{"id":3894,"date":"2015-06-18T14:17:28","date_gmt":"2015-06-18T14:17:28","guid":{"rendered":"https:\/\/multiacademstg.wpengine.comhttps:\/\/multiacademstg.wpengine.com\/27001academy\/what-is-iso-22301\/"},"modified":"2025-07-14T14:58:56","modified_gmt":"2025-07-14T14:58:56","slug":"what-is-iso-22301","status":"publish","type":"page","link":"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-22301\/","title":{"rendered":"What is ISO 22301?"},"content":{"rendered":"<div id=\"pl-3894\"  class=\"panel-layout\" ><div id=\"pg-3894-0\"  class=\"panel-grid panel-no-style\" ><div id=\"pgc-3894-0-0\"  class=\"panel-grid-cell\" ><div id=\"panel-3894-0-0-0\" class=\"so-panel widget widget_hero-with-buttons-widget panel-first-child\" data-index=\"0\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-hero-with-buttons-widget so-widget-hero-with-buttons-widget-default-d75171398898-3894\"\n\t\t\t\n\t\t><section class=\"iso-hero sans\" style=\"background: #03284d;\">\n    <div class=\"container\">\n        <h1 class=\"iso-hero_title  \">\n            What is ISO 22301?\n        <\/h1>\n        <p class=\"iso-hero_subtitle \">\n                \n        <\/p>\n        <div class=\"iso-hero_buttons\">\n                            <div class=\"iso-hero_button\">\n                    <div class=\"button-image\">\n                        <img decoding=\"async\" width=\"64\" height=\"64\" src=\"\/wp-content\/uploads\/sites\/5\/2021\/10\/what-is-ISO-22301-Templates-button.png\" class=\"attachment-full size-full\" alt=\"-\">\n                    <\/div>\n                    <div class=\"button-content\">\n                        <span>ISO 22301 TEMPLATES<\/span>\n                    <\/div>\n                    <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso22301-documentation-toolkit\/\"><\/a>\n                <\/div>\n                            <div class=\"iso-hero_button\">\n                    <div class=\"button-image\">\n                        <img decoding=\"async\" 
width=\"67\" height=\"67\" src=\"\/wp-content\/uploads\/sites\/5\/2021\/10\/what-is-ISO-22301-Courses-button.png\" class=\"attachment-full size-full\" alt=\"-\">\n                    <\/div>\n                    <div class=\"button-content\">\n                        <span>ISO 27001 COURSES<\/span>\n                    <\/div>\n                    <a href=\"https:\/\/staging.advisera.com\/training\/iso-27001-training\/\"><\/a>\n                <\/div>\n                            <div class=\"iso-hero_button\">\n                    <div class=\"button-image\">\n                        <img decoding=\"async\" width=\"67\" height=\"67\" src=\"\/wp-content\/uploads\/sites\/5\/2021\/10\/what-is-ISO-22301-Free-Materials-button.png\" class=\"attachment-full size-full\" alt=\"-\">\n                    <\/div>\n                    <div class=\"button-content\">\n                        <span>FREE MATERIALS<\/span>\n                    <\/div>\n                    <a href=\"https:\/\/staging.advisera.com\/resources\/iso-27001-free-downloads\/\"><\/a>\n                <\/div>\n                    <\/div>\n    <\/div>\n<\/section><\/div><\/div><div id=\"panel-3894-0-0-1\" class=\"so-panel widget widget_content-with-sidebar-widget panel-last-child\" data-index=\"1\" ><div\n\t\t\t\n\t\t\tclass=\"so-widget-content-with-sidebar-widget so-widget-content-with-sidebar-widget-default-d75171398898-3894\"\n\t\t\t\n\t\t><section class=\"content-with-sidebar\">\n<div class=\"container\">\n\n    <div class=\"sidebar-area\">\n        <div class=\"sidebar-bg\"><\/div>\n        <div class=\"sidebar-wrapper\">\n            <div class=\"sidebar\">\n\n                                    <div class=\"single-post--meta mobile\" style=\"display:none\">\n                        <div class=\"post--meta meta-bigger-space\">\n                            <a href=\"https:\/\/staging.advisera.com\/27001academy\/author\/dejankosutic\/\"\n                            class=\"post--meta__item author link 
