What plans and procedures should an ISO 22301 BCMS include?

A BCMS brings together continuity plans, response procedures and crisis arrangements. They must be coherent, tested and kept up to date.

In an ISO 22301-conformant BCMS, plans and procedures are not isolated documents. They form a coherent set aligned with the impact analysis, the risks and the chosen strategies. The core is the business continuity plans and procedures: workaround instructions, recovery organisation, management of critical dependencies, and the arrangements for returning to stabilised operation.

The BCMS also includes response arrangements. The programme covers an incident response plan and an emergency response plan. Their purpose is to manage the first hours, keep people and assets safe, and stabilise the situation before switching to continuity or recovery. The crisis management plan completes this by organising governance, decision-making and coordination, along with the interfaces to communication.

Communication is an explicit element. It must be prepared: channels, responsibilities, template messages and validation rules. Without this, decisions can be contradictory or late, worsening the impacts.

Finally, plans must be kept current and tested. ISO 22301 implies exercises, performance monitoring, internal audits and management reviews. An untested plan is a hypothesis; a tested and corrected plan becomes a capability. Certification-audit readiness requires demonstrating this logic: plans defined, exercises run, results analysed and improvements implemented.

Related Information

  • Plans must align with impacts, risks and strategies
  • The set includes continuity, incident, emergency and crisis management
  • Communication must be integrated and prepared in advance
  • Exercises turn documents into real capability
  • The certification audit requires proof of testing and maintenance

Expert Insight

The difficulty is not writing a lot, but writing the right thing. Plans must be usable under pressure: simple structure, explicit roles, short checklists, key information within reach. Organisations that fail produce complete but unusable documents. Impose a maintenance logic — document owner, review frequency, dependencies, and activation criteria.

Browse all FAQs →

Full knowledge base

We use cookies to improve your experience

Necessary cookies are always active. You can accept, reject non-essential cookies, or customize your preferences.