What Is ISO 22301 and Why Does Clause 5.2 Matter?
ISO 22301 is the international standard for Business Continuity Management Systems (BCMS). It gives organisations a structured framework for preparing for, responding to, and recovering from disruptive incidents, whether that is a cyberattack, a natural disaster, a supply chain failure, or a pandemic. If your organisation operates in a sector where downtime carries serious consequences, this standard is worth understanding in depth.
Clause 5.2 sits inside Section 5, which covers Leadership. That positioning is deliberate. The standard's authors placed the business continuity policy requirement under Leadership because a policy is not just a document. It is a direct expression of what senior management is committed to. Without that commitment being clearly stated and communicated, the rest of the management system has no foundation to stand on.
This guide walks you through exactly what ISO 22301 Clause 5.2 requires, what a compliant policy actually looks like, and the common mistakes that trip businesses up during certification audits. Real examples are included throughout so you can see how these requirements translate into practice.
The Full Requirements of ISO 22301 Clause 5.2
The standard requires top management to establish, implement, and maintain a business continuity policy. That sounds simple, but there are specific things the policy must do and specific characteristics it must have. Let us go through each one carefully.
The Policy Must Be Appropriate to the Organisation
The first requirement is that the policy is appropriate to the purpose of the organisation. This means a generic, copy-pasted policy downloaded from the internet will not cut it. An auditor reviewing your policy should be able to understand, at a glance, what kind of organisation you are and what continuity means in your specific context.
A logistics company's business continuity policy will look different from a hospital's, which will look different from a software development firm's. The risks, the critical functions, and the recovery priorities are different. Your policy needs to reflect that.
The Policy Must Provide a Framework for Setting Objectives
Clause 5.2 requires the policy to provide a framework for setting business continuity objectives. This is a common point of confusion. The policy itself does not need to list every objective, but it needs to set the direction that allows objectives to be established, reviewed, and updated in a meaningful way.
Think of it this way. The policy says, “We are committed to maintaining critical operations within defined recovery time frames.” That statement then allows the organisation to set specific, measurable objectives at the operational level, such as restoring the payment processing system within four hours of an incident.
The Policy Must Include a Commitment to Satisfy Applicable Requirements
The policy must contain a clear commitment to satisfying applicable requirements. In practice, this means the policy should acknowledge that the organisation will comply with relevant legal, regulatory, and contractual obligations that relate to business continuity. For Australian businesses, this might reference obligations under the Security of Critical Infrastructure Act 2018, sector-specific regulations, or contractual service level agreements with clients.
The Policy Must Include a Commitment to Continual Improvement
Like all ISO management system standards, ISO 22301 requires a commitment to continual improvement. The policy must state this explicitly. It is not enough to build a system and leave it static. The policy signals that the organisation will regularly review, test, and improve its business continuity arrangements.
The Policy Must Be Available as Documented Information
The policy must exist as documented information. This means it needs to be written down, approved, version controlled, and retained under the document control requirements of Clause 7.5, so that the current version can be identified and superseded versions are not still in circulation. An auditor will ask to see it. If you cannot produce it, or if it exists only as a vague verbal understanding among senior managers, that is a nonconformance.
The Policy Must Be Communicated Within the Organisation
The policy must be communicated to people within the organisation. This does not mean emailing it once and hoping for the best. Communication means making it available, ensuring relevant staff are aware of it, and being able to demonstrate that awareness. In audits, this is often tested by asking frontline staff whether they know the organisation has a business continuity policy and what it broadly says.
The Policy Must Be Available to Interested Parties as Appropriate
Finally, the policy must be available to interested parties where appropriate. This might mean publishing a summary on your website, sharing it with key clients or suppliers, or including it in tender responses. The phrase “as appropriate” gives you some discretion, but you should be able to justify your decisions about what you share and with whom.
What a Business Continuity Policy Should Actually Say
Many organisations write policies that technically tick the boxes but say nothing meaningful. A well-written business continuity policy should be concise, clear, and specific enough to be useful. Here is what it should cover in practice.
Statement of Purpose and Scope
Open with a clear statement of why the organisation has a BCMS and what it covers. Name the organisation, describe the scope of the system, and state what types of disruptions the policy addresses.