link-blue decoration-none\">\n                                <img decoding=\"async\" class=\"author--avatar\" src=\"\/wp-content\/uploads\/blog_authors\/dejankosutic.jpg\"\n                                    alt=\"Advisera Dejan Kosutic\">\n                                Dejan Kosutic                            <\/a>\n                            <a href=\"https:\/\/www.linkedin.com\/in\/dejankosutic\/\" target=\"_blank\" rel=\"noopener\"><i class=\"icon-linkedin\"><\/i><\/a>                             <a href=\"https:\/\/www.youtube.com\/@DejanKosutic\" target=\"_blank\" rel=\"noopener\"><svg width=\"21\" id=\"youtube-svg-icon\" style=\"enable-background:new 0 0 1000 1000;\" version=\"1.1\" viewBox=\"0 0 1000 1000\" xml:space=\"preserve\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" xmlns:xlink=\"http:\/\/www.w3.org\/1999\/xlink\"><style type=\"text\/css\">.st0{fill:#FF0000;}.st1{fill:#FFFFFF;}<\/style><title\/><g><path class=\"st0\" fill=\"#FF0000\" d=\"M500,1000L500,1000C223.9,1000,0,776.1,0,500v0C0,223.9,223.9,0,500,0h0c276.1,0,500,223.9,500,500v0   C1000,776.1,776.1,1000,500,1000z\"\/><path class=\"st1\" fill=\"#FFFFFF\" d=\"M818.2,339.1c-7.6-28.8-30.1-51.4-58.7-59.1c-51.8-14-259.4-14-259.4-14s-207.7,0-259.4,14   c-28.6,7.7-51.1,30.3-58.7,59.1C168,391.2,168,500,168,500s0,108.8,13.9,160.9c7.6,28.8,30.1,51.4,58.7,59.1   c51.8,14,259.4,14,259.4,14s207.7,0,259.4-14c28.6-7.7,51.1-30.3,58.7-59.1C832,608.8,832,500,832,500S832,391.2,818.2,339.1z    M432.1,598.7V401.3L605.6,500L432.1,598.7z\"\/><\/g><\/svg><\/a> \n                                                    <\/div>\n\n
<\/div>\n                \n                <h2 class=\"sidebar-title\">\n                    TABLE OF CONTENTS\n                <\/h2>\n\n                                    <div class=\"sidebar-item no-collapse\">\n                        <div class=\"sidebar-item-links\">\n                            <p><a class=\"scrollToAnchor\" href=\"#section1\">What is ISO 22301?<\/a><br \/>\n<a class=\"scrollToAnchor\" href=\"#section2\">The benefits<\/a><br \/>\n<a class=\"scrollToAnchor\" href=\"#section3\">Who can implement it?<\/a><br \/>\n<a class=\"scrollToAnchor\" href=\"#section4\">How does it work?<\/a><br \/>\n<a class=\"scrollToAnchor\" href=\"#section5\">How does business continuity fit?<\/a><br \/>\n<a class=\"scrollToAnchor\" href=\"#section6\">Basic terms<\/a><br \/>\n<a class=\"scrollToAnchor\" href=\"#section7\">Content<\/a><br \/>\n<a class=\"scrollToAnchor\" href=\"#section8\">Key clauses and requirements<\/a><br \/>\n<a class=\"scrollToAnchor\" href=\"#section9\">Implementation<\/a><br \/>\n<a class=\"scrollToAnchor\" href=\"#section10\">Mandatory documentation<\/a><br \/>\n<a class=\"scrollToAnchor\" href=\"#section11\">Certification<\/a><br \/>\n<a class=\"scrollToAnchor\" href=\"#section12\">Related standards<\/a><\/p>\n\n                        <\/div>\n                    <\/div>\n\n                            <\/div>\n        <\/div>\n    <\/div>\n    <div class=\"content-area\">\n        <div class=\"what-is-groups\">\n\n                            <div class=\"single-post--meta desktop\">\n                    <div class=\"post--meta meta-bigger-space\">\n                        <a href=\"https:\/\/staging.advisera.com\/27001academy\/author\/dejankosutic\/\" class=\"post--meta__item author link link-blue decoration-none\">\n
<img decoding=\"async\" class=\"author--avatar\" src=\"\/wp-content\/uploads\/blog_authors\/dejankosutic.jpg\"\n                                alt=\"Advisera Dejan Kosutic\">\n                            Dejan Kosutic                        <\/a>\n                        <a href=\"https:\/\/www.linkedin.com\/in\/dejankosutic\/\" target=\"_blank\" rel=\"noopener\"><i class=\"icon-linkedin\"><\/i><\/a>                         <a href=\"https:\/\/www.youtube.com\/@DejanKosutic\" target=\"_blank\" rel=\"noopener\"><svg width=\"21\" id=\"youtube-svg-icon\" style=\"enable-background:new 0 0 1000 1000;\" version=\"1.1\" viewBox=\"0 0 1000 1000\" xml:space=\"preserve\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" xmlns:xlink=\"http:\/\/www.w3.org\/1999\/xlink\"><style