The five standards worth knowing about
ISO Spaghetti: Why the Standards Landscape Is Confusing (and What to Do About It)
I have lost count of the number of tender documents I have reviewed that specify ISO 22301 and ISO 27001 and ISO 31000, sometimes with ISO 22361 thrown in for good measure. Occasionally all four appear in the same sentence, as though stacking standards is a proxy for being well-prepared. It is not. And the confusion runs deeper than procurement.
The resilience, risk and security standards landscape has grown considerably over the past decade, and it is genuinely hard to navigate if nobody has ever explained what each standard actually does — and, more importantly, what it does not do. The result is what I’ve come to call ISO spaghetti — multiple standards, overlapping in places, distinct in others, referenced in ways that suggest they are interchangeable when they are not.
They are not interchangeable.
The five that appear most often in this space are ISO 22301 (Business Continuity), ISO 27001 (Information Security), ISO 22361 (Crisis Management), ISO 31000 (Risk Management) and ISO 22316 (Organisational Resilience). Between them, they cover a significant amount of ground. The problem is that most organisations — and many procurement teams — treat them as broadly equivalent options rather than distinct frameworks with different purposes.
The Certification Question
Of the five standards covered here, only two are certifiable — ISO 22301 and ISO 27001. The other three are guidance documents, which means no audit, no certificate, and no renewal.
This matters more than it might seem. If you have seen a tender asking for “ISO 31000 certification,” the specification has not been written by someone who understands the standard. ISO 31000 cannot be certified to. Neither can ISO 22361 or ISO 22316. They exist to inform and improve practice, not to provide third-party assurance.
ISO 22301 and ISO 27001 — the certifiable pair
ISO 22301 and ISO 27001 are management system standards. Both require independent auditing by an accredited certification body, ongoing surveillance, and renewal. They mean something, and they are not equivalent to each other.
The 2022 revision of ISO 27001 updated its approach to business continuity — what was previously Annex A.17 is now control 5.30. It still addresses the continuity of information security. It does not address the broader operational continuity that ISO 22301 requires. If your clients need to know you can keep operating during a serious incident, ISO 27001 alone does not give them that assurance.
ISO 22301, meanwhile, requires a Business Impact Analysis, the development of continuity strategies and plans, and — critically — testing those plans through exercises. An audit will assess whether the plans are realistic, not simply whether they exist.
ISO 22361, ISO 31000 and ISO 22316 — the guidance trio
ISO 22361 addresses something neither of the certifiable standards covers well: crisis management at the leadership level. What happens when the incident is not in the plan? When the media are involved, when the board needs to make decisions without full information, when stakeholder trust is at stake? That is crisis management territory, and it is distinct from business continuity planning in ways that matter when you actually need it.
ISO 31000 is the risk management framework that underpins everything else. It is worth reading, worth applying, and worth referencing — but it is not a certification and should not be treated as one.
ISO 22316, the least well-known of the five, addresses organisational resilience at the most conceptual level. It is most useful for organisations that have already implemented ISO 22301 and ISO 27001 and want a more integrated way of thinking about resilience as a strategic capability.
So which do you actually need?
The honest answer is that it depends on your sector, your risk profile, your client requirements, and your stage of maturity. Contractual or regulatory obligations come first — if ISO 27001 is specified in your contracts, that is your starting point. If you have operational continuity obligations, ISO 22301 belongs alongside it. If a serious incident could put you in front of cameras or a regulator, crisis management capability matters as much as continuity planning, and ISO 22361 is the reference framework for building it.
The organisations that manage disruption well are rarely those with the most certificates. They are the ones that have thought carefully about which frameworks are genuinely relevant to their context, implemented them with substance rather than for optics, and tested them before they needed them.
To help make sense of where each standard sits — what it covers, what it cannot do, and how it overlaps with the others — I have put together a practical reference guide. It includes a comparison table across all five standards and a set of questions to help work out which ones are actually relevant to your organisation.
[Download: ISO Spaghetti — A Practical Guide to the Standards That Govern Risk, Resilience and Security]
If you are trying to work out where to start, or whether what you already have is fit for purpose, get in touch.