Integrating ISO 22301 and ISO 27001 Audits

Integrated auditing is available to organisations implementing both ISO 27001 and ISO 22301, but it is not automatic. A certification body (CB) can conduct the ISO 22301 and ISO 27001 audits sequentially in the same site visit, or can conduct them as separate engagements with separate teams on separate dates. The organisations that derive maximum value from integrated auditing deliberately design the audit programme to align the two standards, employ dual-qualified auditors, and structure the audit report to reflect the integrated assessment. Done well, integrated auditing is more efficient than sequential audits and provides better coverage of shared requirements.

This article addresses the design of integrated internal audit programmes and the design of combined certification audits with a single CB. The cost and timeline benefits of integrated auditing are substantial, but they require deliberate planning. An organisation that allows the ISO 27001 and ISO 22301 audits to proceed as separate engagements with different auditors may spend more time and money without any improvement in the quality of the audits.

The Case for Integrated Auditing

ISO 27001 and ISO 22301 share common management system clauses: Clause 4 (context), Clause 5 (leadership), Clause 7 (support), Clause 9 (performance evaluation), and Clause 10 (improvement). These clauses govern the ISMS and the BCMS respectively as management systems, and they apply the same logic in each: context analysis, policy, planning, support (resources, competence, awareness, communication, document management), operational controls, performance measurement, and improvement. If these clauses are audited twice, by two separate auditors against the two standards, the organisation performs redundant audit work and duplicate testing of the same processes.

Integrated auditing eliminates this redundancy. Shared clauses are audited once by a single auditor, and findings are attributed to both standards simultaneously. Only the standard-specific operational content — ISO 27001 Annex A controls and ISO 22301 Clause 8 BCPs and exercises — is audited separately. This integration typically reduces the combined audit duration by 25–35% compared to two sequential audits, and it provides better coverage because the auditor sees the full management system context rather than ISO 27001 in isolation and ISO 22301 in isolation.

Integrated auditing also enables surveillance cycle alignment. If ISO 27001 and ISO 22301 are certified by the same CB with Stage 2 audits conducted in the same month, the annual surveillance audits can be combined in each subsequent year, further reducing the total audit cost and the disruption to the organisation. Over a 3-year certification cycle, integrated auditing with the same CB produces 40–50% savings in total audit costs compared to separate certifications with different CBs.

Designing the Combined Internal Audit Programme

An integrated internal audit programme begins with a combined audit checklist that covers both standards. Rather than one checklist for ISO 27001 and one for ISO 22301, a single checklist groups requirements by clause, allows the auditor to assess both standards against the shared clauses, and separates out the standard-specific operational content. This structure reduces the length of the checklist and ensures that shared processes (e.g. document management, competence assessment) are audited once rather than twice.

The auditor of a combined internal audit programme must hold competence in both standards. This auditor is often an internal employee with IS security knowledge who has obtained BCM training, or a BCM specialist who has obtained ISMS training. Not all organisations have dual-competent internal auditors available; in this case, the organisation may engage an external auditor to conduct the combined audit, or may accept that internal audits will remain separate and focus on ensuring that the certification audits are combined.

Table 1 illustrates how audit areas map to shared and standard-specific clauses. For example, Clause 4 (context) is shared; a single audit session assesses context adequacy against both standards simultaneously. Clause 8 is split: Clauses 8.1 and 8.2 (operational planning and control general requirements) are shared, while Clauses 8.3–8.5 (ICT continuity, BCP, exercises) are ISO 22301-specific. This split structure allows the auditor to assess operational control adequacy once, then separately assess the specific implementations of ICT continuity controls and BCPs.

Table 1: Mapping of audit areas to ISO 27001 and ISO 22301 clauses

| Audit Area | ISO 27001 Clauses | ISO 22301 Clauses | Combined Efficiency |
|---|---|---|---|
| Context and scope | 4.1-4.3 | 4.1-4.3 | Single interview covers both; one context document assessed |
| Leadership | 5.1-5.3 | 5.1-5.3 | Single leadership interview; one policy set reviewed |
| Planning | 6.1-6.2 | 6.1-6.2 | IS risk assessment and BIA assessed separately but in the same audit session |
| Support | 7.1-7.5 | 7.1-7.5 | Single document management review; combined competence assessment |
| Operations | 8.1-8.3 | 8.1-8.2 | IS controls and BCP operations assessed in sequence; same operational teams |
| IS/BCM continuity overlap | A.5.29, A.5.30 | 8.3-8.5 | ICT continuity assessed once; findings inform both ISMS and BCMS |
| Performance evaluation | 9.1-9.3 | 9.1-9.3 | Single management review assessed; combined KPI dashboard reviewed |
| Improvement | 10.1-10.2 | 10.1-10.2 | Single corrective action register reviewed; improvement culture assessed once |

Running the Combined Certification Audit

A genuine combined certification audit requires explicit design with the CB. When procuring audit services for both ISO 27001 and ISO 22301, the organisation should request that the CB provide a single combined audit proposal, not two separate proposals that happen to be conducted by the same CB. The CB should nominate a single lead auditor (who holds competence in both standards) and clearly identify which audit activities are combined and which are standard-specific.

