» Similarities and Differences Between ISO 27001 and BS 25999-2

Similarities and Differences Between ISO 27001 and BS 25999-2
By Dejan Kosutic

At first glance, information security and business continuity don't have much in common - some would add that the only similarity is that they are both about IT.
Information security management is best defined in the International standard ISO/IEC 27001, while business continuity management is defined in the British standard BS 25999-2 - therefore, if we want to compare these two topics, the wisest thing to do is to take a look at what these two standards have to say.
First of all, IT is an important part of both ISO 27001 and BS 25999-2, but by no means are those two standards about IT only - the emphasis is on business processes & assets, and associated risks. It is true that IT is the main tool to process the data, but the fact remains that the biggest risks are connected to both malicious and unintentional activities of people. Therefore, the risks associated with information security or business continuity cannot be resolved by informaton technology only - it is much more important to define the organization, processes and responsibilities within the organization.

But what is essentially information security? ISO 27001 defines it as "preservation of confidentiality, integrity and availability of information". On the other hand, BS 25999-2 defines business continuity as "strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level".

The two don't seem very much alike. However, there is one thing which makes them very similar - availability. The focus of both information security and business continuity is to keep information available to those who need it - in that respect, Annex A of ISO 27001 offers some controls dedicated solely to business continuity.
Further, both standards require carrying out the risk assessment, in order to identify potential problems related to information; both standards require document management, conducting internal audits, management reviews, and corrective and preventive actions. It means that if you already have documentation for ISO 27001, you can use those same procedures for BS 25999-2 (with only minor adjustments).

What are the differences? The main difference is in the level of detail. ISO 27001 covers a much wider area, and is therefore not very precise when it comes to BC; on the other hand, BS 25999-2 describes in detail how to perform business impact analysis, how to define business continuity strategy, or what the contents of BC plans shall be etc.

To conclude - the point here is that you can think of business continuity as part of information security. The practical use of it is that when it comes to implementation of business continuity in the context of ISO 27001, it is best to use BS 25999-2 as a guideline

Publications archive:

1. How to Deal With Insider Threats - by Dejan Kosutic
2. The Five greatest Mytths about ISO 27001 - by Deian Kosutic.
3. Planning Business Continuity - bu Nick Orchiston
4. Five security secrets your IT administrators don't want you to know
5. ISO 9001 Consulting - How to Benefit From Using an ISO 9001 Consultant - by Arthur Lewis

6. Disaster Recovery or Business Continuity? - by Paul E. Moor

7. ISO 20000: Choosing the Right Implementation Process - by Isabelle Perron


CONTACTS