ISO 22301

ISO/IEC 22301 is an international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving a documented business continuity management system (BCMS). The standard is designed to help organizations protect against disruptive incidents, reduce the likelihood of their occurrence, and ensure the business recovers from them when they do occur.

Definition and purpose

The purpose of ISO/IEC 22301 is to provide organizations with a framework to plan, establish, implement, operate, monitor, review, maintain, and continually improve a BCMS. It is intended to safeguard an organization from a wide range of potential threats and disruptions, such as natural disasters, IT failures, staff illness, terrorist activity, or any other event that could disrupt operations.

Governing body

The standard is published and maintained by the International Organization for Standardization (ISO) in conjunction with the International Electrotechnical Commission (IEC).

Last updated

The latest version of ISO/IEC 22301 was published in 2019, known as ISO/IEC 22301:2019.

Applies to

ISO/IEC 22301 is applicable to any organization, regardless of its size, industry, or nature of business. It is particularly relevant for organizations that operate in high-risk environments or where the ability to continue operations is critical.

Controls and requirements

ISO/IEC 22301 sets out a number of requirements for a BCMS, including:

  • Context of the Organization: Understanding the organization and its context, the needs and expectations of interested parties, and the scope of the BCMS.
  • Leadership: Leadership and commitment, policy, organizational roles, responsibilities, and authorities.
  • Planning: Actions to address risks and opportunities, business continuity objectives, and plans to achieve them.
  • Support: Resources needed for the BCMS, competence, awareness, communication, and documented information.
  • Operation: Operational planning and control, the business impact analysis (BIA), risk assessment, business continuity strategies, and solutions.
  • Performance Evaluation: Monitoring, measurement, analysis, evaluation, internal audit, and management review.
  • Improvement: Nonconformity and corrective action, continual improvement.

Please refer to the official ISO/IEC 22301:2019 documentation for details on controls and requirements.

Audit type, frequency, and duration

Audits of ISO/IEC 22301 compliance can be performed internally, by customers, or by external certification bodies. Certification audits are conducted in two stages: Stage 1 (readiness review) and Stage 2 (evaluation of implementation). Internal audits are usually conducted annually, but the frequency can be higher depending on the organization's operational environment. Surveillance audits by certification bodies are typically conducted annually, with a recertification audit every three years.

The duration of the audit depends on the size and complexity of the organization, the scope of the BCMS, and the number of locations included in the scope. An audit can range from one day for a small organization to several weeks for a multinational corporation.
