ISO 22301
Business continuity management systems (BCMS)

ISO 22301 explained for enterprise teams

ISO 22301 (Security and resilience, Business continuity management systems, Requirements) is the international certifiable standard that defines what a business continuity management system (BCMS) is, what it produces, and how it is audited. The current edition (ISO 22301:2019) sits alongside ISO 22313 (guidance), ISO 22317 (BIA guidelines), and ISO/IEC 27031 (ICT readiness for business continuity) in the wider continuity standards family. Programmes operate ISO 22301 as the management system anchor and read the adjacent guidance standards as the operating depth.

For internal security teams, GRC and compliance teams, security operations leaders, business continuity owners, risk management teams, IT continuity owners, activity owners accountable for service availability, AppSec leads where availability is a security property, cloud security teams managing region and provider exposure, and CISOs and security directors carrying the audit-committee read against the wider operational resilience posture, ISO 22301 is the certifiable BCMS standard the continuity evidence reads against. The standard is dense; the value is the management system discipline that turns business continuity from a folder of static documents into a continuous operating record that survives audits, regulators, and material disruptions.

This page covers the standard scope, the eight load-bearing principles, the PDCA operating model, the business impact analysis discipline, the continuity strategies and solutions, the evidence pack, the failure modes, and where ISO 22301 sits alongside ISO/IEC 27031 ICT readiness for business continuity, ISO/IEC 27001 Annex A 5.29 and 5.30, DORA Articles 11, 12, and 14, NIS2 Article 21(2)(c), NIST CSF 2.0 Recover and Respond functions, and SOC 2 Availability criteria. Programmes that adopt ISO 22301 as the certifiable BCMS standard read cleanly into every adjacent regime without rebuilding the management system per audit.

Eight load-bearing principles of the BCMS

ISO 22301 is structured around the standard ISO management system requirements (context, leadership, planning, support, operation, performance evaluation, improvement) and the continuity-specific operating discipline (BIA, risk assessment, strategy and solution, plans and procedures, exercising and testing). The eight principles below are the load-bearing orientations the rest of the standard reads against. Programmes that adopt them as the operating posture produce evidence that survives certification, regulator review, and material disruption; programmes that treat them as text in a policy document produce a BCMS that ages out within the first cycle.

The PDCA operating model

ISO 22301 is structured around the Plan-Do-Check-Act cycle aligned with the wider ISO management system family. The cycle is continuous: each Act closure feeds the next Plan refresh, and the operating record reads against the same evidence pack across years. Programmes that operate the BCMS as a one-time documentation project lose the cycle dimension; the standard expects the lifecycle to be the structural commitment the rest of the principles read against.

1. 1

   Plan (Clauses 4 to 7)

   Establish the BCMS context (internal and external issues, interested parties, legal and regulatory requirements, BCMS scope), leadership (policy, roles, responsibilities, authorities), planning (continuity objectives, risks and opportunities, change management), and support (resources, competence, awareness, communication, documented information). The Plan phase is the cheapest phase to invest in and the most expensive to skip. Programmes that under-invest in Plan rebuild the BCMS at every audit and every regulator change.

2. 2

   Do (Clause 8 Operation)

   Operate the BCMS through the operational planning and control discipline: the business impact analysis (Clause 8.2.2), the risk assessment (Clause 8.2.3), the business continuity strategies and solutions (Clause 8.3), the business continuity plans and procedures (Clause 8.4), and the exercise programme (Clause 8.5). The Do phase is the longest visible phase and the one auditors read against most directly. The artefacts the Do phase produces (BIA outputs, strategy decisions, plans, exercise records) are the load-bearing evidence the rest of the BCMS reads against.

3. 3

   Check (Clause 9 Performance evaluation)

   Evaluate the BCMS through monitoring, measurement, analysis, and evaluation (Clause 9.1), internal audit (Clause 9.2), and management review (Clause 9.3). The Check phase is where the difference between a documented system and an operating system becomes visible. Performance evaluation reads the BIA outputs against the achieved exercise metrics, the documented plans against the executed responses, and the policy against the operating reality. Programmes that operate the Do phase without Check lose the evidence the audit committee and the regulator read.

4. 4

   Act (Clause 10 Improvement)

   Improve the BCMS through nonconformity and corrective action (Clause 10.1) and continual improvement (Clause 10.2). The Act phase converts the gaps surfaced in Check into closed corrective actions feeding the next Plan cycle. Programmes that surface findings without closing them lose the cycle that makes the BCMS durable. The maintain-and-improve phase is the closing artefact that completes one PDCA cycle and opens the next.

