This website uses cookies. View our cookie policy

ISO22301 (ISO 22301) Business Continuity Standard

Robust BCM (business continuity management) is increasingly necessary for organisations seeking to properly secure their information and preserve its availability. BCM enables an organisation to resume business as usual as quickly as possible following a disruptive incident – such as a power outage or a cyber attack. 

Internationally reputed as the only effective framework for BCM, ISO 22301 provides the requirements for a BCMS (business continuity management system), which ensures organisations are properly prepared for a disruptive incident. An ISO 22301 BCMS includes disaster recovery plans, focusing on specific applications, services, sites functions and operations.

What is a BCMS?

A BCMS enables organisations to update, control and deploy effective recovery plans, helping the organisation cope with incidents affecting any of its business-critical processes and activities. 

From server failure to the complete loss of a major facility, a BCMS takes into account your organisational contingencies, capabilities and business needs to provide a comprehensive approach to organisational resilience.

Download our free ISO 22301 guide

For an introduction and some guidance on ISO 22301 and business continuity management, download our free green paper: Business Continuity Management ISO 22301.

Download now

What is the difference between business continuity management and disaster recovery?

DRM (disaster recovery management) forms part of your overall BCM but is more technical in nature and specifically focuses on the recovery of particular services, applications, sites, operations and functions.

BCM makes sure that a business can continue to function while recovering from the disaster. DRM, meanwhile, is a process of returning a business or organisation to a state of normality after a disastrous event. This will ordinarily incorporate business continuity, but the focus is on total recovery. Best-practice DRM requirements are included in ISO 22301.

What is the difference between a business continuity plan and a BCMS?

As a comprehensive approach to organisational resilience, a BCMS offers more concrete assurance that your organisation is managing its business continuity effectively, allowing you to update, control and deploy effective plans according to your business needs, capabilities and contingencies.


  •  Based on analysis 
  • Regularly tested- Untested 
  • Regular review and management
  • Organisation-wide awareness, embedded in company

Business Continuity Plan

  • Based on guesswork
  • Untested
  • Can become outdated
  • Lack of organisational awareness culture

The benefits of BCM and ISO 22301

  • Optimum recovery from a potentially destructive and disruptive incident. 
  • Safeguard your organisation’s reputation, turnover and profits by avoiding penalties for lack of resilience or preparedness. 
  • Conform with regulatory and governance requirements where BCM is a necessity, and meet client demands across the supply chain. 
  • Analysis of your organisational risk exposure enables you to reduce the cost of business interruption insurance cover. 
  • Independent audit assurance that your organisation has implemented the necessary measures to respond to a potential disaster.

Read more about the advantages of ISO 22301 and business continuity management here >>

The BCM lifecycle

An ISO 22301-aligned BCMS includes the following elements and underlying processes:

  • Scope project and develop a business case 
  • Secure board commitment and necessary budget 
  • Develop internal competence 
  • Undertake the development of documentation and documentation control 
  • Define roles and responsibilities 
  • Undertake internal and external communications 
  • Establish and deploy staff awareness programmes 
  • Conduct a risk assessment 
  • Undertake a BIA (business impact analysis) 
  • Develop business continuity plans and strategy 
  • Conduct BCM testing 
  • Continual review and maintenance 
  • Certification

ISO 27031 – ICT continuity best practice

Part of the ISO 27001 series and the international standard for information and communication technology service continuity management, ISO/IEC 27031 – Guidelines for ICT readiness for business continuity covers all manner of disruptions (including security-related events) that could impact ICT infrastructure and systems. 

ISO 27031 is not a certifiable standard, but rather a best-practice guideline, providing additional guidance specifically for ICT continuity management when aligning to ISO 22301 or 27001 and for achieving business continuity of ICT systems.

Purchase the ISO 27031 standard here >>

Let's work together to get things moving

Please contact us for further information or to speak to an expert.