Project Report

Detailed Comparison between ISO 22301 Versions (2012 vs 2019) - Key Changes

Prepared by:
Saadani Hadir
Chebbi Mohanned

Academic Year: 2023-2024

Table of Contents

1 Detailed Comparison between ISO 22301 Versions (2012 vs 2019)
1.1 Introduction
1.2 The Relationship With ISO 22301:2012
1.2.1 Comparison between the Two Versions
1.2.2 Advantages of Migrating to ISO 22301:2019
1.3 ISO 22301, What is the Latest Version of the Standard?
1.3.1 What has Changed?
1.3.2 What is BCMS?
1.3.3 Structure Has Remained the Same
1.3.4 Broader Approach from Strategy-Based to Solution-Based
1.3.5 Broader Approach from Strategy-Based to Solution-Based
1.3.6 ISO 22301:2019 Introduces Greater Flexibility and Pragmatism to Achieve Results
1.4 How to Implement ISO 22301
1.5 What are the Benefits of ISO 22301?
1.6 Conclusion

List of Figures

1.1 The 10 Clauses of ISO 22301
1.2 Visualizing the PDCA Cycle: Implementing Continuous Improvement with ISO 22301
1.3 PDCA Integration with ISO 22301 Sections: A Visual Guide

List of Tables

Chapter 1

Detailed Comparison between ISO 22301 Versions (2012 vs 2019)

1.1 Introduction

ISO 22301 is a global standard that outlines business continuity planning requirements to help organizations protect themselves against disruptions. The latest version, ISO 22301:2019, titled "Security and Resilience - Business Continuity Management Systems - Requirements," provides a comprehensive framework for achieving this objective.

Context of ISO 22301

ISO 22301 addresses the critical need for organizations to effectively prepare for and manage disruptions, whether they stem from natural disasters or technological incidents. By adopting this standard, organizations recognize the importance of maintaining operations even in adverse circumstances, and they take proactive measures to ensure continuity.

ISO 22301:2012 - Key Features

The 2012 version emphasized the establishment, implementation, and maintenance of a BCMS. This included documenting the BCMS, identifying potential impacts on operations, setting specific continuity objectives, and formalizing a response plan for disruptions. Additionally, it underscored the importance of staff training and awareness to ensure an effective emergency response.

ISO 22301:2019 - Key Innovations

The 2019 version signifies a substantial advancement in business continuity management. It adopts a broader view of risk management, encompassing a wider range of potential threats beyond traditional scenarios. Moreover, it advocates alignment with other management system standards, promoting a more consistent and integrated approach within the organization. The 2019 version also places particular emphasis on ongoing performance assessment and continuous improvement. This translates into regular evaluation of continuity plans and procedures to ensure their optimal effectiveness.

1.2 The Relationship With ISO 22301:2012

ISO 22301:2012 was published in May 2012 and amended in June of the same year. The management system requirements established in ISO 22301 for business continuity management apply to all organizations. The extent to which the criteria are implemented depends on the operating environment and the scope of the organization, in the same way that an organization defines its scope for other management system standards such as ISO 27001. The aim of ISO 22301:2012 was to protect against, reduce the likelihood of occurrence of, prepare for, respond to, and recover from disruptive incidents as and when they arise.

1.2.1 Comparison between the Two Versions

The 2012 version of ISO 22301 focused on reactive planning for incidents, while the 2019 version adopts a more proactive and holistic approach to business continuity management. The latter substantially expands the scope and emphasizes the importance of integration with other management systems, promoting a comprehensive approach to risk management within the organization. Additionally, the 2019 version underscores the need for regular assessment and continual improvement, contributing to the maintenance of relevance and effectiveness of the BCMS.

1.2.2 Advantages of Migrating to ISO 22301:2019

Migrating to the 2019 version offers a range of substantial benefits. Firstly, it enables more effective identification and anticipation of potential threats, thereby enhancing the organization's ability to respond to various disruption scenarios. Additionally, integration with other management system standards promotes process consistency and synergy across different functions of the organization. Furthermore, the 2019 version emphasizes ongoing performance and BCMS improvement, encouraging organizations to evolve with ever-changing challenges.

1.3 ISO 22301, What is the Latest Version of the Standard?

1.3.1 What has Changed?

On 31 October 2019, the latest version of the ISO 22301 standard was published: ISO 22301:2019. This is a revised version of ISO 22301:2012, aiming to make the standard more streamlined and practical, according to the ISO. Companies can transition from ISO 22301:2012 to ISO 22301:2019 up until 30 April 2023, an exception due to the Covid-19 situation. The 2019 version has been generally well-received.

