One of the biggest mysteries in ISO 27001 implementation is the Annex A section A.17, which speaks about business continuity management. How does business continuity relate to information security, and why is it included in ISO 27001? Unfortunately, ISO 27001 does not provide much detail when it comes to business continuity.
To add to the confusion, ISO 27001 speaks of “information security aspects of business continuity management” – what does this mean? In short, it means that a company should plan for its information security controls to keep operating after an incident; however, since information security by itself (without the main business and IT processes) makes no sense, companies typically plan their business continuity for all of their important operations, both business and IT.
How are ISO 27001 and ISO 22301 similar?
First of all, information security and business continuity have one very important thing in common: they both protect the availability of the information – this is why ISO 27001 needed to include business continuity controls in its Annex A.
ISO 22301 is the leading international business continuity standard (see the overview here: What is ISO 22301?), and like all ISO management standards, it is based on the Plan-Do-Check-Act cycle. This means it has practically the same management elements as ISO 27001 and other ISO standards: document control, internal audit, corrective actions, management review, training & awareness, etc.
So, if you already implemented all these elements for ISO 27001, then you’re already fully compliant with ISO 22301 when it comes to managing the system. There are also some other elements of ISO 27001 that are fully compatible with ISO 22301 – e.g., the risk management – see this article for details: Can ISO 27001 risk assessment be used for ISO 22301?
Where they are different
ISO 27001 is rather poor when it comes to business continuity documentation – it is basically enough to write a Disaster recovery plan to cover control A.17.1.2 (which requires the implementation of continuity procedures) and control A.17.2.1 (which requires the availability of IT facilities, i.e., redundancy). See also: List of mandatory documents required by ISO 27001 (2013 revision).
On the other hand, as might be expected, ISO 22301 requires the development of more documents, most of them for these core business continuity elements:
- Business continuity policy (see also: The purpose of Business continuity policy according to ISO 22301)
- Business impact analysis (see also: How to implement business impact analysis (BIA) according to ISO 22301)
- Business continuity strategy (see also: Can business continuity strategy save your money?)
- Business continuity plans (see also: Business continuity plan: How to structure it according to ISO 22301)
- Exercising and testing (see also: How to perform business continuity exercising and testing according to ISO 22301)
So, what does this mean in practice? Although ISO 27001 allows you to implement your business continuity with one document only, in reality, if you want to prepare your company properly, you will need more. And ISO 22301 gives you the know-how.
How to use ISO 22301 for ISO 27001
In my opinion, the best way to use this know-how from ISO 22301 is to implement it as a sub-project of ISO 27001 – this means you should implement ISO 27001 as you have planned it, and when it comes to section A.17, you should implement the above-mentioned core business continuity elements from ISO 22301.
In effect, since all the other elements of ISO 22301 are the same as in ISO 27001, you will implement both of these standards at the same time. And, the best thing of all – this additional effort is only 10% of the whole ISO 27001 implementation effort.
So, it is true that you can achieve compliance with section A.17 of ISO 27001 by writing a single document – the Disaster recovery plan. However, ISO 22301 enables you to do much more: to prepare your company to really continue all of its crucial operations if a real disaster strikes. Is this worth the additional 10% effort?
Check out this free webinar, ISO 27001 & ISO 22301: Why is it better to implement them together?, which explains the similarities of these two standards in more detail.