ISO 22301 Business Continuity: Getting Started
A starter guide for building a Business Continuity Management System aligned with ISO 22301. Covers Business Impact Analysis, recovery strategy development, and the importance of regular testing and exercising.
What Is ISO 22301?
ISO 22301 is the international standard for Business Continuity Management Systems (BCMS). It provides a framework for identifying potential threats to an organisation and building the capability to respond effectively, protecting stakeholders, reputation, and value-creating activities. Whether you face natural disasters, cyber attacks, supply chain failures, or pandemics, a well-designed BCMS ensures you can continue operating.
Getting Leadership Buy-In
Business continuity requires commitment from the top. Senior management must define the BCMS scope, establish a business continuity policy, assign roles and responsibilities, and ensure adequate resources. Without genuine leadership engagement, business continuity plans often become shelf documents that fail under real pressure.
Conducting a Business Impact Analysis
The Business Impact Analysis (BIA) is the foundation of your BCMS. It identifies your organisation's critical activities and the resources they depend on. During the BIA:
- Identify all products, services, and supporting activities
- Determine the impact of disruption over time for each activity
- Establish the Maximum Tolerable Period of Disruption (MTPD) for each critical activity
- Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
- Identify dependencies, including people, technology, suppliers, and facilities
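As an added example (not part of the original guide), a small Python consistency check over a BIA record: it flags any activity whose RTO, or whose effective RTO once dependencies are counted, exceeds its MTPD, and any activity whose RPO a dependency cannot support. The activity names and figures are constructed, and the check assumes dependencies recover in parallel rather than one after another.

```python
from dataclasses import dataclass, field

@dataclass
class Activity:
    """One critical activity from the BIA. Times are in hours."""
    name: str
    mtpd: int                       # Maximum Tolerable Period of Disruption
    rto: int                        # Recovery Time Objective
    rpo: int                        # Recovery Point Objective (max data loss window)
    depends_on: list = field(default_factory=list)   # names of other activities

def effective_rto(activities: dict, name: str, _path: tuple = ()) -> int:
    """Recovery time achievable once dependencies are counted. Assumes dependencies
    recover in parallel, so it is the largest RTO on any chain; cycles are an error."""
    if name in _path:
        raise ValueError("cyclic dependency: " + " -> ".join(_path + (name,)))
    act = activities[name]
    return max([act.rto] + [effective_rto(activities, d, _path + (name,))
                            for d in act.depends_on if d in activities])

def bia_findings(activities: dict) -> list:
    """Consistency checks across the BIA; an empty list means no gaps were found."""
    findings = []
    for act in activities.values():
        eff = effective_rto(activities, act.name)
        if act.rto > act.mtpd:
            findings.append(f"{act.name}: RTO {act.rto}h exceeds MTPD {act.mtpd}h")
        elif eff > act.mtpd:
            findings.append(f"{act.name}: effective RTO {eff}h (via dependencies) "
                            f"exceeds MTPD {act.mtpd}h")
        for dep in act.depends_on:
            if dep not in activities:
                findings.append(f"{act.name}: dependency '{dep}' has no BIA record")
            elif activities[dep].rpo > act.rpo:
                findings.append(f"{act.name}: RPO {act.rpo}h cannot be met, dependency "
                                f"'{dep}' only guarantees RPO {activities[dep].rpo}h")
    return findings

# Constructed sample BIA (hypothetical activities and figures, not a real organisation)
SAMPLE_BIA = {a.name: a for a in [
    Activity("order-processing", mtpd=24, rto=8, rpo=1, depends_on=["erp-database", "payment-gateway"]),
    Activity("erp-database", mtpd=48, rto=12, rpo=4),
    Activity("payment-gateway", mtpd=24, rto=4, rpo=0, depends_on=["network-link"]),
    Activity("network-link", mtpd=72, rto=36, rpo=0),
    Activity("payroll", mtpd=120, rto=168, rpo=24),
]}
```

Running `bia_findings(SAMPLE_BIA)` reports four gaps, including order-processing, whose own 8-hour RTO looks fine until the 36-hour network-link it depends on through the payment gateway is taken into account.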
Risk Assessment for Business Continuity
While the BIA tells you what matters most, the risk assessment identifies what could go wrong. Assess threats and vulnerabilities that could cause disruption to your critical activities. Common categories include:
- Technology failures and cyber incidents
- Loss of key personnel or skills
- Supply chain and third-party disruptions
- Physical threats such as fire, flood, or power outage
Prioritise risks based on likelihood and impact, then determine appropriate treatment strategies.
Developing Recovery Strategies
For each critical activity, develop strategies that enable recovery within the defined RTO. Recovery strategies should address:
- People: Cross-training, succession planning, remote work capabilities
- Technology: Backup systems, failover infrastructure, data replication
- Facilities: Alternative work locations, mutual aid agreements
- Suppliers: Diversification, stockpiling, contractual continuity clauses
Balance the cost of each strategy against the potential impact of disruption.
Writing Business Continuity Plans
Business continuity plans translate strategies into actionable procedures. Each plan should include:
- Activation criteria and escalation procedures
- Roles and responsibilities during an incident
- Communication protocols for internal and external stakeholders
- Step-by-step recovery procedures
- Resource requirements and contact lists
Keep plans concise and accessible. During a crisis, no one has time to read a 200-page manual.
Testing and Exercising
Plans that are never tested cannot be trusted. ISO 22301 requires organisations to conduct exercises at planned intervals. Common exercise types include:
- Tabletop exercises: Discussion-based walkthroughs of scenarios
- Simulation exercises: Realistic scenario enactments without full activation
- Full-scale exercises: Complete activation of plans and recovery procedures
After each exercise, conduct a debrief and document lessons learned. Update plans based on findings.
Monitoring and Continual Improvement
A BCMS is a living system. Monitor performance through internal audits, management reviews, and post-incident analysis. Track metrics such as RTO achievement during exercises, plan currency, and training completion rates. By following a structured approach rooted in BIA findings, you can build resilience that genuinely protects your organisation when disruption strikes.