1.3.2 What is BCMS?

If your company was affected by a catastrophe or a crisis, would your business be able to continue? When incidents and natural disasters strike, there is little time to prepare a response structure, particularly when the key people, processes, networks, infrastructure, and other essential services get disrupted. A disaster has no bounds. It could impact your business continuity internally and externally, affecting your customers and the supply chain too. Whether you are a small or a large business, you can face impact. The primary purpose of business continuity management is to reduce the likelihood of threats and guarantee that the company reacts to significant disturbances that could endanger its future. Business continuity management is about responsible and effective leadership. It should provide a foundation for developing resilience to incidents as well as the ability to respond successfully, safeguarding the interests of your key stakeholders, reputation, and value-creating operations of your company.

1.3.3 Structure Has Remained the Same

The old 2012 revision of ISO 22301 was one of the first ISO management standards that was developed considering ISO/IEC Directives Part 1, Annex SL, which prescribes how ISO Management System Standards (MSS) must be written. Therefore, unlike frameworks reviewed since 2012, the new 2019 revision of ISO 22301 has not undergone any major changes to its structure, because it is already similar to those of ISO 9001, ISO 14001, ISO 27001, and other ISO management standards released after 2012.

1.3.4 Broader Approach from Strategy-Based to Solution-Based

The ISO 22301:2019 standard requires organizations to not only develop high-level strategies to ensure business continuity but also to define solutions to handle specific risks and impacts relevant to continuity. This is the most significant change for top management, because the identification of required resources is now related to solutions, not strategies (see standard clause 8.3.4). Defining resources in terms of strategies is not as precise as defining them in terms of solutions, which greatly affects the budget planning for the BCMS. When you define resources based on strategy, you may find yourself limiting solutions because of an under-planned budget, or unexpectedly having to increase investments, compromising the whole organizational budget.

1.3.5 Broader Approach from Strategy-Based to Solution-Based

The single new requirement of ISO 22301:2019 requires organizations to make changes in the BCMS in a planned manner, which can be achieved by considering:
— The purpose of the change and its consequences
— How the integrity of the Business Continuity Management System is impacted by the change
— The resources available to perform the change
— The definition or change of responsibilities and authorities

Although it is something implicitly expected from organizations in the last version, by making this a mandatory requirement it adds more confidence to organizations to resume, continue, and recover the delivery of services and products to their

1.3.6 ISO 22301:2019 Introduces Greater Flexibility and Pragmatism to Achieve Results

Although most people are not fond of change, the modifications to the ISO 22301 standard should not be too difficult for organizations to implement and are actually meant to introduce greater flexibility and better understanding. Additionally, due to the recognition that solutions are as important as strategies, there is a greater focus in this revision on ensuring that organizations develop proper responses to specific risks and impacts. Furthermore, you can have a reduced number of documents for the same thing: managing your service continuity during and after disruptive incidents. For sure, the new ISO 22301 is not the only option for the management of business continuity, but it can give you useful tools in the form of processes to ensure the continuity of your services, helping you to achieve the best customer satisfaction.

1.4 How to Implement ISO 22301

If you are thinking about implementing ISO 22301, here are a few guidelines to get you started:
- Complete an analysis of your organization's framework that is relevant to Business Continuity (such as interested parties) as well as the internal and external factors that might impact your business.
- Determine the scope of the system, considering what you would like the management system to achieve.
- Set your Business Continuity policy and objectives.
- Define the time frame in which you wish to implement your system and plan how to achieve it.
- Determine any competence and/or resource gaps that need addressing before you can implement the standard.

The 10 Clauses of ISO 22301

The ISO 22301 standard uses a structure of ten clauses and follows the Plan, Do, Check, Act (PDCA) model.
Clause 1 Scope
This section sets the intent and parameters within which the ISO 22301 Business Continuity management standard can be used to attain its intended outcome.

Clause 2 Normative References
Reference to 'normative references' is common across all management system standards; however, in the case of ISO 22301 there are no normative references.

Clause 3 Terms and Definitions
Clause 3 of the standard provides prescriptive terms of definition to prevent the wrong

Clause 4 Context of the Organization
Section 4 requires each organization to analyse and understand the context of its activities, both externally and internally, and understand the needs of interested parties. Among other things, this will include understanding legislation, employee, stakeholder and shareholder requirements. It will also go a long way towards defining the scope of your Business Continuity management system.

Clause 5 Leadership
The Leadership section encourages both management commitment and involvement from employees. For example, sharing tasks and responsibilities across the team can ensure that knowledge is shared, and multiple team members become proficient in running the system. This allows consolidation of the culture and reinforces the importance of Business Continuity within the organization.

