What ISO 22301 Actually Requires
ISO 22301 is a management system standard — not a business continuity plan template. It requires organisations to establish, implement, maintain and continually improve a Business Continuity Management System (BCMS). The standard has nine clauses, of which clauses 4 through 10 contain the actual requirements. Clauses 4 to 6 cover context and planning; clauses 7 to 10 cover operation, performance, and improvement.
The most commonly misunderstood aspect of ISO 22301 is that it assesses the management system that produces your business continuity plans — not the plans themselves. A plan that would work in a real event but was produced through an undisciplined process is not ISO 22301 compliant. A plan produced through a disciplined, documented process is — even if it is less comprehensive than the first.
The Business Impact Analysis — Where Most Certification Efforts Go Wrong
The Business Impact Analysis (BIA) is the foundation of everything in ISO 22301. It identifies your critical business activities, determines the maximum tolerable period of disruption (MTPD) for each, establishes recovery time objectives (RTOs), and identifies the minimum resources required to resume each activity. Auditors consistently report that BIA quality is the single biggest differentiator between organisations that achieve certification and those that do not.
The most common BIA failures are: activities assessed at the wrong level of granularity (too high-level to produce meaningful RTOs), MTPDs that have not been validated with the people who would actually feel the consequence of disruption, and resource assessments that list the resources that normally support an activity rather than the minimum resources required to resume it at an acceptable level.
Business continuity specialists. Certification programme proposal within 48 hours.