ISO 22301.

ISO 22301 is the international standard for business continuity management systems (BCMS). Specifies the requirements to plan, operate, monitor and improve a BCMS that gets critical operations running again after disruption. Increasingly demanded by financial regulators since DORA, and by NIS 2 supervisors for operators of essential services.

By Christophe Mazzola, Practicing CISO · Founder of Cyber AcademyResilience & continuityAll entries

The Cyber Academy take

ISO 22301 is the international standard for business continuity management systems (BCMS). Specifies the requirements to plan, operate, monitor and improve a BCMS that gets critical operations running again after disruption. Increasingly demanded by financial regulators since DORA, and by NIS 2 supervisors for operators of essential services.

ISO 22301 is the requirements standard for a business continuity management system, a BCMS. It sets out what an organisation must do to keep critical operations running through disruption.

What ISO 22301 actually asks for

The word system matters. ISO 22301 is not a plan you write once and file. It is a managed cycle.

That cycle has four parts:

  • Understand what your organisation does.
  • Decide which activities you cannot afford to lose for long.
  • Build the capability to keep them running, or recover them fast.
  • Keep that capability honest through exercises, reviews, and improvement.

Because it is a requirements standard, an accredited body can audit and certify you against it. That gives a customer or a regulator something concrete to trust.

A shared structure with other ISO standards

ISO 22301 follows the High-Level Structure, like ISO 27001 and other modern ISO management system standards. So it shares the same skeleton:

  • Context of the organisation
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance evaluation
  • Improvement

It all runs on a Plan-Do-Check-Act loop. This is a gift if you already run an information security management system. You reuse the same governance, the same risk language, and the same internal audit machinery. You bolt continuity on top instead of building a parallel structure.

The work behind the certificate

Three activities sit at the heart of a programme. A practitioner spends most of their time here, not on documentation.

Business impact analysis

The BIA identifies your prioritised activities. It works out how quickly each one has to be back.

This is what produces the recovery time objectives. Those objectives drive every later decision. Without a defensible BIA, your continuity strategy is guesswork.

Risk assessment

Here you look at what could disrupt those prioritised activities. Examples include:

  • A ransomware outbreak
  • A supplier failure
  • A flooded data centre

This way your strategy addresses real threats, not a generic checklist.

Continuity strategy and plans

Now you use the BIA and the risk picture. You choose how to protect and recover each activity. Then you write and resource the procedures that people actually follow when the lights go out.

Why regulators increasingly point to it

ISO 22301 used to be a quiet operational-resilience standard. Mature organisations adopted it by choice. That has changed.

Financial regulators now lean on DORA. Supervisors enforce NIS 2. Both now expect demonstrable continuity capability for critical operations. ISO 22301 is the most recognised way to evidence it.

The standard names no specific regulation. But its discipline maps cleanly onto what those regimes demand:

  • Prioritised activities
  • Defined recovery objectives
  • Tested plans
  • Mapped dependencies

Certifying against it lets you answer a supervisor with an independent attestation, not a self-assessment.

How it relates to ISO 27001

A common point of confusion is the link with ISO 27001. They are siblings, not substitutes.

  • ISO 27001 governs information security. It protects the confidentiality, integrity, and availability of information.
  • ISO 22301 governs continuity. It keeps the business operating through disruption.

Availability is the bridge between them. An organisation serious about resilience often runs both. It certifies them together to share audits and management reviews.

Continuity is the answer to a question security alone cannot solve. What happens when prevention fails and you still have to deliver?

Frequently asked questions

01Is ISO 22301 a certification or just guidance?

It is a certifiable requirements standard. An accredited certification body can audit your business continuity management system against it and issue a certificate, which is what makes it useful for answering customers and regulators.

02What is the difference between ISO 22301 and a disaster recovery plan?

Disaster recovery is mostly about restoring IT systems. ISO 22301 covers the whole organisation, people, premises, suppliers, and processes, and asks whether you can keep delivering critical products and services while technical recovery is under way. DR is one component of continuity, not the whole of it.

03Do I need ISO 22301 if I already hold ISO 27001?

Not automatically, but they complement each other. ISO 27001 protects information; ISO 22301 keeps the business running when something fails. Because both follow the same High-Level Structure, many organisations run and certify them together to share governance and audits.

04What is the role of the business impact analysis?

The BIA identifies your prioritised activities and how quickly each must be recovered. It produces the recovery time objectives that drive your whole continuity strategy, so a sound BIA is the foundation of a credible BCMS.

05Does DORA or NIS 2 require ISO 22301?

Neither names the standard, but both expect demonstrable continuity and operational resilience for critical activities. ISO 22301 certification is a widely recognised way to evidence that capability to a supervisor with independent assurance rather than self-assessment.

Need more than a definition?

Book a free 20-minute discovery call. We map the cohort that turns this term into an audit-ready practice.