ISO 27001/ISO 22301 documents, presentation decks and implementation guidelines


Have a question on ISO 27001 or ISO 22301?

Ask an Expert

Free eBook

Free eBook 9 Steps to Cybersecurity
Becoming Resilient: The Definitive Guide to ISO 22301 Implementation
Sign up for our free Newsletter and as bonus you'll receive my tips on how to launch an information security and business continuity project.



ISO 22301: An overview of BCM implementation process


September 10, 2014


Can ISO 27001 risk assessment be used for ISO 22301?

'By 'Dejan Kosutic on March 11, 2013

A few days ago I received the following question from one of our clients: “What is the difference between ISMS Risk Assessment and BCM Risk Assessment?” And, although the answer to this question might seem easy, in actuality it is not.

Here’s the rest of his question: “… Because on your blog I found that if I’ve done ISMS it should be fine for BCM. On the other hand, ISO 22301 recommends to use ISO 31000 standard.”

Why ISO 27001 risk management framework is a good solution

It is true that ISO 22301 refers to ISO 31000 regarding risk assessment, but ISO 31000 is written very generally since it covers all kinds of risks (not only business continuity, but information security, financial, market, credit, and other risks).

On the other hand, risk assessment framework is described much better in ISO 27001, and even more precisely in ISO 27005; the focus of information security risk assessment is on preserving confidentiality, integrity and availability. And availability is the key link between information security and business continuity – when performing ISMS risk assessment, all the business continuity risks will be taken into account.

And the good thing is, risk assessment as it is described in ISO 27001 and ISO 27005 is perfectly aligned with ISO 31000.

Possible differences in approach

But this is where it might get complicated – my client had another question because he wanted everything to be cleared out: “I think that another difference between those two Risk Assessment approaches is – with ISMS we deal with assets (both primary and supportive); however, with BCM we deal with critical activities and processes.”

And he was basically right – business continuity risk assessment does not have to be so detailed; it can be made high-level for activities and processes. But, although this approach is fine from the point of view of the standard itself, in my view the problem is in the implementation – how would you mitigate the risks if you don’t know exactly where the problems are?

This is where I think ISO 27001 risk assessment framework is better – it forces you to pinpoint where the weaknesses are, which assets should be protected better, etc. If you kept the risk assessment on the process level you probably wouldn’t get all this valuable information.

Risk mitigation compatibility

It is worth mentioning here – ISO 27001 risk treatment options are completely aligned with risk mitigation requirements in ISO 22301 and ISO 31000. Basically, business continuity mitigation comes down to 4 options described in ISO 27001: (1) applying appropriate controls, (2) accepting risks, (3) avoiding risks, and (4) transferring risks. There are no options listed in ISO 22301, while in ISO 31000 they are named a bit differently and organized a bit differently, but they are essentially the same:  changing the likelihood and the consequence, retaining the risk, avoiding the risk, and sharing the risk.

Further, ISO 22301 requires you to “plan actions to address these risks and opportunities,” while ISO 27001 asks for developing the Risk Treatment Plan – again, very similar requirement­ with a slightly different name.

And to finish with this: there is another good thing about ISO 27001 – in Annex A it gives you a catalogue of possible safeguards to choose from; this is something that neither ISO 22301 nor ISO 31000 has.

Hope I managed to persuade him. What do you think?


Click here to see a Risk Assessment and Treatment Methodology template.

  • Parin

    Hi, the answer to this is very precise. Just one more point – ISO 31000 has one more treatment option which says increase the level of risk exposure in expectation of more business returns. I dont have copy of the standard in hand right now, so cant tell exact words, but the meaning remains the same.

  • Dejan Kosutic

    Parin, you are right – ISO 31000 has a risk treatment option called “taking or increasing the risk in order to pursue an opportunity” – thanks!

  • Tom Mellor

    I think that using the BCP impact analysis to determine RTO for critical processes and then allowing the assets which support those processes to inherit the RTO provides a useful time component to include in the Availability part of an ISO27001 (or 27005) impact analysis. That should mean more informed architectural decisions on resilience (clustering, failover etc).

  • Dejan Kosutic

    Good point – thanks, Tom!

  • Armando Becerra

    I agree, however I found some differences because ISMS is based on ISO27005 (wich is based on 31000) and BCM is based directly on 31000, as we can se here (is in spanish, but the important thing is the diagram), 22301 is a circle completly inside Risk management, and 27005 is just partially inside. What I mean is that for small or medium companies there is no difference between ISMS and BCM, however for large analysis and big companies we can use ISMS and then complete the assesment with BCM.

  • Dejan Kosutic

    Armando, thank you for your comment! By the way, I’m the author of the diagram you’re referring to :) so I agree there are some differences with BCM. But the question is, which kind of risks should be included in BCM and not in ISMS?

  • Rajkuamr


    thanks for sharing nice document very good to see those document are very well structured and ease to understand with lot of tips embared in the document.

    Thanks once again for sharing such a document once i go through i will give my feed back .

    like to hear more information about and realy time changellenges in following ISMS best practicse across the globe.