New standards for business continuity management take a while to define, vote and promulgate, so a schedule that has changed slightly for ISO 22301 in the course of its development isn’t necessarily a problem. What was originally planned as a Q1 release of the standard now appears to be scheduled for May, although by this stage the contents of the standard should be more or less firm. How much the standard will consolidate the “sea change” of societal security has yet to be determined; a concluding remark in a presentation on the subject by the British Standards Institute (BSI) in 2011 could be interpreted in a number of different ways.
For the standards buffs among you, ISO 22301, a new standard for “Societal security – Preparedness and continuity management systems” is similar to BS 25999 – 2, the Business Continuity Management Specification from the BSI. The principal differences are in two areas: new requirements for BCM metrics, such as the frequency of updates of business impact analysis, and the number of test exercises completed; and the upgraded priority on operational planning and control.
At the time of the presentation, the degree of overlap between ISO 22301 and BS 25999 – 2 was unknown, and the discussion was on different possibilities, including varying lengths of time for organisations to transition. The closing statement in the presentation from the BSI, pragmatic as ever, was that organisations should continue to progress their business continuity management system and maturity in any case – “Keep calm and carry on”, to cite the exact phrase used. One interpretation is that the BSI is smart enough to realise that standards, while potentially of great help in getting BCM in place, are still only tools and that it is the final result (an organisation that keeps on functioning) that counts.