Last Updated on January 13, 2024
One of the interesting elements of ISO 27001:2013 is its “clarifications” regarding ISO 27001’s requirements for a Business Continuity Management System. (I’ve illustrated the major changes in the table below.)
With ISO 27001:2005 there was definitely some ambiguity regarding Business Continuity, most notably with respect to these two interrelated questions:
- Do we need a full-blown Business Continuity Management System (BCMS) to become ISO 27001 certified?
- Does an ISO 27001 certificate provide assurance that the organization has a reasonable Business Continuity Management System in place?
The confusion was only exacerbated when ISO released its own certifiable Business Continuity Management System standard, ISO 22301.
While our guidance has been that your obligation under ISO 27001:2005 was only to ensure that Information Security Continuity was included in your BCMS, there was enough latitude in the standard’s language that most clients felt more comfortable addressing BCMS to a more complete level. Another complication was that there was that different ISO 27001 Certification Auditors also interpreted the standard differently. One auditor in particular emphasized BCMS during his audits, while most other auditors only addressed it in a very limited manner.
ISO 27001:2013 greatly reduces that ambiguity—the shift from “Business Continuity Management” to “Information Security Aspects of Business Continuity “ says it all. I think this clarification will have three significant impacts:
- It will slightly reduce the time required to prepare for ISO 27001 certification, as the only elements of the BCMS that need to be assessed/corrected are those specific to the continuity of the ISMS. So ISO 27001:2013 reduces the “just-in-case” broader BCMS assessment that was common previously.
- It will reduce the perceived level of BCMS assurance that an ISO 27001 certificate provides, because the clarification makes it clear that ISO 27001 does not provide BCMS assurance.
- It will drive higher levels of ISO 22301 adoption where availability is a critical requirement (e.g., SaaS. HaaS, transaction processing)
In the last three weeks (following the release of ISO 27001:2013) we have seen traffic on the ISO 22301 related pages of our website increase approximately 20%—which tells me this issue is of concern to many businesses.
Here’s a table summarizing the key changes:
Information | ISO-27001: 2005 | ISO-27001:2013 |
Clause Description | A14. Business Continuity ManagementObjective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. | A17. Information Security Aspects of Business ContinuityObjective: Information security continuity shall be embedded in the organization’s business continuity management systems. |
Clause Specifics | A.14.1.1 – Including information security in the business continuity management processA.14.1.2 – Business continuity and risk assessmentA.14.1.3 – Developing and implementing continuity plans including information securityA.14.1.4 – Business continuity planning framework A.14.1.5 -Testing, maintaining and reassessing business continuity plans |
A.17.1.1 – Planning information security continuityA.17.1.2 – Implementing information security continuityA.17.1.2 – Verify, review, and evaluate information security continuity |