The document discusses transitioning from BS25999 to ISO 22301 for business continuity management systems. It recommends taking a pragmatic approach that focuses on the genuine needs of the organization rather than strictly adhering to standards. Key points include developing management systems aligned with corporate culture, ensuring top management support, and using nonconformities and corrective actions to continually improve the program. Following these guidelines can help simplify certification while maintaining an effective system over time.

1. Transition: BS25999 to ISO 22301
ISO22301: Societal Security – Business Continuity Management Systems – Requirements has now
been published for almost 2 years, yet certification is still seen as a black art by some.
As someone who worked as a Technical Expert on BS25999 audits, and is an ISO22301 Lead Auditor, I
have seen a wide variety of Management Systems. More recently, I have been assisting 2 small
businesses with their transition to the new standard. In this article, I would like to share some
personal knowledge and experience with ISO22301 which may be a guide for your efforts towards
compliance.
Complicated?
Many of the problems associated with implementing Management Systems result from trying to
slavishly adhere to a standard rather than seeing it as an opportunity to effectively implement and
operate a process. Put simply, an effective Management System will enable a single and uniform
approach to, for example, documentation, internal audit and improvements. It is up to you as an
organisation to decide what is right for the size and complexity of your organisation, and for the risks
that are present.
The Management System essentially specifies what you will do. Write your Management System to
the requirements of your organisation, and fit the requirements of the standard around that, not vice
versa.
Don’t write to the Standard
BS25999 could be easily followed, and a Management System could be written that simply
considered each clause in turn. ISO22301 is very different in nature. There are intrinsic links
throughout the document, such as Clause 6.1 (Planning) referring to Clause 4.1 (Context of the
organisation), and Clause 8.1 (Operation) referring to Clause 6.1. This requires a different approach.
Develop a Management System that is closely aligned to your corporate culture; if you usually use
‘Standard Operating Procedures’ for example, then follow this route. However, if your documents
and instructions normally follow a different format, then utilise this; this will assist in embedding the
Management System into the organisational culture. Also, use this opportunity to fully meld
Business Continuity into the existing practices; why have one method for maintaining records of
Business Continuity training when there are other methods already in place, and already being
followed? Don’t re-invent the wheel!
Pragmatism
Think about the genuine requirements of your company. For an SME, with a small number of staff, is
it practical or realistic to expect quarterly Internal Audits or Management Reviews? Equally, for a
small business operating in a low-risk sector, do you need to exercise all elements of your Business
Continuity plan on an annual basis? Based on an understanding of the business, the risks inherent to
the business processes and the speed of growth, change and development, it may be that an 18 or
Cambridge Risk Solutions Ltd
39 The Glades, Huntingdon, Cambridgeshire PE29 6JS
Company Number: 05534745 VAT Number: 872 5569 85
+44 (0)1223 906039 info@cambridge-risk.com www.cambridge-risk.com

2. 24 month cycle is more sensible and achievable. Many of the problems that I have seen with
Management Systems have occurred when organisations specified an unrealistic cycle frequency for
Management Review, Internal Audit and exercises which they have then been unable to follow, and
which has not really added value.
Awareness
Much of the focus of BS2599 embedding was ensuring that staff knew about issues pertaining to
Business Continuity, such as the Policy. ISO22301 requires an amount of Awareness activity,
ensuring that staff and contractors, for example, are aware of the Policy and their own role during a
disruptive influence. However, ISO22301 requires that staff are aware of ‘their contribution to the
effectiveness of the BCMS, including the benefits of improved business continuity management
performance’, and requires that top management shall communicate the importance of…conforming
to the BCMS requirements. Note the reference to the BCMS; this is not just about Business
Continuity, but more about the wider Management System
Leadership
One of the big changes for ISO22301 is the heavy emphasis on leadership. If you cannot gain real
Top Management support and commitment, you will not be able to achieve success in your
certification efforts. Leadership has to be visible.
Nonconformities and Corrective Actions
This is the area that consistently causes the greatest difficulties, yet it is this process that drives the
improvement and on-going development of the Business Continuity programme. By effectively
identifying issues and potential problems, and completing a root cause analysis, nonconformities and
corrective actions can help to develop and continually improve your programme. These actions may
even be related to the Management System itself, and not just the Business Continuity elements. As
an example, a business that I have worked with was struggling to achieve 4 Management Reviews a
Year, as specified in their Management System. By considering the root cause, it was realised that
their whole Management System was too complex, cumbersome and inflexible, and so a rethink and
re-structure has been implemented with the aim of producing a more agile, comprehensive and
combined Management System.
Summary
Implementation of Management Systems with the aim of gaining certification is a lengthy process.
However, by observing some of these key points, the process can be simplified and made more
applicable to your organisation. Slavish adherence to the standard, clause by clause, could lead to
procedures that are unlikely to be adopted and followed over time, whereas a pragmatic approach
which is based on your existing culture will lead to an effective and straightforward Management
System which is easily implemented and utilised by all staff, and which satisfies the requirements of
the standard.
Cambridge Risk Solutions Ltd
39 The Glades, Huntingdon, Cambridgeshire PE29 6JS
Company Number: 05534745 VAT Number: 872 5569 85
+44 (0)1223 906039 info@cambridge-risk.com www.cambridge-risk.com