First of all, information security and business continuity have one very important thing in common: they both protect the availability of information – this is why ISO 27001 needed to include business continuity controls in its Annex A. In my opinion, the best way to use this know-how from ISO 22301 is to implement it as a sub-project of ISO 27001 – this means you should implement your ISO 27001 as you have planned, and when it comes to section A.17, apply the know-how from ISO 22301. ISO 22301 requires the development of more documents, most of them for these core business continuity elements:

* Business continuity policy
* Business impact analysis
* Business continuity strategy
* Business continuity plans
* Exercising and testing
According to ISO 22301, a business continuity plan is defined as "documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption." This basically means that the BCP focuses on developing plans and procedures, but it doesn't include the analysis that forms the basis of such planning, nor the means of maintaining such plans – all of these are required elements of business continuity management that are necessary for successful contingency planning.
Since the management system elements of ISO 22301 are the same as in ISO 27001, you can implement both of these standards at the same time. And, best of all, this additional effort is only about 10% of the whole ISO 27001 implementation effort. So, it is true that you can achieve compliance with section A.17 of ISO 27001 by writing a single document – the Disaster recovery plan. However, ISO 22301 enables you to do much more – to prepare your company to really continue all of its crucial operations if a real disaster strikes. ISO 22301 requires an organization to pre-empt risks and put in place contingency plans and tested responses so that it can respond more effectively to unexpected threats should they arise. It helps your team agree on timeframes within which you will resume your activity following an adverse event. The standard also requires you to make resources available to implement, maintain and test plans to ensure operational continuity regardless of the conditions. A BCM practice can safeguard an organisation against the resulting reputational damage that can occur from missed deadlines, data leakages, operational or IT outages, industrial action, disappointed clients or direct financial losses due to the disruption. Universal Registrars recommends that every business has a plan in place to deal with potential disruptions and to avoid excessive downtime and reduced productivity during the disruption.