type=\"text\/css\">.st0{fill:#FF0000;}.st1{fill:#FFFFFF;}<\/style><title\/><g><path class=\"st0\" fill=\"#FF0000\" d=\"M500,1000L500,1000C223.9,1000,0,776.1,0,500v0C0,223.9,223.9,0,500,0h0c276.1,0,500,223.9,500,500v0   C1000,776.1,776.1,1000,500,1000z\"\/><path class=\"st1\" fill=\"#FFFFFF\" d=\"M818.2,339.1c-7.6-28.8-30.1-51.4-58.7-59.1c-51.8-14-259.4-14-259.4-14s-207.7,0-259.4,14   c-28.6,7.7-51.1,30.3-58.7,59.1C168,391.2,168,500,168,500s0,108.8,13.9,160.9c7.6,28.8,30.1,51.4,58.7,59.1   c51.8,14,259.4,14,259.4,14s207.7,0,259.4-14c28.6-7.7,51.1-30.3,58.7-59.1C832,608.8,832,500,832,500S832,391.2,818.2,339.1z    M432.1,598.7V401.3L605.6,500L432.1,598.7z\"\/><\/g><\/svg><\/a> \n                                                    \n                    <\/div>\n\n
<\/div>\n            \n            <p><em>Update: May 7, 2023.<\/em><\/p>\n<h2 id=\"section1\">What is ISO 22301?<\/h2>\n<p>The full name of this standard is ISO 22301:2019 Security and resilience \u2013 Business continuity management systems \u2013 Requirements. It is an international standard published by the International Organization for Standardization (ISO), and it describes how to manage business continuity in an organization. This standard is written by leading business continuity experts and provides the best framework for managing business continuity in an organization.<\/p>\n<p>One of the features that differentiates this standard from other business continuity frameworks\/standards is that an organization can become certified by an accredited certification body, and will therefore be able to prove its compliance to its customers, partners, owners, and other stakeholders.<\/p>\n<div class=\"post-featured\">\n<div class=\"post-featured--content\">\n<p>ISO 22301 defines business continuity management as a part of overall risk management in a company, partially overlapping with information security management and IT management. Implementation and certification are useful to prove your company\u2019s compliance to your partners, owners, and other stakeholders. ISO 22301 also helps you get new customers, by making it easier to demonstrate that you are among the best in the industry.<\/p>\n<\/div>\n<\/div>\n<h2>Relationship with ISO 22301:2012<\/h2>\n<p>The latest revision of ISO 22301 was published in October 2019. ISO 22301:2019 has replaced ISO 22301:2012, which was developed based on the British standard BS 25999-2. 
This 2019 revision does not bring big changes, but it definitely brings more flexibility and less prescriptiveness, adding more value to organizations and their customers.<\/p>\n<h2 id=\"section2\">What are the benefits of ISO 22301 \u2013 the business continuity standard?<\/h2>\n<p>There are four essential business benefits that a company can achieve with the implementation of this business continuity standard:<\/p>\n<p><strong>Comply with legal requirements.<\/strong> There are more and more countries defining laws and regulations requiring business continuity compliance. And beyond government interests, private businesses (e.g., financial institutions) are also requiring their suppliers and partners to implement business continuity solutions. And the good news is that ISO 22301 provides a perfect framework and methodology to support compliance with these requirements \u2013 by reducing administrative and operational effort, as well as the number of penalties to be paid. Read the article <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/laws-regulations-information-security-business-continuity\/\" target=\"_blank\" rel=\"noopener\">Laws and regulations on information security and business continuity<\/a> to see a list of business continuity legislation worldwide.<\/p>\n<p><strong>Achieve marketing advantage.<\/strong> If your company is ISO 22301 certified and your competitors aren\u2019t, you will have an advantage over them when it comes to customers who are sensitive about keeping the continuity of their operations, and the delivery of their products and services. 
