ISO 22301 as part of information security audit

Answer: When you implement ISO 27001, it is not mandatory to implement ISO 22301 as well - consequently, during the ISO 27001 internal audit or certification audit it is not necessary to audit BCMS according to ISO 22301. However, if you implemented only ISO 27001, the auditor will have to review the business continuity implementation according to ISO 27001 controls in Annex A.17 (these controls have much smaller requirements than ISO 22301).

If you have decided to implement both ISO 27001 and ISO 22301 (which I think is a very good thing to do), then internal audit/certification audit can be performed at the same time for both of these systems - this is called "integrated audit".

These materials will also help you:
- article How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementa tion-of-business-continuity-in-iso-27001/
- webinar ISO 27001 & ISO 22301: Why is it better to implement them together? https://advisera.com/27001academy/es/webinar/iso-27001-iso-22301-why-is-it-better-to-implement-them-together-free-webinar-on-demand/
- book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/