Similarities and differences between ISO 27001 and BS 25999-2

At first glance, information security and business continuity don’t have much in common – some would add that the only similarity is that they are both about IT.

Information security management is best defined in the International standard ISO/IEC 27001, while business continuity management is defined in the British standard BS 25999-2 – therefore, if we want to compare these two topics, the wisest thing to do is to take a look at what these two standards have to say.

First of all, IT is an important part of both ISO 27001 and BS 25999-2, but by no means are those two standards about IT only – the emphasis is on business processes & assets, and associated risks. It is true that IT is the main tool to process the data, but the fact remains that the biggest risks are connected to both malicious and unintentional activities of people. Therefore, the risks associated with information security or business continuity cannot be resolved by information technology only – it is much more important to define the organization, processes and responsibilities within the organization.

But what is essentially information security? ISO 27001 defines it as “preservation of confidentiality, integrity and availability of information”. On the other hand, BS 25999-2 defines business continuity as “strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level”.

The two don’t seem very much alike. However, there is one thing which makes them very similar – availability. The focus of both information security and business continuity is to keep information available to those who need it – in that respect, Annex A of ISO 27001 offers some controls dedicated solely to business continuity.

  - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - -  
Advantages of Managed Security Services
- – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - -

Further, both standards require carrying out the risk assessment, in order to identify potential problems related to information; both standards require document management, conducting internal audits, management reviews, and corrective and preventive actions. It means that if you already have documentation for ISO 27001, you can use those same procedures for BS 25999-2 (with only minor adjustments).

What are the differences? The main difference is in the level of detail. ISO 27001 covers a much wider area, and is therefore not very precise when it comes to business continuity; on the other hand, BS 25999-2 describes in detail how to perform business impact analysis, how to define business continuity strategy, or what the contents of business continuity plans shall be etc.

To conclude – the point here is that you can think of business continuity as part of information security. The practical use of it is that when it comes to implementation of business continuity in the context of ISO 27001, it is best to use BS 25999-2 as a guideline.

 

Cross posted from http://blog.iso27001standard.com

Dejan Kosutic

About Dejan Kosutic

Expert in information security management (ISO 27001 standard) and business continuity management (BS 25999-2 standard)

, , ,

No comments yet.

Leave a Reply


*