What is ISO 22301

ISO 22301 is the internationally recognised standard for Business Continuity Management Systems (BCMS). It defines business continuity management as a part of overall risk management, partially overlapping with information security management and IT management, and describes how to manage business continuity in an organisation.  
 
ISO 22301 provides a flexible framework that can be adapted to the unique needs of businesses of any size, from small enterprises to large corporations. The standard does not dictate how to run your organisation; instead, it ensures that your methods for identifying risks and maintaining business continuity are designed to achieve reliable outcomes for your stakeholders and customers. 
 
A BCMS does not need to be certified for your business to experience the benefits of ISO 22301. Many organisations align their systems with the standard first and pursue certification later, if desired. This approach enables businesses to strengthen their continuity capabilities and build resilience without the immediate cost or complexity of certification. 

What are the benefits of ISO 22301? 

Resilience: Minimise disruptions by planning to manage business upsets. 
 
Enhanced Operational Stability: Safeguard critical processes, reduce downtime, and ensure reliable outcomes for stakeholders. 
 
Proactive Risk Management: Apply a systematic approach to identify, assess, and mitigate potential disruptions, ensuring predictable and resilient operations. 
 
Empowered Workforce: Promote engagement, define clear roles, and empower employees to take ownership of business continuity practices. 
 
Continuous Improvement in Business Continuity: Foster a culture of continual enhancement, adapt to changing risks, and innovate to strengthen resilience. 

Steps to getting ISO 22301 certification 

Every organisation has its own unique way of implementing ISO 22301, tailored specifically to its business. However, there are some common steps to achieving certification. 
Carry out a Gap Analysis to assess your current management system against the requirements of ISO 22301. Develop an action plan to address the gaps and bring your practices in line with the standard. 
Deliver your action plan to align your practices with ISO 22301. This involves setting strategic business continuity objectives, developing and implementing a comprehensive continuity policy, identifying and mitigating significant risks to critical operations, and embedding resilient practices across all areas of your organisation. 
Stage 1 Certification Audit - your chosen certification body will review the scope of your management system and assess your readiness for certification.  
Address any areas of improvement identified at the Stage 1 Certification Audit and continue to implement your management system, building up evidence of compliance. 
Stage 2 Certification Audit - your chosen certification body will evaluate the implementation and effectiveness of your management system, and will make a recommendation for certification. 
Once you have gained certification, you need to continue the implementation and development of your BCMS. You will typically be subject to an annual surveillance audit carried out by your certification body to ensure your BCMS continues to meet the requirements of ISO 22301. 
 
ISO 22301 Certification is awarded for a period of three years; your certification body will carry out a full certification audit after three years to fully examine the BCMS. 
 
Remember to promote your ISO 22301 certification—it highlights your commitment to resilience and business continuity. 

ISO 22301 FAQs 

A: ISO 22301 is built on the key principles of leadership and commitment, risk-based approach, taking a life-cycle perspective, stakeholder involvement and continual improvement. 
A: ISO 22301 is essential for organisations aiming to ensure resilience, minimise disruptions, and safeguard critical operations. By carrying out a Business Impact Analysis, identifying areas of risk and developing a Business Continuity Strategy, your organisation will be best placed to overcome threats to the business. 
A: Complying with ISO 22301 can be self-proclaimed when you have implemented all the requirements of the standard to the best of your ability. To give assurance to this claim, Applaud can carry out an assessment of your BCMS against the requirements of ISO 22301.  
 
Certified to ISO 22301 means that an independent certification body has assessed your BCMS against the requirements of ISO 22301 and has provided written assurance of compliance. 
A: To achieve ISO 22301 certification, you must engage an ISO 22301 certification body and pass an audit that looks for evidence that your BCMS is in place and meets the certification standards. Applaud can help you select a certification body that meets the needs of your business. 
A: The time taken to achieve ISO 22301 certification can vary from a few weeks to a year or more, depending on the size and complexity of your organisation and the readiness of your organisation at the start of the process. Typically Applaud work on a six to nine month timescale, but this can be shortened or may be lengthened based on factors such as the size of the organisation, your existing management processes, the resources available to work on the management system and number of locations the organisation has. 
A: A certification body provides independent third-party recognition of your compliance with ISO 22301. When choosing a certification body, you need to consider whether or not it is accredited by UKAS. Be aware that some supply chains insist on UKAS-accredited awarding bodies for ISO 22301 certification. 
A: UKAS-accredited certification bodies are officially recognised in the UK to provide ISO 22301 certification, ensuring compliance with rigorous international standards and delivering globally trusted credentials. Certifications from UKAS-accredited bodies are more credible, widely accepted, and often required for regulated industries or government contracts. Non-accredited certification bodies, while often cheaper, lack oversight from recognised authorities, leading to inconsistent auditing quality and limited acceptance by clients or markets. Choosing a UKAS-accredited body reduces risks and enhances the value and recognition of your ISO 22301 certification. 
A: Certification lasts for three years (subject to the outcome of surveillance audits). During those three years you will need to carry out internal audits of your BCMS and be subject to surveillance audits by your certification body. At the end of the three year period, you will go through a re-certification audit similar to the stage 2 certification audit. 
A: ISO 22301:2019 Security and Resilience. Business Continuity Management Systems