We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / ISO 22301
ISO · Global

ISO 22301

The international standard for business continuity management systems (BCMS).

Introduction to ISO 22301

ISO 22301 is the international management-system standard for Business Continuity Management (BCM). It specifies the requirements an organisation must satisfy to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented Business Continuity Management System (BCMS) that protects against, reduces the likelihood of, prepares for, responds to and recovers from disruptive incidents when they arise. The current edition, ISO 22301:2019, supersedes ISO 22301:2012 and aligns with the ISO High-Level Structure (Annex SL / Harmonized Structure) shared by ISO 27001, ISO 9001 and ISO 14001, which makes integrated management systems substantially easier to design and audit.

For CyberSigma clients, ISO 22301 answers a board-level question that regulators, insurers, customers and rating agencies increasingly ask: 'When a ransomware event, data-centre outage, pandemic, supply-chain failure or cyber-physical incident hits, can you keep the products and services your customers depend on running at an agreed minimum level, and can you prove it?' A certified BCMS provides that assurance through evidence: a business impact analysis, risk assessment, continuity strategies, tested plans, competent people and a cycle of exercising and improvement. This guide is written to auditor grade so that your teams can self-assess against every clause, gather the right evidence and reach certification readiness efficiently.

Copyright note
ISO 22301:2019 is a copyrighted standard published by the International Organization for Standardization (ISO). The normative requirement text is owned by ISO and must be purchased from ISO or an authorised national body (for example BIS in India, BSI in the UK). This guide is original CyberSigma commentary and interpretation. It paraphrases clause intent for assessment purposes and deliberately does not reproduce ISO's copyrighted requirement wording. Always work from a licensed copy of the standard when implementing or certifying.

What is ISO 22301

ISO 22301:2019, titled 'Security and resilience — Business continuity management systems — Requirements', is a certifiable specification standard. Unlike guidance documents, it uses the word 'shall' to define auditable requirements, meaning an accredited certification body can issue a formal certificate of conformity against it. It sits within the wider ISO 223xx resilience family, supported by guidance such as ISO 22313 (guidance on 22301), ISO 22317 (business impact analysis), ISO 22318 (supply-chain continuity), ISO 22331 (business continuity strategy) and ISO 22398 (exercises).

The standard is built on the Plan-Do-Check-Act (PDCA) cycle and structured across ten clauses. Clauses 1 to 3 are introductory (scope, normative references, terms). Clauses 4 to 10 contain the auditable management-system requirements: Context of the organisation, Leadership, Planning, Support, Operation, Performance evaluation, and Improvement. The technical heart of the standard is Clause 8 (Operation), which houses the Business Impact Analysis (BIA), risk assessment, business continuity strategies and solutions, plans and procedures, and the exercising and evaluation programme.

Key concepts that recur throughout the standard include: Maximum Tolerable Period of Disruption (MTPD), the time after which the viability of the organisation is irreparably threatened; Recovery Time Objective (RTO), the target time to resume an activity; Recovery Point Objective (RPO), the maximum tolerable data loss measured backward in time; Minimum Business Continuity Objective (MBCO), the minimum acceptable level at which products and services must be delivered during disruption; and prioritised activities, the time-critical activities identified through the BIA.

It is important to distinguish ISO 22301 from three things it is often confused with. First, it is not disaster recovery (DR): DR is a technical ICT-restoration discipline that supports continuity but addresses only technology, whereas a BCMS spans people, premises, processes, information, equipment and suppliers. Second, it is not incident or crisis management alone: those are activation and response capabilities that a BCMS invokes, but the standard also requires prevention, analysis, strategy and improvement. Third, it is not the same as operational resilience as defined by financial regulators; operational resilience is a broader supervisory outcome, and a certified BCMS is one of the strongest pieces of evidence an organisation can present toward it, but the two are not synonymous. Understanding these boundaries prevents the single most common scoping error: building an IT-DR project and labelling it a BCMS.

The 2019 revision made several notable changes from the 2012 edition that auditors now expect to see reflected in a mature system. It simplified and clarified requirement language, removed the separate 'documented information' listing in favour of embedding retention requirements within each clause, sharpened the treatment of the BIA and risk assessment as distinct but linked activities in Clause 8.2, and reinforced the need to determine what to monitor and measure in Clause 9.1. Organisations that were certified under the 2012 edition and have not refreshed their documentation to the 2019 structure frequently accrue minor nonconformities at surveillance.

