Risk assessment

1. The risk assessment methodology document is the same for 22301 and 27001? There is no direct reference to ISO 22301 in the sample document, only ISO27001. Is it appropriate in case I'm not only implementing 27001? Let’s suppose I implement ISO 22301 or possibly ISO 22301 + 27001 simultaneously.

ISO 22301 does not prescribe a risk methodology approach to be used, so you can use the Risk Assessment and Risk Treatment Methodology document defined for ISO 27001 for complying with ISO 22301 requirements.

For further information, see:

• How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/
• How can ISO 27001 and ISO 22301 help with critical infrastructure protection? https://advisera.com/27001academy/blog/2017/09/25/how-can-iso-27001-and-iso-22301-help-with-critical-infrastructure-protection/

2. Do I understand correctly that risk assessment should cover all business processes / activities involved in the business continuity management system?

Your understanding is correct. The risk assessment must be applied to all elements defined in the BCMS scope.

These articles will provide you a further explanation about risk assessment in business continuity:

• Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/