The business impact analysis discipline

ISO 22301 Clause 8.2.2 names business impact analysis as the load-bearing input the rest of the operating discipline reads against. The BIA is the structured analysis of activity criticality, impact over time, MTPD, MBCO, RTO, RPO, and dependency footprint that produces the per-activity recovery commitments. ISO 22317 supplies the BIA-specific guidance the standard reads alongside. Programmes that operate the BCMS without a current BIA produce per-activity commitments that float free of organisational impact; the BIA is the structural artefact that ties recovery posture to business reality.

Continuity strategies and solutions

ISO 22301 Clauses 8.3 (strategies and solutions) and 8.4 (plans and procedures) name the artefacts that translate the BIA outputs into operational capability. Strategies are the chosen approaches; solutions are the technical, operational, and procedural arrangements that implement them; plans are the documents the operators read at the moment of disruption. The three artefact layers read together as one continuity posture rather than as three separate disciplines.

The BCMS evidence pack

The minimum durable evidence pack the certification auditor, the internal auditor, the regulator, the audit committee, and the executive sponsor each read against the BCMS is grouped below by artefact type. Each artefact carries a named owner, a refresh cadence, and a version history so reconstruction at audit time is replaced with a continuous operating trail. ISO 22301 does not invent these artefacts; it names what the BCMS operating record needs to contain to satisfy the management system discipline the standard reads against.

Failure modes the standard is designed to surface

ISO 22301 is forgiving on the choice of tooling, the recovery architecture, and the depth of exercise per activity. It is unforgiving about a small number of patterns that turn the BCMS cosmetic rather than operational. The patterns below recur across BCMS programmes and are the ones that erode the year-over-year continuity audits, regulators, and audit committees increasingly read against.

How ISO 22301 relates to adjacent regimes

ISO 22301 sits in a busy continuity, regulatory, and standards neighbourhood. The relationships below are the ones programmes encounter most often when they read the standard against the rest of the resilience regime. Programmes operating across regions and sectors use ISO 22301 as the BCMS spine and read ISO/IEC 27031, ISO/IEC 27001 Annex A 5.29 and 5.30, NIST SP 800-34, NIST CSF 2.0 Recover and Respond, DORA, NIS2, SOC 2 A1, and PCI DSS 12.10 as the framework-specific reads alongside.

Where ISO 22301 sits next to other framework pages

ISO 22301 is the certifiable BCMS standard; the adjacent framework pages cover the regimes the BCMS reads alongside. The pages below are the ones BCMS programmes most often read together when producing the integrated evidence pack.

• The ISO/IEC 27031 framework page covers the ICT readiness for business continuity standard. ISO/IEC 27031 sits beneath ISO 22301 clauses 8.2 to 8.5 as the ICT-specific operating companion the BCMS auditor reads for the ICT scope.
• The ISO/IEC 27001 framework page covers the certifiable ISMS standard. Annex A 5.29 (information security during disruption) and A 5.30 (ICT readiness for business continuity) are the certifiable controls in the ISMS that read directly against ISO 22301 and ISO/IEC 27031. Programmes operating both standards typically run an integrated management system.
• The ISO/IEC 27035 framework page covers the incident management standard. The handoff from operational incident response to the BCMS recovery declaration is the integration the holistic discipline expects.
• The NIST SP 800-61 framework page covers the US federal incident handling guide. The integration between operational incident handling (where 800-61 lives) and BCMS recovery declaration (where ISO 22301 lives) is the same handoff named from the federal direction.
• The DORA framework page covers the EU Digital Operational Resilience Act for financial entities. Articles 11 (ICT business continuity policy), 12 (backup, restoration, and recovery procedures), and 14 (communication) read against ISO 22301 as the wider BCMS the financial-services ICT continuity obligations sit inside.
• The NIS2 framework page covers the EU directive on cybersecurity for essential and important entities. Article 21(2)(c) requires business continuity management for which ISO 22301 is the natural BCMS reference. Article 23 incident reporting reads alongside ISO/IEC 27035 and ISO 22301 communication discipline.
• The NIST CSF 2.0 framework page covers the framework-level outcome model. The Recover function (RC.RP, RC.CO, RC.IM) and the Respond function (RS.MA, RS.AN, RS.MI, RS.CO, RS.RP) read against ISO 22301 as the implementation companion that supplies the management system depth the outcome statements are achieved through.
• The SOC 2 framework page covers the AICPA Trust Services Criteria. A1.1 (capacity), A1.2 (environmental protections and recovery infrastructure), and A1.3 (recovery plan testing) read against the same BCMS discipline ISO 22301 expects.
• The PCI DSS framework page covers the payment card industry data security standard. Requirement 12.10 incident response planning reads against the BCMS exercising and incident response discipline.
• The ISO/IEC 27036 framework page covers the supplier-relationship security standard. The supplier-side BCDR clauses read alongside ISO 22301 so the acquirer-side recovery posture does not assume supplier-side readiness without evidence.