Clause 6 Planning
Implementing any management system requires planning and the establishment of objectives for the project to ensure these are achieved at every stage.

Clause 7 Support
Covers elements such as communication, competence and awareness, and documented information, as well as resources.

Clause 8 Operation
This is the development of the actual business continuity arrangements within the organization, involving the identification of activities and operations that need to be protected. It includes Risk Assessment and Business Impact Analysis, designing the program utilizing appropriate business continuity strategies, and then implementing arrangements such as the incident response structure and communication plans. Clause 8 is also concerned with the ongoing maintenance, testing, and monitoring of the business continuity

Clause 9 Performance Evaluation
Monitoring and measuring the Business Continuity management system performance, including compliance with legislation and internal audit results, is covered in Clause 9. This section also emphasizes that management must review the Business Continuity management system performance to ensure effective performance.

Clause 10 Improvement
The last clause sets out how an organization must ensure that continual improvement is derived from the Business Continuity management system. This can include dealing effectively with non-conformance and employing a good corrective action process.

Sections 1 to 3 of the ISO standard provide details on the scope of the standard, normative references, and explanations of terminology that help better your understanding of the standard, while sections 4 to 10 contain the requirements.

Figure 1.1 – The 10 Clauses of ISO 22301

How does ISO 22301 relate to Plan-Do-Check-Act?

PDCA (Plan-Do-Check-Act) is an iterative, four-stage approach for continually improving processes, products, or services, and for resolving problems. It involves systematically testing possible solutions, assessing the results, and implementing those shown to work. Its adoption in any management system should ensure that it continues to evolve and improve in its performance.

Diagram of PDCA (Plan-Do-Check-Act).

Figure 1.2 – Visualizing the PDCA Cycle: Implementing Continuous Improvement with ISO 22301

The diagram below shows how PDCA relates to the sections of ISO 22301.

Figure 1.3 – PDCA Integration with ISO 22301 Sections: A Visual Guide

1.5 What are the Benefits of ISO 22301?

ISO 22301 ultimately protects the value of the organization by minimizing the likelihood and impact of being unable to deliver its products and services to its customers and thus generating its income and profit.
- Framework: By its nature, Business Continuity can be a complex process when trying to address all of the risks, known and unknown, that could cause disruption. ISO 22301 provides a framework for implementing business continuity.
- Internationally Recognized Standard: This allows you to easily communicate your approach to Business Continuity and Resilience with other parties with which your organization engages, such as supply chains.
- Ability to Meet Legal and Regulatory Requirements: ISO 22301 can help you establish operational controls which take into account risks and opportunities, as well as legal and other requirements.
- Leadership Commitment to Business Continuity: The standard provides a systematic approach for senior leadership to assess Business Continuity risk and opportunities, monitor and review performance, and set objectives for continual improvement within the context of organizational activities. Implementation is a demonstration and commitment from senior leadership to internal and external stakeholders of the intent to protect workers from accidents including short- and long-term ill health effects. This commitment also provides assurances to the Board of Directors, Trustees, or owners that management controls regarding Business Continuity are inherent within the organization.
- Resilient Environment: The standard will help you to determine causes of interruption to your activities, seeking to either eliminate them or put controls in place to minimize their effects and maintain the supply of your products and services to customers.
- Creation of a Business Continuity and Resilience Culture: The business continuity management system helps organizations to increase employee awareness of risks and encourages workers to take an active role in continuity and resilience matters.
- Customer Retention: If customers fail to receive your products and services this can disrupt the relationship and cause them to seek alternatives elsewhere.
- Supply Chain Participation: Supply chain resilience is critical to many organizations, so the ability to demonstrate robust business continuity arrangements can create opportunities for supply chain participation.
- Enhanced Reputation: Achieving certification to this standard is a recognition that you have achieved an international benchmark, getting you noticed by customers who are concerned about their social responsibilities.
- Crisis Management: The standard will enable the business to respond to crises better, which can enhance both the reputation and value of its brand.
- Opportunity: Business Continuity is not just about managing negative disruptions; it can also deal with positive disruptions, for instance having to rapidly upscale to take on an influx of work to deal with a competitor's

1.6 Conclusion

Migrating to the 2019 version of ISO 22301 marks a significant step in enhancing business continuity management for organizations. By embracing the new principles of the 2019 version, organizations can more effectively anticipate, respond to, and recover from an expanded range of potential threats. It is imperative for businesses to consider these changes and plan their transition to the 2019 version to bolster their operational resilience and ensure effective business continuity.

