Is ISO 22301 Mandatory for Any Industry in the United Kingdom?

CertBetter

Team CertBetter


The Short Answer: No, But It Is More Complicated Than That

ISO 22301 is not a legal requirement for any industry in the United Kingdom. No Act of Parliament, no statutory instrument, and no regulatory body currently mandates that organisations must hold ISO 22301 certification to operate. If you have been told otherwise by a consultant or certification body, that is worth questioning.

But here is where it gets more nuanced. Across several UK industries, regulators, procurement bodies, and major clients either strongly expect business continuity capabilities or effectively require them through contractual and licensing obligations. ISO 22301 has become the most widely recognised way to demonstrate those capabilities. So while the standard itself is not law, the underlying requirement for robust business continuity management often is, or it might as well be for practical purposes.

This article walks through which UK industries face the strongest pressure to implement ISO 22301, what the regulatory landscape actually looks like, and how to decide whether certification is the right path for your organisation.

What ISO 22301 Actually Requires

Before diving into sector-specific obligations, it helps to understand what you are actually committing to when you pursue ISO 22301 certification. The standard specifies requirements for a Business Continuity Management System, commonly referred to as a BCMS. It is built around the same high-level structure as other ISO management system standards, so if your organisation already holds ISO 9001 or ISO 27001, many of the structural elements will feel familiar.

At its core, ISO 22301 requires organisations to:

  • Understand the context of the organisation and identify threats to continuity
  • Define the scope of the BCMS and set clear objectives
  • Conduct a Business Impact Analysis to understand which functions are critical
  • Develop and maintain business continuity plans and recovery strategies
  • Test and exercise those plans on a regular basis
  • Review and improve the system continuously

The standard does not prescribe exactly how you recover from a disruption. It requires that you have thought it through, documented it, tested it, and can demonstrate it to an auditor. That distinction matters when you are comparing it to a basic disaster recovery plan, which tends to be narrower in scope and less formally governed. If you want to understand the difference in more depth, the article on what is the difference between ISO 22301 and a disaster recovery plan covers this well.

UK Sectors Where Business Continuity Is Effectively Mandated

Financial Services and Banking

This is the sector where the pressure to have ISO 22301 or an equivalent BCMS is strongest in the UK. The Prudential Regulation Authority and the Financial Conduct Authority both require regulated firms to maintain operational resilience and business continuity capabilities as a condition of authorisation. The PRA Rulebook and FCA Handbook contain explicit requirements around continuity planning, impact tolerances, and recovery capabilities.

The Bank of England's operational resilience policy, which came into full effect in March 2025, requires firms to identify their important business services, set impact tolerances, and be able to remain within those tolerances during severe but plausible disruptions. ISO 22301 is not named in that policy, but it is the most widely used framework for meeting those expectations in practice. Many large UK banks and insurers hold ISO 22301 certification and require their critical suppliers to demonstrate equivalent capabilities.

If you are a fintech, a payment processor, or a third-party service provider to a regulated financial institution, expect your clients to ask for evidence of a BCMS. That request may come in the form of a supplier questionnaire, a contractual clause, or a direct audit of your operations.

Critical National Infrastructure

The UK government's Centre for the Protection of National Infrastructure identifies thirteen sectors as critical national infrastructure, including energy, water, transport, health, and communications. Operators in these sectors face obligations under legislation such as the Network and Information Systems Regulations 2018, the Civil Contingencies Act 2004, and sector-specific licensing conditions.

The Civil Contingencies Act places duties on Category 1 responders, which include local authorities, emergency services, NHS trusts, and utility providers, to maintain business continuity plans and promote business continuity management more broadly. Again, ISO 22301 is not named in the legislation, but it provides a structured way to meet those statutory duties and demonstrate compliance to regulators.

For energy sector operators, Ofgem licence conditions require contingency planning. For water companies, the Water Industry Act and Ofwat expectations include continuity requirements. Telecoms providers operating under Ofcom's general conditions must take all reasonably practicable steps to maintain continuity of service. ISO 22301 is regularly used as the framework for evidencing compliance in all of these contexts.

