What Is ISO 22301 and Why Does Clause 8 Matter?
ISO 22301 is the international standard for Business Continuity Management Systems (BCMS). It gives organisations a structured framework for preparing for, responding to, and recovering from disruptive incidents, whether that is a cyberattack, a natural disaster, a supplier failure, or a pandemic.
If you have been working through the standard clause by clause, you will know that the earlier sections cover planning, leadership, and support. Clause 8 is where the real work begins. It is the operational heart of ISO 22301, covering everything your organisation actually does to build and maintain its ability to continue operating when things go wrong.
For businesses pursuing ISO 22301 certification, Clause 8 is where auditors spend a significant portion of their time. It is not enough to have a policy and a risk register. You need to show that your business continuity arrangements are operational, tested, and embedded in how your organisation actually functions.
This guide walks through each sub-clause of Clause 8 in plain language, with practical examples to help you understand what is required and how to implement it properly.
Overview of ISO 22301 Clause 8 Structure
Clause 8 is titled “Operation” and is divided into several sub-clauses. Here is the structure at a glance:
- Clause 8.1: Operational planning and control
- Clause 8.2: Business impact analysis (BIA)
- Clause 8.3: Risk assessment
- Clause 8.4: Business continuity strategy and solutions
- Clause 8.5: Business continuity plans and procedures
- Clause 8.6: Exercise programme
- Clause 8.7: Evaluation of business continuity documentation and capabilities
Each sub-clause builds on the previous one. You cannot develop a meaningful continuity plan without first completing a business impact analysis. You cannot test your plans without having developed them. The logic flows in sequence, and your implementation should follow the same order.
Clause 8.1: Operational Planning and Control
This sub-clause sets the foundation. It requires your organisation to plan, implement, control, and review the processes needed to meet business continuity requirements. It also requires you to manage planned and unplanned changes, and to control outsourced processes that affect your continuity arrangements.
In practical terms, this means you need documented processes, clear ownership, and a mechanism for reviewing whether your operational controls are working. It also means that if you outsource a critical function, such as IT hosting or payroll processing, you cannot simply assume the supplier has continuity covered. You need to verify it.
Example: A logistics company in Brisbane outsources its warehouse management software to a cloud provider. Under Clause 8.1, the logistics company must confirm that the cloud provider has its own business continuity arrangements, and document how it would operate if that provider experienced an outage. Simply including a clause in the contract is not sufficient. You need evidence of the provider's continuity capability and a plan for what your business does if that capability fails.
Clause 8.2: Business Impact Analysis
The business impact analysis, commonly called the BIA, is one of the most important documents in your BCMS. It identifies your critical activities, the resources they depend on, and the consequences of disruption over time.
ISO 22301 requires your BIA to determine the activities that support the delivery of your products and services, the timeframes within which those activities must be resumed, and the minimum level of resources needed to resume them. Two key terms come from this process:
- Maximum Tolerable Period of Disruption (MTPD): The longest time your organisation can tolerate the disruption of a critical activity before it causes unacceptable consequences.
- Recovery Time Objective (RTO): The target time within which you aim to resume a critical activity. This must always be shorter than the MTPD.
Example: A private hospital in Melbourne completes a BIA and identifies that its patient admissions system is a critical activity. The MTPD is determined to be four hours, meaning that if admissions are down for more than four hours, patient safety and regulatory obligations are seriously compromised. The hospital sets an RTO of two hours, giving itself a buffer. This then drives the continuity strategy for that system, including the requirement for a manual backup process and an IT recovery plan.
A common mistake organisations make is treating the BIA as a one-time document. It needs to be reviewed whenever there are significant changes to your operations, your products or services, or your dependencies. Checking whether your ISO management system is actually working includes reviewing whether your BIA still reflects your current business reality.
Clause 8.3: Risk Assessment
While the BIA focuses on the impact of disruption, the risk assessment focuses on the likelihood and nature of threats. Clause 8.3 requires your organisation to identify risks to your critical activities, assess their likelihood and potential impact, and determine appropriate treatments.
ISO 22301 does not prescribe a specific risk assessment methodology, but it does require the process to be systematic and documented. Many organisations use a risk matrix approach, rating threats by likelihood and consequence to determine a risk rating and priority for treatment.
Example: A financial services firm in Sydney identifies the following threats to its operations: extended power outage, key staff unavailability, cyberattack, and loss of access to its office building. Each threat is assessed for likelihood and impact. A cyberattack is rated high likelihood and high impact, making it a priority risk. The firm then develops specific continuity strategies to address this risk, including offline backup systems, an incident response procedure, and a tested recovery process.
