Friday 24 October 2014

Business continuity and information security – a good fit?

During my interaction with senior management as a business continuity/information security consultant, especially amongst IT centric organisations, I am invariably asked a question: "We come across too many ISO standards which have common themes. In your opinion, which are some of the Standards that come very close especially from an implementation perspective?"

As you can see, this is a loaded question. Senior management are typically fed up with the number of rules, regulations and standards trying to govern their lives, and whilst they want to adhere to all applicable regulations and standards, they also want to optimise the cost of implementing them.

My typical answer is as follows: "If your emphasis is on service management, combine ISO 9001:2008 and ISO 20000:2011; in fact, implement only one of the two and leave the other aside. If your emphasis is on information security and business continuity, combine the implementation of ISO 27001:2013 (ISMS) and ISO 22301:2012 (BCMS)."

From a historical perspective, both ISO 27001 and ISO 22301 emerged from British Standards and share a common past. Leaving that aside, information security, as the pundits drum into us, is all about the confidentiality, integrity and availability of information. Business continuity, on the other hand, is about availability (of information, or of the business itself) in the event of a disruption or disaster. In companies where information is the business, the two standards merge quite well.

All this, however, has to start with the scope of the ISMS/BCMS. What is the context of the organisation that is planning to implement the BCMS/ISMS, and does that context match in both cases? If the context matches, we have a winner, and we can choose to implement both management systems together with a common project plan and team. Typically, the BCMS and ISMS (at least in mature organisations) sit under the 'Risk Department' organisationally. If this is not the case, it would be worthwhile to make organisational changes before commencing implementation of the BCMS/ISMS.

In my address at the BCI World Conference and Exhibition, I will look at this from a practical perspective, explaining how we can implement the BCMS and ISMS together and which features the two standards have in common.

So... happy interactions!

Ramesh Ramani will be discussing 'Business continuity and information security – a good fit?' on day one of the BCI World Conference and Exhibition on Wednesday 5th November. You will find him in seminar room 3 starting at 9.20.
