ISO 22301 and business continuity, explained

7 min read · Updated June 2026

ISO 22301 is the international standard for a business continuity management system (BCMS). It certifies that you run a managed, repeatable process for keeping your priority activities going through disruption: understanding what matters most, setting recovery objectives, and putting strategies, plans, and exercises in place to meet them.

What ISO 22301 is

ISO 22301:2019 is a management-system standard, like ISO 27001, and is certifiable by an accredited body. Rather than testing a fixed checklist, it certifies that you identify your priority activities and manage the risk of disruption to them in a governed, repeatable way.

It covers the whole organisation, not just IT. People, facilities, suppliers, and processes are all in scope, although it overlaps strongly with the availability and resilience parts of an information-security programme.

The business impact analysis at its core

The business impact analysis (BIA) is the heart of ISO 22301. It identifies your prioritised activities, how quickly each must be resumed (the recovery time objective), and the resources each one needs. Everything else, the strategies and the plans, follows from the BIA.

Strategies, plans, and exercising

Once you know your priorities, ISO 22301 expects you to put resilience in place and prove it works:

  • Continuity strategies and solutions that protect, stabilise, and recover prioritised activities.
  • Documented response and recovery plans that say who does what during a disruption.
  • Exercises and tests that validate the plans and keep them current.
  • Performance evaluation, internal audit, and management review of the whole system.

How it relates to ISO 27001

ISO 22301 uses the same management-system structure as ISO 27001, so the governance backbone, risk process, internal audit, and management review look familiar if you already run an ISMS. The continuity and availability controls in particular overlap, so the work can be reused rather than duplicated.

How to approach it

  1. Define the scope: which activities and locations the BCMS covers.
  2. Run a business impact analysis to find your priorities and recovery objectives.
  3. Assess the risks of disruption and choose continuity strategies.
  4. Write and exercise response and recovery plans.
  5. Reuse your ISO 27001 governance and evidence where the two overlap.

Frequently asked questions

Is ISO 22301 just IT disaster recovery?

No. IT disaster recovery is one part of it, but ISO 22301 covers continuity of the whole organisation's priority activities, including people, facilities, and suppliers. It is a management system for resilience, not only a technical recovery plan.

What is a business impact analysis?

A business impact analysis identifies your prioritised activities, how quickly each must be recovered after a disruption, and the resources they depend on. It is the foundation of ISO 22301, because the continuity strategies and plans are built from its findings.

Is ISO 22301 certifiable?

Yes. Like ISO 27001, ISO 22301 is certifiable by an accredited certification body after an audit, with surveillance audits to maintain it. The certificate shows you run a governed business continuity management system.

Do this in a fraction of the time

Diligio centralises your approved answers, drafts each response grounded in your sources, and independently verifies it before you review. RFPs, DDQs, and security questionnaires, answered from one knowledge base.