BS 25999-2 to ISO 22301: Will Your Business Continuity Certification Still Be Valid?

Being able to show a valid certificate for business continuity management is becoming increasingly important. Firstly, you can expect to parlay your hard-won certificate into financial advantage for your company in several ways. Secondly, many customer organisations also now insist that you demonstrate business continuity certification as a condition for doing business. The BS 25999-2 standard has been a popular benchmark of excellence in this area. However, this standard has now been superseded by ISO 22301:2012. If you currently hold BS 25999-2 certification, the BSI (British Standards Institution) states it will expire by 31st of May, 2014. The solution is to re-certify under ISO 22301:2012.

What does that mean in terms of impact?

To use the words of the BSI, “the good news… is that the additional requirements are not too difficult”. ISO 22301:2012 already draws on much of what is already in BS 25999-2. In fact, the British standard inspired a number of other business continuity standards besides the ISO one; other examples include the US ASIS/BSI BCM.01 standard adopted by ANSI.  Half the BS 25999-2 certifications have been granted to organisations in other countries outside Britain. The ISO standard builds on this pervasive influence, making it an upgrade rather than a complete replacement.

Nevertheless, some observers point out that the number of ‘shalls’ (as in ‘you shall do this…’) has increased markedly. In the British standard, there were 56 requirements to be met, whereas in the ISO standard, that number increases to 105.  Particular changes, besides the terminology, include the greater precision in business impact analysis activities, response procedures and recovery plans. More emphasis is also laid on the communications process and how it should include additional interested parties (the term that replaces ‘stakeholders’); as well as defining objectives and metrics for measuring performance. So be prepared for some effort at least in making the move from BS 25999-2 (then) to ISO 22301 (now).