Healthcare and the NHS Supply Chain

NHS England and NHS Improvement have long required NHS trusts and foundation trusts to maintain business continuity plans as part of their core operational requirements. The NHS Standard Contract includes business continuity obligations for providers of NHS-funded services. NHS England's own Business Continuity Management Framework references ISO 22301 as the benchmark standard.

For private healthcare providers and suppliers to the NHS, the picture is similar. If you are bidding for NHS contracts, particularly for clinical services, medical devices, or critical IT systems, you will almost certainly encounter business continuity requirements in the tender process. ISO 22301 certification is increasingly used as a pass or fail criterion at the prequalification stage.

Central and Local Government Procurement

UK government procurement frameworks, particularly those managed through the Crown Commercial Service, routinely include business continuity requirements for suppliers of critical services. The Cabinet Office has published guidance on supply chain resilience that references ISO 22301 as a recognised standard for demonstrating continuity capability.

If your organisation supplies services to government departments, defence, or public sector bodies, you should expect to face questions about your BCMS in tender documents. For high-value or high-criticality contracts, ISO 22301 certification may be listed as a minimum requirement or as a scored criterion that directly affects your bid evaluation.

This connects to a broader point about ISO certification and government tenders. The article on which ISO certification is required for government tenders covers how these requirements work across different standards and contract types.

Information Technology and Managed Services

IT service providers, managed service providers, and cloud services companies face business continuity expectations from multiple directions. Their clients expect continuity capabilities, their own ISO 27001 certification often creates pressure to implement a BCMS as a complementary control, and major frameworks like Cyber Essentials Plus and the UK government's Digital Marketplace requirements increasingly reference resilience and continuity.

ISO 22301 and ISO 27001 are frequently implemented together in this sector because information security and business continuity are closely related. A security incident that takes down your systems is a business continuity event. If you are already certified to ISO 27001, adding ISO 22301 to your management system is often more straightforward than starting from scratch, since many of the documentation and governance structures already exist.

Where ISO 22301 Is Strongly Recommended But Not Required

Beyond the sectors above, there are many UK industries where ISO 22301 is not required by law or regulation but where having it provides a genuine competitive and operational advantage.

Professional Services and Legal Firms

Law firms, accountancy practices, and consulting firms hold sensitive client data and provide services that clients depend on. The Solicitors Regulation Authority expects firms to have arrangements in place to maintain client services during disruptions, and ISO 22301 is an increasingly common way to demonstrate that. For larger firms competing for corporate mandates, certification is becoming a differentiator in the same way ISO 27001 has become standard in this sector over the past decade.

Logistics and Supply Chain

The disruptions of recent years, from port congestion to extreme weather events, have pushed business continuity up the agenda for logistics companies. Major retailers and manufacturers now include business continuity requirements in their supplier contracts. ISO 22301 gives logistics providers a credible way to demonstrate resilience to their clients and to differentiate themselves in a competitive market.

Education and Higher Education

Universities and larger further education institutions in the UK are increasingly implementing ISO 22301, particularly those with significant research operations, international student populations, or large-scale IT infrastructure. While there is no regulatory mandate, the Office for Students expects providers to maintain continuity of provision, and ISO 22301 provides a recognised framework for doing so.

How to Decide Whether Your Organisation Needs ISO 22301

Rather than asking whether ISO 22301 is mandatory for your industry, a more useful question is whether your organisation faces any of the following situations:

  • You operate in a regulated sector where business continuity is a licensing or authorisation condition
  • You supply services to the NHS, central government, or critical national infrastructure operators
  • Your clients include large enterprises or financial institutions that require evidence of a BCMS
  • You hold ISO 27001 and want to extend your resilience framework in a structured way
  • You have experienced a disruption that exposed gaps in your recovery capability
  • You are bidding for contracts where business continuity is a scored criterion

If any of these apply, ISO 22301 certification is worth serious consideration. If none of them apply and your operations are relatively simple, a well-documented business continuity plan that meets the spirit of the standard may be sufficient without formal certification.

It is also worth understanding what maintaining certification involves before you commit. The article on how to maintain ISO 22301 certification year after year gives a practical picture of the ongoing commitment required.