AttributeDetail
Full titleSecurity and resilience — Business continuity management systems — Requirements
Current editionISO 22301:2019 (2nd edition, superseding 2012)
IssuerInternational Organization for Standardization (ISO), technical committee ISO/TC 292
TypeCertifiable management-system specification (uses 'shall')
StructureAnnex SL / Harmonized Structure, Clauses 4–10, PDCA
CertificationAccredited third-party certification against ISO/IEC 17021-1
RegionGlobal; adopted nationally (e.g., IS/ISO 22301 in India, BS EN ISO 22301 in UK)
Related standardsISO 22313, 22317, 22318, 22331, 22398, ISO 27001 (integration)

Who must comply with ISO 22301

ISO 22301 is voluntary in most jurisdictions, but adoption is frequently mandated contractually, by regulators, or by parent-company policy. It is applicable to organisations of every size, sector and geography, because the requirements are scalable to the nature, scale and complexity of the organisation. Certification is most commonly pursued where continuity of service is a legal, financial or reputational imperative.

A useful way to test whether ISO 22301 applies to a given organisation is to ask three questions: do customers, citizens or patients depend on our products and services continuing during a disruption; would a prolonged outage of a core activity threaten the organisation's viability, cash flow, licence to operate or public safety; and do any of our contracts, regulators or insurers require demonstrable continuity capability. If the answer to any is yes, a formal BCMS is warranted, and certification converts that capability from an internal assertion into independently verified assurance that unlocks tenders, lowers premiums and reduces regulatory friction.

Organisation / sectorDriver for ISO 22301
Banks, NBFCs and payment firmsRBI, DPSS and payment-scheme resilience expectations; sound-practices for operational resilience; PCI DSS continuity linkage
Critical infrastructure operatorsNational critical-infrastructure protection rules; sectoral continuity mandates for power, telecom, water, transport
IT / ITeS, BPO and cloud providersCustomer contractual clauses, MSAs and RFPs demanding certified BCMS; SLA credibility
Healthcare and pharmaPatient-safety continuity, cold-chain integrity, regulatory inspection readiness
Government and defence suppliersTender eligibility, national resilience programmes, mission-continuity requirements
Insurers and reinsurersSolvency and operational-resilience supervision; own BCM plus expectation on insureds
Manufacturers with lean supply chainsJust-in-time exposure, single-source risk, customer OEM continuity audits
Any firm on an ISO 27001 / integrated journeyBCMS satisfies ISO 27001 Annex A continuity controls and enables integrated certification
  • Regulatory pressure: financial-services and critical-sector supervisors increasingly treat operational resilience and business continuity as prudential requirements.
  • Contractual pressure: large enterprise and government buyers embed 'maintain a certified BCMS' clauses in supplier agreements.
  • Insurance pressure: cyber and business-interruption insurers price risk on demonstrable continuity capability.
  • Board and investor pressure: resilience is a governance and ESG expectation; disruption events attract regulatory and shareholder scrutiny.

Structure of ISO 22301

ISO 22301:2019 is organised into ten clauses. The first three are contextual and non-auditable; Clauses 4 through 10 carry the 'shall' requirements against which conformity is assessed. The table below maps each auditable clause, its principal sub-clauses and its purpose within the PDCA cycle.

ClauseTitleKey sub-clausesPDCA phase
4Context of the organisation4.1 Understanding the organisation and its context; 4.2 Interested parties and legal/regulatory requirements; 4.3 Scope of the BCMS; 4.4 BCMSPlan
5Leadership5.1 Leadership and commitment; 5.2 Policy; 5.3 Roles, responsibilities and authoritiesPlan
6Planning6.1 Actions to address risks and opportunities; 6.2 Business continuity objectives and planning; 6.3 Planning changes to the BCMSPlan
7Support7.1 Resources; 7.2 Competence; 7.3 Awareness; 7.4 Communication; 7.5 Documented informationPlan / Do
8Operation8.1 Operational planning and control; 8.2 BIA and risk assessment; 8.3 BC strategies and solutions; 8.4 BC plans and procedures; 8.5 Exercise programme; 8.6 Evaluation of BC documentation and capabilitiesDo
9Performance evaluation9.1 Monitoring, measurement, analysis and evaluation; 9.2 Internal audit; 9.3 Management reviewCheck
10Improvement10.1 Nonconformity and corrective action; 10.2 Continual improvementAct

Note that unlike ISO 27001, ISO 22301 has no 'Annex A' catalogue of controls. Its requirements are entirely in the body of the clauses, with Clause 8 acting as the operational core. This means an ISO 22301 assessment is a clause-by-clause conformity audit rather than a control-by-control statement-of-applicability exercise.

Master assessment checklist

This is the operational heart of the guide. Each auditable clause and sub-clause is enumerated below with a dedicated table of what an auditor verifies and the typical evidence that demonstrates conformity. Work through every group; do not skip any clause. Where the standard says 'shall determine', 'shall establish', 'shall maintain' or 'shall retain documented information', an assessor expects to see the corresponding artefact and its operation.