Commitment Statements
Include explicit commitments. Not vague aspirations, but clear statements of intent. For example: the organisation is committed to identifying and protecting its critical activities, to meeting recovery time objectives agreed with clients, to complying with relevant legislation and contractual obligations, and to continually improving the BCMS through regular testing and review.
Framework for Objectives
State that business continuity objectives will be established at relevant functions and levels, and that these objectives will be consistent with this policy. This creates the link between the policy and the operational work that follows.
Roles and Accountability
While the detailed roles and responsibilities are usually documented elsewhere in the BCMS, the policy should state that top management takes accountability for the effectiveness of the system. This reinforces the leadership requirement.
Review Commitment
State how often the policy will be reviewed and under what circumstances it will be updated. Annual review is typical, with additional reviews triggered by significant organisational changes, incidents, or changes in the regulatory environment.
Real-World Examples of ISO 22301 Clause 5.2 in Practice
Abstract requirements become much clearer when you see them applied to real scenarios. Here are three examples across different industries.
Example 1: Financial Services Firm
A mid-sized financial advisory firm in Melbourne is pursuing ISO 22301 certification. Their business continuity policy includes the following key elements. It states that the firm is committed to maintaining the continuity of client-facing financial services in the event of any disruption. It commits to meeting recovery time objectives specified in client service agreements. It references compliance with ASIC regulatory obligations and the Australian Privacy Act. It states that the policy will be reviewed annually by the Board and after any significant incident. The policy is signed by the CEO and is available to all staff on the intranet and to clients on request.
This policy works because it is specific to the firm's context, it names the relevant regulatory obligations, and it creates a clear link between leadership commitment and operational objectives.
Example 2: Healthcare Provider
A private hospital group operating across three states develops a business continuity policy that acknowledges the critical nature of patient care. The policy commits to maintaining essential clinical services during any disruption, including power outages, IT failures, and supply chain interruptions. It references compliance with state-based health legislation and accreditation requirements. It commits to conducting at least two business continuity exercises per year and to reviewing the BCMS following any significant incident. The policy is available to staff, to health department regulators, and is referenced in supplier contracts.
The strength of this policy is in its acknowledgment of the stakes involved. Patient safety is named explicitly, which drives the right behaviour throughout the rest of the system.
Example 3: IT Managed Services Provider
An IT managed services provider in Brisbane includes a business continuity policy as part of its integrated management system, alongside ISO 27001 for information security. The policy states that the organisation is committed to ensuring the continuity of IT services provided to clients, with defined recovery time and recovery point objectives. It commits to aligning business continuity arrangements with information security requirements. It references relevant contractual obligations with enterprise clients and compliance with the Notifiable Data Breaches scheme. The policy is reviewed quarterly due to the fast-changing nature of the business environment.
This example illustrates how a business continuity policy can be integrated with other management system policies without losing its specific focus. If you are also working through an introduction to ISO 27001 information security management, you will recognise how the two standards complement each other at the policy level.
Common Mistakes Businesses Make With Clause 5.2
Having reviewed many BCMS implementations over the years, the same mistakes come up repeatedly. Knowing them in advance saves a lot of rework.
Using a Generic Template Without Customisation
The most common mistake is downloading a generic policy template and changing only the company name. Auditors see this constantly. A policy that could belong to any organisation in any industry signals that leadership has not genuinely engaged with the requirement. Take the time to make it specific.
No Evidence of Communication
Having a policy on paper is one thing. Being able to demonstrate that staff have seen it and understand it is another. Keep records of how the policy was communicated, whether through induction training, team briefings, intranet publication, or email distribution. During an audit, you may be asked to show this evidence.
Policy Not Signed or Approved by Top Management
The policy must come from top management. If it is signed by a quality manager or a business continuity coordinator without any evidence of senior leadership endorsement, an auditor will raise this as a gap. The CEO, Managing Director, or Board must be visibly behind it.
Objectives Not Linked to the Policy
A policy that says “we are committed to maintaining critical operations within defined recovery time frames” but has no documented business continuity objectives sitting beneath it is an incomplete system. The policy creates the framework. The objectives bring it to life. Make sure there is a clear, traceable connection between the two, so that each objective can be read back to the commitment in the policy it supports.
Policy Not Reviewed or Updated
A policy dated three years ago with no evidence of review is a red flag. Business environments change. The policy must keep pace. If your organisation has grown, changed its services, or experienced a significant incident, the policy should reflect that.
