ISO 27000: ISO 27031 and Business Continuity Numbering

The assignment of numbers within the ISO 27000 series has been the subject of ongoing debate for some time. The confusion with respect to future intentions is no better exemplified than with respect to business continuity.

ISO 27031 has long been understood to be earmarked for at least one aspect of business continuity. Clarity was been a long time in coming, but it does now appear that this number will be assigned to a standard pertaining to ICT Readiness for Business Continuity, based perhaps upon SS507. Or does it? Confirmation can still not be found on the ISO website.

If ISO27031 is to be assigned to ICT, then what about other aspects of business continuity? If ICT readiness fits under the ISO 27000 billing, what about planning or service continuity?

Other Business Continuity Standards
BS25999 is currently setting about filling the void for business continuity planning (BCP). This is interesting because its structure is the same as ISO standards tend to be: a code of practice and a specification. BS25999-1 is the code of practice. BS25999-2 is the specification.

Does that sound familiar? It should do. Think ISO 27001 and ISO 27002. Think the two parts of ISO 20000. The list is rather long.

So if 25999 is to evolve to be an ISO standard, where does that fit in the 27000 numbering system?

It doesn't end here. What about PAS77? This BSI document relates to IT service continuity, which is part of the ISO 20000 scene. It is aligned with that standard. Unofficial word has it that this is to become a BS standard (this site: BS25777.Info - is a bit of a giveaway). So where is this to fit if it evolves into the ISO system? It is hard to imagine that ISO will not embrace such a standard given the success of ISO 20000.


We have heard a number of rumours with respect to business continuity numbering, but repeating them probably wouldn't serve a positive purpose at this time. A little more clarity from ISO might, however.