When using this checklist, keep in mind the concept auditors call the 'golden thread': every requirement in Clause 8 should trace forward and backward in an unbroken chain. Products and services (4.3) drive prioritised activities (8.2.2), which carry MTPD/RTO/RPO/MBCO (8.2.2), which justify chosen strategies (8.3.1), which specify resources (8.3.2) and implemented solutions (8.3.3), which are enacted through documented plans (8.4), which are validated by exercises (8.5) and evaluations (8.6), and whose performance is measured (9.1), audited (9.2), reviewed (9.3) and improved (10). If any link is missing, the system will not satisfy the standard even if each individual artefact looks complete. During self-assessment, pick two or three prioritised activities and trace them end to end; the gaps that surface are almost always the gaps a certification auditor will raise.

Clause 4 — Context of the organisation

What to verifyTypical evidence
4.1 External and internal issues relevant to purpose and BCMS outcomes are determinedContext analysis / PESTLE / SWOT register; strategic plan references; documented internal issues list
4.2.1 Interested parties relevant to the BCMS are identifiedStakeholder register mapping employees, customers, suppliers, regulators, shareholders, community
4.2.2 Their needs and expectations, including legal and regulatory requirements, are determinedRequirements register; legal/regulatory obligations register; contractual continuity clauses catalogue
4.2.3 Legal and regulatory requirements are documented and kept currentCompliance obligations log with review dates and owners
4.3 Scope of the BCMS is determined and documented, with exclusions justifiedBCMS scope statement listing products, services, sites, activities; documented scope exclusions and rationale
4.4 BCMS is established, implemented, maintained and continually improvedManual / BCMS description; process map; evidence of PDCA operation

Clause 5 — Leadership

What to verifyTypical evidence
5.1 Top management demonstrates leadership and commitment to the BCMSApproved policy; resource-allocation records; management-review minutes; steering-committee charter
5.1 BC requirements integrated into business processes and strategic directionEvidence BC is embedded in project gating, change management, procurement
5.2 A business continuity policy is established, appropriate, and includes commitment to satisfy requirements and continual improvementSigned BC policy with version control, scope and objectives references
5.2 Policy is communicated and available to interested parties as appropriateIntranet publication; induction packs; supplier-facing policy summary
5.3 Roles, responsibilities and authorities are assigned and communicatedBCMS RACI; job descriptions; delegation-of-authority matrix; appointment letters for BC manager and incident roles

Clause 6 — Planning

What to verifyTypical evidence
6.1.1 Risks and opportunities to the BCMS are determined considering context and interested partiesRisk-and-opportunity register at management-system level (distinct from operational risk assessment)
6.1.2 Actions to address those risks and opportunities are planned and integrated into the BCMSAction plans with owners and dates; evidence of evaluation of effectiveness
6.2.1 Business continuity objectives are established at relevant functions and levels, consistent with policy and measurableDocumented BC objectives with metrics (e.g., achieve RTOs on X% of activities)
6.2.2 Planning to achieve objectives defines what, resources, responsibility, timeline and evaluationObjective implementation plans; programme roadmap
6.3 Changes to the BCMS are carried out in a planned mannerChange-control records for BCMS scope, policy or process changes

Clause 7 — Support

What to verifyTypical evidence
7.1 Resources needed for the BCMS are determined and providedBudget approvals; staffing plan; tooling and facilities provision records
7.2 Competence of persons doing BC work is determined, ensured and evidencedCompetence matrix; training records; CVs / certifications (e.g., ISO 22301 LI, CBCP); on-the-job assessment
7.3 Persons are aware of policy, their contribution, and implications of nonconformanceAwareness campaign material; attendance logs; quiz results; induction records
7.4 Internal and external communication needs are determined (what, when, with whom, how, who by)Communications plan / matrix; warning and stakeholder-communication procedures
7.5.1 / 7.5.2 Documented information required by the standard and by the organisation exists and is properly identified and formattedDocument register; template with title, date, author, version, approval
7.5.3 Documented information is controlled: available, protected, distributed, stored, retained and disposedDocument-control procedure; access controls; version history; retention schedule; control of external documents

Clause 8.1 — Operational planning and control

What to verifyTypical evidence
Processes needed to meet requirements and implement Clause 6 actions are planned, implemented and controlledOperating procedures; process criteria; control records
Outsourced and externally provided processes relevant to continuity are controlledSupplier contracts with continuity clauses; oversight records; third-party BC assessments
Changes are controlled and consequences of unintended changes reviewed and mitigatedChange logs; post-change review notes

Clause 8.2 — Business impact analysis and risk assessment

Clause 8.2 is where most audit findings concentrate, because it demands two distinct analytical disciplines that are frequently confused or conflated. The BIA (8.2.2) determines the impact over time of not performing an activity, and from that impact profile derives the recovery timescales (MTPD, RTO, RPO) and the minimum acceptable level (MBCO). The risk assessment (8.2.3) then evaluates the likelihood and consequence of disruptions to those prioritised activities so that treatment and strategy decisions can be prioritised. A robust BIA captures dependencies in every category — people (numbers and skills), information (vital records and data), facilities, technology, equipment, transport, finance and third parties — because a plan that restores an application but not the staff, the workspace or the upstream supplier will fail at activation. Evidence should show a repeatable methodology, consistent impact scales applied across departments, and management sign-off on the derived objectives.

