What to implement first: ISO 22301 or ISO 27001?

Implementing ISO management system standards, even with the help of toolkits and consultants, can be a challenging task. In practice, it often seems appropriate to improve preparedness and protection in several areas of an organization at once, covering multiple processes and disciplines. While a security-oriented approach that demands immediate protection from a wide variety of threats is desirable (i.e., implementing both standards at the same time), practical limitations most often force a sequential approach (i.e., implementing one of the two standards first, then the other).

When to implement information security first

This is often the conclusion in IT-heavy, trade- and service-oriented organizations. If the main deliverables of such an organization are predominantly services rather than physical products, this is a strong indication that information technology is crucial to how the organization creates value.

Examples are telecommunication companies, financial institutions, insurance companies, e-commerce sites, etc. These organizations have in common that information processing and storage are essential to their operation. Loss or leakage of information, non-availability of information, or loss of integrity of information must be prevented in order to create value for customers and preserve trust in the organization.

As the threat landscape for data and information assets keeps growing (willful, intentional interference with and destruction of these assets, such as denial-of-service attacks against sites, blocking of access, data theft, and/or extortion), giving more weight and priority to information security as a precautionary measure will become ever more important.

Read the article ISO 27001 implementation checklist to see ISO 27001 implementation steps.


When to implement business continuity first

In industries and organizations where information processing is a necessary backbone of the operation, but where a business impact analysis reveals that important processes and resources (those supporting key products and services) depend on inputs other than IT, we face a different challenge. Just "fixing" IT or information security may leave many other processes and resources vulnerable to non-IT-related threats.

If we take a closer look at a typical manufacturing company, even before performing a business impact analysis, we see raw materials or half-finished goods flowing into the production site, the production facilities at the heart of the organization, and a flow of finished products to storage facilities (warehousing) and/or just-in-time shipping to customers or subsequent manufacturing facilities. While this process is in most cases supported by IT resources, there are certainly other threats to it. In a nutshell, the organization depends on suppliers and a supply chain; the production and warehousing facilities may be endangered by fire, flood, sabotage, etc.; and the outbound delivery chain also needs to be secured.

If the organization operates in an area experiencing an increase in natural hazards, such as storms, fires, or floods, immediate implementation of business continuity measures may be of prime importance. The same holds true if a threat and vulnerability analysis has shown that the organization faces increased threats from physical sabotage or terrorism.

Read the article 17 steps for implementing ISO 22301 to make your ISO 22301 implementation easier.

When to implement both management systems simultaneously?

If your organization does not clearly fall into one of the categories described above (or if you simply can't decide), you might try a combined implementation. While this may sound overwhelming at first, there are obvious synergies in running a simultaneous implementation.

Why? Modern ISO management system standards have been designed to share a nearly identical structure (the common high-level structure defined in Annex SL of the ISO/IEC Directives, now called the Harmonized Structure): the main clauses, such as context of the organization, leadership, planning, support, operation, performance evaluation, and improvement, are generic rather than specific to any one management system standard. This means that the implementation steps are very similar, and implementing two standards in a quasi-simultaneous way results in significantly reduced implementation effort, because documents such as the scope, policy, risk assessment methodology, internal audit, and management review can be shared. On top of that, modern implementation tools and toolkits offer good support for managing the implementation.

See the free webinar ISO 27001 & ISO 22301: Why is it better to implement them together? to learn more about the implementation of both standards.

How to decide?

If your organization faces a multitude of non-IT threats (each of them capable of stopping operations), and if your IT merely supports your business processes, you will probably get more "bang for your buck" by focusing on implementing business continuity management based on ISO 22301.

On the other hand, if you do not offer any physical deliverables, but deal only with digital products, and information technology processes are the heart of your organization, you should rather implement an Information Security Management System according to ISO 27001 as soon as reasonably possible.

Most organizations fall somewhere in the middle, which means that implementing a BCMS with a comprehensive treatment of information security issues may be a completely reasonable approach after all.

Use this free Project plan for ISO 27001 / ISO 22301 implementation to define the steps and timing of the implementation.