Additionally, such certification can enhance your reputation and help you get new customers, by making it easier to demonstrate that you are among the best in the industry, leading to increased market share and higher profits.<\/p>\n<p><strong>Reduce dependence on individuals.<\/strong> More often than not, a company\u2019s critical activities rely on just a few people who are hard to replace \u2013 a situation painfully demonstrated when these people leave the organization. Executives who are aware of this can make use of business continuity practices to become far less dependent on those individuals (either by implementing replacement solutions or by documenting related tasks), meaning you can prevent a lot of headaches when someone leaves the organization.<\/p>\n<p><strong>Prevent large-scale damage.<\/strong> In a world of real-time services and transactions, every minute of downtime costs money \u2013 a lot of money. And, even if your business is not so sensitive to small periods of unavailability, disruptive incidents will cost you. By implementing business continuity practices compliant with ISO 22301, you will have a sort of insurance policy. Whether by preventing disruptive incidents from happening, or by becoming capable of faster recovery \u2013 your company will save money. And, the best thing of all is that your investment in ISO 22301 is far smaller than the cost savings you\u2019ll achieve.<\/p>\n<h2 id=\"section3\">Who can implement this standard?<\/h2>\n<p>Any kind of organization \u2013 large or small, for-profit or non-profit, private or public \u2013 can benefit from ISO 22301. 
The standard was conceived in such a way that it is applicable to any size or type of organization.<\/p>\n<p>ISO 22301 implementation and certification can be considered essential to any company legally required to engage in contingency planning, including energy, transport, health, and essential public services.<\/p>\n<h2 id=\"section4\"><strong>How does ISO 22301 work?<\/strong><\/h2>\n<p>The focus of ISO 22301 is to ensure the continuity of the delivery of products and services after the occurrence of disruptive events (e.g., natural disasters and man-made disasters). This is done by finding out business continuity priorities (through business impact analysis), identifying what potential disruptive events can affect business operations (through risk assessment), defining what needs to be done to prevent such events from happening, and then defining how to recover minimal and normal operations in the shortest time possible (i.e., risk mitigation or risk treatment). Therefore, the main philosophy of ISO 22301 is based on analyzing impacts and managing risks: find out which activities are more important and which risks can affect them, and then systematically treat those risks.<\/p>\n<p>The strategies and solutions that are to be implemented are usually in the form of policies, procedures, and technical\/physical implementation (e.g., facilities, software, and equipment). In most cases, organizations do not have all the facilities, hardware, and software in place \u2013 therefore, ISO 22301 implementation will involve not only setting organizational rules (i.e., writing documents) that are needed in order to prevent disruptive incidents, but also developing plans and allocating technical and other resources to make the continuity and recovery of business activities possible. Because such implementation will require a number of policies, procedures, people, assets, etc. 
