I have a question: why is the BIA not a mandatory document for ISO 27001, and why is the RA mandatory for ISO 22301? Can you please help me with this?
Answer:
The requirements of each standard are established by international technical committees, so we cannot know the real reasons why each requirement is included in a standard. Although the BIA is not mandatory in ISO 27001, it is a best practice (the BIA is referenced as a best practice in paragraph 17.1.1 "Planning information security continuity" of ISO 27002:2013). From my point of view, the BIA is a specific task related to business continuity, whereas ISO 27001 is focused on general requirements for information security, with global requirements across various areas such as human resources, compliance, IT operations, cryptography, suppliers, business continuity, etc.
On the other hand, risk management is a process that can be applied to any area and to any management system, because it can be used to identify risks and reduce them; it is even included in the new version of ISO 9001:2015, and in ISO 22301 it is necessary to know the risks related to business continuity.
Finally, if you are interested, you can see here which documents are mandatory in ISO 27001: List of mandatory documents required by ISO 27001 (2013 revision): https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
And in ISO 22301: Mandatory documents required by ISO 22301: https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
Jan 12, 2016