What to verifyTypical evidence
8.2.2 A BIA process is defined, including criteria for impact-type and time-based assessmentDocumented BIA methodology; impact categories (financial, legal, reputational, operational); timescales
8.2.2 Prioritised activities and their dependencies (people, information, facilities, technology, suppliers) are identifiedCompleted BIA per department; activity dependency maps; resource-requirement tables
8.2.2 MTPD, RTO, RPO and MBCO are determined for prioritised activitiesBIA output register showing MTPD/RTO/RPO/MBCO with sign-off
8.2.3 A risk assessment process identifies, analyses and evaluates risks of disruption to prioritised activitiesRisk-assessment methodology aligned with ISO 31000; threat/scenario register; risk treatment decisions
BIA and risk assessment are reviewed at planned intervals and after significant changeReview dates; management approval; change-triggered updates

Clause 8.3 — Business continuity strategies and solutions

Strategy selection is where analysis becomes investment. For each prioritised activity the organisation must choose how it will protect, stabilise, continue, resume and recover the activity so that the MBCO is met within the RTO. Typical strategy patterns include diversification (multiple sites, dual sourcing, multi-region cloud), replication and standby (hot, warm or cold DR arrangements matched to the RTO/RPO), reservation of capacity (mutual-aid agreements, third-party recovery services, standby equipment), and adaptation (manual workarounds, degraded-mode operation, temporary staff redeployment). The selected option should be justified against cost, feasibility and the recovery objective it must satisfy — an RTO of two hours cannot be met by a cold standby site that takes two days to commission. Auditors look for a documented options analysis rather than an assumed solution, and for evidence that the resources the strategy depends on have actually been provisioned, not merely planned.

What to verifyTypical evidence
8.3.1 Strategies to protect prioritised activities, stabilise, continue, resume and recover are identified and selected based on BIA and risk assessmentStrategy options analysis; selection rationale against RTO/MBCO/cost
8.3.2 Resource requirements to implement chosen solutions are determined (people, information/data, buildings, equipment, ICT, transport, finance, partners/suppliers)Resource-requirement schedules per solution; gap analysis vs current capability
8.3.3 Solutions are implemented to meet the MBCO within RTOImplemented arrangements: alternate sites, standby ICT/DR, cross-training, stockpiles, mutual-aid agreements, contracts
Risk mitigation measures reduce likelihood and impact of identified disruptionsPreventive/mitigating controls records; treatment tracking

Clause 8.4 — Business continuity plans and procedures

What to verifyTypical evidence
8.4.1 A structure of response teams and documented procedures is establishedIncident-management structure chart; team charters; activation criteria and escalation thresholds
8.4.2 Warning and communication procedures exist (detection, internal/external notification, authorities, media, interested parties)Notification trees; call cascade; media-statement templates; regulator-reporting procedures
8.4.3 Business continuity plans are documented with purpose, scope, roles, activation, and step-by-step responseBC plans per prioritised activity/site; incident-management plan; crisis-communication plan
8.4.4 Plans include recovery procedures to restore and return to business as usualRecovery and resumption procedures; return-to-normal criteria
8.4 Plans specify interdependencies, resource requirements and information needed to enact themPlan appendices: contact lists, vendor details, vital records, dependency references

Clause 8.5 — Exercise programme

An exercise programme is the standard's mechanism for turning documented intent into demonstrated capability, and auditors treat a plan that has never been exercised as an unvalidated hypothesis. A mature programme uses a graduated range of exercise types — orientation and walkthroughs to familiarise teams, tabletop exercises to test decision-making against scenarios, simulation and communication tests to validate notification cascades, and live or technical exercises (including failover of ICT to the DR environment) to prove recovery within RTO/RPO. Each exercise should have defined objectives, a realistic scenario, controlled risk so that the exercise itself does not cause a disruption, and a post-exercise report whose lessons are fed back into the plans, BIA or strategy. The absence of evidence that lessons were actioned is a frequent minor nonconformity.