to be managed, ISO 22301 has described how to fit all these elements together in the Business Continuity Management System (BCMS).<\/p>\n<h2 id=\"section5\">How does business continuity fit into overall management?<\/h2>\n<p>Business continuity is part of overall risk management in a company, with areas that overlap with information security management and IT management.<\/p>\n<p><img decoding=\"async\" class=\"size-full wp-image-24697 aligncenter\" src=\"\/wp-content\/uploads\/\/sites\/5\/2019\/11\/22301-risk.png\" alt=\"What is ISO 22301? Basics, how to comply, certification &amp; more\" width=\"1000\" height=\"632\" srcset=\"\/wp-content\/uploads\/sites\/5\/2019\/11\/22301-risk.png 1000w, \/wp-content\/uploads\/sites\/5\/2019\/11\/22301-risk-300x190.png 300w, \/wp-content\/uploads\/sites\/5\/2019\/11\/22301-risk-768x485.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<p style=\"text-align: center;\">Note: Risk management is part of overall corporate management.<\/p>\n<h2 id=\"section6\"><strong>Basic terms used in the standard<\/strong><\/h2>\n<ul>\n<li>Business Continuity Management System (BCMS) \u2013 part of an overall management system that makes sure business continuity is planned, implemented, maintained, and continually improved<\/li>\n<li>Maximum Acceptable Outage (MAO) \u2013 the maximum amount of time an activity can be disrupted without incurring unacceptable damage (also Maximum Tolerable Period of Disruption \u2013 MTPD)<\/li>\n<li>Recovery Time Objective (RTO) \u2013 the pre-determined time at which a product, service, or activity must be resumed, or resources must be recovered<\/li>\n<li>Recovery Point Objective (RPO) \u2013 maximum data loss, i.e., minimum amount of data used by an activity that needs to be restored<\/li>\n<li>Minimum Business Continuity Objective (MBCO) \u2013 the minimum level of services or products an organization needs to produce to achieve its defined objectives after resuming its business 
operations<\/li>\n<\/ul>\n<h2 id=\"section7\"><strong>Content of ISO 22301<\/strong><\/h2>\n<p>ISO 22301 is split into 11 sections, or clauses. Clauses 0 to 3 are introductory (and are not mandatory for implementation), while seven clauses (from 4 to 10) are the key clauses and are mandatory \u2013 meaning that all their requirements must be implemented in an organization if it wants to be compliant with the standard.<\/p>\n<p>According to Annex SL of the International Organization for Standardization ISO\/IEC Directives, the section titles in ISO 22301 are the same as those in ISO 27001:2013, ISO 9001:2015, and other management standards, enabling easier integration of these standards.<\/p>\n<h2 id=\"section8\">ISO 22301 requirements<\/h2>\n<p>Let\u2019s take a look at the requirements of ISO 22301, which are given in clauses 4 to 10.<\/p>\n<p><strong>Clause 4 - Context:<\/strong> Organizations must understand who they are, what they are doing, and which processes and outputs they must sustain. They must also determine who has a stake in the continuity of operations \u2013 interested parties \u2013 and what their expectations are. Also, legal and regulatory requirements must be identified and documented. With this information, the organization establishes and documents its ISO 22301 scope. When determining the scope, the organization\u2019s locations, missions, goals, products, and services must be considered.<\/p>\n<p><strong>Clause 5 - Leadership:<\/strong> For successful implementation of ISO 22301, organizations need the continuous support and leadership of top management. To show their commitment, the top management of the organization should develop, document, and communicate a policy within the organization and with interested parties while making resources available, directing and leading employees to contribute to the effectiveness of ISO 22301. 
For this purpose, organizational roles must be clearly defined with responsibilities, authorities, and competencies for each role.<\/p>\n<p><strong>Clause 6 - Planning:<\/strong> To plan for business continuity, organizations must understand what disruptions could potentially occur and how these incidents affect the business. Organizations must consider the consequences of risks, their impact, and the benefits of opportunities regarding their context and plan actions to address them. The standard also mandates organizations to set measurable BCMS objectives to guarantee the minimum viable products or services, as well as compliance with any legal or regulatory requirements. These objectives must be documented and communicated. To achieve them, organizations must have action plans within a timeframe, with responsibilities assigned.<\/p>\n<p><strong>Clause 7 - Support:<\/strong> No organization can advance without resources and support. Organizations must consider resource needs and provide them to meet their BCMS objectives. These resources may include infrastructure, technology, communication, competence, awareness, and documented information. The standard requires documented evidence of competence for the defined roles, such as training records, education, and professional background.<\/p>\n<p><strong>Clause 8 - Operation:<\/strong> This section of the standard describes the activities that should be performed to meet BCMS objectives and return to the normal way the organization operates. Key activities include:<\/p>\n<ul>\n<li><strong>Conducting and documenting a business impact analysis (BIA) and risk assessment.<\/strong> The BIA should identify the operational, legal, and financial impacts resulting from the disruption. While conducting the BIA, the duration of the disruption is an important input for determining impacts and, later, the recovery time. 