The UK Regulatory Landscape Post-Brexit

One question that comes up regularly is whether Brexit has changed the picture for ISO 22301 in the UK. The short answer is that it has not changed the fundamental status of the standard, but it has added some complexity around mutual recognition and cross-border operations.

ISO 22301 is an international standard published by the International Organization for Standardization. It is not an EU standard and was not affected by Brexit in terms of its content or validity. Certification bodies accredited by the United Kingdom Accreditation Service (UKAS) continue to issue ISO 22301 certificates that are recognised internationally through the International Accreditation Forum's multilateral recognition arrangements.

For UK organisations operating in EU markets, it is worth checking whether your EU clients or EU regulators have specific requirements around accreditation. UKAS accreditation is generally accepted, but for some regulated sectors, EU-based accreditation may be preferred. This is more of an operational consideration than a legal one for most businesses.

Choosing the Right Approach to ISO 22301 in the UK

If you have decided that ISO 22301 certification is the right path, the next step is finding the right support. The standard has meaningful depth, particularly around the Business Impact Analysis and the testing and exercising requirements, and organisations that try to implement it purely through templates often struggle to produce a BCMS that functions in practice rather than just on paper.

A good ISO 22301 consultant will have experience in your specific sector, understand the regulatory context you operate in, and be able to help you build a system that genuinely works rather than one that just satisfies an auditor on the day. Choosing the right certification body matters too, since the quality of the audit process varies considerably across the market. The article on top ISO certification bodies in the UK provides a useful breakdown if you are at that stage of the process.

One practical issue that many UK businesses face is the time and cost involved in finding and comparing qualified providers. You can spend weeks going back and forth with consultants and certification bodies, getting quotes that are difficult to compare because they are scoped differently. CertBetter was built to solve exactly that problem. You submit one form describing your organisation and your certification goals, and you receive up to three competing quotes from vetted consultants and certification bodies. The service is completely free for businesses seeking certification. It is a straightforward way to get a realistic picture of what ISO 22301 will cost and who is best placed to help you in your sector.


Frequently Asked Questions

ISO 22301 is not a legal requirement for any industry in the UK. No legislation directly mandates certification to this standard. However, several regulated sectors including financial services, healthcare, utilities, and critical national infrastructure have regulatory obligations around business continuity that ISO 22301 is commonly used to satisfy. The standard is also frequently required by government procurement frameworks and large enterprise clients as a contractual condition.

Financial services firms regulated by the PRA and FCA face the strongest regulatory pressure, followed by NHS trusts and healthcare providers, utilities and critical national infrastructure operators, and IT managed service providers. Government suppliers and organisations in the defence supply chain also face significant pressure through procurement requirements. In all of these sectors, ISO 22301 has become the de facto standard for demonstrating business continuity capability.

The Civil Contingencies Act 2004 places duties on Category 1 responders, including local authorities, emergency services, and NHS trusts, to maintain business continuity plans and promote business continuity management. The Act does not name ISO 22301 specifically, but the standard provides a structured and auditable way to meet those statutory duties. Many Category 1 responders use ISO 22301 as their framework for compliance with the Act's requirements.

In many cases, yes. If your organisation does not operate in a regulated sector and does not face contractual requirements from clients or procurement bodies, a well-structured business continuity plan may be sufficient without formal certification. ISO 22301 certification becomes necessary when you need to demonstrate your capabilities to an external party, whether that is a regulator, a client, or a procurement body, in a way that carries independent third-party assurance.

Brexit did not affect the validity of ISO 22301 certificates issued by UKAS accredited certification bodies. ISO 22301 is an international standard and UK certificates are recognised globally through the International Accreditation Forum's multilateral recognition arrangements. UK organisations operating in EU markets should confirm with their EU clients or regulators whether UKAS accreditation is accepted, as some EU regulated sectors may prefer EU-based accreditation, but this is uncommon in practice.

For most small to medium-sized organisations, the implementation process takes between three and nine months depending on the complexity of the organisation, the maturity of existing business continuity arrangements, and the resources available internally. Larger or more complex organisations, particularly those in regulated sectors with multiple sites or critical services, may take twelve months or more. Working with an experienced consultant typically reduces the timeline significantly by avoiding common implementation mistakes.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
