ISO 22301 Certification (Business Continuity Management System)

What ISO 22301 is (in operational terms)

ISO 22301 is a management system for keeping critical services running (or restoring them quickly) when disruptions happen. Audits focus on whether you have a defensible continuity scope, realistic recovery objectives, tested plans, and evidence that decisions and improvements are maintained over time.

Typical scope choices that affect the audit

• Which services/products are truly critical and included in scope.
• Which sites, vendors, data centers, and outsourced processes are in scope.
• Regulatory/customer contractual obligations (availability, SLA penalties).
• Technology vs people dependencies (key roles, single points of failure).

Key ISO 22301 requirements (what auditors actually look for)

• BIA: how you identify impacts and prioritize recovery.
• Risk assessment: disruptions considered and mitigation decisions.
• Recovery objectives: RTO/RPO (where relevant) and supporting rationale.
• Continuity strategies: alternate sites, redundancy, manual workarounds.
• Plans & exercises: documented plans and tested scenarios with lessons learned.
• Performance & improvement: internal audits, management review, corrective actions.

Evidence pack (examples you can prepare)

• BCMS scope statement + boundary diagram.
• BIA outputs (critical activities, dependencies, priorities).
• Risk assessment + treatment actions.
• Continuity plans + contact trees + roles.
• Exercise/test records + after-action reports + improvements.
• Supplier continuity requirements + evidence (where applicable).

Related certificates

ISO 22301 is often paired with ISO 27001 for resilient information security and incident response planning.

ISO 27001