ISO22301 Business Continuity Standard

ISO/IEC 22301:2012 sets out the requirements for a business continuity management system (BCMS) and is considered the only credible framework for effective business continuity management in the world.

By creating a BCMS aligned with ISO 22301, organisations are best prepared for a disruptive incident.

Effective business continuity management means an organisation can resume operations and return to ‘business as usual’ as quickly as possible after a disruptive incident (for example, a cyber attack or power failure).

An ISO 22301-aligned BCMS will include disaster recovery plans that focus on the recovery of specific operations, functions, sites, services or applications.

Purchase a copy of ISO/IEC 22301:2012 (PDF) here.

What is a business continuity management system (BCMS)?

A BCMS is a comprehensive approach to organisational resilience. It enables organisations to update, control and deploy effective plans, taking into account organisational contingencies and capabilities, as well as the business needs (product- and service- requirements).

A BCMS helps the business to cope with incidents affecting all of the organisation’s business-critical processes and activities, from the failure of a single server to the complete loss of a major facility.

Download our free ISO 22301 guide

For an introduction and some guidance on ISO 22301 and business continuity management, download our free green paper: Business Continuity Management ISO 22301.

Download now

What is the difference between business continuity management and disaster recovery?

Disaster recovery management (DRM) usually takes place within the context of business continuity management. Disaster recovery plans are often relatively technical and will focus on the recovery of specific operations, functions, sites, services or applications. Best practice for disaster recovery is also set out in ISO/IEC 22301.

Business continuity management makes sure that a business can continue to function while recovering from the disaster. DRM, meanwhile, is a process of returning a business or organisation to a state of normality after a disastrous event. This will ordinarily incorporate business continuity, but the focus is on total recovery.

What is the difference between a business continuity plan and a BCMS?

A BCMS is a comprehensive approach to organisational resilience. It allows organisations to update, control and deploy effective plans, taking into account organisational contingencies, capabilities and business needs (product and service requirements).


  •  Based on analysis 
  • Regularly tested 
  • Requires regular review and management
  • Awareness organisation-wide, embedded in the culture and deployed throughout the business

Business Continuity Plan

  • Based on guesswork
  • Untested
  • Can become outdated
  • Lack of organisational awareness, deployed in a limited division of the organisation and not part of the culture

What are the benefits of business continuity management and ISO 22301

  • Optimally recover from a potentially damaging and disruptive incident.
  • Protect your organisation’s turnover, profits and reputation due to improved resilience and preparedness.
  • Achieve regulatory and governance requirements where business continuity management is a necessity.
  • Reduce the cost of business interruption insurance cover based on actual analysis of your organisational risk exposure.
  • Receive independently audited assurance that your business has established the necessary measures to respond to a potential disaster.
  • Meet the demands of clients across the supply chain.

Read more about the advantages of ISO 22301 and business continuity management here >>

The business continuity management lifecycle

Implementing a BCMS aligned to ISO 22301 will include the following elements and supporting processes:

  • Scope the project and develop the business case
  • Get board commitment and secure the necessary budget
  • Develop internal competence
  • Undertake the development of documentation and documentation control
  • Establish roles and responsibilities
  • Undertake internal and external communications
  • Establish staff awareness programmes
  • Conduct a risk assessment
  • Undertake a business impact analysis (BIA)
  • Develop business continuity plans and strategy
  • Conduct BCM testing
  • Ongoing review and maintenance
  • Get certified

ISO 27031 – ICT continuity best practice

ISO/IEC 27031 – Guidelines for ICT readiness for business continuity – is the international standard for information and communication technology (ICT) service continuity management, and forms part of the ISO 27001 family of standards for information security.

Section A.17.1 of Annex A of ISO 27001 requires that organisations develop business continuity procedures to support its information security management system (ISMS).

ISO 27031 provides additional recommendations specifically for ICT continuity management when aligning to ISO 27001 or ISO 22301 and covers all events and incidents (including security-related events) that could impact ICT infrastructure and systems.

Note that ISO 27031 is not a certifiable standard, but rather a best-practice guideline for achieving business continuity of ICT systems.

Purchase the ISO 27031 standard here >>>


Let’s get started on your business continuity management project

IT Governance has the widest range of affordable solutions that are easy to use and ready to deploy.

Business continuity management/ ISO 23301 resources

Let's work together to get things moving

Please contact us for further information or to speak to an expert.

SAVE 25%