Answer: The order of implementation will depend on your needs. If your priority is information protection, then you should go first for an ISMS. On the other hand, if your priority is to ensure processes and services delivery under disruptive conditions, then you should go first for a BCMS. It is important to note that if you use as basis for these systems the standards ISO 27001 (for information security) and ISO 22301 (for business continuity), you can implement parts of these systems simultaneously, because they have many requirements in common.
2. What are the step-by-step guidelines if I need to implement both?
Answer: In a general manner, you have these steps:
- Obtain management support
- Develop a project plan
- Define scope (related to each standard)
- Define top level policies (related to each standard)
- Define basic management system procedures (common to both standards)
- Develop specific policies and procedures (related to each standard)
- Implement policies and procedures and train personnel
- Perform internal audit
- Perform management review
- Proceed with corrective actions