
    ISO 27001 & ISO 22301 Blog

    ISO 22301 vs. ISO 22313

    I was quite skeptical when I started to read ISO 22313, the guidance standard on business continuity management, but I was proved to be wrong. It can be quite useful as a supplement to ISO 22301 – here’s what I found:

    Similarities and differences

    If you are familiar with ISO 27001 and ISO 27002 (see ISO 27001 vs. ISO 27002), a very similar relationship exists between ISO 22301 (published in May 2012) and ISO 22313 (published in December 2012): ISO 22301 is the main standard, which defines the framework for business continuity management, whereas ISO 22313 is an auxiliary standard that helps with the ISO 22301 implementation.

    The main difference is that ISO 22301 specifies requirements – in other words, you need to comply fully with everything that is written in this standard if you want to get your company certified. This is why this standard uses words like “shall” and “must.” Learn more here: 17 steps for implementing ISO 22301.

    As opposed to that, ISO 22313 gives only guidance, or best practices, on how the requirements from ISO 22301 could be implemented; however, implementation doesn’t have to be done exactly that way. You’ll notice that the terminology here is different – “should” and “may” are used. Consequently, a company can be certified only against ISO 22301, not against ISO 22313.

    Where is ISO 22313 particularly useful?

    My impression is that ISO 22313 is most helpful in these sections, because this is where ISO 22301 is not very detailed:

    • Description of strategy options for resources (clauses 8.3.1 and 8.3.2): suggested strategic options for protecting prioritized activities, suggested strategies for resources/activities, suggestions on what can be excluded from the BCMS scope based on the cost of mitigation, options to mitigate the impact and duration of an incident, techniques for evaluating the business continuity capabilities of suppliers, types of resources an organization should establish, resource strategies for people, what to take into account in procedures for relocating staff, an explanation of when RPO is used, suggested backup types, strategies for worksites, facilities and supplies strategies, strategies for ICT systems, strategies for transportation, suggestions on the finance needed during an incident, etc.
    • Content of business continuity procedures/plans (clause 8.4): what to include in incident communication procedures, what to include in business continuity procedures, content of business continuity plans, location for incident management team, content of the communication procedure, elements of safety and welfare procedures, list of resources that may be required for the welfare of employees, content of salvage and security procedures, content of procedures for resuming activities, content of ICT continuity procedures, etc.

    Here are also a few clauses where ISO 22313 gives useful guidance for implementation:

    • 4.2.1 – Figure 4 – examples of interested parties
    • 4.2.2 – list of legislation that should be taken into account
    • 5.3 – list of items to write in Business continuity policy
    • 5.4 – explanation of BCMS roles and responsibilities
    • 6.2 – examples of goals for the BCMS
    • 7.1 – BCMS resources that are required
    • 7.2 and 7.3 – competence development program, types of training, types of teams, what to include in awareness programs, etc.
    • 7.5.1 – list of all documentation required by the standard
    • 8.1.4 – examples of metrics that may be used for measuring the effectiveness of BCMS
    • 8.2.2 – elements of assessing the impact in BIA
    • 8.2.2 – explanation of RTO and what it is used for
    • 8.2.3 – typical elements to be included in risk assessment
    • 8.4.5 – content of assessment procedure for determining the impact and tasks needed
    • 8.5.2 – content of exercise program
    • 8.5.3 – suggested objectives for the business continuity exercises
    • 9.1.2 – checklist of what evaluation of business continuity procedures should verify
    • 9.1.2 – content of post-incident review

    In any case, unless you are an experienced BCM consultant and/or implementer, I would recommend getting both of these standards. They may be expensive, but the return on investment will be quite quick.


    Dejan Kosutic, Advisera
    Dejan holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Dejan leads our team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related web tutorials, documentation toolkits, and books.