What to verifyTypical evidence
An exercise and testing programme validates BC strategies and plans at planned intervalsAnnual exercise calendar; exercise scope covering technical DR and business/crisis response
Exercises are consistent with scope, based on scenarios, and minimise disruption riskExercise design documents; scenario injects; risk-controlled test plans
Post-exercise reports capture outcomes, and improvements are identified and actionedExercise reports; lessons-learned logs; corrective-action tracker linked to plan updates

Clause 8.6 — Evaluation of business continuity documentation and capabilities

What to verifyTypical evidence
BC procedures and capabilities are evaluated at planned intervals and after change/exercise/incidentReview schedule; evaluation reports; post-incident reviews
Evaluations verify continued suitability, adequacy and effectivenessAssessment findings; suitability/adequacy conclusions; updates to BIA, strategy or plans

Clause 9 — Performance evaluation

What to verifyTypical evidence
9.1 What needs monitoring/measuring, methods, and when to analyse/evaluate are determinedMeasurement plan; KPI definitions; metrics dashboards; monitoring records
9.1 BCMS performance and effectiveness are evaluated and evidence retainedPerformance reports; trend analysis; retained metric data
9.2 A planned internal-audit programme is established, and audits are conducted objectively and impartiallyAudit programme; audit plans; auditor competence and independence evidence; audit reports; nonconformity records
9.3 Management review is conducted at planned intervals covering required inputsManagement-review agenda and minutes covering status of actions, changes, performance, audit results, opportunities
9.3 Management review produces decisions on improvement and resource needsDocumented review outputs; decisions and action items with owners

Clause 10 — Improvement

What to verifyTypical evidence
10.1 Nonconformities are reacted to, controlled, corrected and consequences dealt withNonconformity register; containment/correction records
10.1 Root cause is evaluated and corrective action taken and reviewed for effectivenessRoot-cause analysis; corrective-action plans; effectiveness verification; updates to BCMS if needed
10.2 The BCMS is continually improved in suitability, adequacy and effectivenessImprovement log; trend of reducing recurring issues; evidence of enhancements over time

Scoping the BCMS

Scope definition (Clause 4.3) is the single most consequential design decision in an ISO 22301 programme, because it bounds what will be assessed, protected and certified. A well-drawn scope is defensible, complete for the products and services it names, and free of convenient exclusions that would hollow out the certificate's value.

  1. Start from products and services: identify the outputs your organisation delivers to customers and society, then work back to the activities that produce them.
  2. Determine boundaries: which legal entities, business units, sites, functions and technology environments are in scope; document geographic and organisational limits.
  3. Justify exclusions: any activity, product or site excluded must be justified and must not affect the organisation's ability or responsibility to deliver in-scope continuity.
  4. Confirm dependencies: even out-of-scope internal functions and external suppliers that in-scope activities rely on must be considered as dependencies.
  5. Align with the BIA: scope should be validated against BIA findings so no prioritised activity falls outside the certified boundary.
  6. Document and approve: capture the scope statement, obtain top-management sign-off, and place it under document control.
Scoping pitfall
A common auditor finding is a scope narrowed to a single flagship service or site while the products customers actually depend on run on shared, out-of-scope infrastructure. If a dependency is essential to delivering an in-scope activity, either bring it into scope or demonstrate that its continuity is contractually assured and evidenced.

Implementation approach

CyberSigma delivers ISO 22301 through a phased programme mapped to PDCA. Each phase below lists its principal activities and the deliverables an auditor will later expect to see. A typical first-time certification for a mid-sized organisation runs six to twelve months depending on scope complexity and exercise cadence. The phases are sequential in emphasis but iterative in practice: findings in the BIA often reshape the scope, and lessons from exercises frequently revise strategies, so treat the roadmap as a spiral rather than a strict waterfall. A critical success factor across every phase is genuine top-management engagement; programmes that are delegated wholesale to a single BC manager without executive sponsorship stall at the strategy and resourcing stage, because continuity solutions such as alternate sites, standby ICT and cross-training require investment decisions only leadership can make.

Phase 1 — Initiation and context (Clauses 4, 5)

  • Activities: secure top-management sponsorship; define initial scope; identify interested parties and legal/regulatory requirements; establish governance and steering committee; draft the BC policy; assign roles and authorities.
  • Deliverables: project charter; context and stakeholder analysis; legal/regulatory obligations register; approved BC policy; BCMS RACI and appointment letters; provisional scope statement.

Phase 2 — Planning and support (Clauses 6, 7)

  • Activities: determine BCMS-level risks and opportunities; set measurable BC objectives; build competence and awareness plans; establish document-control and communication frameworks.
  • Deliverables: risk-and-opportunity register; BC objectives with metrics; competence matrix and training plan; awareness programme; communications matrix; document-control procedure and register.