It is worth noting that the risk assessment under ISO 22301 is specifically focused on threats to business continuity, not general enterprise risk. You may already have a risk management framework under ISO 31000, but the continuity-specific risk assessment needs to be documented separately and linked to your BIA findings.
Clause 8.4: Business Continuity Strategy and Solutions
Once you know which activities are critical and what threatens them, you need to determine how you will protect and recover them. Clause 8.4 requires your organisation to identify and select continuity strategies and solutions that address the risks and impacts identified in the BIA and risk assessment.
Strategies need to cover three areas:
- Protection of critical activities: Measures taken before a disruption to reduce the likelihood or impact of threats.
- Stabilisation and continuation during a disruption: How you keep operating, even at a reduced level, while the disruption is ongoing.
- Recovery of critical activities: How you restore full normal operations after the disruption has passed.
Clause 8.4 also requires you to consider resource requirements for your strategies, including people, information, technology, premises, and supply chain dependencies.
Example: A manufacturing company in Adelaide identifies that its production line depends on a single supplier for a critical component. The continuity strategy includes qualifying a second supplier, holding a minimum stock level of the component, and documenting a process for expediting emergency orders. These are all preventive and recovery measures that directly address the identified risk of supply chain disruption.
One area where organisations often fall short is in documenting the rationale for their chosen strategies. An auditor will want to see not just what you decided to do, but why you chose that approach over alternatives. Keep records of the decision-making process as part of your documented information.
Clause 8.5: Business Continuity Plans and Procedures
This is where your strategies become actionable. Clause 8.5 requires your organisation to develop documented plans and procedures that can be activated during a disruption. These documents must be practical enough for people to use under pressure, and they must be accessible when normal systems may not be available.
The standard requires your plans to include:
- Roles, responsibilities, and authorities during an incident
- A process for activating the plan
- Communication procedures, both internal and external
- Steps for stabilising the situation and maintaining critical activities
- Recovery procedures to restore normal operations
- A process for standing down the plan once the disruption is resolved
ISO 22301 also specifically requires an incident response procedure that addresses how your organisation detects and assesses a disruption, activates its response, and communicates with stakeholders including staff, customers, regulators, and the media where relevant.
Example: A law firm in Perth develops a business continuity plan for the loss of access to its office building. The plan includes a pre-designated alternate work location, a list of staff who can work remotely, a communication tree for notifying staff and clients, and a checklist of actions to be taken in the first two hours, first 24 hours, and first week of the disruption. The plan is stored both digitally and in printed form off-site, so it can be accessed even if the firm's systems are unavailable.
A frequent issue I see in audits is plans that are theoretically correct but practically useless. They are written in bureaucratic language, they assume access to systems that may be down, and they have not been tested. Plans need to be written for the people who will use them, not for the auditor who will review them.
Clause 8.6: Exercise Programme
Having a plan is not enough. You need to test it. Clause 8.6 requires your organisation to establish and maintain an exercise programme to validate that your continuity plans and procedures are fit for purpose.
Exercises can take many forms, ranging from desktop walkthroughs to full operational simulations. The standard does not mandate a specific frequency or type of exercise, but it does require that exercises are planned, that results are evaluated, and that any deficiencies identified are addressed.
Common exercise types include:
- Tabletop exercises: A facilitated discussion where key staff walk through a scenario and discuss how they would respond. Low cost and easy to run, but limited in what it tests.
- Functional exercises: Specific functions or teams activate their plans in a controlled environment. More realistic than a tabletop but still controlled.
- Full simulation exercises: The organisation activates its full continuity response as if a real disruption were occurring. Most realistic but also most resource intensive.
Example: A telecommunications provider runs a tabletop exercise in February simulating a major data centre outage. The exercise reveals that the IT team's recovery procedure references a system that was decommissioned six months ago. This finding is logged, the procedure is updated, and a follow-up exercise is scheduled for August. This is exactly how an exercise programme should work: test, find gaps, fix them, and test again.
Your exercise records are important documented evidence for your certification audit. Auditors will want to see exercise plans, attendance records, findings, and evidence that corrective actions were completed. The same discipline that makes internal audits actually find problems applies equally to your exercise programme: the goal is to find weaknesses before a real event does.
Clause 8.7: Evaluation of Business Continuity Documentation and Capabilities
The final sub-clause of Clause 8 requires your organisation to periodically evaluate its business continuity documentation and capabilities to confirm they remain current, accurate, and effective.
