Decoding the change: BS 25999-2 to make way for ISO 22301

Article by Sunil Gupta

A standard approach to Business Continuity Management (BCM) has been mooted and suggested for decades. Prototype draft standards have been published, but never really quite gained the momentum to succeed. This void has therefore been obvious and glaring for a long time. However, this landscape finally changed dramatically late in 2006, with the publication of the first part of BS 25999, a code of practice for business continuity management. Since its publication, the standard has been frequently referenced and, more importantly, the terminology, principles and methodology used in its two parts have been absorbed in many other documents. The result is that good business continuity disaster recovery management practice is generally agreed and is being understood and implemented by increasing numbers of organizations worldwide.

Organizations are now keen to compare ISO 22301 and BS 25999, especially those that have already achieved certification to BS 25999 or are considering certification. ISO 22301 contains all of the principles and processes present in BS 25999 and it seems unlikely that any additional significant requirements will be included in the final standard. This will be good news for many but there will be some changes as a result of the public commenting period.


From the start, it is evident that the structure of ISO 22301 is very different from BS 25999-2, although all the basic elements of BS 25999-2 still do exist in ISO 22301. Like BS 25999, the ISO standard will be published in two parts. ISO 22301 is a specification standard and is expected to be available in October 2011. An as yet unnamed guidance standard is hoped to be published by the end of 2012. All core business continuity elements in BS 25999-2 will be present in ISO 22301 too.

A review of the two standards confirms that each includes the following sections:

  1. Setting the policy
  2. Scope and objectives for business continuity
  3. Establishing management commitment
  4. Conducting a business impact analysis
  5. Control of documents and records
  6. Establishing resource requirements and the need to exercise
  7. Review and to continually improve the business continuity


Although BS 25999-2 does not clearly state the Plan-Do-Check-Act (PDCA) model, it is even less clearly stated in ISO 22301. However, this won’t affect the clarity of the process through which the standard should be implemented since the main sections of the standard are organized in a rather logical way. ISO 22301 puts greater emphasis on setting the objectives, monitoring performance and metrics, sets clearer expectations on management and summarizes them in a single section. ISO 22301 will be more precise and more demanding when compared to BS 25999-2. Certification bodies will push certification against this standard much harder, so it will gain its popularity much faster as it is aimed at being an international standard. Organizations that have already achieved the BS 25999-2 standards will have to work on finer details if they are to achieve the new ISO 22301 standard.