The combined Stage 2 audit typically spans 12–16 man-days (depending on BCMS scope and complexity) compared to approximately 18–22 man-days for two sequential audits. The reduction comes from shared clauses being audited once. The opening meeting is joint, covering both standards and the combined audit scope. The closing meeting is also joint, with findings attributed to the relevant standard(s). During the audit, the lead auditor spends time on the shared clauses (context, leadership, support, performance evaluation, improvement) that apply to both standards, then allocates additional time to ISO 27001-specific Annex A controls and ISO 22301-specific BCPs and exercises.

To maximise the efficiency benefit, the organisation should ensure that the audit logistics support the combined approach: process owners and operational teams should be available for interviews that cover both ISMS and BCMS topics; the auditor should have access to consolidated documentation (risk assessment and BIA, if they exist in separate documents, should be reviewed together); and the organisation should schedule separate time for ISO 27001-specific control testing and ISO 22301-specific BCP and exercise evidence review.

The Combined Audit Report

A well-structured combined audit report presents findings clearly attributed to the relevant standard(s). Shared clause findings (e.g. management review not held) are documented once and attributed to both standards. Standard-specific findings are documented for the relevant standard only. For example, a finding that a specific Annex A control is not implemented is attributed to ISO 27001; a finding that a BCP lacks activation criteria is attributed to ISO 22301.

In cases where a finding affects both standards differently, the report should document the finding clearly. For example, if the BIA and IS risk assessment are not linked, this may be a finding for both standards (Clauses 6.1 and 6.2 of each): the organisation’s risk identification approach does not address how ISMS risks affect BCMS decisions and vice versa. A single corrective action may close this finding if the organisation integrates the BIA and IS risk assessment; if separate corrective actions are needed (e.g. because the two assessments address different scopes), the report should reflect this.

Table 2: Attribution and closure of combined audit findings

| Finding Type | Attribution | Closure Requirement |
|---|---|---|
| Shared clause finding (e.g. management review not conducted) | Both ISO 27001 and ISO 22301 | Single corrective action closes finding for both standards |
| ISO 27001-specific finding (e.g. Annex A control not implemented) | ISO 27001 only | Corrective action closes ISO 27001 finding; ISO 22301 not affected |
| ISO 22301-specific finding (e.g. BCP activation criteria missing) | ISO 22301 only | Corrective action closes ISO 22301 finding; ISO 27001 not affected |
| Finding in shared area with different impact per standard (e.g. BIA affecting IS risk assessment and BCMS) | Both | Single root cause; separate corrective actions if remediation differs per standard |

Managing the Dual Surveillance Calendar

Surveillance cycle alignment is a procurement decision that should be made before Stage 2. If ISO 27001 is certified in Month 5 of Year 0 and ISO 22301 is certified in Month 10 of Year 0, the two standards will have different surveillance audit dates. Surveillance 1 for ISO 27001 will be due in Month 5 of Year 1, while Surveillance 1 for ISO 22301 will be due in Month 10 of Year 1. The organisation will conduct two separate surveillance audits 5 months apart.

If, instead, both standards are certified within the same month by the same CB, the surveillance audits can be scheduled together: Surveillance 1 in Month X of Year 1 (covering both standards), Surveillance 2 in Month X of Year 2, and Recertification in Month X of Year 3. This alignment reduces the organisation’s annual audit disruption and approximately halves the surveillance audit cost (one combined audit instead of two separate audits).

To achieve surveillance cycle alignment, the organisation should schedule both Stage 2 audits in the same month. If ISO 27001 Stage 2 is planned for Month 8, schedule ISO 22301 Stage 2 for Month 8 or Month 9 (close enough that the CB will align subsequent surveillance audits). The CB should confirm in the contract that surveillance audits will be combined and scheduled for the same month in each subsequent year.

IMPORTANT: Surveillance cycle alignment is a procurement decision that should be made before initial certification. If ISO 27001 and ISO 22301 are certified in the same year with the same CB, surveillance audits can be combined, halving the annual surveillance cost. If they are certified in different years or with different CBs, combined surveillance may not be possible. Organisations implementing both standards should specifically request cycle alignment with their CB at the time of Stage 2 scheduling.

BITLION INSIGHT: The financial case for integrated auditing in Indonesia is straightforward: combined Stage 2 audits typically save 25–35% compared to two separate audits; combined annual surveillance saves 40–50%. Over a 3-year certification cycle, the savings from integrated auditing typically offset 20–30% of the implementation cost of the second standard. For Indonesian financial institutions pursuing both ISO 27001 and ISO 22301, integrated auditing is the standard recommendation in our implementation programmes.