The risk assessment enables the organization to analyze the likelihood of disruption to its activities and resources. Learn more about the BIA in the article <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/how-to-implement-business-impact-analysis-bia-according-to-iso-22301\/\" target=\"_blank\" rel=\"noopener\">How to implement business impact analysis (BIA) according to ISO 22301<\/a>.<\/li>\n<li><strong>Developing a business continuity strategy.<\/strong> Companies are required to develop a continuity strategy using the information gathered from the risk assessment and business impact analysis. Business continuity strategy essentially means the development of options and the selection of the most appropriate actions, including mitigation, response, and recovery. You can learn more about the importance of recovery in the article <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2010\/03\/15\/can-business-continuity-strategy-save-your-money\/\" target=\"_blank\" rel=\"noopener\">Can business continuity strategy save your money?<\/a><\/li>\n<li><strong>Establishing and implementing business continuity procedures.<\/strong> Organizations are required to document business continuity plans and procedures based on the outputs of their strategy. The plans and procedures should have clear and specific steps for handling disruptions, well-defined roles and resource needs, and organized communication. For more information about developing plans and procedures, read the article <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/business-continuity-plan-how-to-structure-it-according-to-iso-22301\/\" target=\"_blank\" rel=\"noopener\">Business continuity plan: How to structure it according to ISO 22301<\/a>.<\/li>\n<li><strong>Exercising and testing the business continuity procedures.<\/strong> ISO 22301 requires periodic testing of plans and procedures to see if they are appropriate and effective. 
Test results must be reviewed and reported for recommendations and improvements. The article <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2015\/02\/02\/how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301\/\" target=\"_blank\" rel=\"noopener\">How to perform business continuity exercising and testing according to ISO 22301<\/a>\u00a0explains more about the purpose and ways of exercising and testing, as well as how to prepare and whom to include.<\/li>\n<\/ul>\n<p><strong>Clause 9 - Performance evaluation:<\/strong> Organizations need to consider performance indicators and metrics; monitor, measure, analyze, and evaluate them; and then document the results. Planned internal audits should be conducted to measure the level of conformance to the standard and the organization\u2019s own requirements. The audit program and results must be documented. Lastly, top management should review the effectiveness of the BCMS at planned intervals and document the results of these reviews.<\/p>\n<p><strong>Clause 10 - Improvement:<\/strong> Organizations shall have a methodology to address non-conformities, with root causes and corrective actions, as well as strategies for improvement on a continual basis. The standard mandates documented information for the evaluation of corrective actions. 
The organization needs to consider the results of the analysis and evaluation, and the outputs from the management review, to determine if there are needs or opportunities.<\/p>\n<h2 id=\"section9\">How do you implement ISO 22301?<\/h2>\n<p>To implement ISO 22301 in your company, you have to follow these <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/17-steps-for-implementing-iso-22301\/\" target=\"_blank\" rel=\"noopener\">17 steps<\/a>:<\/p>\n<p>1) Management support<br \/>\n2) Identification of requirements<br \/>\n3) <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso22301-documentation-toolkit\/?rel=business-continuity-policy-amp-bia&amp;doc=business-continuity-policy\" target=\"_blank\" rel=\"noopener\">Business continuity policy<\/a> and objectives<br \/>\n4) Support documents for management system<br \/>\n5) Risk assessment and treatment<br \/>\n6) Business impact analysis<br \/>\n7) <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso22301-documentation-toolkit\/?rel=business-continuity-strategy&amp;doc=business-continuity-strategy\" target=\"_blank\" rel=\"noopener\">Business continuity strategy<\/a><br \/>\n8) <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso22301-documentation-toolkit\/?rel=business-continuity-plan&amp;doc=business-continuity-plan\" target=\"_blank\" rel=\"noopener\">Business continuity plan<\/a><br \/>\n9) Training and awareness<br \/>\n10) Documentation maintenance<br \/>\n11) Exercising &amp; testing<br \/>\n12) Post-incident reviews<br \/>\n13) Communication with interested parties<br \/>\n14) Measurement and evaluation<br \/>\n15) Internal audit<br \/>\n16) Corrective actions<br \/>\n17) Management review<\/p>\n<p>For a more detailed explanation of these steps, see <a href=\"https:\/\/info.staging.advisera.com\/27001academy\/free-download\/project-checklist-for-iso-22301-implementation\" target=\"_blank\" rel=\"noopener\">Project checklist for ISO 22301 implementation<\/a>.<\/p>\n<h2 
