verified_user
Standardful
Homechevron_rightStandardschevron_rightISO 22301:2019
ActiveInternational Standardupdate Standard Updated: October 2019fact_check Fact checked: Jun 28, 2026

ISO 22301:2019

Security and resilience — Business continuity management systems — Requirements

apartmentPublishing Organization:International Organization for Standardization (ISO)

Standard Introduction

ISO 22301:2019 is the international standard for business continuity management systems (BCMS). It provides a framework for organizations to plan for, respond to, and recover from disruptive incidents — whether natural disasters, cyber attacks, supply chain failures, pandemics, or other unexpected events. The standard specifies requirements for establishing, implementing, maintaining, and continually improving a BCMS.

ISO 22301 requires organizations to conduct business impact analysis (BIA) and risk assessment to identify critical business functions and threats. Based on this analysis, organizations develop business continuity strategies, plans, and procedures, then test them through exercises and drills. The standard follows the ISO High Level Structure (HLS), enabling integration with ISO 27001 and ISO 9001. Over 5,000 organizations worldwide hold ISO 22301 certification, with strong adoption in financial services, IT, healthcare, and government sectors.

emergency

Business Impact Analysis

Requires formal Business Impact Analysis (BIA) to identify critical activities, assess disruption impacts, and set recovery time objectives (RTO) and recovery point objectives (RPO).

restart_alt

Recovery Strategies

Organizations must select and implement continuity strategies proportionate to identified risks — covering people, facilities, technology, information, and supply chain.

exercise

Exercising & Testing

Continuity plans must be regularly exercised and tested through tabletop exercises, simulations, and full-scale drills to validate their effectiveness.

list_alt Core BCMS Elements

  • Business Impact Analysis (BIA)
  • Risk assessment for disruption scenarios
  • Business continuity strategies and solutions
  • Business continuity plans and procedures
  • Exercise and testing program
  • Incident response structure
  • Communication plans (internal and external)
  • Performance evaluation and continual improvement

Who Needs to Comply?

groups

Organizations that need to ensure critical operations continue during disruptions — particularly financial services, healthcare, critical infrastructure, IT services, and government agencies.

Key Requirements

1

Business Impact Analysis

Analyze the impact of disruption to activities over time. Identify critical activities, maximum tolerable period of disruption (MTPD), recovery time objectives (RTO), and resource requirements.

2

Business Continuity Plans

Develop documented plans that include response procedures, roles and responsibilities, communication protocols, resource requirements, and recovery steps for prioritized activities.

3

Exercise Program

Conduct exercises at planned intervals to validate continuity plans. Exercises must be consistent with the scope of the BCMS and include post-exercise reports with identified improvements.

4

Incident Response

Establish an incident management structure with clear escalation criteria, communication procedures, and decision-making authority to respond effectively to disruptions.

Implementation Roadmap

1
Phase 1schedule Duration: 2-4 weeks

Prepare scope, leadership and objectives

Define the business continuity management system scope across critical products, services, processes, locations, suppliers, technology, and recovery dependencies. Confirm leadership accountability, interested parties, legal and contractual obligations, policy commitments, and measurable objectives before detailed control work begins.

2
Phase 2schedule Duration: 4-8 weeks

Gap analysis and risk assessment

Assess current practices against ISO 22301 requirements and the organization's risk context. Review business impact analysis, continuity strategies, response structures, recovery plans, exercises, and continual improvement, then prioritize gaps by compliance exposure, customer impact, operational risk, and audit readiness.

3
Phase 3schedule Duration: 8-16 weeks

Implement processes, controls and records

Deploy or improve the required processes, operating controls, responsibilities, training, monitoring, documented information, and corrective-action workflows. Build evidence around BIAs, risk assessments, continuity strategies, recovery plans, exercise reports, incident lessons learned, and management reviews.

4
Phase 4schedule Duration: Ongoing

Audit, review and continually improve

Run internal audits, management reviews, performance monitoring, and corrective actions before the certification audit. Keep the system current after incidents, process changes, customer feedback, regulatory changes, or audit findings.

Compliance Checklist

0 / 12

checklist Scope and governance

checklist Operational controls and evidence

checklist Performance and improvement

Penalties & Enforcement

warning

No direct legal penalties — ISO 22301 is voluntary. However, regulators in financial services (e.g., ECB, FCA, OCC) increasingly require business continuity frameworks aligned with ISO 22301. Non-certification may mean non-compliance with sector regulations.

Frequently Asked Questions

Who needs ISO 22301?

expand_more

ISO 22301 is relevant for organizations that need a disciplined business continuity management system covering critical products, services, processes, locations, suppliers, technology, and recovery dependencies. It is often adopted because customers, regulators, procurement teams, or market expectations require demonstrable controls and repeatable performance.

Is ISO 22301 certifiable or auditable?

expand_more

Yes, organizations can normally pursue a certification audit against ISO 22301 where certification or accreditation infrastructure exists. Even when certification is not the immediate goal, the standard can be used as an internal operating and assurance framework.

How long does implementation take?

expand_more

A focused implementation often takes several months, depending on scope, maturity, number of sites, process complexity, and evidence quality. Organizations with mature processes can move faster, while multi-site or regulated environments usually need more time.

What is the most important first step?

expand_more

Start with clear scope, leadership accountability, and an honest gap assessment. Without a stable scope and process ownership, teams usually create documents that do not match how work is actually performed.

What evidence do auditors expect?

expand_more

Auditors look for operating evidence, not just policy documents. Useful evidence includes BIAs, risk assessments, continuity strategies, recovery plans, exercise reports, incident lessons learned, and management reviews, plus proof that findings are reviewed and improved over time.

How often are internal audits needed?

expand_more

Internal audits should be performed at planned intervals based on risk, process importance, prior findings, and changes. Many organizations audit the full system annually and use targeted audits after incidents or major changes.

How does continual improvement work?

expand_more

Continual improvement uses performance data, audit findings, incidents, customer feedback, management review decisions, and corrective actions to strengthen the system. Improvement should be visible in objectives, controls, and measurable outcomes.

Can it be integrated with other standards?

expand_more

Yes. ISO 22301 can usually be integrated with other management-system standards by sharing governance, document control, internal audit, corrective action, risk management, and management review processes.

Official Documentation

View All

Related Categories