

Page 1: Feature - Information Assurance | ISACA

ISACA JOURNAL Volume 3, 2015. ©2015 ISACA. All rights reserved. www.isaca.org

The implementation of and certification to global best practice standards can be quite challenging for most organizations given the resources (e.g., manpower, time, finances) required. Consequently, implementing two standards concurrently may be an ordeal.

Undoubtedly, a prerequisite to any successful implementation is a detailed, comprehensive understanding and implementation experience of the standards, which, in this case, are the ISO 27001:2013 [1] standard for information security management systems (ISMSs) and the ISO 22301:2012 for business continuity management systems (BCMSs). Armed with this, the focus should be on understanding the similarities between these standards given that their intent is to provide the requirements for establishing, implementing, maintaining and continually improving either an ISMS or a BCMS. These similarities are being brought to light given the recent revision to ISO 27001:2013 and publication of ISO 22301:2012 (superseding the BS 25999—Part 2). [2] These two new standards are influenced by the new ISO requirement that all new and/or revised management system standards (MSS) must conform to the high-level structure, identical core text, common terms and core definitions, which are defined in Annex SL 9 of the ISO/IEC Directives, Part 1. [3]

This new structure is reflected in the table of contents of both standards. An extract is shown in figure 1 and is a good starting point for integrating the two management systems within a single implementation effort, thereby addressing both issues.

One of the ways to address this is to incorporate the similar requirements from both standards in the same policy and/or procedure set. This saves time and increases productivity and operational efficiency by greatly reducing duplicate efforts given the immense documentation requirements typical of most management system standards. As such, a single set of separate policies, procedures, processes and activities can be used to address the similar clauses from both standards, such that the context of the organization, leadership, planning, support, performance evaluation and improvement can be handled separately within a single implementation approach for both standards. Given that the selection of the scope of the information security management system is the organization’s most critical information, the integration of the ISMS to the BCMS would be greatly enhanced if the physical location of the ISMS scope is the same as that of the BCMS. As such, the scope of the BCMS should be focused on the organization’s key products and services operating within the physical scope of the ISMS. Given this scenario, the scope of the ISMS and the BCMS can be documented within a single document. The same approach applies to information under the section Context of the Organization; Understanding the Needs and Expectations of the Interested Parties.

Nonetheless, there exists some divergence, which is noticeable in section 8 and in the availability of annex A’s (normative) reference control objectives and controls in only the ISO 27001:2013 standard. These areas, among other areas of inconspicuous difference, need to be treated distinctly. Nevertheless, the risk assessment aspect of section 8 can be harmonized. The harmonization comes as a result of both standards’ reference to ISO 31000:2009 Risk management—Principles and guidelines for risk assessment and treatment. While the information security risk assessment is applied to identify risk associated with the loss of confidentiality, integrity and availability of the information assets within the scope of the ISMS, the business continuity risk assessment, which is conducted after the business impact analysis, is concerned with identifying the risk of disruption to the organization’s prioritized activities or critical processes, including the internal and external supporting resources (e.g., people, information systems, outsourced partners). A recommendation is to define the same scope for both management systems so that the risks not covered by the business continuity risk assessment are identified and assessed as part of the information security risk assessment.

Nurudeen Odeshina, CISA, CISM, CRISC, ISO 27001 LI, ITSM, is an information security and assurance consultant and trainer with Digital Jewels Limited. When he is not working on implementing and certifying organizations to best practice standards, he is focused on developing individual capability through the organization’s training and customizing best practices methodologies, standards and frameworks to meet clients’ needs. Prior to joining Digital Jewels, Odeshina worked in the compliance and internal control group and the information systems security and control group of one of the leading new-generation banks in Nigeria. He can be reached at nurudeen@digitaljewels.net.

Feature: Simultaneous Implementation of an Integrated ISMS and a BCMS

Page 2

Of course, it is not enough to assess the risk; an integral part of the risk management process is risk treatment, which is subliminal in ISO 22301:2012. Hence, the rationale behind the other items in section 8 in ISO 22301:2012, such as business continuity strategy, establishing and implementing business continuity procedures, and exercising and testing, which are basically for business continuity risk treatment as it is called. These clauses, similar to the organization’s controls, and the annex A control objectives and controls adopted for information security risk treatment in ISO 27001:2012 are meant to address the requirements for protecting, stabilizing, continuing, resuming, recovering, mitigating, responding to and managing impacts to prioritized activities or processes critical to business continuity.

Figure 1—Comparison of ISO 27001 and ISO 22301

ISO 27001:2013

Section 0.1-3: Introduction et al.

Section 4: Context of the organization
• Understanding the organization and its context
• Understanding the needs and expectations of interested parties
• Determining the scope of the information security management system
• Information security management system

Section 5: Leadership
• Management commitment
• Policy
• Organizational roles, responsibilities and authorities

Section 6: Planning
• Actions to address risk and opportunities
• Information security objectives and planning to achieve them

Section 7: Support
• Resources
• Competence
• Awareness
• Communication
• Documented information

Section 8: Operation
• Operational planning and control
• Information security risk assessment
• Information security risk treatment

Section 9: Performance evaluation
• Monitoring, measurement, analysis and evaluation
• Internal audit
• Management review

Section 10: Improvement
• Nonconformity and corrective action
• Continual improvement

Annex A (normative): Reference control objectives and controls (ISO 27001:2013 only; no counterpart in ISO 22301:2012)

ISO 22301:2012

Section 0.1-3: Introduction et al.

Section 4: Context of the organization
• Understanding the organization and its context
• Understanding the needs and expectations of interested parties
• Determining the scope of the business continuity management system
• Business continuity management system

Section 5: Leadership
• Leadership and commitment
• Management commitment
• Policy
• Organizational roles, responsibilities and authorities

Section 6: Planning
• Actions to address risk and opportunities
• Business continuity objectives and plans to achieve them

Section 7: Support
• Resources
• Competence
• Awareness
• Communication
• Documented information

Section 8: Operation
• Operational planning and control
• Business impact analysis and risk assessment
• Business continuity strategy
• Establish and implement business continuity procedures
• Exercising and testing

Section 9: Performance evaluation
• Monitoring, measurement, analysis and evaluation
• Internal audit
• Management review

Section 10: Improvement
• Nonconformity and corrective action
• Continual improvement

Based on: ISO 27001 and ISO 22301. Compiled by Nurudeen Odeshina.

Page 3

By leveraging these similarities, an organization intending implementation and certification to these standards, or any other MSS, can do so seamlessly and concurrently given the same scope, while managing the other two constraints associated with every project to ensure reduced cost and speedy implementation time. Above all, the aim should not be certification, as it is in most cases, but embedding and continually improving the best practice standards into the organization’s culture. This is the real value provided to the client upon completion of months of diagnostics, design, implementation and certification during such a project.

ENDNOTES

1 International Organization for Standardization, ISO/IEC 27001, Information technology—Security techniques—Information security management systems—Requirements, Switzerland, 2013

2 British Standards Institute, British Standards Limited, BS ISO 22301:2012, Societal security—Business continuity management systems—Requirements, UK, 2012

3 International Organization for Standardization, ISO/IEC Directives, Part 1 Consolidated ISO Supplement—Procedures specific to ISO, 5th Edition, Switzerland, 2014
