ISO 22301:2019 is the international standard for business continuity management systems (BCMS), published by the International Organization for Standardization under the official title: Security and resilience, Business continuity management systems, Requirements. It gives organisations a structured framework to prepare for, respond to, and recover from disruption such as cyberattacks, supplier failures, power and IT outages, or natural disasters, so that critical activities keep running within predefined timeframes. This guide explains what the standard requires clause by clause, how to implement it and get certified, and how it maps to the EU's DORA regulation, the NIS2 directive, and Switzerland's FINMA operational-resilience expectations.
Key distinction
ISO 22301 is the certifiable standard in the business continuity family. ISO 22313 and ISO/TS 22317 offer guidance, but only ISO 22301 sets the requirements an organisation can be audited and certified against.
What is ISO 22301?
The current edition, ISO 22301:2019, replaced the 2012 version, which itself evolved from the British standard BS 25999. It adopts Annex SL, the common high-level structure shared by ISO 27001 and ISO 9001, which is why the three integrate cleanly into a single management system. The aim throughout is operational availability: knowing in advance which activities are critical, how fast they must recover, and exactly what to do when disruption hits.
Key business continuity terms in ISO 22301
Term: BCMS
Term: BIA
Term: RTO
Term: RPO
Term: MTPD
Term: MBCO
ISO 22301 vs ISO 27001: how they differ and when to combine
The two standards are often confused. ISO 27001 protects information; ISO 22301 protects the organisation's ability to keep operating. Because both follow Annex SL, many organisations run a single integrated management system and certify to both.
ISO 22301 vs ISO 27001 at a glance
Dimension: Primary focus
Dimension: Protects
Dimension: Core analysis
Dimension: Structure
Dimension: Certifiable
Dimension: Related standards
The ISO 22301 clauses explained (Clauses 4 to 10)
Clauses 1 to 3 cover scope, normative references and terms. The certifiable requirements live in Clauses 4 to 10 and follow the Plan-Do-Check-Act logic.
ISO 22301:2019 clause structure
Clause: Clause 4: Context
Clause: Clause 5: Leadership
Clause: Clause 6: Planning
Clause: Clause 7: Support
Clause: Clause 8: Operation
Clause: Clause 9: Performance evaluation
Clause: Clause 10: Improvement
Where audits focus
Clause 8 is the heart of the standard and where most audit attention lands. If your BIA, RTO/RPO and tested plans are weak, certification will stall there, so invest the most effort in Clause 8.
The BCMS lifecycle (Plan-Do-Check-Act)
ISO 22301 follows the Plan-Do-Check-Act cycle that underpins every Annex SL management system. Each phase maps to specific clauses:
The ISO 22301 BCMS lifecycle
Phase: Plan
Phase: Do
Phase: Check
Phase: Act
How to implement ISO 22301, step by step
Implementation is sequential: you cannot choose continuity strategies before you know which activities are critical and how fast they must recover. The business impact analysis drives everything downstream.
- Define the BCMS scope and obtain top-management commitment
- Write the business continuity policy and objectives
- Conduct the business impact analysis (BIA) on critical activities
- Set RTO, RPO and MTPD for each critical activity
- Perform a risk assessment of disruption scenarios
- Select and resource continuity strategies
- Document business continuity and disaster recovery plans
- Train staff and run an awareness programme
- Exercise and test the plans, then capture lessons learned
- Run an internal audit and management review
- Close nonconformities, then undergo the certification audit
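As an added worked illustration of the BIA, RTO/RPO/MTPD and dependency steps above (example code written for this guide, not material from the standard, PECB or Abilene Academy), the following Python script models a small BIA register with constructed sample activities and applies the consistency checks an auditor tends to raise under Clause 8: every dependency has its own BIA entry, recovery is achievable within each activity's MTPD once its dependencies are accounted for, and no stated RTO is tighter than the dependencies allow. The `Activity`, `effective_rto` and `bia_findings` names are this example's own.

```python
from dataclasses import dataclass, field

@dataclass
class Activity:
    """One row of a BIA register. Times are in hours; all values here are constructed sample data."""
    name: str
    rto_h: float          # recovery time objective
    rpo_h: float          # recovery point objective (tolerable data loss)
    mtpd_h: float         # maximum tolerable period of disruption
    depends_on: list = field(default_factory=list)  # supporting activities or resources

def effective_rto(name: str, by_name: dict, _seen: tuple = ()) -> float:
    """An activity is not back until everything it depends on is back, so the
    realistic recovery time is the maximum over the whole dependency chain.
    Dependencies missing from the register are reported separately and skipped here."""
    if name in _seen:
        raise ValueError(f"circular dependency via {name!r}")
    a = by_name[name]
    deps = [effective_rto(d, by_name, _seen + (name,)) for d in a.depends_on if d in by_name]
    return max([a.rto_h, *deps])

def bia_findings(activities: list) -> list:
    """Consistency checks on Clause 8 BIA output: every dependency has an entry,
    recovery is achievable within MTPD, and stated RTOs are attainable."""
    by_name = {a.name: a for a in activities}
    findings = []
    for a in activities:
        for d in a.depends_on:
            if d not in by_name:
                findings.append(f"{a.name}: depends on {d!r}, which has no BIA entry")
        eff = effective_rto(a.name, by_name)
        if eff > a.mtpd_h:
            findings.append(f"{a.name}: effective RTO {eff:g}h exceeds MTPD {a.mtpd_h:g}h")
        elif eff > a.rto_h:
            findings.append(f"{a.name}: stated RTO {a.rto_h:g}h is unattainable; "
                            f"dependencies allow {eff:g}h at best")
    return findings

def sample_register() -> list:
    """Constructed BIA register for a small financial-services organisation."""
    return [
        Activity("Payments processing", 4, 1, 8, ["Core banking platform", "Identity provider"]),
        Activity("Core banking platform", 2, 0.25, 6, ["Data centre network"]),
        Activity("Identity provider", 6, 1, 12),
        Activity("Data centre network", 1, 0, 4),
        Activity("Customer support desk", 24, 8, 12),
        Activity("Reporting", 48, 24, 72, ["Data warehouse"]),
    ]
```

Running `bia_findings(sample_register())` on the constructed register surfaces three findings: a support desk whose RTO is longer than its MTPD, a payments RTO that its identity dependency cannot meet, and a reporting activity resting on a resource nobody analysed.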
Free templates
A good BIA template and a structured BCP template save weeks of work. Build them around your critical-activity list and your RTO/RPO targets so evidence flows straight into the audit.
ISO 22301 and the regulatory landscape: DORA, NIS2 and FINMA
This is where ISO 22301 has become strategically important. A wave of resilience regulation now requires the very capabilities ISO 22301 builds, and while none of these laws mandates ISO 22301 certification, implementing the standard gives you an evidenced, auditable framework that maps onto each of them.
ISO 22301 and the EU DORA regulation
The Digital Operational Resilience Act (DORA), which applies to EU financial entities from 17 January 2025, requires an ICT business-continuity policy (Article 11) and ICT response-and-recovery plans (Article 12). These map directly onto ISO 22301's BIA, documented plans, testing regime and management review, extended with ICT-specific RTO/RPO, third-party ICT continuity, and the register of information for critical providers.
ISO 22301 and the NIS2 directive
The NIS2 directive explicitly lists business continuity, including backup management, disaster recovery and crisis management, among its required security measures (Article 21). NIS2 does not require ISO 22301, but implementing it substantially satisfies the obligation and provides defensible evidence during supervisory inspections, which matters given the directive's significant fines and management accountability.
ISO 22301 and FINMA Circular 2023/1 (the Swiss angle)
For Swiss financial institutions, FINMA Circular 2023/1 on operational risks and resilience sets the recognised minimum standard. It requires identifying critical functions, board-approved tolerances for disruption, a BIA with RTO/RPO, continuity and recovery plans, and testing against severe-but-plausible scenarios, the same building blocks ISO 22301 provides. This is the home-turf advantage for a Swiss organisation: a certified BCMS becomes the operating model behind FINMA resilience expectations.
Swiss reality check
FINMA's own supervisory findings indicate that the large majority of supervised institutions had not yet completed operational-resilience testing ahead of the resilience deadline, which makes a tested, ISO 22301-based BCMS a timely way to close the gap.
The practical takeaway is convergence: rather than running separate projects for each regulation, organisations can build one ISO 22301 management system and map it to DORA, NIS2 and FINMA at once. The crosswalk below shows how the same capabilities satisfy all four.
Crosswalk: ISO 22301 mapped to DORA, NIS2 and FINMA
Capability: Impact analysis
Capability: Continuity and recovery plans
Capability: Testing and exercising
Capability: Governance
Capability: Third-party continuity
Capability: Improvement
ISO 22301 certification: process, timeline and cost
Organisations are certified by an accredited certification body through a two-stage audit, then maintain certification over a three-year cycle with annual surveillance audits. The path runs as follows:
- Gap analysis against the ISO 22301 requirements
- Implement the BCMS and run it long enough to generate records
- Stage 1 audit: review of documentation and readiness
- Stage 2 audit: review of implementation and effectiveness
- Certificate issued, valid for a three-year cycle
- Annual surveillance audits to maintain the certificate
- Recertification at the end of the three-year cycle
Timeline and cost depend on organisation size, number of sites, the maturity of existing continuity arrangements, and the certification body. For a mid-sized organisation, six to twelve months from kick-off to certificate is a realistic planning assumption. Note that certification-body fees are separate from the cost of training your implementation and audit team.
ISO 22301 training and professional certification
Individual PECB certifications build the competence to implement or audit a BCMS. Choose the level that matches your role:
Which ISO 22301 course is right for you?
Course: Foundation
Course: Lead Implementer
Course: Lead Auditor
Why train with Abilene Academy
Abilene Academy is the only PECB Titanium Partner in Switzerland, delivering ISO 22301 Foundation, Lead Implementer and Lead Auditor training in English, French and Spanish, with the regulatory context (DORA, NIS2, FINMA) built into the teaching.