v2026.1714 entries · CC-BY 4.0
CASRAI

Definition · Plain-language

ISO 22301

ISO 22301 is the international standard specifying requirements for a business continuity management system (BCMS), helping organisations prepare for, respond to and recover from disruptions.

What ISO 22301 requires

ISO 22301 specifies requirements for establishing, implementing, maintaining and continually improving a business continuity management system. The standard introduces several key concepts. A business impact analysis (BIA) identifies which activities are critical to the organisation, quantifies the consequences of their disruption over time and determines maximum tolerable periods of disruption. Recovery time objectives (RTOs) define the maximum acceptable duration for restoring a particular function or service after a disruption. Recovery point objectives (RPOs) define the maximum acceptable quantity of data loss, typically expressed as a time interval — for example, the system must be restorable to a state no older than four hours before the incident. Business continuity plans (BCPs) are documented procedures for managing and responding to disruptions, including incident response, escalation, communication and recovery actions. The BCMS provides the governance framework within which these elements are systematically managed, tested and improved.

Structure and the 2019 revision

ISO 22301:2019 (second edition, replacing the 2012 version) adopted the common High-Level Structure (Annex SL), aligning its clause structure with ISO 9001, ISO 14001 and ISO/IEC 27001. This alignment enables organisations to integrate their BCMS with existing management systems, sharing documentation, internal audit programmes and management reviews. The 2019 revision placed greater emphasis on outcomes — what the BCMS achieves — rather than prescriptive activities, and improved alignment with other ISO management system standards. Key requirements include:

  • leadership commitment and business continuity policy
  • understanding of the organisation and its context
  • risk assessment and business impact analysis
  • operational planning and control
  • business continuity plans and recovery procedures
  • exercising and testing the plans at planned intervals
  • internal audit and management review
  • continual improvement following exercise findings, incidents and changes in context

Certification and sector applications

ISO 22301 certification is carried out by accredited third-party certification bodies following a two-stage audit process: Stage 1 reviews BCMS documentation against the standard; Stage 2 assesses the implementation and operation of the system in practice. Certificates are valid for three years with annual surveillance audits. The standard is widely adopted in sectors where continuity of operation is critical: financial services and banking (where regulatory resilience requirements increasingly reference ISO 22301); healthcare (maintaining patient care during disruptions); telecommunications and utilities (essential-service provision); and public-sector and government bodies (civil contingencies). ISO 22301 complements ISO/IEC 27001 — many organisations certify to both, with the BCMS addressing operational continuity and the ISMS addressing information security. The standard also relates to ISO 31000 (the international risk management framework), with BCMS risk assessment processes aligned to ISO 31000 principles.

Key facts

At a glance

  • Standard: ISO 22301:2019 (second edition)
  • Purpose: specifies requirements for a business continuity management system (BCMS)
  • Key concepts: business impact analysis (BIA), recovery time objective (RTO), recovery point objective (RPO), business continuity plan (BCP)
  • Structure: High-Level Structure (Annex SL) — integrates with ISO 9001 and ISO/IEC 27001
  • Certifiable: yes, by independent third-party audit; certificates valid three years
  • Sector focus: financial services, healthcare, telecommunications, utilities, public sector, critical national infrastructure

Common misconceptions

What people often get wrong

Often heard: ISO 22301 is just a disaster recovery plan.

Actually: A business continuity plan is one component of ISO 22301, but the standard establishes a comprehensive management system encompassing prevention, threat monitoring, business impact analysis, planning, testing, continual improvement and governance — not a single document. A BCP produced without the BCMS management framework may not be reliably maintained, tested or improved over time.

Often heard: Only large organisations need ISO 22301.

Actually: ISO 22301 applies to organisations of any size. Smaller organisations may have simpler BCPs and less complex BCMSs, but the standard is designed to be scalable and proportionate. Many small and medium-sized enterprises hold ISO 22301 certification to meet customer contractual requirements or demonstrate resilience to supply-chain partners.

Often heard: ISO 22301 certification guarantees the organisation will never experience unplanned downtime.

Actually: ISO 22301 certifies that a systematic, tested BCMS is in place and that the organisation has plans and capabilities to respond to and recover from disruptions. It cannot eliminate all disruption. The standard's value is in ensuring the organisation is as prepared as reasonably practicable and can minimise recovery time when disruptions occur.