Phase 3 — Business impact analysis and risk assessment (Clause 8.2)

  • Activities: define and run the BIA across in-scope functions; identify prioritised activities and dependencies; set MTPD, RTO, RPO and MBCO; conduct the disruption-risk assessment and decide treatments.
  • Deliverables: BIA methodology and completed BIA register; dependency maps; MTPD/RTO/RPO/MBCO schedule; risk-assessment report and treatment plan.

Phase 4 — Strategy, solutions, plans and procedures (Clauses 8.3, 8.4)

  • Activities: evaluate and select continuity strategies against RTO/MBCO and cost; determine and provision resources; implement solutions (DR, alternate sites, cross-training, supplier arrangements); write incident-management, communication, continuity and recovery plans.
  • Deliverables: strategy-options analysis and selection; resource schedules; implemented arrangements; incident-management plan; warning and communication procedures; BC and recovery plans.

Phase 5 — Exercising and evaluation (Clauses 8.5, 8.6)

  • Activities: design and run tabletop, walkthrough and live/technical exercises; validate plans and capabilities; capture lessons learned; evaluate documentation for suitability and adequacy; remediate gaps.
  • Deliverables: exercise programme and schedule; exercise reports; lessons-learned log; capability-evaluation reports; updated plans.

Phase 6 — Performance evaluation, certification and improvement (Clauses 9, 10)

  • Activities: measure KPIs; conduct internal audit; hold management review; close nonconformities; undertake Stage 1 and Stage 2 certification audits; embed continual improvement.
  • Deliverables: measurement dashboards; internal-audit report; management-review minutes; corrective-action records; certification audit reports and certificate; improvement log.

Maturity and capability model

ISO 22301 certification is binary (conform / not conform), but a maturity model helps organisations plan the journey and demonstrate improvement over surveillance cycles. CyberSigma assesses each clause area against a five-level capability scale adapted from CMMI and ISO/IEC 33000 concepts. Certification typically corresponds to reaching Level 4 (Managed) across all clauses, because the standard requires not just documented processes (Level 3) but evidence that they are measured, audited, reviewed and improved. Organisations should not aim to leap from Level 1 to Level 4 in a single push; a realistic target is to reach Level 3 through the initial implementation, achieve Level 4 by the first surveillance audit as the monitoring and review cycle beds in, and progress toward Level 5 over subsequent cycles by integrating the BCMS with enterprise risk and information-security management.

LevelNameDescriptionIndicative characteristics
1Initial / Ad hocNo formal BCMS; response is reactive and undocumentedNo BIA, no plans, heroics-based recovery, no ownership
2DevelopingSome plans exist but are incomplete, siloed and untestedPartial BIA; IT-only DR; plans not exercised; unclear roles
3DefinedDocumented BCMS covering scope; BIA, strategies and plans in placeFull BIA with RTO/RPO/MBCO; plans documented; roles assigned; first exercises run
4ManagedBCMS is measured, audited and reviewed; exercises are regular and evidence-drivenKPIs tracked; internal audit and management review operating; corrective actions closed; certified
5OptimisingBCMS is continually improved and embedded in strategy and culturePredictive resilience metrics; integrated with ISO 27001/enterprise risk; scenario-driven investment; near-zero repeat findings

Assessment and audit approach

An ISO 22301 conformity assessment follows the accredited two-stage certification model defined in ISO/IEC 17021-1, whether performed as a gap assessment, internal audit or third-party certification. The steps below describe CyberSigma's structured approach.

Certification is not a one-off event but a three-year cycle. The initial certification comprises Stage 1 (a documentation and readiness review that confirms the BCMS is designed and mature enough to proceed) and Stage 2 (an on-site or remote implementation audit that tests whether the system is operating effectively). A recommendation for certification, once nonconformities are closed, results in a certificate valid for three years. During that period the certification body conducts annual surveillance audits sampling a subset of clauses — always including that at least one exercise and one management review and internal audit have occurred — and a full recertification audit before the certificate expires. Understanding this rhythm helps organisations plan their exercise, audit and review calendar so that evidence is always current at the point of assessment rather than assembled in a scramble.

Findings are graded consistently: a major nonconformity is a total absence or systemic breakdown of a required process, or a situation that raises significant doubt that the BCMS can achieve its intended outcomes, and it blocks certification until corrected and verified; a minor nonconformity is a single lapse or isolated failure to meet a requirement that does not by itself undermine the system; an opportunity for improvement is not a breach but a suggestion to strengthen the system. Root-cause analysis is expected for all nonconformities, and correction (fixing the instance) must be distinguished from corrective action (removing the cause so it does not recur).

