Friday, November 23, 2007

The ISO 22399 / PAS 22399 Dilemma

The business continuity story just gets stranger and stranger. We have covered this previously with respect to ISO 27031. However, as events unfold the situation becomes ever more tangled.

To recap, there are a host of developments with respect to business continuity and standardization:

1) We have pondered where BSI's useful-looking business continuity management standard BS 25999-1 fits into the equation. Even within their own standard set, BSI also have a related publication, PAS 77, and are developing a standard, BS 25777, from it. The second part of BS 25999 was in fact published this week, and since it is a specification, third-party certification schemes will soon be in place.

2) Even within ISO, the water is as clear as mud. A new standard, ISO 22399 (specifically ISO/PAS 22399), has just been published. This is a "Guideline for incident preparedness and operational continuity management".

Great: so where does ISO 22399 fit with respect to ISO 27031? And what about chapter 14 of ISO 27002? Or ISO 27001? Let alone all those developments over at BSI, who seem far more advanced in the area.

One might ask what exactly is going on here. How do all these developments relate? Do ISO actually have any idea themselves?

If they do in fact have a road map or overview of all these overlapping standards, it would be nice if they shared it with the public. Our guess is that no such document exists, which is rather bad news for standardization in this area.


Saturday, August 18, 2007

ISO 2703n: Latest Developments

A little more has emerged on the emerging ISO 27031-40 subset of the ISO27k standards. The following reflects the current position as we understand it.

ISO/IEC 27031
Information technology - Security techniques - ICT readiness for business continuity

ISO/IEC 27032
Information technology - Security techniques - Guidelines for Cybersecurity (Suggested)

ISO/IEC 27033
As referenced in previous articles, this is the revision of ISO 18028. It comprises seven distinct parts:

ISO 27033-1
Information technology - Security techniques - Network security - Guidelines for network security

ISO 27033-2
Information technology - Security techniques - Network security - Guidelines for the design and implementation of network security

ISO 27033-3
IT network security - Reference networking scenarios - Risks, design, technologies and control issues

ISO 27033-4
IT network security - Securing communications between networks using network security gateways - Risks, design techniques and control issues

ISO 27033-5
IT network security - Secure remote access - Risks, design techniques and control issues

ISO 27033-6
IT network security - Securing communications across networks using Virtual Private Networks

ISO 27033-7
IT network security - Guidelines for the design and implementation of network security


ISO/IEC 27034
Information technology - Security techniques - Guidelines for application security


These are at various stages of the publication process, with at least one still at the proposal stage.


Monday, July 2, 2007

ISO 27000: ISO 27031 and Business Continuity Numbering

The assignment of numbers within the ISO 27000 series has been the subject of ongoing debate for some time. Nowhere is the confusion about future intentions better exemplified than in business continuity.

ISO 27031 has long been understood to be earmarked for at least one aspect of business continuity. Clarity has been a long time in coming, but it does now appear that this number will be assigned to a standard pertaining to ICT Readiness for Business Continuity, based perhaps upon SS507. Or does it? Confirmation can still not be found on the ISO website.

If ISO 27031 is to be assigned to ICT readiness, then what about other aspects of business continuity? If ICT readiness fits under the ISO 27000 billing, what about planning or service continuity?

Other Business Continuity Standards
BS 25999 is currently setting about filling the void for business continuity planning (BCP). This is interesting because it is structured the way ISO standards tend to be: a code of practice and a specification. BS 25999-1 is the code of practice. BS 25999-2 is the specification.

Does that sound familiar? It should do. Think ISO 27001 and ISO 27002. Think the two parts of ISO 20000. The list is rather long.

So if BS 25999 is to evolve into an ISO standard, where does it fit in the 27000 numbering system?

It doesn't end here. What about PAS 77? This BSI document relates to IT service continuity, which is part of the ISO 20000 scene, and it is aligned with that standard. Unofficial word has it that this is to become a BS standard (this site, BS25777.Info, is a bit of a giveaway). So where is this to fit if it evolves into the ISO system? It is hard to imagine that ISO will not embrace such a standard given the success of ISO 20000.


We have heard a number of rumours with respect to business continuity numbering, but repeating them probably wouldn't serve a positive purpose at this time. A little more clarity from ISO might, however.


Saturday, June 30, 2007

ISO 27000: Where Are We?

The ISO 27000 series of information security standards is a moving feast. This is a 'live page' which will be kept current with the latest situation as we understand it.

ISO 27000
Not yet published. It will define vocabulary and definitions for the rest of the series.

ISO 27001
Published. This is the specification for an ISMS.

ISO 27002
Awaiting publication. This will be the rename of ISO 17799.

ISO 27003
Not yet published. This will be an implementation guide.

ISO 27004
Not yet published. This will cover measurement and metrics for information security management.

ISO 27005
Not yet published. This will cover information security risk management, and is likely to be based upon BS7799-3.

ISO 27006
Published. This is a formal guide to the certification and registration process.

ISO 27007
Not yet published. This will cover the audit process for an ISMS.

ISO 27031
Not yet published. This standard will cover ICT business continuity planning.

ISO 27032
Not yet published. This is currently a proposed standard for internet security.

ISO 27799
Awaiting publication. This will be the first industry specific version of ISO 27002. It is focused upon the health sector.
