{"id":4346,"date":"2015-06-15T21:49:04","date_gmt":"2015-06-15T21:49:04","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/015\/06\/15\/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001\/"},"modified":"2025-07-10T16:52:04","modified_gmt":"2025-07-10T16:52:04","slug":"how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001","status":"publish","type":"post","link":"https:\/\/advisera.com\/27001academy\/blog\/2015\/06\/15\/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001\/","title":{"rendered":"How to use ISO 22301 for the implementation of business continuity in ISO 27001"},"content":{"rendered":"

One of the biggest mysteries in ISO 27001<\/a>\u00a0implementation is the Annex A section A.17, which speaks about business continuity management. How does business continuity relate to information security, and why is it included in ISO 27001? Unfortunately, ISO 27001 does not provide much detail when it comes to business continuity.<\/p>\n

To add to the confusion, ISO 27001 speaks of \u201cinformation security aspects of business continuity management\u201d \u2013 what does this mean? This basically means that a company should enable its information security to continue its operations after an incident; however, since information security by itself (without main business and IT processes) makes no sense, companies typically plan their business continuity for all the important operations (both business and IT).<\/p>\n

How are ISO 27001 and ISO 22301 similar?<\/h2>\n

First of all, information security and business continuity have one very important thing in common: they both protect the availability of the information \u2013 this is why ISO 27001 needed to include business continuity controls in its Annex A.<\/p>\n

ISO 22301 is the leading international business continuity standard (see the overview here: What is ISO 22301?<\/a>), and like all ISO management standards, it is based on the Plan-Do-Check-Act cycle. This means it has practically the same management elements as ISO 27001 and other ISO standards: document control, internal audit<\/a>, corrective actions<\/a>, management review<\/a>, training & awareness<\/a>, etc.<\/p>\n

So, if you already implemented all these elements for ISO 27001, then you\u2019re already fully compliant with ISO 22301 when it comes to managing the system. There are also some other elements of ISO 27001 that are fully compatible with ISO 22301 \u2013 e.g., the risk management \u2013 see this article for details: Can ISO 27001 risk assessment be used for ISO 22301?<\/a>
\n

<\/div>