ISO 22301 is the international, certifiable standard for business continuity management – the discipline of knowing which of your activities genuinely cannot stop, how quickly each must recover, and having tested arrangements to make that happen. Cyber incidents have made it newly urgent: ransomware is now the most common trigger of a continuity event, and customers, insurers, and regulators have all noticed. Certification is the strongest available answer to the question every enterprise procurement team now asks – "what happens to our service when something happens to you?"
What ISO 22301 actually isLink to this section
ISO 22301 defines the requirements for a business continuity management system (BCMS). Like ISO 27001 and ISO 9001 it follows the Annex SL structure (Clauses 4–10), so it slots into an existing integrated management system, and certification runs through the familiar two-stage audit with annual surveillance. What makes it distinctive is Clause 8, where the real continuity work lives: impact analysis, strategy, plans, and – crucially – exercising. An auditor will not certify a paper plan; they want evidence the capability has been tested.
The BIA: where good and bad BCMSs divergeLink to this section
Everything in business continuity descends from the business impact analysis (Clause 8.2). The BIA identifies your prioritised activities, how impact grows over time when each stops, and sets the numbers everything else must honour: RTO (recovery time objective – how quickly an activity must resume) and RPO (recovery point objective – how much data loss is tolerable). It also surfaces the dependency map – the people, systems, suppliers, and single points of failure your recovery actually hinges on. A BIA done by survey-blast produces fiction; one done in structured workshops with process owners produces the document every subsequent decision cites. We do the latter.
Plans are necessary; exercises are the pointLink to this section
Clause 8.4 requires documented plans – activation criteria, response teams, communications, and recovery procedures. Clause 8.5 is where the standard earns its keep: a standing exercise programme that validates those plans against realistic scenarios, on a schedule, with documented outcomes and consequent improvements. Our strong view, from running these: the first tabletop exercise is worth more than the second hundred pages of plan. It reveals the out-of-date contact tree, the unowned decision, and the recovery step that assumes a system that was migrated last year – while those discoveries are still free.
The regulatory tailwindLink to this section
If you're in Australian financial services, this is no longer optional: APRA CPS 230 requires regulated entities to maintain and test credible continuity arrangements with defined tolerance levels for critical operations – and its reach extends contractually to their material service providers, which is how many technology companies first encounter it. ISO 22301 is the cleanest framework for meeting those expectations and evidencing them. Similar operational-resilience regimes are live in the UK and EU (DORA), so multinational customers increasingly arrive with the same questions.
How ISO 22301 relates to other frameworksLink to this section
Continuity and security are converging. ISO 27001 Annex A expects ICT readiness for business continuity, and a mature BCMS satisfies those controls wholesale; ISO 27017 and your cloud architecture determine what failover is actually possible; and the Recover function of the NIST CSF maps directly onto Clause 8. Cyber response and continuity response should be one rehearsed capability, not two binders – we build them that way.
How we helpLink to this section
Business continuity is one-third analysis, one-third documentation, and one-third people knowing what to do. Most providers stop at two-thirds; the people part is our home ground:
- BIA and risk assessment. Facilitated workshops producing defensible RTOs and RPOs, a dependency map, and a disruption risk assessment auditors accept without argument.
- Strategies and plans that fit. Continuity strategies matched to your impact tolerances and budget, and response plans written to be executed under stress.
- Exercises, run properly. Graduated tabletop and simulation exercises we design and facilitate – including combined cyber-and-continuity scenarios – with findings turned into tracked improvements.
- Trained, aware people. Response-team training and organisation-wide continuity awareness through our platform, with tamper-evident completion records satisfying Clause 7 evidence requirements out of the box.
- Certification support. Internal audit, management review, and Stage 1/Stage 2 preparation through to a certificate – and a BCMS that stays alive between surveillance audits.
The table below walks through the clauses of ISO 22301 and how we help with each.
ISO 22301 requirements (Clauses 4–10)
Establish
| Clause | Requirement | How we help |
|---|---|---|
| Cl. 4 | Context of the organisation – issues, interested parties, legal and regulatory requirements, and BCMS scope | We define a scope around your genuinely critical products and services, and capture the regulatory and contractual continuity obligations (think APRA CPS 230, customer SLAs) the system must satisfy. |
| Cl. 5 | Leadership – commitment, business continuity policy, and roles | We draft the continuity policy and secure the visible management commitment auditors test for – including leadership's role in exercises, not just sign-off. |
| Cl. 6 | Planning – risks and opportunities, and business continuity objectives | We set measurable continuity objectives (recovery times met in exercises, coverage of critical suppliers) so the BCMS has a definition of success beyond "certified". |
| Cl. 7 | Support – resources, competence, awareness, and documented information | Continuity fails when people don't know their role. We train response teams and build organisation-wide awareness, with completions recorded in our tamper-evident training ledger as clause 7 evidence. |
Operate
| Clause | Requirement | How we help |
|---|---|---|
| Cl. 8.2 | Business impact analysis and risk assessment | We run the BIA with your process owners – prioritised activities, RTOs, RPOs, and dependencies on people, systems, and suppliers – paired with a disruption-focused risk assessment. This is the analytical heart of the standard, and we make it defensible. |
| Cl. 8.3 | Business continuity strategies and solutions | We identify and cost strategy options – workarounds, alternate sites and suppliers, cloud failover, cross-training – and match them to your RTOs so solutions fit the impact, not the vendor's brochure. |
| Cl. 8.4 | Business continuity plans and procedures | We write response structures and plans people can execute at 2am under pressure – activation criteria, roles, communication trees, and recovery procedures – not binders that read well and perform badly. |
| Cl. 8.5 | Exercise programme | We design and facilitate a graduated exercise programme – walkthroughs, tabletops, simulations through to full failover tests – with documented outcomes and improvement actions after every exercise. |
| Cl. 8.6 | Evaluation of business continuity documentation and capabilities | We build the review cycle that keeps the BIA, plans, and contact trees current as your organisation changes – the discipline that separates living BCMSs from expired ones. |
Improve
| Clause | Requirement | How we help |
|---|---|---|
| Cl. 9 | Performance evaluation – monitoring, internal audit, and management review | We define BCMS metrics, run or train your internal audit function, and structure management reviews around what the standard requires and what leadership actually needs to decide. |
| Cl. 10 | Improvement – nonconformity and corrective action | We turn exercise findings and real incidents into tracked corrective actions with root-cause analysis, so capability demonstrably improves cycle over cycle. |