Guide

How to implement a BCMS with ISO 22301

Guide to implementing a Business Continuity Management System (BCMS) aligned with ISO 22301. BIA, continuity strategies, plans, and exercises.

ISO 22301 sets requirements for a Business Continuity Management System (BCMS). It enables the organization to prepare for, respond to, and recover from disruptions affecting critical operations.

Step by step

Conduct the Business Impact Analysis (BIA)

Identify the organization's critical activities, their dependencies, and the impact of their interruption over time. Define the MTPD (maximum tolerable period of disruption) and RTO (recovery time objective) for each activity.

Auditor tip: The BIA should be done with process owners, not IT alone. Criticality is defined by the business, not technology. A manual process can be more critical than an automated one.

Assess disruption risks

Identify threats that can disrupt critical activities: cyberattacks, natural disasters, supplier failures, pandemics. Assess likelihood and impact to prioritize treatment.

Auditor tip: Do not limit yourself to obvious risks. The supply chain is the most underestimated source of disruption. Map critical supplier dependencies and their own continuity plans.

Define continuity strategies

For each critical activity, define how to maintain operations during a disruption. Strategies may include alternative sites, system redundancy, backup suppliers, and remote work.

Auditor tip: Each strategy has a cost. Present to management the strategy cost vs. the estimated cost of disruption without a plan. This facilitates budget approval.

Develop continuity and incident response plans

Document response, activation, contingency operation, and recovery procedures. Include roles, emergency contacts, communication trees, and activation criteria.

Auditor tip: The plan must be usable under pressure. If it has more than 20 pages, nobody will read it in a crisis. Use checklists and flowcharts, not lengthy narratives.

Conduct exercises and tests

Conduct periodic exercises (tabletop, simulations, and live tests) to validate that plans work. Document results, lessons learned, and identified improvements.

Auditor tip: Start with tabletop exercises (low cost, low risk) and progress toward more complex simulations. An exercise never conducted is a plan never tested.

Integrate continuous improvement

Use results from exercises, real incidents, and internal audits to update plans and strategies. The management review must evaluate BCMS effectiveness at least annually.

Auditor tip: After each real incident, conduct a formal post-incident analysis. Real incidents are the best source of improvement, but only if documented and analyzed.

Key takeaways

The BIA is the heart of the BCMS: without it, continuity strategies lack foundation.
A continuity plan not tested with exercises is just a document: it does not protect the organization.
The supply chain is the weakest link in most organizations. Assess the continuity of your critical suppliers.
Plans must be concise and actionable. In a crisis, nobody reads 50-page manuals.

Frequently asked questions

The DRP (Disaster Recovery Plan) focuses on IT recovery. The BCP (Business Continuity Plan) covers the entire business operation, including people, processes, and facilities. The DRP is a component of the BCP.

At minimum annually, but semi-annually is recommended for critical activities. After significant changes in the organization, infrastructure, or suppliers, an additional exercise is required.

Yes. Both share the high-level structure (HLS) and ISO 27001 includes continuity controls in its Annex A (A.5.29 and A.5.30). Integration reduces documentation and effort duplication.

Professional guidance for your implementation

Assessment within 72 business hours. ISO methodology. No ties to certification bodies.

Request diagnosis

Loading content…

Key takeaways

The BIA is the heart of the BCMS: without it, continuity strategies lack foundation.

A continuity plan not tested with exercises is just a document: it does not protect the organization.

The supply chain is the weakest link in most organizations. Assess the continuity of your critical suppliers.

Plans must be concise and actionable. In a crisis, nobody reads 50-page manuals.

Frequently asked questions

At minimum annually, but semi-annually is recommended for critical activities. After significant changes in the organization, infrastructure, or suppliers, an additional exercise is required.

Yes. Both share the high-level structure (HLS) and ISO 27001 includes continuity controls in its Annex A (A.5.29 and A.5.30). Integration reduces documentation and effort duplication.