What ISO 22301 is and why buyers ask for it
ISO 22301 is the international standard for a Business Continuity Management System (BCMS). Certification confirms, through an independent audit, that your organisation has a tested framework to keep its critical activities running — and to recover them quickly — when something goes wrong, whether that is an IT outage, a cyber incident, a supplier failure or a physical disruption.
Resilience has become a procurement question. Buyers in financial services, regulated industries and any sector that depends on continuous service increasingly ask suppliers to prove they can keep operating through disruption, rather than simply promising they can. ISO 22301 certification provides that proof. Certificates are issued under IAS accreditation and the IAF Multilateral Recognition Arrangement. ISO 22301 is part of our ISO Certifications portfolio and complements information security work such as ISO 27001; it sits in our Cyber Security grouping because continuity and cyber resilience are so closely linked.
What the audit covers
Certification follows the same two-stage assessment as other ISO management systems. The audit examines how your BCMS works in practice, including:
- A business impact analysis that identifies your critical activities and the consequences of their disruption
- A risk assessment of the threats to those activities
- Continuity strategies and plans, including recovery time objectives
- Exercising and testing of those plans, and how you learn from the results
Surveillance audits across the three-year certification cycle confirm that the system is being maintained and improved, not left on a shelf.
Typical timeline
For most organisations, ISO 22301 certification takes around 12–16 weeks from kick-off, depending on the complexity of your operations and how much continuity planning already exists. Larger or multi-site organisations take longer. Each engagement begins with a fixed-price scoping call and a proposal within 24 hours.
Common questions
What is a Business Continuity Management System (BCMS)?
A BCMS is the management system ISO 22301 certifies: a structured way of identifying your critical activities, understanding the risks to them, and putting tested plans in place to keep them running — or restore them quickly — when disruption hits.
What is the difference between ISO 22301 and disaster recovery?
Disaster recovery usually refers specifically to restoring IT systems and data. ISO 22301 is broader: it covers continuity of the whole organisation’s critical activities — people, facilities, suppliers and processes as well as technology. Disaster recovery is one part of a wider business continuity management system.
Who needs ISO 22301?
Organisations where downtime is costly or where customers and regulators expect proven resilience — financial services, IT and cloud providers, healthcare, manufacturing and public services. It is increasingly requested in tenders as evidence that a supplier can keep delivering through disruption.
How does ISO 22301 relate to ISO 27001?
ISO 27001 includes business-continuity considerations for information security, but ISO 22301 is the dedicated, certifiable standard for business continuity across the organisation. The two integrate well and share the common management-system structure, so many organisations certify both.