Let us consider the following two statements:
- ISO 27001 for Information Security Management Systems can help with business continuity, which is the essence of ISO 22301.
- The business continuity guidelines, as set out in ISO 22301, can be helpful in the implementation of ISO 27001.
This article discusses these two statements, or simply the usefulness of ISO 22301 for ISO 27001 and vice versa.
Section A.17 of Annex A of the ISO 27001 standard covers business continuity management. It is quite obvious to many of us that in modern times, where all our critical data are stored digitally, data security becomes the key to a business's survival and its continuity. However, the ISO 27001 framework does not include details about the methods used to ensure business continuity. It mentions "information security aspects of business continuity management", which basically means that organizations are required to maintain information security so that business operations are not affected by any incident of data breach or loss.
What are the similarities between ISO 27001 and ISO 22301?
Protection of data is necessary for the continuity of a business. Therefore, both ISO 27001 and ISO 22301 address this aspect in any organization. That is why ISO 27001 has a section for business continuity controls in its Annex A.
Both ISO 22301 and ISO 27001 follow a common High-level Structure (HLS) that makes it easier to integrate the management systems. It can be said that both of these standards are based on the Plan-Do-Check-Act cycle and that they share the same management elements: document control, internal audit, management review, corrective actions, awareness, training, etc. Therefore, if you have implemented the controls mentioned in ISO 27001 for an Information Security Management System, you automatically become compliant with the requirements of ISO 22301 for a business continuity management system. In addition, certain elements of ISO 27001, such as risk management, are fully compatible with ISO 22301.
How are ISO 22301 and ISO 27001 different?
When it comes to business continuity documentation, ISO 27001 offers little. It can only be used to frame a Disaster Recovery Plan that would cover control A.17.1.2 (which requires the implementation of continuity procedures) and control A.17.2 (which requires the availability of IT).
However, implementing ISO 22301 for business continuity requires the development of more documents that cover the core business continuity elements, such as:
- Business continuity policy
- Business continuity strategy
- Business impact analysis
- Business continuity plans
- Exercising and testing
Therefore, ISO 27001 alone cannot help you establish procedures for business continuity; it only helps you with a single document. To prepare your organization for any incident that would affect the continuity of your business, you are required to implement ISO 22301.
Using ISO 22301 for ISO 27001
The most common and best way to include the essence of ISO 22301 in ISO 27001 is to use the know-how of the former as a sub-project of the latter. This means that you implement ISO 27001 as planned in your organization and, when it comes to section A.17, you implement the core concepts of business continuity from ISO 22301.
Since both ISO 22301 and ISO 27001 follow the same High-level Structure (HLS), it becomes easier for you to implement both standards simultaneously. Once you implement ISO 22301 for business continuity, the additional effort for implementing ISO 27001 is only 10%.
Although you can comply with the requirements of section A.17 of ISO 27001 by writing a single document, i.e., a Disaster Recovery Plan, implementing ISO 22301 takes care of your business holistically. It is a very important tool for making your organization resilient to any unforeseen situation.