For a broader view of how leadership obligations connect across the standard, it is worth reading about maintaining ISO 22301 certification year after year, which covers how ongoing leadership engagement keeps your system audit-ready.
How Clause 5.2 Connects to the Rest of ISO 22301
Clause 5.2 does not exist in isolation. It feeds directly into several other parts of the standard, and understanding those connections helps you build a coherent system rather than a collection of disconnected documents.
Connection to Clause 6.2 Business Continuity Objectives
As mentioned earlier, the policy provides the framework for setting objectives. Clause 6.2 then requires those objectives to be established, documented, and monitored. If your policy does not provide a clear direction, your objectives will lack grounding.
Connection to Clause 7.3 Awareness
Clause 7.3 requires that people doing work under the organisation's control are aware of the business continuity policy. This is the operational follow-through on the communication requirement in Clause 5.2. Your awareness programme needs to include the policy as a core element.
Connection to Clause 9.3 Management Review
The management review process, covered in Clause 9.3, should include a review of the policy's continued suitability. Top management needs to periodically ask whether the policy still reflects the organisation's context, obligations, and strategic direction. This is where the commitment to continual improvement becomes tangible.
Connection to Clause 4.1 and 4.2 Context
The policy must be appropriate to the organisation's purpose, which means it should be informed by the context analysis done under Clause 4. If you have identified key risks, critical stakeholders, and relevant obligations in your context analysis, these should be visible in the policy. The two clauses work together to anchor the entire system in reality.
If you want to understand how context analysis feeds into policy development, the article on practical examples of Clause 4.1 understanding organisation and its context is a useful companion read.
A Sample Business Continuity Policy Structure
Below is a suggested structure for a business continuity policy that meets Clause 5.2 requirements. This is not a template to copy word for word. It is a guide to what a compliant, meaningful policy includes.
- Title and Version: Business Continuity Policy, version number, date of issue, and next review date.
- Purpose: A brief statement explaining why the organisation has a BCMS and what it is designed to achieve.
- Scope: The activities, locations, and functions covered by the BCMS.
- Policy Commitments: Explicit statements covering protection of critical activities, compliance with applicable requirements, meeting recovery objectives, and continual improvement.
- Framework for Objectives: A statement that business continuity objectives will be set, monitored, and reviewed in line with this policy.
- Roles and Accountability: A statement that top management takes overall accountability for the BCMS.
- Review: The frequency of policy review and the triggers for unscheduled review.
- Approval: Signature and title of the authorising executive.
Keep the policy to one or two pages. Longer is not better. A clear, concise policy that staff can actually read and understand is far more valuable than a ten-page document that nobody looks at.
Preparing for an Audit on Clause 5.2
When an auditor reviews your business continuity policy, they are looking for a few specific things. Being prepared for these questions will save you from unnecessary findings.
First, they will read the policy itself and assess whether it meets each of the requirements listed in Clause 5.2. They will check for the commitment statements, the framework for objectives, and the appropriateness to the organisation's context.
Second, they will ask how the policy was communicated. Be ready to show records. This might be an email distribution list, a training register, an intranet page with access logs, or meeting minutes where the policy was presented to staff.
Third, they may speak with staff members, including those who are not directly involved in the BCMS, to check awareness. A receptionist or warehouse team member should be able to say, in general terms, that the organisation has a business continuity policy and what it is broadly about.
Fourth, they will check the review history. Is the policy current? Has it been reviewed within the stated timeframe? Are there records of that review?
If you are preparing for your first ISO 22301 certification and want to understand what the overall process involves, the 7 steps to achieve ISO certification guide gives a solid overview of the journey from start to certificate.
Getting the Right Support for ISO 22301 Implementation
ISO 22301 is not a simple standard to implement alone. The policy is one of the easier elements, but building a complete, audit-ready BCMS requires significant expertise across risk assessment, business impact analysis, recovery strategy development, and testing. Many organisations benefit from working with an experienced consultant who understands both the standard and the specific sector they operate in.
If you are at the stage of looking for implementation support or a certification body to conduct your audit, CertBetter makes that process straightforward. You submit one form describing your organisation and your certification needs, and you receive up to three competing quotes from vetted consultants and accredited certification bodies. The service is completely free for businesses seeking certification help, and it removes the guesswork from finding providers who actually know what they are doing.