Where SecPortal fits in an ISO 22301 programme

SecPortal is the operating layer for the BCMS programme record, not a replacement for the standard itself, not a business continuity software suite, not a disaster recovery automation platform, not an IT service management platform, and not a backup and recovery infrastructure controller. The platform handles the workstreams that produce the ISO 22301 evidence (engagement structure for the per-cycle BCMS work, finding intake from after-action reviews and audits and incident post-mortems, severity scoring under CVSS 3.1 where availability is the impact axis, retest evidence paired to the corrective action follow-up, exception register with named owner and expiry, document management for the policy and procedures and exercise records, the activity log certification bodies and regulators read against). The same workspace that hosts the BCMS record hosts the technical assessment evidence the recovery design depends on, so the line from policy to evidence stays traceable.

What SecPortal does not do

ISO 22301 is a management system standard that depends on the organisation operating business continuity, ICT readiness, incident management, and crisis management as coordinated functions. SecPortal is the operating record for the BCMS slice, not the business continuity software suite, not the IT service management platform, not the backup and recovery infrastructure, and not the third-party certification body. The honest scope below reads against the ISO 22301 boundary so the platform commitment is unambiguous.

The operational workstreams the BCMS reads against already exist as named use cases on SecPortal. The security leadership reporting workflow covers the executive and audit-committee read against the BCMS performance posture. The audit fieldwork evidence request fulfillment workflow covers the certification audit liaison the BCMS evidence pack reads against. The cross-framework control mapping workflow reads the same BCMS evidence pack across ISO 22301, ISO/IEC 27031, ISO/IEC 27001 Annex A 5.29 and 5.30, DORA Articles 11 to 14, NIS2 Article 21(2)(c), NIST CSF 2.0 Recover and Respond, SOC 2 A1.1 to A1.3, and PCI DSS 12.10 so the cross-regime read is reconcilable rather than reconciled per audit. The control gap remediation workflow carries the corrective action follow-up the exercise after-action records, the internal audit findings, and the management review nonconformities feed. The breach notification and regulator readiness workflow covers the regulator-clock dimension the crisis management plan operates against. The incident response workflow covers the operational incident handling that hands off into the BCMS recovery declaration. The cyber insurance security evidence workflow bundles the BCMS evidence pack into the underwriter and broker read at renewal so the continuity posture is visible alongside the security posture.

For GRC and compliance teams running the BCMS alongside the wider information security and operational resilience programmes, the GRC and compliance teams workspace bundles the platform with the engagement structure the BCMS audit cadence reads against. For security operations leaders carrying the operational continuity posture into the management review, the security operations leaders workspace covers the per-cycle exercise programme, the after-action review, and the incident- driven improvement loop. For CISOs and security leaders carrying the audit-committee read against the operational resilience posture, the CISOs and security leaders workspace covers the board-side reporting model that sits on top of the BCMS operating record.

For deeper reading on the disciplines this standard reads against, the DORA ICT third-party risk management implementation guide covers the financial-services-specific ICT continuity expectations DORA Articles 11 and 12 read against. The incident response plan guide covers the incident-response discipline that hands off into the BCMS recovery declaration. The ransomware readiness program guide covers the ransomware-specific scenario the BCMS backup and recovery posture is most often tested against. The incident response tabletop exercise guide covers the desk-based exercise format the BCMS walkthrough cadence uses. The enterprise incident response at scale guide covers the multi-team operating model the BCMS crisis discipline reads alongside. The continuous control monitoring cadence research covers the cadence economics the BCMS exercise programme inherits from when balancing test cost against capability assurance.