How Much Does ISO 22301 Certification Cost?

CertBetter

Team CertBetter


What Is ISO 22301 and Who Needs It?

ISO 22301 is the international standard for Business Continuity Management Systems (BCMS). It gives organisations a structured framework to prepare for, respond to, and recover from disruptive incidents, whether that is a cyberattack, a natural disaster, a critical supplier failure, or a pandemic-style event that shuts down operations.

If your business operates in critical infrastructure, financial services, healthcare, government contracting, utilities, or any sector where downtime carries serious consequences, ISO 22301 certification is increasingly expected rather than optional. Procurement teams and government agencies are asking for it more frequently, and in some regulated sectors it is becoming a tender prerequisite.

But before you commit to the process, you need a realistic picture of what it actually costs. This article breaks down the numbers honestly, explains what drives the variation in price, and helps you avoid the traps that catch businesses off guard.

The Short Answer: What ISO 22301 Certification Costs in Australia

ISO 22301 certification typically costs between $8,000 and $60,000 AUD for the full initial certification cycle, depending on your organisation's size, complexity, and how much work you need to do before you are audit-ready. That is a wide range, and the reason for it is genuine, not vague. Let me explain exactly what sits at each end of that range.

Small Organisations (Under 50 Employees)

A small professional services firm, a niche technology company, or a boutique financial services provider with a well-defined scope and limited operational complexity can often complete ISO 22301 certification for between $8,000 and $18,000 AUD. This assumes a focused scope, reasonably mature existing processes, and either an experienced internal resource or a lean consulting engagement.

Medium Organisations (50 to 250 Employees)

Mid-sized organisations with multiple departments, more complex supply chains, or multiple sites typically spend between $18,000 and $35,000 AUD. At this level, the consulting work becomes more involved, the documentation burden increases, and the certification body will allocate more audit days, which directly increases their fees.

Large or Complex Organisations (250+ Employees)

Larger organisations, particularly those in critical infrastructure, banking, or government services, can expect total costs of $35,000 to $60,000 AUD or more. Multi-site operations, complex recovery strategies, and the need to demonstrate resilience across interconnected systems all add time and cost to both the consulting and certification phases.

Breaking Down the Cost Components

ISO 22301 certification costs fall into three main buckets: consulting and implementation, certification body fees, and internal costs. Most businesses only budget for the first two and then get surprised by the third.

1. Consulting and Implementation Costs

Unless you have a highly experienced business continuity specialist in-house, you will almost certainly need external help. ISO 22301 is not a simple standard. It requires a genuine Business Continuity Management System with documented policies, risk and business impact analysis (BIA), recovery strategies, business continuity plans, and evidence of testing and exercising those plans.

Consulting fees in Australia vary considerably. Expect to pay between $150 and $350 AUD per hour for a qualified business continuity consultant, or between $5,000 and $25,000 AUD for a fixed-price engagement depending on scope. Be cautious of fixed-price packages that seem unusually low. As discussed in our article on why cheap ISO certification is bad for your business, cutting corners during implementation almost always costs more later when auditors find gaps.

A good consultant's work includes gap analysis against ISO 22301 requirements, development of your BCMS documentation, facilitation of business impact analysis workshops, support with recovery strategy development, internal audit preparation, and coaching your team through the Stage 1 and Stage 2 audits.

2. Certification Body Fees

The certification body (the auditing organisation that issues your certificate) charges for the initial audit, ongoing surveillance audits, and the recertification audit at the end of the three-year cycle. Their fees are calculated primarily based on the number of audit days required, which in turn is based on the size and complexity of your organisation.

For a small organisation, initial certification audits typically run two to four days. For a medium organisation, expect four to seven days. Large or complex organisations may require eight to twelve audit days or more. Audit day rates from accredited certification bodies in Australia typically range from $1,200 to $2,500 AUD per day.

On top of audit day fees, certification bodies charge application fees, certificate issuance fees, and sometimes travel costs for on-site audits. These can add another $500 to $3,000 AUD to your initial certification cost depending on the provider and your location.

For ongoing surveillance audits (usually annual), budget approximately $2,000 to $6,000 AUD per year. Recertification at the end of year three is typically similar in cost to the initial certification, though sometimes slightly less if your system is well-maintained. Our guide on hidden ISO certification costs covers many of these ongoing fees that businesses miss when budgeting.

3. Internal Costs

This is the budget line that almost every business underestimates. Implementing ISO 22301 requires significant internal time from your management team, operations staff, and whoever is leading the project. Business impact analysis workshops alone can consume two to five days of time from senior managers across multiple departments.

