
How to use ISO 22301 for the implementation of business continuity in ISO 27001

One of the biggest mysteries in ISO 27001 implementation is the Annex A section A.17, which speaks about business continuity management. How does business continuity relate to information security, and why is it included in ISO 27001? Unfortunately, ISO 27001 does not provide much detail when it comes to business continuity.

To add to the confusion, ISO 27001 speaks of “information security aspects of business continuity management” – what does this mean? This basically means that a company should enable its information security to continue its operations after an incident; however, since information security by itself (without main business and IT processes) makes no sense, companies typically plan their business continuity for all the important operations (both business and IT).

How are ISO 27001 and ISO 22301 similar?

First of all, information security and business continuity have one very important thing in common: they both protect the availability of the information – this is why ISO 27001 needed to include business continuity controls in its Annex A.

ISO 22301 is the leading international business continuity standard (see the overview here: What is ISO 22301?), and like all ISO management standards, it is based on the Plan-Do-Check-Act cycle. This means it has practically the same management elements as ISO 27001 and other ISO standards: document control, internal audit, corrective actions, management review, training & awareness, etc.

So, if you already implemented all these elements for ISO 27001, then you’re already fully compliant with ISO 22301 when it comes to managing the system. There are also some other elements of ISO 27001 that are fully compatible with ISO 22301 – e.g., the risk management – see this article for details: Can ISO 27001 risk assessment be used for ISO 22301?

Where they are different

ISO 27001 is rather poor when it comes to business continuity documentation – it is basically enough to write a Disaster recovery plan to cover the control A.17.1.2 (which requires the implementation of continuity procedures) and control A.17.2.1 (which requires the availability of IT, i.e., the redundancy). See also: List of mandatory documents required by ISO 27001 (2013 revision).

On the other hand, as might be expected, ISO 22301 requires the development of more documents, most of them for these core business continuity elements:

So, what does this mean in practice? Although ISO 27001 allows you to implement your business continuity with one document only, in reality, if you want to prepare your company properly, you’ll need more. And ISO 22301 gives you the know-how.

How to use ISO 22301 for ISO 27001

In my opinion, the best way to use this know-how from ISO 22301 is to implement it as a sub-project of ISO 27001 – this means you should implement your ISO 27001 as you have planned, and when it comes to section A.17 you should implement the above-mentioned core business continuity elements from ISO 22301.

In effect, since all the other elements of ISO 22301 are the same as in ISO 27001, you will implement both of these standards at the same time. And, the best thing of all – this additional effort is only 10% of the whole ISO 27001 implementation effort.

So, it is true that you can achieve compliance with section A.17 in ISO 27001 by writing a single document – the Disaster recovery plan. However, ISO 22301 enables you to do much more – to prepare your company to really continue all of its crucial operations if a real disaster strikes. Is this worth the additional 10% effort?

Check out this free webinar ISO 27001 & ISO 22301: Why is it better to implement them together? that will explain the similarities of these two standards in more detail.

Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.