The implementation of and certification to global best practice standards can be quite challenging for most organizations given the resources (e.g., manpower, time, finances) required. Consequently, implementing two standards concurrently may be an ordeal.
Undoubtedly, a prerequisite to any successful implementation is a detailed, comprehensive understanding of the standards and experience implementing them, which, in this case, are the ISO 27001:2013¹ standard for information security management systems (ISMSs) and ISO 22301:2012 for business continuity management systems (BCMSs). Armed with this, the focus should be on understanding the similarities between these standards, given that their intent is to provide the requirements for establishing, implementing, maintaining and continually improving either an ISMS or a BCMS. These similarities have been brought to light by the recent revision of ISO 27001:2013 and the publication of ISO 22301:2012 (superseding BS 25999—Part 2).² Both new standards are shaped by the new ISO requirement that all new and/or revised management system standards (MSS) must conform to the high-level structure, identical core text, common terms and core definitions defined in Annex SL 9 of the ISO/IEC Directives, Part 1.³
This new structure is reflected in the table of contents of both standards. An extract is shown in figure 1 and is a good starting point for integrating the two management systems within a single implementation effort, thereby addressing both issues.
One of the ways to address this is to incorporate the similar requirements from both standards in the same policy and/or procedure set. This saves time and increases productivity and operational efficiency by greatly reducing duplicated effort, given the immense documentation requirements typical of most management system standards. As such, a single set of policies, procedures, processes and activities can be used to address the similar clauses of both standards, so that the context of the organization, leadership, planning, support, performance evaluation and improvement can each be handled within a single implementation approach for both standards. Given that the scope of the information security management system is selected around the organization’s most critical information, integration of the ISMS with the BCMS is greatly enhanced if the physical location of the ISMS scope is the same as that of the BCMS. As such, the scope of the BCMS should be focused on the organization’s key products and services operating within the physical scope of the ISMS. In this scenario, the scope of the ISMS and the BCMS can be documented in a single document. The same approach applies to the information under the section Context of the Organization; Understanding the Needs and Expectations of the Interested Parties.
Nonetheless, some divergence exists, which is noticeable in section 8 and in the presence of annex A’s (normative) reference control objectives and controls in only the ISO 27001:2013 standard. These areas, among other areas of less conspicuous difference, need to be treated distinctly. Nevertheless, the risk assessment aspect of section 8 can be harmonized. The harmonization results from both standards’ reference to ISO 31000:2009 Risk management—Principles and guidelines for risk assessment and treatment. While the information security risk assessment identifies risk associated with the loss of confidentiality, integrity and availability of the information assets within the scope of the ISMS, the business continuity risk assessment, which is conducted after the business impact analysis, is concerned with identifying the risk of disruption to the organization’s prioritized activities or critical processes, including the internal and external supporting resources (e.g., people, information systems, outsourced partners). A recommendation is to define the same scope for both management systems so that the risks not covered by the business continuity risk assessment are identified and assessed as part of the information security risk assessment. Of course, it is not enough to assess the risk; an integral part of the risk management process is risk treatment, which is implicit in ISO 22301:2012. This is the rationale behind the other items in section 8 of ISO 22301:2012, such as business continuity strategy, establishing and implementing business continuity procedures, and exercising and testing, which are essentially the business continuity equivalent of risk treatment.
These clauses, like the organization’s own controls and the annex A control objectives and controls adopted for information security risk treatment in ISO 27001:2013, are meant to address the requirements for protecting, stabilizing, continuing, resuming, recovering, mitigating, responding to and managing impacts on prioritized activities or processes critical to business continuity.
By leveraging these similarities, an organization intending implementation of and certification to these standards, or any other MSS, can do so seamlessly and concurrently under the same scope, while managing the other two constraints associated with every project to ensure reduced cost and a shorter implementation time. Above all, the aim should not be certification, as it is in most cases, but embedding the best practice standards into the organization’s culture and continually improving them. This is the real value provided to the client upon completion of months of diagnostics, design, implementation and certification during such a project.
Endnotes
1 International Organization for Standardization, ISO/IEC 27001, Information technology—Security techniques—Information security management systems—Requirements, Switzerland, 2013
2 British Standards Institute, British Standards Limited, BS ISO 22301:2012, Societal security—Business continuity management systems—Requirements, UK, 2012
3 International Organization for Standardization, ISO/IEC Directives, Part 1 Consolidated ISO Supplement—Procedures specific to ISO, 5th Edition, Switzerland, 2014
Nurudeen Odeshina, CISA, CISM, CRISC, ISO 27001 LI, ITSM, is an information security and assurance consultant and trainer with Digital Jewels Limited. When he is not working on implementing and certifying organizations to best practice standards, he is focused on developing individual capability through the organization’s training and customizing best practices methodologies, standards and frameworks to meet clients’ needs. Prior to joining Digital Jewels, Odeshina worked in the compliance and internal control group and the information systems security and control group of one of the leading new-generation banks in Nigeria. He can be reached at nurudeen@digitaljewels.net.