Other internal costs to account for include:

  • Staff time for documentation development, review, and approval
  • Business continuity exercises and testing (tabletop exercises, simulations, full-scale tests)
  • Training for staff on their roles in the BCMS
  • Technology investments such as backup systems, communication tools, or recovery infrastructure
  • Any remediation work required to close gaps identified during the gap analysis

For a medium-sized organisation, it is not unusual for internal time costs to represent $10,000 to $25,000 AUD in equivalent staff hours, even when those costs do not appear as a line item on any invoice.

What Drives the Cost Up or Down?

Scope of Your BCMS

The single biggest cost driver is how broadly or narrowly you define the scope of your Business Continuity Management System. A tightly defined scope covering one business unit or one critical service line will cost significantly less to implement and certify than a scope that covers your entire organisation. This is not about gaming the system. It is about being strategic. Many businesses start with a focused scope and expand it in subsequent certification cycles.

Your Starting Point

If your organisation already has documented processes, a risk management framework, and some form of existing business continuity planning, even informal, you are starting from a much better position than an organisation with nothing in place. A mature starting point can reduce consulting time by thirty to fifty per cent.

Industry Complexity

Organisations in highly regulated sectors or those with complex, interdependent systems take longer to implement and audit. A financial services firm with regulatory obligations around operational resilience, for example, will have a more involved implementation than a professional services firm with simpler operations.

Number of Sites

Each additional site adds audit time and implementation complexity. If your organisation operates across multiple locations, expect the certification body to either audit all sites or apply a sampling methodology, both of which add cost.

Recovery Time Objectives and Infrastructure

ISO 22301 requires you to define and demonstrate your ability to meet recovery time objectives (RTOs) for critical functions. If your current infrastructure cannot support those RTOs, you may need to invest in backup systems, redundant facilities, or third-party recovery services before certification is achievable. These technology investments can sometimes dwarf the consulting and audit fees.

Consulting Models: What Are You Actually Paying For?

There are three main ways consultants price ISO 22301 work, and understanding the difference helps you compare quotes properly.

Hourly Rate Engagements

You pay for time used. This works well when you have internal capacity and just need expert guidance at key points. The risk is scope creep if the engagement is not well-defined. Our article on ISO consultant pricing: fixed price vs hourly rate explains how to decide which model suits your situation.

Fixed-Price Packages

A defined scope of work for a set price. This gives you budget certainty but requires you to understand exactly what is included and excluded. Ask specifically whether the package includes business impact analysis facilitation, exercise support, and Stage 2 audit attendance. These are often excluded from lower-priced packages.

Retainer or Ongoing Support Models

Some consultants offer ongoing support arrangements covering implementation plus the first year of surveillance. This can be cost-effective for organisations that want continuity of support across the full certification cycle.

ISO 22301 vs Other ISO Standards: Is It More Expensive?

ISO 22301 is generally more expensive to implement than ISO 9001 or ISO 14001, and comparable in cost to ISO 27001. The reason is the depth of operational analysis required. Business impact analysis is time-intensive. Recovery strategies need to be documented, tested, and evidenced. Business continuity exercises need to be planned and executed before certification.

If you are already certified to ISO 27001, there is meaningful overlap between the two standards, particularly around risk assessment, information security continuity, and documentation requirements. Some organisations pursue both standards simultaneously to reduce the combined cost. For context on how other certification costs compare, our article on ISO 27001 certification costs in Australia provides a detailed breakdown of that standard.

Choosing a Certification Body: What to Look For

Not all certification bodies are equal, and for ISO 22301 specifically, industry experience matters. You want an auditor who understands business continuity in practice, not just someone who can tick boxes against the standard's clauses.

In Australia, certification bodies should be accredited by JAS-ANZ (Joint Accreditation System of Australia and New Zealand), which is the national accreditation body responsible for ensuring certification bodies operate to the required standard. Only use JAS-ANZ accredited (or equivalent internationally recognised) certification bodies if you want your certificate to be recognised in procurement and regulatory contexts.

When comparing certification body quotes, look beyond the day rate. Consider their experience auditing BCMS in your sector, the qualifications of the auditors they will assign, their responsiveness during the sales process (a good indicator of how they will communicate during the audit), and what their surveillance audit process looks like.

How to Reduce ISO 22301 Certification Costs Without Cutting Corners

There are legitimate ways to reduce your total spend on ISO 22301 certification without compromising the quality or integrity of your system.