id=\"section10\"><strong>Mandatory documentation<\/strong><\/h2>\n<p>If an organization wants to implement this standard, the following documentation is mandatory:<\/p>\n<ul>\n<li><a href=\"https:\/\/staging.advisera.com\/27001academy\/iso22301-documentation-toolkit\/?rel=management-system&amp;doc=list-of-legal-regulatory-contractual-and-other-requirements\" target=\"_blank\" rel=\"noopener\">List of applicable legal, regulatory and other requirements<\/a><\/li>\n<li>Scope of the BCMS<\/li>\n<li><a href=\"https:\/\/staging.advisera.com\/27001academy\/iso22301-documentation-toolkit\/?rel=business-continuity-policy-amp-bia&amp;doc=business-continuity-policy\" target=\"_blank\" rel=\"noopener\">Business continuity policy<\/a><\/li>\n<li>Business continuity objectives<\/li>\n<li>Evidence of personnel competences<\/li>\n<li>Procedure for communication with interested parties<\/li>\n<li>Records of communication with interested parties<\/li>\n<li>Records of disruption details, actions taken, and decisions made<\/li>\n<li>Incident response structure<\/li>\n<li><a href=\"https:\/\/staging.advisera.com\/27001academy\/iso22301-documentation-toolkit\/?rel=business-continuity-plan&amp;doc=business-continuity-plan\" target=\"_blank\" rel=\"noopener\">Business continuity plans<\/a><\/li>\n<li>Recovery procedures<\/li>\n<li>Results of monitoring and measurement<\/li>\n<li>Results of internal audit<\/li>\n<li>Results of management review<\/li>\n<li>Results of corrective actions<\/li>\n<\/ul>\n<p>To learn more details about mandatory documents, download this free <a href=\"https:\/\/info.staging.advisera.com\/27001academy\/free-download\/checklist-of-iso22301-mandatory-documentation\" target=\"_blank\" rel=\"noopener\">Checklist of ISO 22301 mandatory documentation (PDF)<\/a>.<\/p>\n<h2 id=\"section11\">ISO 22301 certification<\/h2>\n<p>An ISO 22301 certificate is proof that a company has met the requirements of the standard, as well as the company\u2019s commitment to business 
continuity. But is it mandatory? As with all ISO standards, ISO 22301 certification is voluntary and remains the choice of the organization. However, in many countries, for some business sectors, there are regulations for ISO 22301 certification. Examples can be found in industries like energy, finance, public transportation, and logistics. In addition, as mentioned before, companies gain many benefits from implementing the standard and getting certified by a third party after an assessment.<\/p>\n<p>Every organization \u2013 large or small \u2013 that has implemented ISO 22301 can apply to a certification body for assessment. But how can an organization get ISO 22301 certified? First, you must select a certification body. Selecting an accredited certification body is important, because accreditation bodies set rules for independent certification bodies, and accredited certification is internationally recognized. Certification bodies will ask you to send information about your organization, such as the number of employees and your core processes, so that they can submit an offer based on audit duration in man-days. Once you accept an offer and sign a contract with a certification body, your audit program starts.<\/p>\n<h2>Gap analysis and the two certification audit stages<\/h2>\n<p>Before the official audit program, there is an optional pre-audit called a gap analysis, in which the certification body takes a closer look at the existing Business Continuity Management System and compares it to the ISO 22301 requirements. It saves time and money by identifying those areas that require more effort before the formal assessment starts.<\/p>\n<p>The certification audit is carried out in two stages. During the first stage, the audit team checks if you meet the requirements of ISO 22301, such as mandatory documents and records, and looks over your implementation in general. It reviews your current business continuity management in the context of an ISO 22301 checklist.
