
Where do ISOs come from?

Author: Charlie Maclean Bristol, Training Director, FBCI, FEPS

After spending a week observing a series of ISO meetings in Bangkok, Charlie shares his experience of how ISOs are developed.

Is this a conundrum that has kept you awake at night for years, or have you only just thought about it now, after being prompted by this bulletin? I am very familiar with ISO 22301, having helped PlanB Consulting and a number of other organisations get certified to the standard, as well as getting both PlanB Consulting and BC Training certified to ISO 9001. I knew there must be a committee to develop them, but I had no idea how the process worked. I was aware my wife Kim had been involved in standards, as she would suddenly announce she was off to a meeting in London, and more lately in Norway and Sydney, to attend a standards working group, but I didn’t really want to ask what she got up to there!

A couple of months ago, Kim announced she was going to Thailand for a meeting and asked if I would like to come along, so we could have a few days' holiday before the meeting. I jumped at the chance. The holiday went well, and we headed to Bangkok for the week-long ISO meeting.

As everyone knew Kim and they knew I was also a business continuity consultant, I was invited along officially as an observer and was able to witness the process of a number of standards being developed. Feeling like a new boy at school, thinking I had better make an impression, I put on my suit and set off for the first meeting. So, for this week’s bulletin I thought I would give you a little flavour of how an ISO is developed and who does it. My analysis of the process might not be 100% accurate, but it will hopefully give you a rough idea of how it is done.

‘The International Organization for Standardization (ISO) is an international standard-setting body composed of representatives from various national standards organizations. Founded on 23 February 1947, the organization promotes worldwide proprietary, industrial and commercial standards.’ For the UK, BSI is the recognised standards body, and each major nation has its own standards body. The way the process seems to work is that a national standards body decides which standards it would like to write. The proposal goes through a series of approval gates and then the standard starts to be written. A working group, often of worldwide experts, is formed and the standard goes through a series of comments and stages until it is signed off and becomes a worldwide standard, like ISO 22301. The group may also decide to write a guidance document, such as 22313, the guidance on ISO 22301, or 22317, the guidance on how to carry out a BIA.

I was invited to observe a number of the meetings of Work Group 2, who were updating the ISO 22301 guidance and the BIA guidance, as well as developing a new guidance on writing business continuity plans. The process was fascinating: the chair, with Kim as his assistant, sat at the head of a large horseshoe table surrounded by about 30 business continuity experts from around the world. Each nation sends 2-3 experts, plus there is the chair, support and a number of professionals from BSI or ISO who facilitate the group and process.

For the meetings focusing on the ISO 22301 guidance, the chair had a list of about 360 comments on the latest iteration of 22313 (I hope you are following all these numbers!). The comments being reviewed were from the group, as well as from members of the public, so you have the chance to influence the BC world if your comment or amendment on a document is accepted. One by one the comments were reviewed and either accepted and written into an amended version of the document, noted or rejected. It took most of the week for the working group to grind through all the comments. ISOs are translated into many different languages, and at various times there were fierce debates on whether to use a particular word, followed by further debates on whether the chosen word would translate meaningfully into the different languages; if the word didn’t work, the debate had to start from the beginning again.

I also attended meetings regarding updating the BIA guidance and developing the completely new guidance on BC plans. What I saw from all of the groups I attended was the calibre of the people who were there. Lots of people self-proclaim that they are global experts or thought leaders, but these people around the table were really global experts and very quickly I had a lot of respect for their knowledge and wisdom. Apart from their expertise, they had a real art of being able to express arguments very concisely, listen to and understand other people’s views and methodologies, as well as the ability to push their own ideas. There were strong arguments and positions taken, but all of them were volunteers with a desire to put something back into the industry they work in, so there was compromise. As a number were consultants, it was fascinating to see how they deliver consultancy and to understand their methodologies. I was also pleased to see their methodology was not very different in principle to what we do.

Having been here for a week, I am impressed with the people and the quality of thought and rigour which goes into the development of standards. There is a well-defined process to develop the standards, with lots of checks and balances, as ISO is an international organisation. The politics of it all were high and there seemed to be quite a lot of manoeuvring behind the scenes, but I suspect it is the same in many multinational organisations. So, if you are wondering where an ISO comes from, you can be assured there is a dedicated band of experts spending a lot of time and effort to ensure the quality of all ISO standards and guidance.


