
ISO 27001 and ISO 22301: When You Need Both

27kay · 5 min read

ISO 27001 already covers some business continuity - but not all of it

If you have an ISO 27001 certified ISMS, you are already doing some business continuity work. Annex A controls A.5.29 (information security during disruption) and A.5.30 (ICT readiness for business continuity) require you to plan for how information security is maintained when things go wrong.

But ISO 27001’s business continuity controls are scoped specifically to information security. They address questions like “how do we protect data during an outage?” and “can our IT systems recover within acceptable timeframes?” They do not cover the broader question of how your entire organization continues to operate when a major disruption hits - that is where ISO 22301 comes in.

Understanding the boundary between the two standards helps you decide whether your ISO 27001 controls are enough or whether a full business continuity management system makes sense for your organization.

What ISO 22301 adds beyond ISO 27001

ISO 22301 is the international standard for Business Continuity Management Systems (BCMS). Where ISO 27001 focuses on protecting information assets, ISO 22301 focuses on ensuring your organization can continue delivering its critical products and services during and after a disruption.

The key additions include:

Business Impact Analysis (BIA). ISO 22301 requires a formal BIA that identifies your critical activities, the resources they depend on, and the maximum acceptable downtime for each. ISO 27001 does not require a BIA - you assess information security risks, but not necessarily the broader operational impact of losing a business function.

Business continuity plans for all critical functions. Not just IT recovery, but plans for how the organization operates when key people are unavailable, when offices are inaccessible, when supply chains break, or when communication systems fail.

Exercising and testing. ISO 22301 requires regular exercises - tabletop scenarios, simulation drills, or full-scale tests - to validate that your plans actually work. ISO 27001 requires testing of ICT continuity plans (A.5.30), but ISO 22301 goes much further in scope and rigor.

Crisis communication. Structured plans for communicating with employees, customers, regulators, media, and other stakeholders during a crisis. This is barely touched by ISO 27001.

Where the two standards overlap

Both standards share the same high-level management system structure (the Annex SL framework), which makes integration straightforward. The overlapping areas include:

Area                  | ISO 27001                               | ISO 22301
----------------------|-----------------------------------------|----------------------------------------
Risk assessment       | Clause 6.1 - information security risks | Clause 6.1 - business continuity risks
Leadership commitment | Clause 5                                | Clause 5
Documented information| Clause 7.5                              | Clause 7.5
Internal audit        | Clause 9.2                              | Clause 9.2
Management review     | Clause 9.3                              | Clause 9.3
Continual improvement | Clause 10                               | Clause 10
Incident management   | Annex A.5.24-A.5.28                     | Clause 8.4
ICT continuity        | Annex A.5.29-A.5.30                     | Clause 8 (broader scope)

The shared structure means that if you already have an ISO 27001 ISMS, roughly 60-70% of the management system requirements for ISO 22301 are already in place. Your policy framework, document control, internal audit process, management reviews, and continual improvement cycle all carry over.

Do you actually need ISO 22301?

Not every organization does. Here is how to think about it:

ISO 27001’s BC controls are probably enough if:

  • Your primary concern is IT and data availability
  • Your organization can operate from anywhere (fully remote, cloud-native)
  • Your clients have not specifically asked for ISO 22301 certification
  • Regulatory requirements only mention information security, not broader operational resilience

You should consider ISO 22301 if:

  • You provide critical services where downtime has serious consequences for customers or the public
  • Regulations require business continuity management (financial services, healthcare, critical infrastructure sectors under NIS2)
  • Your organization depends on physical locations, manufacturing, or supply chains that could be disrupted
  • Clients or partners explicitly require ISO 22301 certification
  • You have experienced a disruption and realized your ISO 27001 continuity plans were not broad enough

Practical approach to integration

If you decide to pursue both, here is how to do it efficiently:

Build on what you have

Do not create a separate management system. Extend your existing ISMS to cover business continuity. Use the same policy framework, the same document control system, the same audit and review cycle. Add the ISO 22301-specific elements on top.

Expand your risk assessment

Your existing risk assessment process already covers information security risks. Add a Business Impact Analysis alongside it. The BIA identifies which business activities are critical and how long you can afford to lose them. This drives the scope of your business continuity plans.
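To show what a BIA produces in practice, here is an added example (not code from the original article or from 27kay). It takes a constructed list of critical activities, each with its maximum tolerable period of disruption (MTPD) and the resources it depends on, derives the recovery time objective each resource must meet, and flags resources whose current recovery capability is too slow. The activity names, hours and resource names are constructed sample data; note that two of the three gaps it finds (staff and office) are non-IT dependencies that ICT continuity planning alone would not surface.

```python
from dataclasses import dataclass

@dataclass
class Activity:
    name: str
    mtpd_hours: float        # maximum tolerable period of disruption, from the BIA
    depends_on: list[str]    # resources (people, locations, systems) the activity needs

@dataclass
class Resource:
    name: str
    current_rto_hours: float # recovery time the organisation can deliver today

def required_rto(activities: list[Activity]) -> dict[str, float]:
    """A resource must recover within the tightest MTPD of any activity using it."""
    req: dict[str, float] = {}
    for act in activities:
        for res in act.depends_on:
            req[res] = min(req.get(res, float("inf")), act.mtpd_hours)
    return req

def continuity_gaps(activities: list[Activity],
                    resources: list[Resource]) -> list[tuple[str, float, float]]:
    """Return (resource, required RTO, current RTO) where recovery is too slow,
    most time-critical first. These gaps set the scope of the BC plans."""
    req = required_rto(activities)
    gaps = [(r.name, req[r.name], r.current_rto_hours)
            for r in resources
            if r.name in req and r.current_rto_hours > req[r.name]]
    return sorted(gaps, key=lambda g: g[1])

# Constructed sample BIA for a small payments firm (hypothetical values).
ACTIVITIES = [
    Activity("Customer payments", 4, ["core banking db", "payment gateway", "ops staff"]),
    Activity("Customer support", 24, ["ticketing", "ops staff", "office"]),
    Activity("Monthly reporting", 120, ["core banking db", "finance staff"]),
]
RESOURCES = [
    Resource("core banking db", 8),   # IT: restore from backup takes 8h
    Resource("payment gateway", 2),   # IT: hot standby
    Resource("ops staff", 48),        # people: no cross-training, 2 days to cover
    Resource("ticketing", 24),
    Resource("office", 72),           # location: no alternate site arranged
    Resource("finance staff", 72),
]

if __name__ == "__main__":
    for name, need, have in continuity_gaps(ACTIVITIES, RESOURCES):
        print(f"{name}: needs recovery within {need}h, currently {have}h")
```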

Write business continuity plans that go beyond IT

For each critical activity identified in the BIA, develop a plan that covers:

  • How to continue the activity with reduced capacity
  • Who has authority to activate the plan and make decisions
  • Alternative resources (people, locations, suppliers, systems)
  • Recovery steps and target timelines
  • Communication protocols for internal and external stakeholders

Test regularly

Tabletop exercises are the most practical starting point. Gather the relevant people, present a disruption scenario, and walk through your response. These take 2-3 hours and reveal gaps that are invisible on paper. Graduate to more complex simulations as your program matures.

Run a combined audit

When both systems share the same framework, your internal audit can cover both ISO 27001 and ISO 22301 in a single cycle. Many certification bodies also offer combined audits, which reduces cost and disruption compared to separate assessments.

How 27kay can help

We help organizations decide whether they need ISO 22301 alongside their ISO 27001 certification, and if so, how to integrate both without duplicating work. Whether you are extending an existing ISMS or building both from scratch, we focus on practical implementation that works for your organization’s size and complexity.

Not sure if your current business continuity controls are enough? Let’s talk - we can assess your situation and give you a straight answer.