A logistics service provider loses access to its order system for four days after a ransomware incident. Management searches for the contingency plan — it exists as an 80-page PDF from 2021, with phone numbers of employees who have since left the company. Manual order handling in Excel works for at most one day. A BCMS that only exists on paper is worthless in an emergency.
ISO 22301:2019 is the international standard for business continuity management systems (BCMS). The standard defines requirements for the establishment, operation, monitoring and improvement of a BCMS that prepares an organisation for disruptions and enables it to resume critical activities within an acceptable timeframe.
What does the standard cover?
ISO 22301 follows the same High Level Structure (HLS) as ISO 27001 — ten clauses defining a management system. This makes it straightforward to integrate a BCMS with an ISMS or a quality management system under ISO 9001.
The ten clauses of the main body
- Clauses 1-3 — scope, normative references, terms.
- Clause 4 — Context of the organization: internal and external issues, requirements of interested parties, BCMS scope.
- Clause 5 — Leadership: commitment from top management, BC policy, roles and responsibilities.
- Clause 6 — Planning: risks and opportunities, BC objectives, planning of changes.
- Clause 7 — Support: resources, competence, awareness, communication, documented information.
- Clause 8 — Operation: business impact analysis, risk assessment, BC strategies and solutions, BC plans and procedures, exercise programme, evaluation of BC documentation and capabilities.
- Clause 9 — Performance evaluation: monitoring, internal audit, management review.
- Clause 10 — Improvement: corrective action and continual improvement.
Clause 8 in detail — the operational core
Unlike ISO 27001, ISO 22301 does not contain an annex with controls. Instead, Clause 8 is extensive and describes the operational building blocks of a BCMS:
- Business Impact Analysis (BIA): identification of critical activities, assessment of how the consequences of an outage grow over time, and from that the maximum tolerable period of disruption (MTPD) and the recovery time objective (RTO) for each activity and the resources it depends on.
- Risk assessment: assessment of risks that may disrupt critical activities (typically complementary to the ISMS risk assessment).
- BC strategies and solutions: selection of measures for people, locations, IT, suppliers and stakeholder communication.
- BC plans and procedures: documented response to incidents, activation criteria, escalation paths, emergency contacts.
- Exercise programme: tabletop exercises, technical failover tests, full simulations with documented evaluation.
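Two consistency checks that an auditor will look for when "examining the interlocking of BIA and BC plans" are easy to automate once the BIA is in structured form: an activity whose achievable RTO is longer than its MTPD, and an activity whose RTO is shorter than the RTO of a resource it depends on (it cannot be back before the resource is). The following is an added example, not text or tooling from ISO 22301 or from the page's author; the activities, impact scores and hours are constructed, and two modelling choices are simplifying assumptions labelled as such in the code: MTPD is taken as the first assessed point in time at which the impact score reaches the intolerable level, and the achievable RTO of an activity is the maximum of its own RTO and those of its dependencies.

```python
"""BIA gap check: RTO vs MTPD and dependency ordering (added worked example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

INTOLERABLE = 4  # impact score (1..5) at which a disruption becomes intolerable (assumption)


@dataclass
class Activity:
    name: str
    impact_over_time: Dict[int, int]        # hours since outage -> impact score, from the BIA
    rto_hours: int                          # RTO the chosen BC solution is designed to deliver
    depends_on: List[str] = field(default_factory=list)


def mtpd(activity: Activity) -> Optional[int]:
    """MTPD as the first assessed point in time at which impact becomes intolerable.

    Simplifying assumption of this example; a real BIA may set the MTPD
    explicitly rather than derive it from the impact profile.
    """
    for hours in sorted(activity.impact_over_time):
        if activity.impact_over_time[hours] >= INTOLERABLE:
            return hours
    return None  # stays tolerable over the whole assessed horizon


def effective_rto(name: str, catalogue: Dict[str, Activity],
                  seen: FrozenSet[str] = frozenset()) -> int:
    """Achievable RTO: max of the activity's own RTO and its dependencies' effective RTOs.

    Assumes an activity cannot resume before every resource it depends on has
    been recovered (no partial recovery). Detects circular dependencies.
    """
    if name in seen:
        raise ValueError(f"circular dependency via {name}")
    act = catalogue[name]
    rto = act.rto_hours
    for dep in act.depends_on:
        rto = max(rto, effective_rto(dep, catalogue, seen | {name}))
    return rto


def bia_gaps(activities: List[Activity]) -> List[Tuple]:
    """Return findings: dependency slower than the dependent activity, and RTO beyond MTPD."""
    catalogue = {a.name: a for a in activities}
    findings: List[Tuple] = []
    for act in activities:
        for dep in act.depends_on:
            dep_rto = effective_rto(dep, catalogue)
            if dep_rto > act.rto_hours:
                # Plan promises an RTO the underlying resource cannot support.
                findings.append(("DEPENDENCY_SLOWER", act.name, dep, act.rto_hours, dep_rto))
        limit = mtpd(act)
        achievable = effective_rto(act.name, catalogue)
        if limit is not None and achievable > limit:
            findings.append(("RTO_EXCEEDS_MTPD", act.name, achievable, limit))
    return findings


# Constructed sample BIA for the logistics scenario; every number is illustrative.
SAMPLE = [
    Activity("order_system", {4: 2, 24: 3, 48: 4, 96: 5}, rto_hours=8,
             depends_on=["erp_database", "warehouse_wifi"]),
    Activity("erp_database", {24: 3, 72: 4}, rto_hours=72),   # restore from tape, no standby
    Activity("warehouse_wifi", {8: 2, 48: 3}, rto_hours=4),
    Activity("payroll", {120: 2, 720: 4}, rto_hours=48),       # monthly run, long MTPD
]

if __name__ == "__main__":
    for finding in bia_gaps(SAMPLE):
        print(*finding)
```

On the sample data the order system's own plan promises 8 hours, but the ERP database it depends on is only recoverable in 72 hours, so the achievable RTO is 72 hours against an MTPD of 48: exactly the four-day outage from the opening scenario. The check flags both the slow dependency and the MTPD breach; the payroll activity, with a long MTPD, passes even with a 48-hour RTO.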
Certification process
The certification flow mirrors ISO 27001:
Stage 1 — document review. Scope, BC policy, BIA methodology, risk assessment, BC plans, exercise programme. Duration: 1-3 days.
Stage 2 — on-site audit of effectiveness. Auditors interview stakeholders from the business areas, review exercise logs and check that the BC plans trace back to the BIA (critical activities, dependencies, recovery timeframes). Duration: 2-8 days.
Surveillance and recertification audits. A three-year cycle with annual surveillance audits.
Prerequisites before Stage 1:
- Complete BIA and risk assessment documented
- BC plans created for all critical activities
- At least one exercise conducted with documented evaluation
- Internal audit covering the full scope completed
- At least one management review covering the BCMS performed
Mapping to other standards
| Standard | Relation to ISO 22301 |
|---|---|
| ISO/IEC 27001:2022 | Annex A controls 5.29 (information security during disruption) and 5.30 (ICT readiness for business continuity) cover the information security side of BCM |
| ISO 22313:2020 | Implementation guidance for ISO 22301; not certifiable |
| ISO/TS 22317:2021 | Guidelines for business impact analysis |
| ISO/TS 22318:2021 | Guidelines for supply chain continuity management |
| ISO/IEC 27031 | ICT readiness for business continuity (disaster recovery) |
| BSI Standard 200-4 | Business Continuity Management per BSI |
| NIST SP 800-34 | Contingency Planning Guide for Federal Information Systems |
| DORA (EU) | Digital Operational Resilience Act; mandates BCM elements for the financial sector |
Implementation effort
SMEs (10-50 people): 6-9 months build, 0.2-0.4 FTE for operation. Often combined with ISMS responsibility.
Mid-sized companies (50-500 people): 9-15 months build, 0.5-1 FTE for operation. Full-time BC manager or the focus of a combined role.
Large enterprises (>500 people): 12-24 months build across multiple locations or distributed business processes. Multiple FTEs with decentralised responsibility per business unit.
Key cost drivers beyond those of an ISMS build:
- Redundancy investments (second site, cloud failover, standby hardware)
- Exercise effort (hours of participants plus external facilitation for crisis simulations)
- External BIA workshops when no internal method experience is available
Related standards
- ISO/IEC 27001: Complementary ISMS standard with a BCM link in A.5.29/A.5.30.
- ISO/IEC 27002: Implementation guidance for A.5.30 (ICT readiness for business continuity).
- ISO/IEC 27005: Risk management methodology; complements the BCMS risk assessment.
- BSI IT-Grundschutz: BSI Standard 200-4 as the German BCM counterpart.
Sources
- ISO 22301:2019 (ISO Online Browsing Platform) — official standard information
- ISO 22313:2020 — implementation guidance
- Beuth Verlag — German translation as DIN EN ISO 22301 (paid)
- BSI Standard 200-4 — German BCM model (free of charge)