ISO 22301 is the international standard for a Business Continuity Management System (BCMS) — a management system to prepare for, respond to and recover from disruptive incidents. It follows the same high-level structure as ISO 27001, so the two integrate well.
Core elements
| Element | What it covers |
|---|---|
| Business Impact Analysis (BIA) | Identify critical activities, impacts over time, RTO and RPO |
| Risk assessment | Threats to prioritised activities and their likelihood/impact |
| Continuity strategies | Options to protect and recover critical activities |
| Business continuity plans | Documented response, recovery and communication procedures |
| Exercising & testing | Validate plans through drills and scenario exercises |
| Management system | Policy, objectives, internal audit, management review, improvement |
Key metrics
- RTO (Recovery Time Objective): how quickly an activity must be restored after a disruption.
- RPO (Recovery Point Objective): the maximum tolerable data loss, measured as the time between the last recoverable copy and the disruption.
- MTPD (Maximum Tolerable Period of Disruption): the longest an activity can be unavailable before the impact becomes unacceptable; the RTO must be shorter than the MTPD.
Certification path
- Define BCMS scope and secure leadership commitment.
- Perform the BIA and risk assessment.
- Select continuity strategies and build plans.
- Exercise and test the plans.
- Internal audit and management review, then Stage 1 and Stage 2 certification audits.
How CyberSigma helps
We build your BCMS — BIA, strategies, plans and exercises — and support ISO 22301 certification, integrated with your ISO 27001 ISMS and regulatory continuity requirements.
Frequently asked questions
How does ISO 22301 relate to ISO 27001?
They share the same management-system structure and complement each other — ISO 27001’s ICT continuity requirements align with a full ISO 22301 BCMS.
Need help with ISO 22301?
Our CERT-In empanelled, PCI QSA senior auditors can take you from a first reading of the standard to a compliant BCMS with a scoped, guided programme.
