{"id":4673,"date":"2013-05-21T21:41:01","date_gmt":"2013-05-21T21:41:01","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/013\/05\/21\/iso-22301-vs-iso-22313\/"},"modified":"2025-07-09T09:30:18","modified_gmt":"2025-07-09T09:30:18","slug":"iso-22301-vs-iso-22313","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2013\/05\/21\/iso-22301-vs-iso-22313\/","title":{"rendered":"ISO 22301 vs. ISO 22313"},"content":{"rendered":"<p>I was quite skeptical when I started to read ISO 22313, the guidance standard on business continuity management, but I was proved to be wrong. It can be quite useful as a supplement to <a href=\"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-22301\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 22301<\/a> \u2013 here&#8217;s what I found:<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Similarities and differences<\/h2>\n<p>If you are familiar with <a href=\"\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a> and ISO 27002 (see <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/iso-27001-vs-iso-27002\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001 vs. ISO 27002<\/a>), a very similar relationship exists between ISO 22301 (published in May 2012) and ISO 22313 (published in December 2012): ISO 22301 is the main standard, which defines the framework for business continuity management, whereas ISO 22313 is an auxiliary standard that helps with the ISO 22301 implementation.<\/p>\n<p>The main difference is that ISO 22301 specifies requirements \u2013 in other words, you need to comply fully with everything that is written in this standard if you want to get your company certified. 
This is why this standard uses words like &#8220;shall&#8221; and &#8220;must.&#8221; Learn more here: <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/17-steps-for-implementing-iso-22301\/\" target=\"_blank\" rel=\"noopener noreferrer\">17 steps for implementing ISO 22301<\/a>.<\/p>\n<p>As opposed to that, ISO 22313 gives only the guidance, or best practices, on how the requirements from ISO 22301 could be implemented; however, implementation doesn&#8217;t have to be done exactly that way. You&#8217;ll notice that terminology here is different \u2013 &#8220;should&#8221; and &#8220;may&#8221; are used. Consequently, a company can be certified only against ISO 22301, not against ISO 22313.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Where is ISO 22313 particularly useful?<\/h2>\n<p>My impression is that ISO 22313 is most helpful in these sections, because this is where ISO 22301 is not very detailed:<\/p>\n<ul>\n<li>Description of strategy options for resources (clauses 8.3.1 and 8.3.2): suggested strategic options for protecting prioritized activities, suggested strategies for resources\/activities, suggestion on what can be excluded from the BCMS scope based on cost of mitigation, options to mitigate the impact and duration of an incident, techniques for evaluating business continuity capabilities of suppliers, types of resources an organization should establish, resources strategies for people, what to take into account for procedures of relocation of staff, explanation on <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo\/\" target=\"_blank\" rel=\"noopener\">when RPO is used<\/a>, suggested backup types, strategies for worksites, 
facilities and supplies strategies, strategies for ICT systems, strategies for transportation, suggestion of finance needed during an incident, etc.<\/li>\n<li>Content of <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-22301-premium-documentation-toolkit\/?rel=business-continuity&amp;doc=business-continuity-plan\" target=\"_blank\" rel=\"noopener\">business continuity procedures\/plans<\/a> (clause 8.4): what to include in incident communication procedures, what to include in business continuity procedures, content of business continuity plans, location for incident management team, content of the communication procedure, elements of safety and welfare procedures, list of resources that may be required for the welfare of employees, content of salvage and security procedures, content of procedures for resuming activities, content of ICT continuity procedures, etc.<\/li>\n<\/ul>\n<p>Here are also a few clauses where ISO 22313 gives useful guidance for implementation:<\/p>\n<ul>\n<li>4.2.1 \u2013 Figure 4 \u2013 examples of interested parties<\/li>\n<li>4.2.2 \u2013 list of legislation that should be taken into account<\/li>\n<li>5.3 \u2013 list of items to write in <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-22301-premium-documentation-toolkit\/?rel=business-continuity&amp;doc=business-continuity-policy\" target=\"_blank\" rel=\"noopener\">Business continuity policy<\/a><\/li>\n<li>5.4 \u2013 explanation of BCMS roles and responsibilities<\/li>\n<li>6.2 \u2013 examples of goals for the BCMS<\/li>\n<li>7.1 \u2013 BCMS resources that are required<\/li>\n<li>7.2 and 7.3 &#8211; competence development program, types of trainings, types of teams, what to include in awareness programs, etc.<\/li>\n<li>7.5.1 \u2013 list of all documentation required by the standard<\/li>\n<li>8.1.4 \u2013 examples of metrics that may be used for measuring the effectiveness of BCMS<\/li>\n<li>8.2.2 \u2013 elements of assessing the impact in 
BIA<\/li>\n<li>8.2.2 \u2013 explanation of RTO and what it is used for<\/li>\n<li>8.2.3 \u2013 typical elements to be included in risk assessment<\/li>\n<li>8.4.5 \u2013 content of assessment procedure for determining the impact and tasks needed<\/li>\n<li>8.5.2 \u2013 content of exercise program<\/li>\n<li>8.5.3 \u2013 suggested objectives for the business continuity exercises<\/li>\n<li>9.1.2 \u2013 checklist of what evaluation of business continuity procedures should verify<\/li>\n<li>9.1.2 \u2013 content of post-incident review<\/li>\n<\/ul>\n<p>In any case, unless you are an experienced BCM consultant and\/or implementer, I would recommend getting both of these standards. They may be expensive, but return on investment will be quite quick.<\/p>\n<p><em>To implement ISO 22301 easily and efficiently, use our<\/em>\u00a0<a href=\"https:\/\/staging.advisera.com\/27001academy\/iso22301-documentation-toolkit\/\" target=\"_blank\" rel=\"noopener\">ISO 22301 Documentation Toolkit<\/a>\u00a0<em>that provides step-by-step guidance and all documents for full ISO 22301 compliance.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I was quite skeptical when I started to read ISO 22313, the guidance standard on business continuity management, but I was proved to be wrong. 
It can be quite useful as a supplement to ISO 22301 \u2013 here&#8217;s what I found: Similarities and differences If you are familiar with ISO 27001 and ISO 27002 (see &#8230;<\/p>\n","protected":false},"author":26,"featured_media":83164,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[380,496,601],"class_list":["post-4673","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-22301","tag-bcms","tag-iso-22313"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4673","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4673"}],"version-history":[{"count":3,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4673\/revisions"}],"predecessor-version":[{"id":104300,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4673\/revisions\/104300"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/83164"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4673"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4673"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4673"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","t
emplated":true}]}}