  1. Define audit scope, objectives and criteria against ISO 22301:2019 and the organisation's declared BCMS scope.
  2. Conduct a documentation review (Stage 1 readiness): verify that the BCMS documentation exists, is controlled and covers every clause; identify readiness gaps and confirm the organisation is prepared for Stage 2.
  3. Plan the on-site / on-system audit: prepare the audit plan, sampling strategy and interview schedule across in-scope sites and functions.
  4. Execute fieldwork (Stage 2): interview top management and process owners; examine records; observe processes; test a sample of plans, exercises, BIA outputs and corrective actions for effective implementation.
  5. Assess Clause 8 in depth: trace a prioritised activity from BIA through strategy, plan, exercise and evaluation to confirm the golden thread holds end to end.
  6. Record findings: classify as major nonconformity, minor nonconformity, opportunity for improvement, or conformity, each linked to a specific clause and objective evidence.
  7. Report and agree corrective-action plans with root-cause analysis, owners and timelines for any nonconformities.
  8. Verify closure of nonconformities and, for certification, recommend issue of the certificate; thereafter conduct annual surveillance and three-yearly recertification audits.

Evidence request list

Assemble the following documented information ahead of any assessment, categorised by clause area. Having these ready is the single biggest accelerator of a smooth audit.

Governance and context (Clauses 4–5)

  • Context, stakeholder and interested-party analysis
  • Legal and regulatory requirements register
  • BCMS scope statement with exclusion justifications
  • Approved business continuity policy
  • Roles, responsibilities and authorities (RACI, appointment letters)

Planning and support (Clauses 6–7)

  • BCMS risk-and-opportunity register and action plans
  • Business continuity objectives with measures
  • Competence matrix, training records and certifications
  • Awareness programme evidence and attendance logs
  • Communications plan / matrix
  • Document-control procedure and master document register

Operation (Clause 8)

  • BIA methodology and completed BIA outputs (MTPD, RTO, RPO, MBCO, dependencies)
  • Risk-assessment methodology and reports with treatment decisions
  • Business continuity strategy and solution selection records
  • Resource-requirement schedules and provisioning evidence
  • Incident-management structure, warning and communication procedures
  • Business continuity and recovery plans
  • Exercise programme, exercise reports and lessons-learned logs
  • Documentation and capability evaluation reports

Performance and improvement (Clauses 9–10)

  • Monitoring and measurement records, KPI dashboards
  • Internal-audit programme, plans and reports
  • Management-review minutes and outputs
  • Nonconformity and corrective-action register with effectiveness verification
  • Continual-improvement log

Roles and responsibilities

RolePrimary responsibilities
Top management / BoardProvide leadership and commitment, approve policy and scope, allocate resources, own management review and overall accountability
BCMS sponsor / executive ownerChampion the programme, chair the steering committee, resolve escalations, own strategic BC objectives
Business Continuity ManagerDesign, implement and maintain the BCMS day to day; coordinate BIA, strategy, plans, exercises and audits
Process / activity ownersProvide BIA inputs, maintain plans for their activities, participate in exercises, deliver recovery within RTO
Incident / crisis management teamActivate and lead response, make time-critical decisions, coordinate recovery and communications
ICT / DR teamDeliver technology recovery to meet RTO/RPO; maintain and test DR arrangements
Communications / PR leadExecute internal and external crisis communications, liaise with media and authorities
Internal auditIndependently audit the BCMS for conformity and effectiveness
HR / FacilitiesSupport people continuity, welfare, alternate sites and safety during disruption
Procurement / Vendor managementEnsure supplier continuity clauses, oversight and third-party BC assessments

KPIs to track

  • Percentage of prioritised activities with a current, approved BIA (target 100%)
  • Percentage of prioritised activities meeting their RTO in the most recent exercise
  • RPO adherence: actual data-loss window versus target for critical systems
  • Exercise coverage: percentage of plans exercised within the last 12 months
  • Mean time to activate incident management and mean time to recover (MTTR)
  • Number of open nonconformities and average age to closure
  • Corrective-action effectiveness rate (actions verified effective on first check)
  • Percentage of staff completing BC awareness training within the period
  • Supplier continuity coverage: percentage of critical suppliers with assessed continuity arrangements
  • Number of BC plans reviewed and updated on schedule versus overdue
  • Time since last management review and internal audit (should be within planned interval)
  • Trend of repeat findings across surveillance cycles (should decline)

