ISO 22301 vs. ISO 22313

I was quite skeptical when I started to read ISO 22313, the guidance standard on business continuity management, but I was proved wrong. It can be quite useful as a supplement to ISO 22301 – here is what I found:

Similarities and differences

If you are familiar with ISO 27001 and ISO 27002 (see ISO 27001 vs. ISO 27002), a very similar relationship exists between ISO 22301 (published in May 2012) and ISO 22313 (published in December 2012): ISO 22301 is the main standard, which defines the framework for business continuity management, whereas ISO 22313 is an auxiliary standard that helps with the ISO 22301 implementation.

The main difference is that ISO 22301 specifies requirements – in other words, you need to comply fully with everything that is written in this standard if you want to get your company certified. This is why the standard is written with the word “shall.” Learn more here: 17 steps for implementing ISO 22301.

As opposed to that, ISO 22313 gives only guidance, or best practices, on how the requirements from ISO 22301 could be implemented; the implementation does not have to be done exactly that way. You will notice that the terminology here is different – “should” and “may” are used instead. Consequently, a company can be certified only against ISO 22301, not against ISO 22313.


Where is ISO 22313 particularly useful?

My impression is that ISO 22313 is most helpful in the following areas, because these are where ISO 22301 gives little detail:

  • Description of strategy options for resources (clauses 8.3.1 and 8.3.2): suggested strategic options for protecting prioritized activities, suggested strategies for resources and activities, guidance on what can be excluded from the BCMS scope based on the cost of mitigation, options to mitigate the impact and duration of an incident, techniques for evaluating the business continuity capabilities of suppliers, types of resources an organization should establish, resource strategies for people, what to take into account in procedures for relocating staff, an explanation of when the RPO is used, suggested backup types, strategies for worksites, strategies for facilities and supplies, strategies for ICT systems, strategies for transportation, guidance on the finance needed during an incident, etc.
  • Content of business continuity procedures/plans (clause 8.4): what to include in incident communication procedures, what to include in business continuity procedures, the content of business continuity plans, the location of the incident management team, the content of the communication procedure, elements of safety and welfare procedures, a list of resources that may be required for the welfare of employees, the content of salvage and security procedures, the content of procedures for resuming activities, the content of ICT continuity procedures, etc.

Here are also a few clauses where ISO 22313 gives useful guidance for implementation:

  • 4.2.1 – Figure 4 – examples of interested parties
  • 4.2.2 – list of legislation that should be taken into account
  • 5.3 – list of items to include in the business continuity policy
  • 5.4 – explanation of BCMS roles and responsibilities
  • 6.2 – examples of goals for the BCMS
  • 7.1 – BCMS resources that are required
  • 7.2 and 7.3 – competence development program, types of training, types of teams, what to include in awareness programs, etc.
  • 7.5.1 – list of all documentation required by the standard
  • 8.1.4 – examples of metrics that may be used for measuring the effectiveness of the BCMS
  • 8.2.2 – elements of assessing the impact in BIA
  • 8.2.2 – explanation of RTO and what it is used for
  • 8.2.3 – typical elements to be included in risk assessment
  • 8.4.5 – content of assessment procedure for determining the impact and tasks needed
  • 8.5.2 – content of exercise program
  • 8.5.3 – suggested objectives for the business continuity exercises
  • 9.1.2 – checklist of what evaluation of business continuity procedures should verify
  • 9.1.2 – content of post-incident review

In any case, unless you are an experienced BCM consultant and/or implementer, I would recommend getting both of these standards. They may be expensive, but the return on investment will be quite quick.


Author
Dejan Kosutic