1. BS25999-2:2007
Certification & Transition to new
ISO22301 BCM Standard
John Zeppos
OTE Group Business Continuity Management Deputy Director
August 2012

2. How has Business Continuity Management Developed?
 Holistic approach  BS25999 formed the
 USA - Natural Disasters
intended to reduce risks key input to the
and resulting impacts ISO22301
 UK - Irish Terrorist attacks
resulted in the “Disaster-  US standard NFPA
1600 – a recommended  ISO22301 Standard
Recovery” approach in the
approach for Disaster May 2012
UK to deal with the
aftermath of an event Management – based on
Natural, Human or
Technological disasters
Current
1970s 1990s situation
1980s 2000s
 Standards Start to be developed
 2003/2004 PAS56 - UK - never
developed into a full standard
 NFPA1600 USA – became programme
based
 BCM professionals  BS25999 – Code of Practice &
recognised the need to Specification (2006/7) – organisations able
understand the Impact to to be independently certified
the Business – hence BIA, o Management System approach aligned
Risk Assessment etc with existing Management Systems
o Lifecycle to ensure that the business is
protected – not Disaster and then Recover
John Zeppos / BS25999-2:2007 Certification & Transition to new ISO22301 BCM Standard / 31.08.2012 @ Davos 2

3. 2006/2007
2003 2012
John Zeppos / BS25999-2:2007 Certification & Transition to new ISO22301 BCM Standard / 31.08.2012 @ Davos 3

4. BCMS Certification
 Why should one decide to undertake certification ?
 BS25999 / ISO22301 is the most appropriate standard containing both the Continuity and Crisis Management
 They are is based on a Management System approach fully aligned with ISO9001 and ISO27001
 They provide independent proof that one’s BCMS is fit for purpose
 Senior Management confidence that the approach that they are being asked to underwrite is appropriate.
 Certificate could significantly reduce Insurance costs
 Certification Programme
 Initial pre-assessment by qualified independent auditors ( gap analysis )
 Certification project internal kick off meeting with all relevant functions
 Stage 1 Assessment – finalise scope and agree timing
 Stage 2 Assessment – Certification Audit
 1 Month later - Certificate can be officially issued
John Zeppos / BS25999-2:2007 Certification & Transition to new ISO22301 BCM Standard / 31.08.2012 @ Davos 4

5. ISO22301:2012
 ISO22301 published w/b May 15
UKAS transition project under way
1st May 2012 with internal actions, document
 BS25999-2 will be withdrawn in November 2012 preparation, internal training etc.
No new applications accepted for
 No new applications for certification after 22nd 31st October 2012 accreditation to BS 25999-2
October 2012
Transition Assessments begin as part
 Scope extensions for existing certifications 1st November 2012 of the normal surveillance cycle
supported to end October 2013
No new BS 25999-2 scope extensions
31st October 2013 accepted by UKAS
 After 1st November 2012 all visits based on ISO
22301 No new BS 25999-2 certificates to be
31st December 2013 issued by CABs
 Existing certificates remain valid until the end of All CABS to have transitioned to ISO
30th May 2014
transitional period (30th May 2014) 22301
All CAB clients to have transitioned
 No new certificates or renewals after 31st within one year of Accreditation to
December 2013 ISO 22301.
John Zeppos / BS25999-2:2007 Certification & Transition to new ISO22301 BCM Standard / 31.08.2012 @ Davos 5

6. ISO TC 223
 ISO TC 223 is the Technical Committee responsible
 TC 223 deals with all matters regarding Societal Security
o provision of International Standards to enhance all actors capacity in society to handle all
phases before, during and after disruptive events
 45 countries are participating members
 All standards from this committee are prefixed “Societal Security” and are number 223xx
 Other standards being developed include:
o Mass evacuation
o Emergency Management Command and Control
John Zeppos / BS25999-2:2007 Certification & Transition to new ISO22301 BCM Standard / 31.08.2012 @ Davos 6

7. Contributors
John Zeppos / BS25999-2:2007 Certification & Transition to new ISO22301 BCM Standard / 31.08.2012 @ Davos 7

8. ISO22301:2012
 Source documents included
o BS25999-2
o NFPA 1600
o ASIS OR standard
o Singapore standards
o ISO27031
o ISO Guide 73
o ISO/PAS22399
 So ISO 22301 is not simply an international version of BS25999-2:2007
 ISO moving towards standardization of management systems headings and text
o In development as it was being written
o Agreed now and published as ISO Guide 83
o Rules on how to apply this were not always clear so had to be changed
 Hence our interpretation may differ in detail from others like ISO 27001 – all management systems
standards will follow Guide 83’s standardized headings and text
 Integration of management systems will be easier
John Zeppos / BS25999-2:2007 Certification & Transition to new ISO22301 BCM Standard / 31.08.2012 @ Davos 8

9. ISO22301:2012
 ISO 22301 is the requirements document
 ISO 22313 is the guidance document that accompanies ISO22301
o It was originally planned to publish these together but in practicality 22301 has run ahead of
the guidance
o It is aligned to 22301, clearly BS25999-1 was not
 ISO 22313 should be published early next year
o Currently at DIS
John Zeppos / BS25999-2:2007 Certification & Transition to new ISO22301 BCM Standard / 31.08.2012 @ Davos 9

10. John Zeppos Twitter : @jzeppos
yzeppos@cosmote.gr http://www.linkedin.com/in/johnzeppos
+30 697 9666844
John Zeppos / BS25999-2:2007 Certification & Transition to new ISO22301 BCM Standard / 31.08.2012 @ Davos 10