Why Accounting Firms Are a Prime Target for Disruption
Accounting firms handle some of the most sensitive and time-critical work in any business ecosystem. Tax lodgements, payroll processing, audit sign-offs, financial reporting deadlines. None of these wait for a ransomware attack to resolve itself, a flood to recede, or a key partner to return from sick leave.
Yet most accounting practices, from sole practitioners to mid-sized firms, have no formal plan for what happens when something goes seriously wrong. They have backups, maybe. A rough idea of who calls who. But an actual documented, tested, and certified business continuity management system? Rarely.
That is exactly what ISO 22301 certification for accounting firms addresses. And in a sector where client trust is everything, the ability to demonstrate that your firm will not go dark during a crisis is becoming a genuine competitive differentiator.
This guide walks you through what ISO 22301 actually requires, why it matters specifically for accounting practices, and how to get certified without turning your firm upside down.
What Is ISO 22301?
ISO 22301 is the international standard for Business Continuity Management Systems (BCMS). Published by the International Organization for Standardization (ISO), it provides a framework for organisations to anticipate disruptions, prepare responses, and recover critical functions within defined timeframes.
Unlike a simple disaster recovery plan sitting in a drawer, ISO 22301 requires you to build a living management system. That means documented processes, regular testing, trained staff, leadership commitment, and ongoing improvement. The certification is awarded by an accredited third-party certification body after a formal audit confirms your system meets the standard.
The current edition, ISO 22301:2019, follows the High Level Structure shared by other ISO management system standards (the same ten-clause layout used by ISO 27001 and ISO 9001). If your firm already holds ISO 27001 for information security, you will find a lot of familiar territory in ISO 22301. The two standards complement each other well, which we will come back to shortly.
Why Business Continuity Matters More for Accounting Firms Than Most Industries
Statutory and Regulatory Deadlines Cannot Be Missed
An accounting firm operates under a web of hard deadlines. Business Activity Statements, income tax returns, superannuation obligations, ASIC lodgements, payroll tax filings. These are not soft targets. Missing them can result in penalties for your clients, and in serious cases, professional liability claims against your firm.
When a disruption hits, whether it is a cyberattack, a burst pipe flooding your server room, or a critical staff member suddenly unavailable, the clock does not stop. ISO 22301 forces you to identify your most time-sensitive functions and build recovery plans that keep those functions running, or restore them fast enough to avoid real damage.
Client Data Is Extraordinarily Sensitive
Accounting firms hold financial records, tax file numbers, bank account details, payroll data, and in many cases, information about business structures that clients consider highly confidential. A breach or prolonged outage involving this data is not just an operational problem. It is a reputational crisis.
ISO 22301 works hand in hand with information security controls. Many firms pursue it alongside ISO 27001 for information security management, creating an integrated approach to both protecting data and ensuring the firm can continue operating if something goes wrong.
Clients Are Starting to Ask the Question
Corporate clients, particularly those in financial services, government, and listed companies, are increasingly scrutinising their professional service providers. Procurement teams and risk managers want to know: what happens to our financial data and our compliance obligations if your firm experiences a major incident?
A certified ISO 22301 BCMS gives you a credible, audited answer to that question. It is not a marketing claim. It is a third-party verified statement that your firm has a tested plan. For firms tendering for larger engagements or seeking to retain institutional clients, this certification is moving from a nice-to-have toward an expected credential.
What ISO 22301 Actually Requires
The standard is structured around the Plan-Do-Check-Act cycle, consistent with other ISO management systems. Here is what the key requirements look like in practice for an accounting firm.
Understanding the Organisation and Its Context
You start by identifying what could disrupt your firm and what the consequences would be. This means looking at internal factors (your systems, your people, your premises) and external factors (your supply chain, your regulatory environment, your geographic risks). For an accounting firm in Brisbane, cyclone season is a real consideration. For a Sydney CBD practice, a prolonged building access issue is worth planning for.
Business Impact Analysis
This is the engine room of ISO 22301. A Business Impact Analysis (BIA) requires you to map out every critical function your firm performs and determine, for each one: how long you can afford to be without it (the maximum tolerable period of disruption, or MTPD), the target time within which you will restore it (the recovery time objective, or RTO, which must never exceed the MTPD), how much data you can afford to lose (the recovery point objective, or RPO, which in practice dictates how recent your last good backup must be), and the minimum level of resources needed to keep the function running at an acceptable level.
For example, payroll processing for a client with a Friday pay run has a very short RTO, measured in hours. Preparation of an annual financial statement for a client whose year-end is three months away has far more flexibility. The BIA forces you to be specific and honest about these timeframes rather than assuming everything is equally urgent, and the numbers it produces are what your recovery plans and exercises are later measured against.
Risk Assessment
Once you know what matters most, you assess the likelihood and impact of threats to those functions. Cybersecurity incidents, key person dependency, technology failure, third-party supplier outages, and natural disasters are all common risk areas for accounting firms. ISO 31000 provides a useful risk management framework that integrates well with your BCMS risk assessment process.
Business Continuity Plans and Procedures
This is where the documented plans live. Your BCMS must include specific procedures for how your firm responds to and recovers from identified disruptions. These are not generic templates. They need to name roles, specify actions, include contact lists, and address the actual scenarios relevant to your firm.
For an accounting firm, typical plans might cover: responding to a ransomware attack that locks your practice management software, relocating staff if your office is inaccessible for more than 48 hours, and maintaining client communication during an extended outage.
Testing and Exercises
A plan that has never been tested is not a plan. ISO 22301 requires you to conduct regular exercises to validate that your procedures actually work. This can range from desktop walkthroughs with key staff to full simulations where you actually attempt to operate from a backup location using backup systems. Most firms start with tabletop exercises and build from there.
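The BIA logic above and the gap-finding role of exercises can be made concrete. The following is an added example written for this page, not code from the standard or from any certification body: a small BIA register that enforces the RTO-not-above-MTPD rule, orders functions by how little slack they have against their next deadline when a disruption starts, maps third-party dependencies to the functions that stop when a supplier fails, and compares what an exercise actually achieved against the recorded objectives. All function names, durations, deadlines and supplier names are constructed for illustration.

```python
"""Added example: a minimal ISO 22301-style BIA register with exercise checks.

All data below is constructed for illustration and does not describe a real firm.
Vocabulary assumed from the standard: MTPD (maximum tolerable period of
disruption), RTO (recovery time objective), RPO (recovery point objective).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    mtpd: timedelta            # how long the firm can tolerate the function being down
    rto: timedelta             # target time to restore it; must not exceed the MTPD
    rpo: timedelta             # acceptable data loss, i.e. maximum age of the last good backup
    next_deadline: datetime    # the statutory or client deadline this function serves
    depends_on: tuple[str, ...] = ()   # third parties and systems the function needs


def validate_objectives(fn: BusinessFunction) -> list[str]:
    """Sanity checks an auditor will apply to every BIA entry."""
    findings = []
    if fn.rto > fn.mtpd:
        findings.append(f"{fn.name}: RTO {fn.rto} exceeds MTPD {fn.mtpd}")
    if fn.rto <= timedelta(0) or fn.mtpd <= timedelta(0):
        findings.append(f"{fn.name}: recovery objectives must be positive durations")
    return findings


def slack(fn: BusinessFunction, disruption_start: datetime) -> timedelta:
    """Time left before the deadline if recovery takes exactly the RTO.
    Negative slack means the deadline is missed even when recovery goes to plan."""
    return (fn.next_deadline - disruption_start) - fn.rto


def prioritise(functions, disruption_start: datetime) -> list[str]:
    """Recovery order: least slack first. This is what the BIA should yield,
    rather than treating every function as equally urgent."""
    return [fn.name for fn in sorted(functions, key=lambda f: slack(f, disruption_start))]


def supplier_exposure(functions) -> dict[str, list[str]]:
    """Map each third party to the functions that stop when it fails."""
    exposure: dict[str, list[str]] = {}
    for fn in functions:
        for dep in fn.depends_on:
            exposure.setdefault(dep, []).append(fn.name)
    return exposure


def assess_exercise(fn: BusinessFunction, measured_recovery: timedelta,
                    last_backup_age: timedelta) -> list[str]:
    """Compare what a tabletop or live exercise actually achieved with the objectives.
    Each finding is a gap to record and fix before the certification audit."""
    findings = []
    if measured_recovery > fn.rto:
        findings.append(f"{fn.name}: measured recovery {measured_recovery} exceeds RTO {fn.rto}")
    if last_backup_age > fn.rpo:
        findings.append(f"{fn.name}: last good backup is {last_backup_age} old, RPO is {fn.rpo}")
    return findings


# Constructed register. The disruption starts on a Thursday morning.
DISRUPTION_START = datetime(2024, 6, 20, 9, 0)
PAYROLL = BusinessFunction("Client payroll run", timedelta(hours=24), timedelta(hours=8),
                           timedelta(hours=4), datetime(2024, 6, 21, 12, 0),
                           ("PayrollPlatform", "BankPortal"))
BAS = BusinessFunction("BAS lodgement", timedelta(days=5), timedelta(days=2),
                       timedelta(days=1), datetime(2024, 7, 28, 23, 59), ("PracticeMgmtSaaS",))
ANNUAL = BusinessFunction("Annual financial statement", timedelta(days=20), timedelta(days=5),
                          timedelta(days=1), datetime(2024, 9, 30, 17, 0),
                          ("PracticeMgmtSaaS", "CloudStorage"))
# Deliberately inconsistent entry: an RTO longer than the MTPD.
AUDIT = BusinessFunction("Audit sign-off", timedelta(days=2), timedelta(days=3),
                         timedelta(days=1), datetime(2024, 6, 28, 17, 0), ("PracticeMgmtSaaS",))
FUNCTIONS = (PAYROLL, BAS, ANNUAL, AUDIT)


if __name__ == "__main__":
    for fn in FUNCTIONS:
        for finding in validate_objectives(fn):
            print("BIA defect:", finding)
    print("Recovery order:", prioritise(FUNCTIONS, DISRUPTION_START))
    print("Supplier exposure:", supplier_exposure(FUNCTIONS))
    # Exercise result: payroll took 12 hours to restore from a backup 2 hours old.
    for finding in assess_exercise(PAYROLL, timedelta(hours=12), timedelta(hours=2)):
        print("Exercise gap:", finding)
```

Running it flags the audit sign-off entry as internally inconsistent, puts the payroll run first in the recovery order with 19 hours of slack, shows that one practice management vendor underpins three of the four functions, and records a payroll exercise that missed its RTO by four hours. That last line is exactly the kind of finding, with its follow-up, that an auditor expects to see in your exercise records.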
Management Review and Continual Improvement
Like all ISO management systems, ISO 22301 requires leadership to review performance data, audit results, and exercise outcomes, then make decisions about improvements. This keeps the system current as your firm grows, changes its technology stack, or takes on new client types.
How to Get ISO 22301 Certified: A Practical Roadmap
Step 1: Secure Leadership Commitment
The partners or directors of the firm need to genuinely sponsor this project. ISO 22301 is not an IT project or an admin task. It requires decisions about resource allocation, acceptable risk levels, and recovery priorities that only senior leadership can make. Without that commitment, the system will be superficial and will not survive an audit.
Step 2: Appoint a BCMS Owner
Someone in the firm needs to own this. In a smaller practice, that might be a senior manager wearing multiple hats. In a larger firm, it could be a dedicated compliance or risk role. This person coordinates the BIA, drafts the plans, organises exercises, and manages the audit process. Getting the right person here matters enormously.
If your firm does not have the internal expertise to build the system from scratch, working with an experienced ISO consultant who understands professional services is a sensible investment. Choosing the right ISO consultant at this stage can save significant time and prevent costly rework before your audit.
Step 3: Conduct the Business Impact Analysis and Risk Assessment
This is typically the most time-intensive phase and should not be rushed. Interview the people who actually do the work, not just the managers. The person who runs payroll every Thursday knows exactly what systems and information they need. The tax manager knows which client deadlines are genuinely immovable. Capture that knowledge formally.
Step 4: Build Your Business Continuity Plans
Using the outputs of your BIA and risk assessment, develop documented plans for your priority scenarios. Keep them practical. A 40-page document that nobody has read is not a business continuity plan. A clear, action-oriented procedure that a staff member could follow under pressure is.
Step 5: Train Your People and Test Your Plans
Run your first tabletop exercise before you engage a certification body. You will almost certainly find gaps, and that is the point. Fix them, then test again. Certification auditors want to see evidence that you have exercised your plans and acted on the findings. A first-time exercise with a clean outcome actually looks suspicious.
Step 6: Select an Accredited Certification Body
Your ISO 22301 certificate is only as credible as the body that issues it. In Australia, certification bodies should be accredited by JAS-ANZ, the Joint Accreditation System of Australia and New Zealand. Do not accept a certificate from an unaccredited body, particularly if you intend to use the certification to satisfy client or tender requirements.
The audit process involves a Stage 1 review of your documentation and readiness, followed by a Stage 2 audit where the auditor assesses whether your BCMS is actually implemented and effective. After certification, you will have annual surveillance audits and a full recertification audit every three years.
Step 7: Manage Nonconformities and Improve
It is normal to receive findings during your certification audit. Major nonconformities must be resolved before the certificate is issued. Minor nonconformities are typically addressed within an agreed timeframe after certification. Do not treat audit findings as failures. They are the system working as intended.
Integrating ISO 22301 With ISO 27001
For accounting firms, the combination of ISO 27001 and ISO 22301 is particularly powerful. ISO 27001 addresses the confidentiality, integrity, and availability of information. ISO 22301 addresses the continuity of business operations. Together, they cover the two most likely catastrophic scenarios for an accounting firm: a data breach and an operational shutdown.
Because both standards use the same High Level Structure, a significant portion of your documentation, policies, management review processes, and internal audit programs can be shared across both systems. This reduces duplication and makes the integrated system easier to maintain. Many firms pursue both certifications simultaneously to take advantage of this efficiency.
If you are already certified to ISO 27001 and considering adding ISO 22301, the incremental effort is considerably less than starting from scratch. Your existing risk assessment methodology, document control processes, and internal audit program all carry across with relatively minor adaptation.
Common Mistakes Accounting Firms Make With ISO 22301
Treating It as a One-Time Documentation Exercise
The most common failure mode is building a system for the audit and then leaving it on a shelf. ISO 22301 requires ongoing maintenance. Plans need to be updated when staff change, when you migrate to a new practice management platform, or when you take on a new major client with different risk characteristics. Surveillance audits will expose a system that has not been maintained.
Underestimating Key Person Dependency
Many accounting firms are built around one or two senior practitioners who hold critical client relationships and technical knowledge. If that person is unavailable for an extended period, the firm faces a genuine continuity crisis. ISO 22301 forces you to confront this honestly and put succession arrangements, cross-training, or documented knowledge transfer processes in place.
Ignoring Third-Party Dependencies
Your practice management software provider, your cloud storage vendor, your payroll platform. These are all third parties whose outages can directly affect your ability to serve clients. Your BCMS needs to address what happens when a critical supplier fails, not just when your own systems go down.
The Business Case in Plain Numbers
The cost of ISO 22301 certification for an accounting firm typically ranges from around $8,000 to $25,000 depending on firm size, complexity, and whether you use a consultant. That includes consultant fees, certification body fees, and internal time.
Compare that to the potential cost of a single serious incident: a ransomware attack on a mid-sized accounting firm can cost well over $100,000 when you account for recovery costs, lost billings, client remediation, and reputational damage. The certification cost is not just a compliance expense. It is a risk management investment with a clear return.
Beyond risk mitigation, firms that can demonstrate ISO 22301 certification are better positioned to win and retain larger clients, particularly in financial services and government sectors where supply chain risk management is taken seriously.
Getting Started Without Getting Overwhelmed
If you are reading this as a partner or manager of an accounting firm and thinking this sounds like a significant undertaking, you are right. It is not trivial. But it is also not as complex as it might appear when approached systematically with the right guidance.
The best starting point is a gap analysis. Before you commit to a full implementation project, have someone with ISO 22301 experience assess what your firm already has in place and what needs to be built. Most firms are surprised to find they already have elements of a BCMS in informal practices. The work is often about formalising, documenting, and connecting what already exists, rather than building everything from scratch.
If you want to compare quotes from verified ISO consultants and certification bodies who have experience working with professional services firms, CertBetter makes that process straightforward. Submit one form and receive up to three competing quotes from vetted providers, at no cost to your firm.