Practical Guide · 16 pages · Free

ISO 22301 Business Continuity Certification: A Practical Guide

ISO 22301 certification is achievable within 6 to 12 months for most organisations. The organisations that fail their first attempt have almost always made the same preparation mistakes. This guide walks through every stage — from business impact analysis to Stage 2 audit — with the practical detail that makes the difference.

Published May 2026 · Resilience & Continuity · ISO 22301 Business Continuity BCP

What ISO 22301 Actually Requires

ISO 22301 is a management system standard — not a business continuity plan template. It requires organisations to establish, implement, maintain and continually improve a Business Continuity Management System (BCMS). The standard has nine clauses, of which clauses 4 through 10 contain the actual requirements. Clauses 4 to 6 cover context and planning; clauses 7 to 10 cover operation, performance, and improvement.

The most commonly misunderstood aspect of ISO 22301 is that it assesses the management system that produces your business continuity plans — not the plans themselves. A plan that would work in a real event but was produced through an undisciplined process is not ISO 22301 compliant. A plan produced through a disciplined, documented process is — even if it is less comprehensive than the first.

The Business Impact Analysis — Where Most Certification Efforts Go Wrong

The Business Impact Analysis (BIA) is the foundation of everything in ISO 22301. It identifies your critical business activities, determines the maximum tolerable period of disruption (MTPD) for each, establishes recovery time objectives (RTOs), and identifies the minimum resources required to resume each activity. Auditors consistently report that BIA quality is the single biggest differentiator between organisations that achieve first-time certification and those that do not.

The most common BIA failures are: activities assessed at the wrong level of granularity (too high-level to produce meaningful RTOs), MTPDs that have not been validated with the people who would actually feel the consequence of disruption, and resource assessments that list the resources that normally support an activity rather than the minimum resources required to resume it at an acceptable level.


Stage-by-Stage Certification Programme

Step 01
Scope definition and context establishment
Define what is and is not in scope for your BCMS. The scope must be realistic — auditors will assess whether your business continuity plans cover everything within the declared scope. A narrower, well-implemented scope is more defensible than a broad scope with partial coverage. Document your internal and external context: who are your interested parties, what are their requirements, and how do these affect what your BCMS must achieve?
Step 02
Business Impact Analysis
Identify all activities within scope. For each activity: determine the MTPD (the point at which consequences of disruption become unacceptable), establish the RTO (when the activity must be resumed to meet the MTPD), identify the minimum resources required, and document the dependencies — people, technology, facilities, suppliers — that the activity relies on. Validate MTPDs with stakeholders who understand the business consequence, not just the operational one.
Step 03
Business continuity risk assessment
Assess the threats that could cause disruption to your critical activities. For each threat: assess the likelihood of occurrence, the consequence if it materialises, and the existing controls that reduce either likelihood or consequence. Prioritise threats for continuity strategy development based on residual risk after existing controls.
Step 04
Continuity strategy development
For each critical activity, develop a recovery strategy: how will the activity be resumed within its RTO if the primary method of delivery is unavailable? Strategies must be realistic — they must reflect capacity and capability that actually exists, not theoretical alternatives. Document the assumptions and conditions under which each strategy is viable.
Step 05
Business continuity plan development
Document the plans that implement your recovery strategies: specific procedures, contact details, decision authority, resource activation procedures, and communication protocols. Plans must be specific enough to be executed by someone who was not involved in writing them — a test that is worth applying literally during the plan review process.
Step 06
Exercise and testing
Exercise your plans — a tabletop exercise at minimum, and a live exercise or drill for your highest-risk scenarios. Document the exercise: scenario, participants, outcomes, gaps identified, and actions assigned. An ISO 22301 auditor will review exercise records and assess whether identified gaps were addressed. An exercise that identified no gaps is typically treated with scepticism.
Step 07
Internal audit and management review
Conduct an internal audit of the BCMS against ISO 22301 requirements before the Stage 1 certification audit. The internal audit must be conducted by someone with ISO 22301 knowledge — either internal with training or an external resource. The management review must demonstrate that senior leadership has reviewed BCMS performance data and made decisions about improvement.
Step 08
Stage 1 certification audit
The Stage 1 audit is a documentation review — the certification body auditor assesses your BCMS documentation against ISO 22301 requirements. Prepare a comprehensive documentation package: scope statement, BIA outputs, risk assessment, continuity strategies, business continuity plans, exercise records, internal audit report, management review minutes. Stage 1 typically identifies items for clarification before Stage 2.
Key Insight

Stage 1 findings are not non-conformances — they are areas the auditor wants to examine in more detail at Stage 2. Address them substantively before Stage 2, not cosmetically.

Step 09
Stage 2 certification audit
The Stage 2 audit assesses implementation — whether your BCMS is actually operating as documented. The auditor will interview personnel, review records of BCMS activities, and verify that your plans and procedures reflect actual practice. The most common Stage 2 failures are plans that describe resources or procedures that do not actually exist, and BIA outputs that have not been updated to reflect current operations.

Common Mistakes That Delay Certification

  • BIA outputs not validated by the business. RTOs set by IT or quality teams without validation from operational managers who understand the consequence of disruption produce unrealistic targets that auditors challenge.
  • Plans that cannot be executed without the author. If the only person who can activate a recovery procedure is the person who wrote it, the plan has failed its fundamental purpose.
  • Exercise programmes that test the same scenario repeatedly. ISO 22301 requires exercises to test your plans — which means testing different plans and different scenarios over time, not repeatedly exercising the same desktop scenario.
  • Management review that is a formality. Auditors assess whether management review generates actual decisions about BCMS improvement. A management review that receives a report and notes it without generating actions does not demonstrate the continual improvement orientation that ISO 22301 requires.

ISO 22301 Certification Readiness Checklist

  • Scope is defined and documented — with a clear statement of what is and is not included
  • Business Impact Analysis completed at activity level with validated MTPDs, RTOs and minimum resource requirements
  • Risk assessment completed for all significant threats to critical activities
  • Continuity strategies documented for all critical activities — realistic, capacity-verified alternatives
  • Business continuity plans documented at sufficient detail to be executable by someone not involved in their development
  • At minimum one tabletop exercise conducted with documented outcomes and gap closure
  • Internal audit completed by someone with ISO 22301 knowledge — with findings and actions documented
  • Management review conducted with evidence of decisions made about BCMS performance and improvement
About AjaCertX
AjaCertX is a specialist compliance, certification and assurance partner serving organisations globally. Our Resilience and Continuity practice delivers ISO 22301 implementation, business continuity programme design, and scenario exercise facilitation across all sectors.