This goes beyond just reviewing documents. It requires you to assess whether your continuity capabilities, the strategies, resources, and plans you have developed, are still appropriate given changes to your organisation and its operating environment.
Example: A retail chain acquires two new stores in Queensland. Under Clause 8.7, the organisation must update its BIA to include the new locations, review whether existing continuity strategies cover the expanded operation, and update its plans accordingly. Simply adding the stores to the scope without reviewing the underlying continuity arrangements would be a non-conformance.
Clause 8.7 works closely with the management review process under Clause 9, and with the internal audit programme. Together, these processes form a continuous improvement loop that keeps your BCMS relevant and effective over time. For more on how documented information supports this process, understanding controlled documents is a practical starting point.
Common Non-Conformances in Clause 8
Based on audit experience, these are the most frequent issues organisations encounter with Clause 8:
- BIA not linked to continuity strategies: The BIA identifies critical activities but the strategies do not specifically address them. There is a disconnect between analysis and action.
- RTOs that are not achievable: Organisations set ambitious recovery time objectives but have not put in place the resources or procedures to actually meet them.
- Plans not tested or not tested recently: Exercise programmes exist on paper but have not been run, or were last run several years ago.
- Plans not accessible during a disruption: Continuity plans are stored only on internal servers that may be unavailable during the very events they are meant to address.
- Outsourced processes not covered: Critical dependencies on third parties have not been assessed for continuity capability.
- BIA not reviewed after significant changes: The BIA was completed for certification and has not been updated since, even though the business has changed significantly.
If you are preparing for your Stage 1 or Stage 2 audit, reviewing your Clause 8 documentation against this list is a useful self-assessment exercise. Preparing for your Stage 1 readiness audit covers the broader preparation process in detail.
How Clause 8 Connects to the Rest of ISO 22301
Clause 8 does not sit in isolation. It draws on the outputs of earlier clauses and feeds into later ones.
The context analysis from Clause 4 informs what threats and dependencies are relevant to your BIA and risk assessment. The leadership commitment from Clause 5 determines whether your continuity programme has the resources and authority it needs. The planning outputs from Clause 6 set the objectives that your operational activities need to achieve.
On the output side, the results of your exercises and evaluations under Clauses 8.6 and 8.7 feed directly into the performance evaluation processes of Clause 9 and the improvement activities of Clause 10. ISO 31000 risk management principles can also complement your Clause 8.3 risk assessment process, particularly for organisations that want a more structured approach to risk treatment.
The ISO 22301:2019 standard itself describes this interconnection clearly. Clause 8 is the operational expression of everything your organisation has committed to in its policy and planning. If your operational activities are not aligned with your stated objectives and risk appetite, you have a gap that an auditor will find.
Practical Tips for Implementing Clause 8
Here are some direct, practical recommendations for getting Clause 8 right:
- Start the BIA with your most critical products or services, not with a complete inventory of every activity in the business. Identify what would cause the most serious consequences if disrupted, and work from there.
- Validate your RTOs with the people responsible for recovery. It is common for management to set RTOs without checking whether the IT team or operations team can actually meet them.
- Keep your plans short and practical. A 60-page business continuity plan is not useful in a crisis. One-page action checklists for each critical scenario are far more effective.
- Store plans in multiple locations, including off-site and in printed form. Cloud storage is useful but may be unavailable during a cyberattack or extended power outage.
- Run exercises annually at minimum, and after any significant change to your operations or after a real incident. Treat exercise findings as non-conformances that require corrective action.
- Review your supply chain dependencies carefully. Many organisations discover during a real disruption that a critical dependency they had not identified was actually their weakest link.
Getting Help With ISO 22301 Certification
ISO 22301 is one of the more complex management system standards to implement, particularly for organisations that have not previously formalised their business continuity arrangements. Clause 8 alone requires significant analytical work, including the BIA, risk assessment, strategy development, plan writing, and exercise facilitation.
If you are working through this for the first time, or if you are preparing for a recertification audit and want to make sure your Clause 8 documentation is solid, working with an experienced ISO 22301 consultant can save you significant time and help you avoid the common pitfalls described in this article.
CertBetter connects businesses with verified ISO consultants and accredited certification bodies who specialise in business continuity. Submit one form and receive up to three competing quotes from vetted providers. The service is completely free for businesses seeking certification help, and it takes the guesswork out of finding the right partner for your ISO 22301 journey.