
ISO 22301 Certification and Business Continuity Management Systems

What is ISO 22301?

ISO 22301 is an internationally recognised standard for business continuity management systems (BCMS). It provides a structured framework to help organisations prepare for, respond to, and recover from disruptive incidents.

 

The standard focuses on:

  • Identifying potential threats to business operations

  • Assessing the impact of disruption

  • Developing and implementing continuity strategies

  • Ensuring resilience and the ability to recover effectively

  • Driving continual improvement in business continuity capability

 

It is particularly relevant for organisations where service continuity is critical to clients, regulators, or contractual obligations.

What Does ISO 22301 Involve?

Implementing ISO 22301 involves developing a management system that ensures your organisation can continue operating during and after disruption.

This typically includes:

  • Defining the scope of the BCMS

  • Conducting a business impact analysis (BIA)

  • Identifying risks and disruption scenarios

  • Developing business continuity strategies and solutions

  • Establishing business continuity and disaster recovery plans

  • Defining roles and responsibilities during incidents

  • Implementing communication and escalation processes

  • Delivering training and awareness

  • Testing and exercising continuity plans

  • Monitoring and reviewing performance

  • Conducting internal audits

  • Completing management reviews

  • Driving continual improvement

 

The objective is to create a system that is practical, tested, and capable of responding effectively to real-world disruption.

Benefits of ISO 22301

ISO 22301 provides both operational and commercial advantages:

  • Improved organisational resilience and preparedness

  • Reduced impact of disruptions on operations and service delivery

  • Faster and more effective recovery from incidents

  • Increased confidence from clients, regulators, and stakeholders

  • Enhanced ability to meet contractual and regulatory requirements

  • Competitive advantage in tenders where continuity is critical

 

It demonstrates that your organisation can continue to operate under adverse conditions.

Who is ISO 22301 Suitable For?

ISO 22301 is suitable for organisations that:

  • Provide critical services or operate in time-sensitive environments

  • Have contractual or regulatory continuity requirements

  • Need to demonstrate resilience to clients or stakeholders

  • Operate in sectors such as IT, professional services, finance, logistics, or infrastructure

  • Want a structured and tested approach to managing disruption

 

It is increasingly expected within supply chains and for organisations supporting larger or regulated clients.

How Certification is Achieved

Certification is carried out by a UKAS-accredited certification body and typically follows these stages:

  • Gap analysis (optional)

  • Definition of BCMS scope and requirements

  • Business impact analysis and risk assessment

  • Development of continuity strategies and plans

  • Implementation across the organisation

  • Testing and exercising of plans

  • Internal audit and management review

  • Stage 1 audit (readiness assessment)

  • Stage 2 audit (certification audit)

 

Certification audits will assess both documented plans and evidence that they are tested and effective.

Once certified, organisations are subject to annual surveillance audits to maintain certification.

Certification Support

We support clients through the full certification process, including audit preparation and coordination with certification bodies.

Certification itself is carried out by independent UKAS-accredited certification bodies, ensuring impartial assessment. A list of UKAS-accredited certification bodies can be found here.

We recommend that you engage with a UKAS-accredited certification body early in the process, as each has different processes and lead times can vary.

How Long Does It Take?

Timescales depend on:

  • The size and complexity of the organisation

  • The criticality of services and acceptable downtime

  • The maturity of existing continuity and risk management processes

 

Typical timeframe:

  • 3–9 months

  • Shorter where continuity planning already exists

  • Longer where full analysis, planning, and testing are required

 

Implementation can be more involved due to the need for analysis, planning, and testing across the organisation.

Common Misconceptions

  • ISO 22301 is not just an IT disaster recovery plan

  • It is not solely documentation-based; testing and validation are essential

  • It is not only relevant for large or high-risk organisations

  • It does not guarantee zero disruption

  • It is not a one-off exercise; plans must be maintained and tested regularly

  • A well-designed system should improve resilience without adding unnecessary complexity

How We Support You

We provide practical, hands-on support to help you achieve and maintain ISO 22301 certification.

Our services include:

  • Gap analysis and business continuity reviews

  • Support with business impact analysis and risk assessment

  • Development of continuity strategies and plans

  • Design and facilitation of testing and exercises

  • Development of tailored policies and procedures

  • Implementation support aligned to your operations

  • Internal audits

  • Ongoing compliance and system maintenance

 

Our approach is proportionate, pragmatic, and focused on real-world resilience, ensuring your system is effective, tested, and aligned to your organisation’s needs.
