, ownership of BC objectives will be allocated and a clear direction to accomplishing these objectives will be agreed.

Planning

Having fully understood the context of the organisation, planning activities are introduced to address the risks and opportunities of the business (formerly incorporated under Preventive Action). Top Management are now expected to define the criteria for accepting risks. This proactive approach, if carried out properly, will reduce the need for corrective action at a later date as it will focus on planning for successfully achieving BCM objectives and realising opportunities for improvement. This underlines the need for adequate planning of the BCMS.

Support

The organisation (generally acknowledged to be through its Top Management) has a responsibility to ensure that sufficient and appropriate resource is available for the BCMS. Appropriateness is often determined through competency analysis. BCMS communications both internally and externally to the organisation must be considered and include the method and timing of such communication as well as the content. BCMS documentation requirements follow the usual requirements for management systems, including the creation, amendment and control of documents.

Operation

Having considered the actions to address risks and opportunities as part of the BCMS planning phase, the organisation is now in a position to plan and control the operation of its business continuity management requirements. Most importantly this will include:
• A methodology and documented process for conducting a business impact analysis (BIA)
• A systematic methodology and documented process for conducting risk assessments
• A methodology for selecting business continuity strategies which will protect the most important activities of the business and ensure their resumption in the event of disruption. Resource requirements will form part of this process
• Business continuity procedures and plans required to maintain prioritised activities and their dependencies. ISO 22301 places greater emphasis on the procedure required to detect an incident, early communication thereof and the need to regularly monitor the incident than previously seen in other BC management system standards. There is also a requirement to consider how the organisation will recover its activities from a temporary state back to “normal” (if appropriate)
• Exercises and tests to demonstrate the effectiveness of BCM arrangements

Performance evaluation

As with all management system standards there is a need to look back at what has been achieved. Performance metrics (to be selected by the business) are to be appropriate to the needs of the organisation. Whilst this is a new requirement for management system standards, it is likely that organisations will already produce certain metrics and these may be able to be tailored to cover the BCMS performance. ISO 22301 also requires that this analysis is evaluated and conclusions drawn by the organisation. Internal audits and management review continue to be key methods of reviewing the performance of the BCMS and tools for its continual improvement.

How will the changes affect IRCA certificated auditors?

Auditors will need to be able to demonstrate competence in ISO 22301 before carrying out audits against it. This may be achieved by completing a suitable training course or other personal development activity that addresses both knowledge of ISO 22301 and its application in an audit situation. For BCM auditors who work for certification bodies, evidence of competence in ISO 22301 will be especially important to satisfy the requirements of ISO 17021:2011. For certification body auditors it is likely that evaluation of auditor competence will include periodic monitoring of auditor performance through observation and evaluation of audit outputs, an area which continues to draw attention from both accreditation and certification bodies following changes to the requirements in ISO 17021:2011. When ISO 22301:2012 is published and arrangements for transition from BS 25999 to ISO 22301 are established, IRCA may issue a more detailed technical review to support the CPD of IRCA certificated BCMS auditors.

Impact on IRCA certificated training courses

IRCA will issue revised training course criteria at the earliest opportunity following publication of the standard in 2012. In summary, we will require training organisations to:
• Provide students with a general overview of business continuity management and how this sits within the Plan Do Check Act (PDCA) cycle of management systems.
• Describe clearly each element of the business continuity management system cycle as described in ISO 22301 and the BCM Lifecycle first described in BS 25999 Part 1.
• Identify methods of developing BCM awareness throughout the organisation and manage student expectations when required to determine its effectiveness.
• Bring to the attention of students the changes (planned) for how management system standards will be standardised and how this will impact on the implementation and maintenance of a management system.

Will there be changes to the IRCA auditor certification criteria?

Currently we require applicants to have successfully completed an IRCA certificated training course, have completed a minimum number of years of relevant workplace experience and completed a minimum number of audits, at least one of which must have been under the direction and guidance of an auditor currently certificated as a lead auditor. IRCA intends to revise the work experience requirements for BCMS Provisional Internal Auditors and BCMS Internal Auditors to that of one year of BCM experience. This is to reflect what IRCA considers a more realistic requirement for this group of applicants. All other requirements are expected to remain unchanged.

International Register of Certificated Auditors (IRCA)
2nd Floor North, Chancery Exchange, 10 Furnival Street, London EC4A 1AB, United Kingdom
Email: irca@irca.org
Tel: +44 (0) 20 7245 6833
Fax: +44 (0) 20 7245 6755
WWW.IRCA.ORG