Readiness checklist

  • Top-management commitment is evidenced and a signed BC policy is published
  • BCMS scope is documented with justified exclusions and management sign-off
  • Interested parties and legal/regulatory requirements are identified and registered
  • Roles, responsibilities and authorities are assigned and communicated
  • BCMS-level risks and opportunities and measurable BC objectives are defined
  • Competence, awareness, communication and document-control frameworks are operating
  • A BIA is complete for all prioritised activities with MTPD, RTO, RPO and MBCO set
  • A disruption risk assessment is complete with treatment decisions
  • Continuity strategies are selected and solutions implemented within resource plans
  • Incident-management, communication, continuity and recovery plans are documented
  • An exercise programme has run at least one exercise per prioritised area with reports
  • Documentation and capabilities have been evaluated and gaps remediated
  • KPIs are being measured and reported
  • An internal audit has been completed and nonconformities are being closed
  • A management review has been conducted with documented outputs
  • Corrective-action and continual-improvement processes are demonstrably working

Common gaps

  • Treating BCMS as IT disaster recovery only, ignoring people, premises, suppliers and business processes
  • BIA that lists activities but never derives MTPD, RTO, RPO and MBCO, breaking the golden thread to strategy
  • Scope drawn too narrowly, excluding dependencies that in-scope activities genuinely rely on
  • Plans written but never exercised, or exercises run but lessons never actioned
  • No documented risk assessment distinct from the BIA, so treatment decisions are unsupported
  • Weak supplier continuity oversight; single-source dependencies unmanaged and uncontracted
  • Objectives that are aspirational rather than measurable, making Clause 9 evaluation impossible
  • Management review that rubber-stamps rather than covering all required inputs and producing decisions
  • Corrective actions that correct symptoms without root-cause analysis, leading to repeat findings
  • Document control failures: outdated plans in circulation, no version control, uncontrolled external documents
  • Contact and vital-records information in plans that is stale and untested at activation
  • No evaluation of BC documentation and capabilities after significant change, incident or exercise (Clause 8.6)

ISO 22301 mapped to other frameworks

ISO 22301 rarely sits alone. Its Annex SL structure and continuity focus map cleanly onto information-security and resilience frameworks, enabling integrated management systems and reduced audit burden. Because Clauses 4 through 10 are largely common across all Annex SL management-system standards, an organisation running ISO 27001 already has a context analysis, leadership commitment, competence framework, internal-audit programme, management review and improvement process that can be shared with the BCMS, leaving only the continuity-specific Clause 8 to build. This shared-clause architecture is the single biggest efficiency in integrated certification and is why CyberSigma sequences BCMS work to reuse existing ISO 27001 artefacts wherever a client has them.

FrameworkRelationship to ISO 22301Key mapping points
ISO/IEC 27001:2022Complementary; shared Annex SL structureAnnex A control 5.29 (information security during disruption) and 5.30 (ICT readiness for business continuity) satisfied by an ISO 22301 BCMS; shared clauses 4–10
ISO/IEC 27031Guidance on ICT readiness for business continuityProvides the technical DR detail that underpins ISO 22301 Clause 8.3 ICT solutions
ISO 22313 / 22317 / 22331Guidance standards within the same family22313 general guidance, 22317 BIA method, 22331 strategy selection — directly support Clause 8
ISO 31000Risk-management principles and processUnderpins the disruption risk assessment in Clause 8.2.3 and risks/opportunities in Clause 6.1
NIST SP 800-34Contingency planning for IT systemsAligns with ICT recovery elements of Clauses 8.3 and 8.4; complementary US federal guidance
NIST CSF 2.0Cyber resilience framework'Respond' and 'Recover' functions align with ISO 22301 response and recovery plans; 'Govern' aligns with Clauses 4–5
PCI DSS v4.0Payment security standardIncident-response and continuity expectations (Req. 12.10) are strengthened by a certified BCMS
RBI / financial-sector resilience expectations (India)Regulatory operational-resilience guidanceBCMS evidences the BC, DR and testing expectations supervisors examine
ISO 9001:2015Quality management systemShared Annex SL clauses 4–10 enable a single integrated management system and combined audits
How CyberSigma helps
CyberSigma is a CERT-In empanelled cybersecurity and compliance partner with deep resilience expertise. We take organisations from zero to certified ISO 22301 BCMS: running the context and gap analysis, facilitating the BIA and risk assessment, engineering continuity strategies and DR solutions, authoring incident, communication, continuity and recovery plans, designing and running tabletop and live exercises, and preparing you for Stage 1 and Stage 2 audits with an accredited certification body. Our integrated approach maps ISO 22301 to your ISO 27001, PCI DSS and regulatory obligations so a single evidence set serves multiple audits, and our SigmaCRM-driven tracking keeps BIA outputs, plans, exercises, KPIs and corrective actions audit-ready year round. Talk to CyberSigma to build resilience you can prove.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

How does ISO 22301 relate to ISO 27001?
They share the same management-system structure and complement each other — ISO 27001’s ICT continuity requirements align with a full ISO 22301 BCMS.
Official documents

Need help with ISO 22301?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.