How to Get ISO 22301 Certified Step by Step

Team CertBetter

What Is ISO 22301 and Why Does It Matter?

ISO 22301 is the international standard for Business Continuity Management Systems (BCMS). It gives organisations a structured framework for identifying threats, planning responses, and recovering operations when disruption hits. Whether that disruption is a cyberattack, a natural disaster, a supply chain collapse, or a pandemic, ISO 22301 certification tells your clients, your insurers, and your regulators that you have a tested plan in place.

Getting ISO 22301 certified is not just about having a thick binder of policies on a shelf. It requires you to demonstrate that your organisation genuinely understands its critical functions, has assessed what could go wrong, and has rehearsed its response. Auditors will look for evidence, not just documents.

If you are considering this standard, you are probably in one of a few situations. A major client has asked you to prove business continuity capability. Your board is concerned about operational resilience. Or you have already experienced a disruption and want to make sure it never catches you unprepared again. Whatever your reason, this guide walks you through the ISO 22301 certification process step by step, in plain language.

For context on how this standard fits into the broader landscape of management systems, our ultimate guide to management systems is a useful starting point.

Step 1: Understand What ISO 22301 Actually Requires

Before you spend a dollar on consultants or certification bodies, read the standard. You do not need to memorise every clause, but you do need to understand the structure and intent. ISO 22301 follows the High Level Structure (HLS) used by most modern ISO management system standards, so if you are already familiar with ISO 9001 or ISO 27001, many of the concepts will feel familiar.

The core requirements of ISO 22301 cover:

  • Understanding your organisation and its context, including interested parties and legal obligations
  • Leadership commitment and a defined business continuity policy
  • Risk assessment and business impact analysis (BIA)
  • Business continuity strategies and solutions
  • Business continuity plans and procedures
  • Exercising, testing, and maintaining those plans
  • Internal audits and management reviews
  • Continual improvement

The business impact analysis is where most organisations underestimate the work involved. It requires you to identify your time-sensitive activities, determine the maximum tolerable period of disruption (MTPD) for each, and establish recovery time objectives (RTOs). This is not a theoretical exercise. You need to talk to your operational teams and get real numbers.

You can purchase the standard directly from ISO.org, where the current version ISO 22301:2019 is available. Reading it before engaging anyone externally will save you significant time and money.

Step 2: Define Your Scope

Scope definition is one of the most important decisions you will make in this process. Your scope determines what parts of the business, which locations, which services, and which processes are covered by your BCMS and therefore subject to certification.

A common mistake is scoping too broadly from the start. If you are a 200-person business with five service lines, certifying all five at once is significantly more complex and expensive than starting with your two most critical lines. You can always expand scope later.

Your scope statement needs to be specific. It should describe the products and services covered, the locations included, and any exclusions with a clear justification. Auditors will test whether your actual operations match your declared scope, so vague scope statements cause problems.

Think about what your clients actually need. If a major government client requires you to demonstrate continuity for a specific contract, scope your BCMS around that contract first. Get certified, then expand.

Our article on determining the scope of management systems covers this in more detail with practical examples.

Step 3: Conduct a Gap Analysis

A gap analysis compares your current state against the requirements of ISO 22301. It tells you what you already have in place, what is partially in place, and what is missing entirely. This is where you figure out how much work lies ahead.

You can do a gap analysis yourself using a structured checklist, or you can bring in an experienced consultant to do it for you. If you have no prior experience with ISO standards, a professional gap analysis is worth the investment. It gives you an honest picture and a prioritised action plan.

Typical gaps organisations find at this stage include:

  • No formal business impact analysis has ever been conducted
  • Business continuity plans exist but have never been tested
  • No documented recovery time objectives for critical processes
  • Leadership has not formally committed to or reviewed continuity arrangements
  • Supply chain dependencies are not mapped or assessed
  • No internal audit program exists

Document your findings. The gap analysis report becomes the foundation of your implementation project plan. Assign owners to each gap, set realistic timelines, and get sign-off from senior leadership before you start building.

Step 4: Build Leadership Commitment

ISO 22301 will not work without genuine commitment from the top. This is not a compliance checkbox that you can hand to a junior staff member. The standard explicitly requires top management to demonstrate leadership, establish a business continuity policy, assign roles and responsibilities, and participate in management reviews.

In practice, this means getting your CEO, COO, or board to understand what business continuity management actually involves. They need to approve the scope, endorse the policy, allocate resources, and be available for management review meetings. If leadership treats this as an IT project or a documentation exercise, your BCMS will fail the audit.

Start with a briefing session for senior leadership. Walk them through what ISO 22301 requires, what the certification process looks like, what resources are needed, and what the business benefits are. Be honest about the time commitment. A genuine BCMS requires ongoing attention, not just a one-time implementation effort.

Step 5: Conduct the Business Impact Analysis and Risk Assessment

This is the technical heart of ISO 22301. The business impact analysis (BIA) and risk assessment are separate but connected activities, and both need to be thorough.

Business Impact Analysis

The BIA identifies which of your activities are time-sensitive, meaning that if they stopped, the impact on your organisation would become unacceptable after a certain period. For each time-sensitive activity, you need to determine:

  • The maximum tolerable period of disruption (MTPD)
  • The minimum business continuity objective (MBCO), meaning the minimum level of service you need to maintain
  • The recovery time objective (RTO), which must be less than the MTPD
  • The resources required to resume that activity at the MBCO level

Conduct the BIA through structured interviews with department heads and process owners. Do not let it be completed by a single person sitting at a desk. The quality of your BIA depends entirely on the quality of the conversations you have with the people who actually run your operations.

Risk Assessment

The risk assessment identifies threats and vulnerabilities that could cause disruption. Common threats include natural disasters, power outages, cyberattacks, key person dependencies, supplier failures, and pandemic events. For each threat, assess the likelihood and potential impact, then determine what controls or treatments are appropriate.

Your risk assessment should directly inform your business continuity strategies. If your BIA identifies that your customer invoicing process must be restored within four hours, and your risk assessment identifies a high likelihood of IT system failure, you need a strategy that achieves that four-hour RTO even when your primary systems are down.
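The relationships in the two passages above (RTO strictly below MTPD, an MBCO for every time-sensitive activity, and at least one strategy that can actually meet the RTO) are the kind of thing that is easy to get wrong in a spreadsheet BIA register. The following is an added example, not CertBetter's code or anything from the standard, that encodes those consistency checks and ranks activities for recovery. The register, the activity names, and the hours that each strategy can achieve are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Activity:
    """One time-sensitive activity from the BIA register (hypothetical structure)."""
    name: str
    mtpd_hours: float   # maximum tolerable period of disruption
    rto_hours: float    # recovery time objective, must be less than MTPD
    mbco: str           # minimum business continuity objective (service level to maintain)
    # Candidate continuity strategies and the recovery time each can realistically
    # achieve, in hours. These figures are constructed for the example.
    strategies: Dict[str, float] = field(default_factory=dict)


def check_activity(a: Activity) -> List[str]:
    """Return the consistency problems found for one activity (empty if none)."""
    problems = []
    if a.rto_hours >= a.mtpd_hours:
        problems.append("RTO must be less than MTPD")
    if not a.mbco.strip():
        problems.append("MBCO is not defined")
    if not a.strategies:
        problems.append("no continuity strategy recorded")
    elif min(a.strategies.values()) > a.rto_hours:
        # Every recorded strategy takes longer than the RTO: the BIA and the
        # strategy selection do not agree, which an auditor will notice.
        problems.append("no recorded strategy achieves the RTO")
    return problems


def check_register(activities: List[Activity]) -> Dict[str, List[str]]:
    """Map activity name -> list of problems, for activities that have any."""
    return {a.name: p for a in activities if (p := check_activity(a))}


def recovery_priority(activities: List[Activity]) -> List[str]:
    """Activity names ordered by RTO, then MTPD, shortest first."""
    return [a.name for a in sorted(activities, key=lambda x: (x.rto_hours, x.mtpd_hours))]


# Constructed sample register: one consistent entry and three with typical defects.
SAMPLE_REGISTER = [
    Activity("Customer invoicing", mtpd_hours=8, rto_hours=4,
             mbco="issue invoices for the top 20 accounts",
             strategies={"manual invoicing from exported customer list": 2.0,
                         "restore ERP from backup at DR site": 6.0}),
    Activity("Payroll processing", mtpd_hours=24, rto_hours=24,
             mbco="pay all staff base salary",
             strategies={"outsourced payroll bureau": 12.0}),
    Activity("Customer support line", mtpd_hours=12, rto_hours=8,
             mbco="answer priority-1 calls",
             strategies={"failover call routing to secondary site": 12.0}),
    Activity("Warehouse dispatch", mtpd_hours=48, rto_hours=24,
             mbco="", strategies={}),
]


if __name__ == "__main__":
    for name, problems in check_register(SAMPLE_REGISTER).items():
        print(f"{name}: {'; '.join(problems)}")
    print("Recovery priority:", " > ".join(recovery_priority(SAMPLE_REGISTER)))
```

Running it flags payroll (RTO equal to MTPD leaves no margin), the support line (the only strategy is slower than the RTO) and warehouse dispatch (no MBCO and no strategy), while invoicing passes because the manual workaround beats its four-hour RTO. The same checks can be run again each time the register is updated, which is the evidence of maintenance that surveillance audits look for.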

Step 6: Develop Business Continuity Strategies and Plans

Once you know which activities are critical and what risks threaten them, you develop strategies to protect and recover those activities. Strategies might include:

  • Alternate work locations or remote working arrangements
  • Backup suppliers or dual sourcing for critical inputs
  • Manual workarounds for IT-dependent processes
  • Cross-training staff to cover key person dependencies
  • Data backup and recovery arrangements
  • Emergency communication systems

Strategies then get translated into documented business continuity plans. A business continuity plan is not a general document. It is a specific, actionable set of instructions for a specific scenario, covering who does what, in what order, using what resources, and how they communicate. Plans should be written clearly enough that someone unfamiliar with the process could follow them under stress.

You will also need an incident response procedure that covers how disruptions are detected, escalated, and declared. This connects your day-to-day operations to your business continuity plans.

Step 7: Train Your Team and Exercise Your Plans

ISO 22301 requires you to demonstrate that your plans actually work. That means exercising them, and documenting those exercises. A plan that has never been tested is not a plan. It is a hypothesis.

There are several types of exercises you can conduct:

  • Tabletop exercises: Discussion-based walkthroughs of a scenario with key personnel. Low cost, good for testing awareness and decision-making.
  • Functional exercises: Activating specific parts of the plan in a controlled environment without full operational disruption.
  • Full simulation exercises: Testing the complete response to a realistic scenario, including communications, recovery activities, and stakeholder management.

You do not need to run a full simulation before your certification audit, but you do need at least one documented exercise that demonstrates the plans have been tested and that lessons learned have been captured and acted upon. Our article on how to run a business continuity exercise under ISO 22301 covers this in practical detail.

Staff training is also a formal requirement. Everyone whose role involves the BCMS needs to understand their responsibilities. Document who received what training and when.

Step 8: Implement Internal Audits and Management Reviews

Before you apply for certification, you need to have completed at least one internal audit of your BCMS and one management review. These are not optional extras. They are formal requirements of the standard, and auditors will look for evidence that both have occurred.

Your internal audit needs to assess whether your BCMS conforms to the requirements of ISO 22301 and whether it is effectively implemented and maintained. The auditor must be someone other than the person responsible for the area being audited. If you do not have internal audit capability, you can engage an external consultant to conduct the internal audit on your behalf.

The management review is a formal meeting where top management reviews the performance of the BCMS, considers changes in context and risk, evaluates whether the policy and objectives remain appropriate, and makes decisions about resources and improvements. Minutes must be kept.

For guidance on running audits that genuinely find problems rather than just ticking boxes, see our article on how to run ISO internal audits that actually find problems.

Step 9: Choose an Accredited Certification Body

Choosing the right certification body matters more than most businesses realise. Not all certification bodies carry the same credibility. You want a body that is accredited by a recognised national accreditation body, such as JAS-ANZ in Australia and New Zealand, or UKAS in the United Kingdom.

Accreditation means the certification body has been independently assessed and found competent to certify against specific standards. A certificate issued by an unaccredited body may not be accepted by your clients or by government procurement processes.

When evaluating certification bodies, consider their experience with ISO 22301 specifically, their industry knowledge, their audit approach, their fees, and their turnaround time for audit reports. Get at least two or three quotes so you can compare. Our article on how to select the best ISO certification body includes a free checklist to help you evaluate your options.

Step 10: Stage 1 and Stage 2 Certification Audits

ISO 22301 certification involves a two-stage audit process.

Stage 1 Audit

The Stage 1 audit is primarily a review of your documentation and of your readiness for Stage 2. The auditor checks that your BCMS is designed to meet the requirements of ISO 22301. They will review your scope, your policy, your BIA, your risk assessment, your plans, your internal audit records, and your management review minutes. They are not yet assessing whether everything is fully operational. They are checking that the foundations are in place.

At the end of Stage 1, the auditor will identify any areas that need attention before Stage 2. These are not formal nonconformances yet, but they are issues that could prevent certification if not addressed. You typically have a few weeks between Stage 1 and Stage 2 to resolve them.

Stage 2 Audit

The Stage 2 audit is the main event. Auditors will interview staff, observe processes, review evidence, and test whether your BCMS is genuinely implemented and effective. They will look for evidence of your exercises, your training records, your corrective actions, and your continual improvement activities.

Nonconformances raised during Stage 2 must be addressed before the certificate is issued. Major nonconformances require a full corrective action with evidence before certification can proceed. Minor nonconformances may be accepted with a corrective action plan, with verification at the next surveillance audit.

Step 11: Receive Your Certificate and Maintain Your BCMS

Once Stage 2 is complete and any nonconformances are resolved, the certification body issues your ISO 22301 certificate. Certificates are typically valid for three years, with annual surveillance audits in years one and two, and a full recertification audit in year three.

Maintaining certification requires ongoing effort. You need to keep your BIA and risk assessment current, continue exercising your plans, conduct annual internal audits, hold regular management reviews, and manage any changes to your business that affect your BCMS. For a detailed look at what ongoing maintenance involves, see our guide on how to maintain ISO 22301 certification year after year.

Do not let your BCMS become a static document collection after you receive your certificate. Auditors at surveillance audits will look for evidence of continual improvement and active management. A BCMS that has not been updated since the initial certification will raise serious concerns.

How Long Does ISO 22301 Certification Take?

For most organisations, the implementation and certification process takes between three and nine months. Smaller, less complex organisations with strong leadership support can move faster. Large organisations with multiple sites, complex operations, or limited internal resources will take longer.

The main time drivers are the BIA and risk assessment (which require significant stakeholder engagement), plan development, and completing the mandatory internal audit and management review cycle before applying for certification.

Rushing the process is a mistake. A poorly conducted BIA will undermine your entire BCMS. Take the time to do it properly.

Do You Need a Consultant?

You do not always need a consultant, but for most organisations pursuing ISO 22301 for the first time, experienced guidance makes a significant difference. Business continuity is a specialist discipline. The BIA methodology, recovery strategy development, and exercise design all benefit from someone who has done it before.

If you decide to engage a consultant, choose carefully. Look for someone with direct ISO 22301 experience, not just general ISO consulting experience. Ask to see examples of BIAs they have facilitated and exercises they have designed. Check their references.

If you are comparing consultants and want to make sure you are getting genuine expertise at a fair price, CertBetter can help. Submit one form and receive up to three competing quotes from verified ISO consultants and accredited certification bodies. The service is completely free for businesses seeking certification. It is a straightforward way to compare your options without spending hours searching and chasing responses.


Frequently Asked Questions

How is ISO 22301 different from a disaster recovery plan?

A disaster recovery plan is typically focused on restoring IT systems after a failure. ISO 22301 covers a much broader scope, including all time-sensitive business activities, not just technology. It also requires a management system approach, meaning ongoing governance, testing, internal audits, and management reviews rather than a one-time document. A disaster recovery plan might be one component within an ISO 22301 compliant BCMS, but it does not replace the full standard.

How much does ISO 22301 certification cost?

Costs vary depending on the size and complexity of your organisation, whether you engage a consultant, and which certification body you choose. For a small to medium business, total costs including consulting, internal preparation, and certification audit fees typically range from $15,000 to $50,000 AUD. Larger organisations with multiple sites will pay more. Getting multiple quotes through a platform like CertBetter is the most efficient way to understand what the market is charging for your specific situation.

Can a small business get ISO 22301 certified?

Yes. ISO 22301 is applicable to organisations of any size. The standard scales to fit the complexity of your operations. A small business with a narrow scope and straightforward operations can implement a BCMS that is genuinely effective and certifiable without the overhead that a large enterprise would face. The key is defining a realistic scope and not over-engineering your documentation.

Who needs to be trained under ISO 22301?

All staff whose roles are relevant to the BCMS need to understand their responsibilities under the system. This includes those involved in activating and executing business continuity plans, those responsible for reporting incidents, and those in leadership roles with BCMS oversight responsibilities. Formal training records must be kept. The depth of training varies by role, from awareness-level training for general staff to detailed plan-specific training for those with active response roles.

How often do business continuity plans need to be exercised?

ISO 22301 does not specify a fixed frequency, but it does require that exercises are planned, conducted, and evaluated on a regular basis. Most organisations conduct at least one exercise per year, with some conducting more frequent tabletop exercises for specific scenarios. The important thing is that exercises are documented, that lessons learned are captured, and that improvements are made to plans as a result. An untested plan is not considered adequate by auditors.

Does the whole organisation have to be in scope?

No. You can define a scope that covers specific services, locations, or business units. This is common for organisations that are pursuing certification to satisfy a particular client requirement or to demonstrate resilience in a specific part of their operations. The scope must be clearly documented and justified, and your BCMS must fully cover everything within that defined scope. You can expand the scope at recertification or through a scope extension process during the certification cycle.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
