Is ISO 27001:2013 Clarification of Business Continuity Driving ISO 22301 Certification?

November 14, 2013

Last Updated on January 13, 2024

One of the interesting elements of ISO 27001:2013 is its “clarifications” regarding ISO 27001’s requirements for a Business Continuity Management System. (I’ve illustrated the major changes in the table below.)
With ISO 27001:2005 there was definitely some ambiguity regarding Business Continuity, most notably with respect to these two interrelated questions:

View our free ISO 27001 downloadable resources »

View Now!

Do we need a full-blown Business Continuity Management System (BCMS) to become ISO 27001 certified?
Does an ISO 27001 certificate provide assurance that the organization has a reasonable Business Continuity Management System in place?

The confusion was only exacerbated when ISO released its own certifiable Business Continuity Management System standard, ISO 22301.
While our guidance has been that your obligation under ISO 27001:2005 was only to ensure that Information Security Continuity was included in your BCMS, there was enough latitude in the standard’s language that most clients felt more comfortable addressing BCMS to a more complete level. Another complication was that there was that different ISO 27001 Certification Auditors also interpreted the standard differently. One auditor in particular emphasized BCMS during his audits, while most other auditors only addressed it in a very limited manner.
ISO 27001:2013 greatly reduces that ambiguity—the shift from “Business Continuity Management” to “Information Security Aspects of Business Continuity “ says it all. I think this clarification will have three significant impacts:

It will slightly reduce the time required to prepare for ISO 27001 certification, as the only elements of the BCMS that need to be assessed/corrected are those specific to the continuity of the ISMS. So ISO 27001:2013 reduces the “just-in-case” broader BCMS assessment that was common previously.
It will reduce the perceived level of BCMS assurance that an ISO 27001 certificate provides, because the clarification makes it clear that ISO 27001 does not provide BCMS assurance.
It will drive higher levels of ISO 22301 adoption where availability is a critical requirement (e.g., SaaS. HaaS, transaction processing)

In the last three weeks (following the release of ISO 27001:2013) we have seen traffic on the ISO 22301 related pages of our website increase approximately 20%—which tells me this issue is of concern to many businesses.
Here’s a table summarizing the key changes:

Information	ISO-27001: 2005	ISO-27001:2013
Clause Description	A14. Business Continuity ManagementObjective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.	A17. Information Security Aspects of Business ContinuityObjective: Information security continuity shall be embedded in the organization’s business continuity management systems.
Clause Specifics	A.14.1.1 – Including information security in the business continuity management processA.14.1.2 – Business continuity and risk assessmentA.14.1.3 – Developing and implementing continuity plans including information securityA.14.1.4 – Business continuity planning framework A.14.1.5 -Testing, maintaining and reassessing business continuity plans	A.17.1.1 – Planning information security continuityA.17.1.2 – Implementing information security continuityA.17.1.2 – Verify, review, and evaluate information security continuity

Business Continuity Management

Ensures that your organizations critical business functions will continue to operate in spite of incident or disaster. The ISO 22301 roadmap will help you understand what a Business Continuity Information Security Management System is and guide you, step by step, from preparation through certification.

Download Now!

What's Next?

To hear this practical, best-practice oriented show with Temi Adebambo

Click Here

Pivot Point is now part of CBIZ. Click Here for more information.

Blog

Is ISO 27001:2013 Clarification of Business Continuity Driving ISO 22301 Certification?

Business Continuity Management

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

How Much Does ISO 27001 Certification Cost in 2024?

What is Distributed Ledger Technology (DLT) and How Can It Simplify Privacy Compliance?

Virtual CISOs and Community Banks—Perfect Together

What is Hedera Hashgraph and How Does It Solve Blockchain Privacy Issues?

Data Privacy Compliance in Higher Ed: Now is the Time

What is a TISAX Simplified Group Assessment and Who Can Use It?

CMMC Proposed Rule Changes: What’s Changing and How to Prepare

What is Kubescape and Why Should We (as Cloud-Native Developers) Care?

Container and Kubernetes Security: A Nontechnical Introduction

What is a Container and Why are They So Popular with Developers?

What is the New Jersey Data Privacy Law, and How Can We Streamline Compliance?

The EU AI Act: 9 Top Questions Answered

SOC 2 Reports – Which Trust Services Criteria Do You Need?

6 Key Takeaways from the 2023 SOC Benchmark Study

CMMC Proposed Rule: New Guidance on CMMC Level 3

The New CMMC Proposed Rule—Answers to Your Top 9 Questions

ISO 27001 Accreditation: Why It Matters for Cloud Service Providers

How to Measure the Value of Information Security

2 Principles to Revolutionize Security Awareness Training

What is Cyversity and How Can It Improve Diversity on My Cybersecurity Team?

How can we help you?

Services

Compliance

Insights

Pivot Point Security