ISO 22301:2019 Transition Guidance for Clients
ISO 22301:2019 "Security and resilience – Business continuity management systems - Requirements" was released in October 2019 and is set to replace ISO 22301:2012 via a three plus-year transition period. All organizations that wish to remain certified to ISO 22301 will need to transition to the 2019 revision of the standard within the set transition period which now ends in April 2023.
It is NQA’s goal to maintain a straightforward transition approach that is easy for all of our clients to apply, along with the guidance and tools to make the transition from ISO 22301:2012 to ISO 22301:2019 as smooth as possible.
QUICK LINK - DOWNLOAD NQA CLIENT TRANSITION CHECKLIST TOOL
The overall allowable transition period was originally three years (i.e. from October 2019 through October 31, 2022); but that transition period has since been extended by six months due to the COVID pandemic. As such, the current transition period is from October 2019 through April 30, 2023.
During that period both versions of the ISO 22301 standard remain valid and audits to either version of the standard may be conducted subject to the rules noted below, but plans should be made for an organization’s transition to fully occur prior to the transition period ending.
Detailed Transition Period
-
October 2019 – Transition period begins
-
April 2020 – Transition periods extended by IAF
-
October 31, 2021 – CB’s must cease conducting initial and recertification audits to ISO 22301:2012 certificates after this date. As such, all initial and recertification audits occurring after this date must be conducted against the 2019 revision.
-
NQA will continue to accept applications for ISO 22301:2012 only for organizations with plans for initial audits prior to that deadline, although preference will be for adoption of ISO 22301:2019. There is not expected to be any difference in quoted time or cost for organizations initially certifying to the new standard.
-
-
January 31, 2023 – Any remaining transition audits should be completed by this date (allowing suitable time for corrective actions and certification issuance).
-
April 30, 2023 – Transition period ends
-
Certificates for ISO 22301:2012 will no longer be valid.
-
ISO 22301:2019 Timeline
ISO 22301:2019 Change Analysis
NQA considers ISO 22301:2019 to be a fairly minor change. The majority of requirements and intents have been left intact, some with minor modifications for improved clarity. Additionally, certain portions of the standard have been re-organized to eliminate redundancies and focus business continuity-specific requirements within Section 8 of the standard.
Section 8 itself was restructured but its intents have otherwise not been significantly changed, although certain requirements have been expanded upon or modified. Organizations are also afforded more flexibility in terms of documentation specifics. Finally, the list of terms and definitions has been modified.
Top Revisions in ISO 22301:2019 include:
-
Planning Changes to the BCMS (6.3)
-
Awareness inclusive of before, during & after disruptions (7.3)
-
BIA process more detailed (8.2)
-
Business Continuity Strategies and Solutions (8.3)
-
Response Structure Teams (8.4.2)
-
Exercises focused on program and teams (8.5)
-
Cleaner & expanded Management Review inputs (9.3)
NQA has developed the ISO 22301:2019 Transition Checklist in order to provide more detailed interpretation and guidance on the changes within the standard. We encourage organizations to use this checklist as a tool to facilitate and record the changes within their management system and to retain this document for review at their transition audit. NQA auditors will use this very same Transition Checklist within their transition audits.
In order to ensure that clients are successful with their transition NQA advises the following steps:
Preparing for your ISO 22301 Transition
-
Organizations must transition their management system in accordance with the requirements to ISO 22301:2019 before their transition audit is conducted. This should include any documentation changes, along with evidence of any new or changed process requirements.
-
Of note, organizations must conduct an internal audit and management review of the new/changed requirements prior to the NQA transition audit being conducted.
-
Organizations may have a transition gap assessment conducted by NQA prior to their official transition audit. This could be conducted in conjunction with an earlier ISO 22301:2012 surveillance, or at any other stand-alone time prior to their transition audit.
Your ISO 22301 Transition Audit
-
All organizations must have a transition audit to confirm the implementation of the revised standard. The transition audit may be conducted in conjunction with an existing audit, or may be a stand-alone audit.
-
If the transition audit is conducted in conjunction with an existing surveillance (i.e. transition surveillance) or recertification audit (i.e. transition re-assessment), additional time may be added to the audit duration in order to cover the new requirements/concepts introduced by ISO 22301:2019.
-
If a stand-alone audit is carried out for the transition audit, the duration be calculated on an individual organization basis.
Note: Specific audit durations for transition will depend on the actual situation of the organization including the organization’s size and the complexity of the BCMS. Your NQA CSR will advise you of your specific transition audit duration
Revised ISO 22301:2019 Certificates
-
As with any audit, non-conformances identified during a transition audit will require a corrective action to be submitted and approved. An updated ISO 22301:2019 certification will be issued following corrective action approval.
-
Updated ISO 22301:2019 certificate issuance and validity will be as follows:
- Transition surveillance – The organization’s existing ‘Valid Until Date’ will be maintained.
- Transition re-assessment – A new ‘Valid Until Date’ will be issued for the renewed 3 year period.
- Stand-alone transition – The organization’s existing ‘Valid Until Date’ will be maintained.
NQA ISO 22301:2019 Transition Checklist
The NQA ISO 22301:2019 Transition Checklist provides a simple framework for evaluating your management system against the requirements of ISO 22301:2019.
QUICK LINK - DOWNLOAD NQA CLIENT TRANSITION CHECKLIST TOOL
NQA encourages organizations to use this checklist as a tool to facilitate and record the changes within their management system and to retain this document for review at their transition audit.
Additional Support
We are here to support you throughout the transition process. If you have any questions or need any help we can support you with:
-
Technical Advice. Please call us with any questions you have.
-
Gap Assessment. Please contact us to schedule a gap assessment of your revised BCMS to determine the level of conformance to the requirements of ISO 22301:2019 prior to your transition audit.
-
Transition Gap Guide. You can also download our free ISO 22301 Transition Gap Guide here.
If you have any questions or just want to speak to someone regarding your transition please contact us.