No standard exists in isolation. ISO 22301 is one node in a broader resilience ecosystem. The ecosystem includes ISO 27031 (ICT readiness for business continuity), ISO 27001 (information security management), ISO 31000 (enterprise risk management), ISO 22361 (crisis management), the BCI Good Practice Guidelines, and NFPA 1600 (emergency management). Understanding the relationships prevents duplication, enables integration, and clarifies which standard addresses which question.
An organisation implementing only ISO 22301 in isolation will face gaps. Which standard specifies how to design ICT backup strategy? ISO 27031. Which standard covers information security during disruption? ISO 27001 Annex A controls 5.29 and 5.30, integrated with ISO 22301 Clause 8. Which standard provides the risk management methodology? ISO 31000. Which framework provides practitioner guidance? The BCI Good Practice Guidelines.
This article maps the resilience ecosystem, explains the relationships, and shows how to build an integrated resilience system rather than a collection of separate programmes.
The Resilience Standards Landscape
The resilience ecosystem comprises multiple standards and frameworks, each addressing a specific aspect of organisational resilience. Some are management system standards (ISO 22301, ISO 27001, ISO 9001). Some are guidelines or best practice frameworks (BCI Good Practice Guidelines, NFPA 1600). Some are methodology standards (ISO 31000 for risk, ISO 22361 for crisis management).
The challenge is integration. An organisation cannot certify to "integrated resilience." But it can build a single resilience programme that is coherent across standards, avoiding duplication while still meeting the specific requirements of each. The foundation for integration is the High Level Structure (HLS): standards that share the HLS architecture can share policy, governance, training, internal audit, and management review.
This section maps each standard and framework, explains its relationship to ISO 22301, and identifies integration opportunities.
| Standard / Framework | Scope | Relationship to ISO 22301 | Integration Opportunity |
|---|---|---|---|
| ISO 22301:2019 | Business continuity management system requirements | Primary standard | Parent framework |
| ISO 27031:2011 | ICT readiness for business continuity (IRBC) | Provides detailed guidance for the ICT continuity component of ISO 22301 Clause 8.5 | ICT continuity plans in the BCMS reference ISO 27031 methodology |
| ISO 27001:2022 | Information security management system requirements | Shares HLS architecture; IS continuity controls in Annex A (5.29, 5.30) align with ISO 22301 | Combined ISMS/BCMS reduces duplication; joint audit scope |
| ISO 31000:2018 | Risk management—Guidelines | Provides risk management methodology applicable to BC risk assessment in ISO 22301 Clause 6.1 | BCM risk assessment methodology aligned with enterprise risk management framework |
| ISO 22361:2022 | Crisis management—Guidelines | Provides guidance for crisis management protocols that ISO 22301 Clause 8.4 requires | Crisis management framework built on ISO 22361 integrated with BCMS activation |
| BCI Good Practice Guidelines (GPG) | Business continuity management best practice | Non-certifiable; provides practitioner guidance that complements ISO 22301 requirements | GPG methodology (especially BIA and exercise design) used to implement ISO 22301 operational requirements |
| NFPA 1600 | Emergency management and business continuity | US-centric; overlaps with ISO 22301 in many areas | Relevant for Indonesian organisations with US parent companies or US clients |
ISO 27031 and ICT Readiness for Business Continuity
ISO 27031 is the detailed methodology for the ICT continuity component of ISO 22301. ISO 22301 Clause 8.5 requires "planning and implementing ICT continuity," but does not specify how. ISO 27031 fills that gap. It provides: the Information and Communications Technology Readiness for Business Continuity (IRBC) programme framework, the ICT RTO/RPO architecture, backup and recovery procedures, business continuity data centre strategies, ICT continuity testing and validation, and the relationship between ICT continuity and the overall BCP.
In most organisations, ICT continuity is the largest single component of the overall BCMS because business-critical activities are now technology-dependent. A banking system, an e-commerce platform, a telecommunications network—all require ICT continuity capability. Without ISO 27031 guidance, organisations developing ICT continuity plans typically lack the technical depth to survive a Stage 2 audit or an actual ICT disruption.
The relationship is clear: ISO 22301 sets the management system requirements. ISO 27031 provides the technical methodology for ICT continuity. An organisation implementing ISO 22301 should reference ISO 27031 in its Clause 8.5 ICT continuity procedures.
| KEY IDEA | ISO 22301 requires ICT continuity (Clause 8.5) but does not specify how to achieve it. ISO 27031 provides the detailed methodology: the IRBC programme, the ICT RTO/RPO framework, backup and recovery testing, and the relationship between ICT continuity and the overall BCP. Organisations implementing ISO 22301 without ISO 27031 guidance typically produce ICT continuity plans that lack the technical depth to survive a Stage 2 audit or an actual ICT disruption. |
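The practical test of an ICT continuity plan is whether its RTO and RPO targets are actually being met: is the newest restore-verified backup younger than the RPO, and did the last recovery exercise restore service within the RTO? The script below is an added example, not code from the page or from ISO 27031, that runs that check over a constructed set of critical systems, backup runs, and recovery-test results. The record layout, the system names, the targets, and the twelve-month exercise recency threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# All record types, names and values below are constructed for this example;
# they are not taken from ISO 27031 or from any real organisation.

@dataclass
class CriticalSystem:
    name: str
    rto: timedelta   # maximum tolerable time from activation to service restored
    rpo: timedelta   # maximum tolerable data loss, i.e. max age of the last good backup

@dataclass
class BackupRun:
    system: str
    completed_at: datetime
    verified: bool   # backup was restore-verified, not merely "job reported success"

@dataclass
class RecoveryTest:
    system: str
    tested_at: datetime
    achieved_restore: timedelta   # wall-clock time the exercise needed to restore service
    passed: bool

def assess_system(system: CriticalSystem, backups: List[BackupRun],
                  tests: List[RecoveryTest], now: datetime,
                  max_test_age: timedelta = timedelta(days=365)) -> List[str]:
    """Return a list of readiness gaps for one system (empty list means no gap found)."""
    findings: List[str] = []

    # RPO check: only restore-verified backups count as evidence of recoverable data.
    verified = [b for b in backups
                if b.system == system.name and b.verified and b.completed_at <= now]
    if not verified:
        findings.append("no verified backup on record")
    else:
        latest = max(verified, key=lambda b: b.completed_at)
        age = now - latest.completed_at
        if age > system.rpo:
            findings.append(f"RPO gap: last verified backup is {age} old, RPO is {system.rpo}")

    # RTO check: the target is only proven by an exercise that actually restored service.
    relevant = [t for t in tests if t.system == system.name and t.tested_at <= now]
    if not relevant:
        findings.append("RTO unproven: no recovery test on record")
    else:
        last = max(relevant, key=lambda t: t.tested_at)
        if now - last.tested_at > max_test_age:   # assumed annual exercise cadence
            findings.append(f"recovery test is stale (last run {last.tested_at.date()})")
        if not last.passed:
            findings.append("last recovery test failed")
        elif last.achieved_restore > system.rto:
            findings.append(f"RTO gap: restore took {last.achieved_restore}, RTO is {system.rto}")
    return findings

def assess_ict_readiness(systems: List[CriticalSystem], backups: List[BackupRun],
                         tests: List[RecoveryTest], now: datetime) -> Dict[str, List[str]]:
    """Map each critical system to its list of readiness gaps."""
    return {s.name: assess_system(s, backups, tests, now) for s in systems}

# Constructed sample data: three hypothetical systems with different targets.
NOW = datetime(2024, 6, 1, 8, 0)
SYSTEMS = [
    CriticalSystem("core-banking", rto=timedelta(hours=4), rpo=timedelta(minutes=15)),
    CriticalSystem("e-commerce", rto=timedelta(hours=8), rpo=timedelta(hours=1)),
    CriticalSystem("billing", rto=timedelta(hours=24), rpo=timedelta(hours=24)),
]
BACKUPS = [
    BackupRun("core-banking", datetime(2024, 6, 1, 7, 50), verified=True),
    BackupRun("e-commerce", datetime(2024, 6, 1, 5, 0), verified=True),
    BackupRun("e-commerce", datetime(2024, 6, 1, 7, 45), verified=False),  # unverified: ignored
    BackupRun("billing", datetime(2024, 5, 31, 12, 0), verified=True),
]
TESTS = [
    RecoveryTest("core-banking", datetime(2024, 3, 10), timedelta(hours=3), passed=True),
    RecoveryTest("e-commerce", datetime(2023, 2, 1), timedelta(hours=6), passed=True),
    RecoveryTest("billing", datetime(2024, 4, 1), timedelta(hours=30), passed=True),
]

if __name__ == "__main__":
    for name, gaps in assess_ict_readiness(SYSTEMS, BACKUPS, TESTS, NOW).items():
        status = "OK" if not gaps else "GAP"
        print(f"{name:14s} {status}  {'; '.join(gaps)}")
```

Two design choices matter here. Unverified backups are deliberately excluded from the RPO evidence, because a backup job that reported success but was never restored proves nothing about recoverability. And the RTO is treated as unproven until an exercise has demonstrated it, which is the same evidence a Stage 2 auditor will ask for.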
ISO 27001 and the ISMS/BCMS Integration
ISO 27001 and ISO 22301 share the High Level Structure, which means they share: scope determination, leadership and policy, planning methodology, resource allocation, competence and awareness frameworks, internal audit structure, management review process, and improvement mechanisms. The management system architecture is identical. Only the operational content differs.
ISO 27001 includes two IS continuity controls in Annex A that directly align with ISO 22301 operational content: Control 5.29 (Information security during disruption) and Control 5.30 (ICT readiness for business continuity). Control 5.29 requires maintaining information security at an appropriate level during disruption—a requirement that ISO 22301 Clause 8.4 BCPs must address. Control 5.30 requires planning, implementing, and testing ICT continuity—the same requirement as ISO 22301 Clause 8.5.
An organisation that holds both ISO 27001 and ISO 22301 can conduct a single combined audit in which the auditor assesses the shared management system infrastructure (Clauses 4–7 and Annex SL elements) once, then assesses the separate operational requirements (ISMS operational controls and BCMS Clause 8 operations) in the context of a single engagement.
| ISO 27001 Control | Control Description | ISO 22301 Clause Alignment |
|---|---|---|
| 5.29 | Information security during disruption | Clause 8.4 (BCPs must address information security during disruption) |
| 5.30 | ICT readiness for business continuity | Clause 8.5 (ICT continuity plans, RTO/RPO, exercise and testing) |
| 5.24 | IS incident management planning | Clause 8.4 (incident escalation from IS incident to business continuity event) |
| 5.26 | Response to information security incidents | Clause 8.4 (crisis management procedures, BCP activation criteria) |
| 5.36 | Compliance with policies, rules, and standards | Clause 9.1 (BCMS compliance monitoring and measurement) |
ISO 31000 and Enterprise Risk Management Integration
ISO 22301 Clause 6.1 requires a risk assessment that identifies potential business continuity risks and evaluates the impact and likelihood of those risks. ISO 31000:2018 provides the enterprise risk management framework and methodology. ISO 31000 is not a management system standard; it is a set of guidelines for implementing risk management in any context.
An organisation with an established enterprise risk management function can align its BCM risk assessment with the ERM methodology, using the same risk taxonomy, the same scoring methodology, and the same risk register. This prevents the BC risk assessment from becoming a parallel, disconnected process. The risk committee sees a single, consistent view of operational risk rather than separate registers managed by different teams.
ISO 22361 and Crisis Management Integration
ISO 22361 provides guidelines for crisis management. ISO 22301 Clause 8.4 requires the organisation to establish crisis management procedures. The relationship is straightforward: use ISO 22361 as the methodology for establishing the crisis management framework required by ISO 22301.
ISO 22361 addresses: crisis communication, command and control structures, decision-making frameworks during crisis, stakeholder management, and recovery from crisis. These map directly into the BCPs and crisis management procedures that ISO 22301 requires.
| IMPORTANT | Organisations with an enterprise risk management function often find that BC risk assessment is being conducted independently of ERM, producing separate risk registers, different risk methodologies, and inconsistent risk ratings for the same threats. ISO 22301 does not require a separate risk methodology—it requires a risk assessment appropriate to the BCMS. Aligning the BC risk assessment with the ERM methodology eliminates duplication and gives the risk committee a single, consistent view of operational risk. |
The BCI Good Practice Guidelines as Implementation Methodology
The BCI Good Practice Guidelines (published by the Business Continuity Institute, a non-profit professional body) provide detailed guidance on implementing business continuity. The guidelines are not certifiable like ISO 22301—an organisation cannot be "certified to BCI GPG." But the guidelines provide practitioner methodology that is widely used to implement the operational requirements of ISO 22301.
In particular, the BCI GPG provides detailed methodology for Business Impact Analysis, recovery strategy development, and exercise design. Many organisations that use ISO 22301 as the management system standard reference BCI GPG as the implementation methodology.
| BITLION INSIGHT | For Indonesian organisations implementing ISO 22301 for the first time, the most practical sequencing is: ISO 27001 first (if not already certified), then ISO 22301 as an extension of the existing management system. The HLS architecture means the ISMS project builds the platform—policy governance, document control, internal audit, management review—that the BCMS then runs on. The incremental cost of ISO 22301 after ISO 27001 is primarily in the BIA, the operational BCPs, and the exercise programme. |