Integration of ISO 22301 with ISO 27001 is not mandatory, but it is efficient. An organisation that runs an Information Security Management System (ISMS) and a Business Continuity Management System (BCMS) as completely separate programmes duplicates governance structure, policy frameworks, document control processes, internal audit programmes, and management reviews. Integration eliminates this duplication without compromising the independence or clarity of either system. An integrated ISMS/BCMS operates as a single management system with specialised components rather than as two separate systems.
The integration opportunity arises because the two standards share common management system infrastructure: context analysis, leadership commitment, risk management methodology, internal audit, management review, document control, and continuous improvement. They differ in their subject matter: ISO 27001 focuses on information security (confidentiality, integrity, availability of information assets), while ISO 22301 focuses on business continuity (continuity of critical activities despite disruption). The overlaps are in the control areas: IS continuity (ISO 27001 controls A.5.29 and A.5.30) directly supports business continuity objectives.
This article describes the integration architecture, the control overlaps, the shared evidence library, the combined internal audit approach, and the efficiency gains that come from integration.
The Integration Architecture — What an Integrated ISMS/BCMS Looks Like
An integrated ISMS/BCMS has a single management system context (context analysis covers both IS and BCM scope), single governance structure (one policy, one leadership role for both systems), shared risk management infrastructure (one risk platform, though with separate IS and BCM risk methodologies), separate specialised components (BIA is BCM-specific; asset inventory is IS-specific), and single evidence library (exercise records are evidence for both the BCM exercise requirement and the IS continuity control).
Integration requires clarity about which elements are shared and which are separate. Context analysis is shared; it covers the organisation’s scope, stakeholders, and objectives from both an IS and a BCM perspective. Risk assessment methodology is separate; IS uses the ISO/IEC 27005 methodology (asset-threat-vulnerability-consequence) while BCM uses ISO 31000 methodology (threat-likelihood-consequence). But both risk assessments feed into a shared risk register platform, so the organisation can see all risks (IS, BCM, operational, strategic) in one view. The BIA is BCM-specific and has no IS equivalent; the IS asset inventory is IS-specific and is not part of the BIA.
Integration at the operational level includes: shared document management system (single system for storing and controlling all ISMS and BCMS documents), shared audit programme (one audit schedule that covers both systems), shared management review (one quarterly or biannual review that covers both systems), and shared improvement register (one system for tracking corrective actions and observations).
| Management System Element | Integration Approach | Separate or Shared |
|---|---|---|
| Context analysis (Clause 4) | Single context document covering both IS and BCM scope and stakeholders | Shared — one analysis informs both systems |
| Policies | Single integrated IS/BCM policy or two policies under one governance framework | Usually shared framework; separate policy documents for clarity |
| Risk assessment | Separate methodologies (IS risk on assets; BCM risk on critical activities) but shared risk register platform | Separate process; shared tool |
| BIA | BCMS-specific; IS risk assessment does not replace BIA | Separate — BIA has no equivalent in ISO 27001 |
| Documented information | Single document management system; shared version control and document control procedure | Shared system; separate document sets |
| Competence and awareness | Combined BCM/IS awareness programme; role-specific training maintained separately | Shared awareness; separate role training |
| Internal audit | Combined audit programme; auditors trained in both standards; combined audit schedule | Shared programme; separate checklists per standard |
| Management review | Single management review agenda covering both ISMS and BCMS performance | Shared review; separate KPI sections |
| Corrective action | Single corrective action register; root cause and actions tagged by standard | Shared register |
ISO 27001 Controls That Directly Support ISO 22301
ISO 27001 Control A.5.29 (Information Security for Continuity of Operation) requires the organisation to maintain information security during an interruption and recover to the required level following an interruption. Control A.5.30 (ICT Readiness for Business Continuity) requires the organisation to ensure that ICT facilities and services can support business continuity objectives based on RTO and RPO. These controls are directly connected to the BCMS: they presuppose that business continuity objectives (RTO and RPO) have been determined through the BCMS (specifically, the BIA), and they implement the IS component of the BC strategy.
An organisation that has ISO 27001 certification with controls A.5.29 and A.5.30 implemented has addressed the IS dimension of business continuity but not the full BCMS requirement. The organisation has ensured that information security is maintained during a disruption and that ICT can support the recovery timelines. But the organisation may not have: (a) a complete BIA identifying all critical activities and their resource dependencies; (b) a BC strategy addressing people, premises, suppliers, and vital records (not just technology); (c) BCPs for critical activities; (d) an exercise programme testing the plans; (e) crisis communication procedures; (f) management commitment and governance for BCM (as opposed to IS). ISO 22301 adds all of these.
The integration point is that the IS continuity controls (A.5.29 and A.5.30) are subsumed into the BCMS framework. The RTO and RPO that are determined by the BIA become the specification for IS continuity; the ICT continuity plan (from the BCMS strategy phase) is the implementation of controls A.5.29 and A.5.30. An integrated approach avoids duplication: there is one RTO/RPO determination (from the BIA), not separate IS RTOs and BCMS RTOs; there is one ICT continuity plan, not separate IS continuity procedures and BCMS technology strategy.
| KEY IDEA | IS continuity (ISO 27001 controls A.5.29 and A.5.30) is not a substitute for ISO 22301 compliance — it is a component of it. Control A.5.29 requires information security to be maintained during disruption; control A.5.30 requires ICT readiness for business continuity based on business continuity objectives. Both presuppose that business continuity objectives have been determined through a BCMS process. An organisation with ISO 27001 certification that has implemented A.5.29 and A.5.30 has addressed the IS dimension of business continuity but not the full BCMS requirement. ISO 22301 adds the BIA, the BC strategy, the full BCP suite, and the exercise programme. |
The Shared Evidence Library — Avoiding Duplication of Evidence Across Certifications
An integrated ISMS/BCMS shares evidence where possible, avoiding the requirement to produce duplicate documentation for the same capability. For example: the exercise programme satisfies both the BCMS exercise requirement (Clause 8.5) and the IS continuity control requirement (A.5.29). Exercise records (scenarios, participants, results, findings) are evidence for both requirements. The management review agenda covers both ISMS and BCMS performance, producing a single management review record that evidences both governance requirements. The improvement register tracks corrective actions for both systems, tagged by which standard requires the action.
Shared evidence does not mean the two systems are identical; it means that evidence is produced once and labelled as satisfying requirements from both standards. An exercise on ransomware response is evidence for: (a) BCMS Clause 8.5 (exercise and testing); (b) IS Control A.5.29 (information security during disruption); and (c) IS Control A.5.30 (ICT readiness for BC). The exercise is produced once; the certification audit evidence file references the exercise record with multiple requirement tags.
The shared evidence library is typically a database or structured document library where evidence is indexed by standard requirement. When an auditor asks for evidence of compliance with BCMS Clause 8.5, the system returns: exercise records (with dates and results), improvement action log tracking findings to closure, and management review evidence that exercise findings were reviewed. When an auditor asks for evidence of A.5.29/A.5.30 compliance, the same exercise records are retrieved.
Combined Internal Audit Programme — How to Design and Run Combined ISMS/BCMS Audits
A combined internal audit programme schedules audits against both standards using a single audit calendar. Auditors are trained in both standards and use a combined audit checklist that covers relevant clauses from both standards in a single audit activity. The combined approach is significantly more efficient than separate IS and BCMS internal audit programmes; the combined programme requires 30–40% fewer audit days because the same audit activities provide evidence for both standards.
Combined audits typically follow a functional or risk-based audit plan: instead of auditing “ISMS Clause 5” and “BCMS Clause 5” as separate audits, the audit plan might have a single audit on “Leadership and governance” that assesses both standards’ leadership and governance requirements in one audit activity. Another audit might be on “Risk management”, covering both IS risk assessment and BCM risk assessment. Another might be on “Operational resilience”, covering IS continuity controls, BCM contingency planning, and exercise programmes.
Combined audits require auditors who are trained and certified (or experienced) in both standards. An auditor trained only in ISO 27001 cannot conduct a combined audit because they lack the BCM knowledge to assess BIA adequacy or exercise programme effectiveness. Many certification bodies offer combined audit training; organisations with internal audit functions should invest in training internal auditors in both standards if they intend to operate an integrated system.
| Audit Area | ISO 27001 Clause | ISO 22301 Clause |
|---|---|---|
| Context and scope | 4.1, 4.2, 4.3 | 4.1, 4.2, 4.3 |
| Leadership and policy | 5.1, 5.2, 5.3 | 5.1, 5.2, 5.3 |
| Risk assessment | 6.1.2, 6.1.3 | 6.1, 6.2 |
| Resources and competence | 7.1, 7.2, 7.3 | 7.1, 7.2, 7.3 |
| Communication and documented information | 7.4, 7.5 | 7.4, 7.5 |
| Operational controls | 8.1, 8.2, 8.3 | 8.1, 8.2 |
| IS continuity | A.5.29, A.5.30 | 8.3, 8.4, 8.5 |
| Performance evaluation | 9.1, 9.2, 9.3 | 9.1, 9.2, 9.3 |
| Improvement | 10.1, 10.2 | 10.1, 10.2 |
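The shared evidence library and the combined audit plan above can be modelled in a few dozen lines. The following is an added example, not code from the article or from any certification body or tool: each evidence record is produced once and tagged with the (standard, clause) pairs it satisfies, a query by single requirement returns the same exercise record whether the auditor asks for BCMS Clause 8.5 or for A.5.29/A.5.30, and a query by combined audit area assembles the evidence pack for both standards and lists the clauses that have no evidence at all. The clause mapping is taken from the audit-area table; the evidence references, titles and dates are constructed sample values.

```python
"""Shared ISMS/BCMS evidence library with a combined-audit coverage check.

Added illustrative example. Evidence items are tagged with the requirements
they satisfy from both standards, so one record serves both certifications;
audit packs are assembled per combined audit area and gaps are reported.
"""
from dataclasses import dataclass

# Combined audit plan: functional audit area -> clauses covered in each
# standard (subset of the article's table; extend with the remaining rows).
AUDIT_AREAS = {
    "Context and scope": {"ISO27001": ["4.1", "4.2", "4.3"],
                          "ISO22301": ["4.1", "4.2", "4.3"]},
    "Risk assessment": {"ISO27001": ["6.1.2", "6.1.3"],
                        "ISO22301": ["6.1", "6.2"]},
    "IS continuity": {"ISO27001": ["A.5.29", "A.5.30"],
                      "ISO22301": ["8.3", "8.4", "8.5"]},
    "Performance evaluation": {"ISO27001": ["9.1", "9.2", "9.3"],
                               "ISO22301": ["9.1", "9.2", "9.3"]},
}


@dataclass(frozen=True)
class Evidence:
    ref: str            # evidence reference used in the audit file
    title: str
    date: str           # ISO date of the record
    tags: frozenset     # set of (standard, clause) pairs the record satisfies


# Constructed sample records (hypothetical references and dates).
LIBRARY = [
    Evidence("EX-2024-03", "Ransomware response exercise", "2024-03-14",
             frozenset({("ISO22301", "8.5"),
                        ("ISO27001", "A.5.29"), ("ISO27001", "A.5.30")})),
    Evidence("MR-2024-Q1", "Q1 integrated management review", "2024-04-02",
             frozenset({("ISO22301", "9.3"), ("ISO27001", "9.3")})),
    Evidence("CTX-2024", "Integrated context and scope statement", "2024-01-10",
             frozenset({(s, c) for s in ("ISO27001", "ISO22301")
                        for c in ("4.1", "4.2", "4.3")})),
    Evidence("RA-IS-2024", "IS risk assessment (ISO/IEC 27005 method)",
             "2024-02-20",
             frozenset({("ISO27001", "6.1.2"), ("ISO27001", "6.1.3")})),
]


def evidence_for(standard, clause, library=LIBRARY):
    """Evidence refs tagged with one requirement, e.g. ('ISO22301', '8.5')."""
    return sorted(e.ref for e in library if (standard, clause) in e.tags)


def audit_pack(area, library=LIBRARY):
    """Assemble the evidence pack for a combined audit area.

    Returns (coverage, gaps): coverage maps each (standard, clause) in the
    area to its evidence refs; gaps lists the clauses with no evidence, which
    is what an internal auditor should raise before the certification visit.
    """
    coverage, gaps = {}, []
    for standard, clauses in AUDIT_AREAS[area].items():
        for clause in clauses:
            refs = evidence_for(standard, clause, library)
            coverage[(standard, clause)] = refs
            if not refs:
                gaps.append((standard, clause))
    return coverage, gaps


def shared_records(library=LIBRARY):
    """Count records whose tags span both standards: produced once, not twice."""
    return sum(1 for e in library
               if {s for s, _ in e.tags} == {"ISO27001", "ISO22301"})


if __name__ == "__main__":
    # Same record answers both the BCMS 8.5 and the A.5.29 question.
    print("BCMS 8.5 ->", evidence_for("ISO22301", "8.5"))
    print("A.5.29   ->", evidence_for("ISO27001", "A.5.29"))
    for area in AUDIT_AREAS:
        _, gaps = audit_pack(area)
        print(f"{area}: {len(gaps)} clause(s) without evidence {gaps}")
    print("records serving both standards:", shared_records())
```

In the sample data the exercise record covers A.5.29, A.5.30 and BCMS 8.5 at once, while the "IS continuity" pack reports BCMS 8.3 and 8.4 (BC strategy and plans) as gaps: exactly the situation described earlier, where ISO 27001 continuity controls are in place but the BCMS-specific components are not yet evidenced.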
The Business Case for Integration — Cost Savings, Auditor Coordination, Staff Efficiency
The efficiency gains from integration are quantifiable. If implementing ISO 27001 alone requires 100 units of effort (gap assessment, policy, risk assessment, control implementation, documentation, internal audit, management review), implementing ISO 22301 as a standalone system would require approximately 100 units (BIA, strategy, BCPs, exercises, internal audit, management review). Implementing both as separate systems would require approximately 200 units of effort. Implementing them as an integrated system typically requires 140–150 units of effort: the management system infrastructure is shared (30–40% reduction), but the specialised components (BIA, IS risk assessment, BCPs) are maintained separately.
Combined certification audits (both standards certified by the same certification body on the same Stage 1 and Stage 2 audits) produce additional cost savings: one audit team, one audit schedule, one audit report covering both standards. Combined certification audit costs are typically 25–35% lower than conducting separate IS and BCMS certifications. Most major certification bodies (LRQA, TÜV SÜD, Dekra, and others) offer combined ISO 27001 + ISO 22301 certification audits.
Staff efficiency gains come from reduced training (one combined awareness programme instead of two separate awareness programmes), reduced management time (one management review instead of two), and reduced operational overhead (one document management system, one risk register, one improvement tracking system). Over a three-year cycle, the cumulative staff time savings from an integrated system are substantial.
| IMPORTANT | Combined certification audits (ISO 27001 + ISO 22301 by the same CB on the same visit) are available from most major certification bodies and produce significant cost and time savings. For the combined audit to be effective, the management system must actually be integrated — a combined audit of two separate systems simply runs two audits back to back. Indonesian organisations considering both certifications should plan for integration from the beginning of the implementation programme, not as an afterthought after separate certifications are achieved. |
| BITLION INSIGHT | The efficiency ratio we consistently observe in integrated ISMS/BCMS implementations in Indonesia is approximately 60:40 — if implementing ISO 27001 alone takes 100 units of effort, adding ISO 22301 to the same programme costs approximately 60 additional units, not 100. The management system infrastructure is shared; the incremental cost is the BIA, BC strategy, BCP development, and exercise programme. Organisations that have already invested in ISO 27001 are closer to ISO 22301 readiness than they typically realise. |