If the audit team finds differences, it will allow you to close them. If you meet all the requirements, the auditors will complete the official certification readiness audit.<\/p>\n<p>Once you pass the certification audit, you will receive an ISO 22301 certificate valid for three years. For the next two years, you will have surveillance audits. Surveillance audits take less time, generally half the duration of the certification audit. At the end of the third year, you must have a re-certification audit before your certification validity ends. Keep in mind that before every audit, whether it is certification, surveillance, or re-certification, the lead auditor sends you an audit plan that includes which elements of the standard will be audited, and when. At the end of every audit, an audit report is submitted. It must at least include a statement of conformity for the audited areas. If there are findings that resulted in nonconformity, you must take corrective actions to maintain your certificate.<\/p>\n<h2>How long does it take to get ISO 22301 certification?<\/h2>\n<p>Depending on the scale and complexity of the organization and business, the duration of effective implementation varies. It also depends on the resources and effort of the organization. Generally speaking, for small or medium-sized companies with fewer compliance requirements, it may take from three to six months. For large organizations with many sites, or companies that have to comply with many regulations, this duration can be a year or even longer (in cases like multinational energy companies or public sector health institutions). But whatever the type of company, having a good and clear project plan for establishing ISO 22301 is essential.
Within this timescale, you\u2019ll also need to account for the certification audit period before having your certificate issued by a certification body.<\/p>\n<h2 id=\"section12\"><strong>Related standards<\/strong><\/h2>\n<p>Other standards that are helpful in implementing business continuity are:<\/p>\n<p>ISO\/IEC 27031 \u2013 Guidelines for information and communication technology readiness for business continuity<br \/>\nISO 22313 \u2013 Societal security \u2013 Business continuity management systems \u2013 Guidance<br \/>\nPAS 200 \u2013 Crisis management \u2013 Guidance and good practice<br \/>\nPD 25666 \u2013 Guidance on exercising and testing for continuity and contingency programmes<br \/>\nPD 25111 \u2013 Guidance on human aspects of business continuity<br \/>\nISO\/IEC 24762 \u2013 Guidelines for information and communications technology disaster recovery services<br \/>\nISO\/PAS 22399 \u2013 Guideline for incident preparedness and operational continuity management<br \/>\nISO\/IEC 27001 \u2013 Information security management systems \u2013 Requirements<\/p>\n<p><em>For implementing ISO 22301 yourself, easily and efficiently, use this helpful<\/em> <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso22301-documentation-toolkit\/\" target=\"_blank\" rel=\"noopener\">ISO 22301 Documentation Toolkit<\/a>.<\/p>\n<p><div id=\"custom-banner\" class=\"banner-shortcode no-bottom-border\"><\/div><\/p>\n\n\n                            <div class=\"author-resume\">\n                    <img decoding=\"async\" class=\"author--avatar\" src=\"\/wp-content\/uploads\/blog_authors\/dejankosutic.jpg\"\n                        alt=\"Advisera Dejan Kosutic\">\n                    <div class=\"author--role\">\n                        Author                    <\/div>\n                    <a href=\"https:\/\/staging.advisera.com\/27001academy\/author\/dejankosutic\/\" class=\"author--name\">\n                    Dejan Kosutic                    <\/a>\n
<div class=\"author--bio\">\n                        <p>CEO &amp; Lead Expert for ISO 27001, NIS 2, and DORA<\/p><br \/>\n<p>Leading expert on cybersecurity &amp; information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera&#8217;s clients, and that AI technology is crucial for achieving this.<\/p><br \/>\n<p>As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.<\/p><br \/>\n                    <\/div>\n                    \n                                    <\/div>\n            \n        <\/div>\n    <\/div>\n<\/div>\n<\/section>\n<\/div><\/div><\/div><\/div><\/div>","protected":false},"excerpt":{"rendered":"<p>What is ISO 22301? ISO 22301 TEMPLATES ISO 27001 COURSES FREE MATERIALS Dejan Kosutic TABLE OF CONTENTS What is ISO 22301? The benefits Who can implement it? How does it work? How does business continuity fit?
Basic terms Content Key clauses and requirements Implementation Mandatory documentation Certification Related standards Dejan Kosutic &nbsp; Update: May 7, &#8230;<\/p>\n","protected":false},"author":6,"featured_media":81408,"parent":0,"menu_order":31,"comment_status":"open","ping_status":"open","template":"page-what-is-iso.php","meta":{"_acf_changed":false,"footnotes":""},"toolkit-document-types":[],"class_list":["post-3894","page","type-page","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/pages\/3894","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=3894"}],"version-history":[{"count":2,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/pages\/3894\/revisions"}],"predecessor-version":[{"id":104442,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/pages\/3894\/revisions\/104442"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/81408"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=3894"}],"wp:term":[{"taxonomy":"toolkit-document-types","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/toolkit-document-types?post=3894"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}