The Final Draft International Standard (FDIS) for ISO 22301 was released on the 1st of February so it seems almost certain now that the new standard will be formally approved in the next few months. There has already been a significant drop in BS 25999 certifications over the last year or so and, as in previous similar cases, it is anticipated that once the ISO has been approved the British Standard will be completely phased out. So, whilst a full post-mortem is a little premature, it is maybe a suitable moment to reflect on the impact of BS 25999 over the last 4 years.
In terms of the number of certifications, BS 25999 has undoubtedly been somewhat disappointing. There don’t appear to be any official figures; but a search of numerous media databases and the internet reveals less than 100 organisations worldwide that have announced that they have achieved certification. Obviously this search strategy will have missed some organisations, particularly smaller ones, but it still gives an order of magnitude. It may be a little unfair to compare directly with ISO standards, but in the first year after release ISO 14001 (Environmental Management) had 14 000 certifications and ISO 27001 (IT Security) nearly 6000. It will be interesting to see how ISO 22301 compares with these figures once it is released.
Notwithstanding the lack of interest in certification, it would be wrong to say that BS 25999 has been a failure for it has in fact been extraordinarily successful in terms of spreading good practice in Business Continuity. Whilst the principles contained in the standard were already contained in, for example, the BCI’s ‘Good Practice Guidelines’; encapsulating this good practice in a British Standard has vastly increased both the awareness and acceptance of these principles.
One of the most interesting aspects of the BS 25999 story has been the way it has been accepted globally, with roughly half of certifications being awarded outside the UK. Perhaps BS 25999’s lasting legacy will be the stimulation of this international convergence on good practice in Business Continuity which has paved the way for ISO 22301.