  • Start with a focused scope. Define your BCMS around your most critical products or services first. Expand later.
  • Do a proper gap analysis before engaging a consultant. Understanding where you are starting from helps you scope the consulting engagement accurately and avoid paying for work you do not need.
  • Invest in internal capability. Training one or two internal staff members in business continuity management reduces your long-term dependency on external consultants and lowers ongoing costs.
  • Get multiple quotes. Certification body fees vary significantly between providers for the same audit scope. There is no reason to accept the first quote you receive.
  • Combine with ISO 27001 if relevant. If you are pursuing both standards, an integrated approach can reduce consulting and audit costs by twenty to thirty per cent.
  • Use technology for documentation management. A good document management system reduces the administrative burden and makes surveillance audits smoother and faster.

The Three-Year Cost Picture

ISO 22301 certification operates on a three-year cycle. Initial certification is the most expensive phase. Surveillance audits in years one and two are lighter touch. Recertification at the end of year three is more involved but typically less costly than the initial certification.

A realistic three-year total cost for a medium-sized Australian organisation might look like this:

  • Year 1 (Implementation and Initial Certification): $25,000 to $45,000 AUD
  • Year 2 (Surveillance Audit and Maintenance): $5,000 to $12,000 AUD
  • Year 3 (Surveillance Audit and Recertification): $8,000 to $18,000 AUD
  • Three-Year Total: $38,000 to $75,000 AUD

These figures include consulting support, certification body fees, and a reasonable allowance for internal time. Technology investments, if required, are additional.

Is ISO 22301 Worth the Investment?

That depends entirely on your context. If you are bidding for government contracts, operating in critical infrastructure, or serving clients who have their own regulatory obligations around supply chain resilience, ISO 22301 certification can be the difference between winning and losing contracts worth far more than the certification cost.

Beyond the commercial argument, the process of implementing a genuine BCMS forces your organisation to answer questions it should probably already have answers to. What are your most critical functions? How long can you survive without them? What would actually happen if your primary data centre went offline, your key supplier failed, or your main office became inaccessible? Organisations that go through this process properly are materially more resilient, not just certified.

If you are unsure whether ISO 22301 is the right standard for your situation, or whether you should pursue it alongside another standard, speaking with an experienced consultant before committing is worth the time. CertBetter connects businesses with verified ISO consultants and accredited certification bodies who can give you an honest assessment of your situation and provide competing quotes so you can compare your options. The service is free for businesses, and submitting one form gets you up to three quotes from vetted providers.


Frequently Asked Questions

For most small to medium organisations, the implementation and initial certification process takes between four and twelve months. A small organisation with a focused scope and strong internal commitment can achieve certification in four to six months. Larger or more complex organisations typically need nine to twelve months to develop a genuinely functional BCMS, conduct exercises, and complete the two-stage audit process. Rushing the implementation to meet a deadline is one of the most common causes of audit failure and additional cost.

Yes, but it requires careful scoping. A small business with a well-defined scope, some existing processes, and a willingness to invest internal time can achieve ISO 22301 certification for between $8,000 and $18,000 AUD. The key is not trying to certify everything at once. Start with your most critical service or product line, demonstrate a functioning BCMS for that scope, and expand in subsequent cycles. Using a consultant who understands how to scope BCMS projects for smaller organisations is essential.

ISO 22301 is the certifiable standard that specifies the requirements for a Business Continuity Management System. It is what your organisation is audited against. ISO 22313 is a guidance document that provides interpretation and implementation advice for ISO 22301. You cannot be certified to ISO 22313. Think of 22313 as a practical companion to 22301 that helps you understand how to meet the requirements. Both are published by ISO and are useful during implementation, but only 22301 is the basis for certification.

Not strictly, but ISO 22301 is one of the more technically demanding management system standards to implement without experienced guidance. Business impact analysis, recovery strategy development, and the design of exercising programmes all require specialist knowledge that most organisations do not have in-house. You can reduce consulting costs by building internal capability and using a consultant for specific phases rather than end-to-end delivery, but attempting a fully self-directed implementation without any external expertise significantly increases the risk of audit failure and wasted internal time.

Generally yes, ISO 22301 certification costs are deductible as a business expense under Australian tax law, provided they are incurred in the course of producing assessable income and are not capital in nature. Consulting fees, certification body fees, staff training costs, and related implementation expenses would typically qualify. Technology investments made as part of the implementation may be treated differently depending on their nature and value. You should confirm the treatment of specific costs with your accountant, as individual circumstances vary.

Look for consultants with specific business continuity management experience, not just general ISO consulting backgrounds. Ask for evidence of previous ISO 22301 implementations, references from clients in your sector, and clarity on what is included in their quoted scope. Be wary of consultants who cannot clearly explain the business impact analysis process or who offer unusually fast timelines. CertBetter is a free platform that connects businesses with verified ISO consultants and accredited certification bodies, allowing you to compare up to three competing quotes and make an informed decision.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
