How Do I Get Certified to ISO 22301?

Published on December 03, 2018

Last updated on March 05, 2025

If you are looking to open up new opportunities for your business and satisfy supply chain regulatory requirements by certifying to the International Organisation for Standardisation (ISO) 22301, then you have come to the right place. Here's an overview of the process involved, from initial training through to ISO certification.

What is ISO 22301?

When disaster strikes, business continuity management systems are essential for the minimisation of disruption. The International Organisation for Standardisation (ISO) 22301 is the set of international standards that inform business continuity in these cases.

Updates to ISO 22301 Certification

The first edition of the standard (ISO 22301:2012) was created in 2012. The most recent update came in 2019, with the creation of ISO 22301:2019. The two editions are very similar in content. However, the updated version uses clearer terminology in alignment with other ISO standards. It also allows more implementation flexibility for different kinds of businesses and organisations.

How to Get Certified to ISO 22301

Perhaps you have been tasked with starting the implementation of a Business Continuity Management System (BCMS) with little prior knowledge and have decided to follow the ISO standard as an assurance of good practice. Or you may already have mature business continuity arrangements and practices in place and want to pursue certification to support key business objectives.

There are two stages to getting certified in ISO 22301. The first is to understand and implement the recommended ISO business continuity requirements; the second is to get externally audited to receive official accreditation.

Implementing ISO 22301 Business Continuity Requirements


The Plan-Do-Check-Act (PDCA) model is a tried and tested method for the implementation of new processes within organisations. The following steps for the implementation of an ISO 22301 compliant business continuity strategy are based on this framework.

  • Get support from top-level management for the implementation of an ISO compliant business continuity management system.
  • Arrange in-house training for staff to ensure that everyone understands the requirements of the standard.
  • Conduct a business impact analysis (BIA) to identify risks.
  • Conduct a gap analysis against ISO requirements to identify weaknesses in your organisation.
  • Apply changes to your organisation by creating or updating your business continuity management system.
  • Assess your progress against the ISO 22301 standard.
  • Identify and agree on corrective actions to address any nonconformities.
  • Assign and complete the corrective actions.
  • Provide training to ensure that employees understand business continuity objectives and are able to use the business continuity management system.
  • Conduct a mock audit covering all elements of ISO 22301.

Gaining official accreditation to ISO 22301

Once you are confident your business complies with ISO 22301, you can seek out an accredited certification body which provides ISO management system certification and inspection services to organisations within the UK. Examples of bodies providing audit and certification are the British Standards Institution (BSI) and Amtivo (formerly Certification Europe), both of which are accredited to ISO 22301.

You would then arrange a formal assessment to audit your BCMS internally to ISO 22301 with your chosen accredited certification body.

Once completed, certification to the Business Continuity Management Standard lasts for three years and is subject to mandatory audits every year to ensure that you remain compliant.

At the end of the three years, you will be required to complete a reassessment audit in order to hold the certification for an additional three years.

Our expert business analysts can assist you through every step of the process, and each stage can be aligned with the ISO standard and facilitated via our business continuity management software.

The Clauses and Requirements of ISO 22301


We have summarised ISO 22301 documentation clauses below. The first three clauses are introductory, while the last seven detail the requirements of the ISO 22301 standard.

1. Scope

Outline what is included in the ISO 22301 document and what kind of organisations are subject to the recommended guidelines therein.

2. Normative References

Explain how document references should be taken into account, depending on whether they are dated or undated.

3. Terms and Definitions

A list of the terms and definitions used in ISO 22301; both these and the terms and definitions of ISO 22300 apply.

4. Context

Identifying organisational context entails that organisations understand the landscape in which they operate. Both the internal and external contexts need to be taken into consideration and are defined as follows:

  • Internal context: organisation structure, culture, and capacity.
  • External context: outward factors (e.g. political circumstances, legal situations) that could impact business operations.

5. Leadership

High-quality leadership is crucial for the success of business continuity. This clause emphasises the role of top management in demonstrating commitment to establishing a business continuity policy.

6. Planning

The planning stage defines the recommended process for setting up objectives for a business continuity management system. From the implementation to internal auditing, Continuity2 business continuity software can help with this.

7. Support

This clause focuses on the support systems organisations need, and includes five main components:

  • Resources
  • Awareness
  • Competence
  • Communication
  • Documented information

8. Operations

This clause sets out the six procedural requirements organisations should follow to ensure that services are able to continue even in the context of business complications and disruptions:

  • Operational Planning and Control: the identification of business continuity management processes and the method by which they will be conducted.
  • Resource Management: the plan for how resources will be allocated in the face of disruptive events.
  • Incident Management: contingency planning for how organisations will respond to specific incidents.
  • Business Continuity Exercises: testing processes through which organisations ascertain the viability of business continuity plans.
  • Performance Assessment: an evaluation of how successful the business continuity policy is.
  • Continual Improvement: corrective actions organisations take to ensure the streamlining of their business continuity management systems.

9. Performance Evaluation

To ascertain the success of a business continuity plan, you must monitor and evaluate its performance. This includes determining which metrics to use in evaluation, conducting internal audits, and measuring improvement to ensure that the BCMS remains aligned with the organisation's business continuity objectives.

10. Improvement

Off the back of the evaluation, clause 10 highlights the importance of identifying opportunities for continual improvement, which includes executing corrective and preventative measures.

What Are The Benefits of Achieving ISO 22301 Certification?

Certification ensures you have taken the correct steps to protect your business, and that you have equipped your staff with the tools to survive in the event of a major incident or disaster. It also shows potential clients and suppliers you have taken a proactive approach to minimise the impact of incidents.

With an ISO 22301 certification in place, your organisation will be able to:

  • Recover from disruptive incidents quickly: Organisational disruption costs time, money, and potential reputation. If you have a solid business continuity management system in place, you will minimise recovery time and get the show back on the road in no time.
  • Comply with contractual obligations: While being certified to ISO 22301 is not a legal requirement, it is expected that organisations in the public sector and financial sphere adhere to mandated continuity guidelines. These tend to be based on, or at least in alignment with, ISO 22301.
  • Gain a competitive advantage: Research shows having a business continuity certification will bolster stakeholder perception of organisational trustworthiness, which will give you a competitive edge against those who are not certified.
  • Enhance employee trust: When employees feel secure that their employer has a plan in the event of a disaster, it increases job security and satisfaction.
  • Increase resilience against uninsurable risks such as natural disasters or reputational damage.

How Can a Business Continuity Management System Help?

As you can tell, implementing a robust continuity management strategy that aligns with ISO 22301 can be a long and complicated process. The many interlinking components of the standard are like a web: highly effective at catching problems if successfully implemented, a tangled mess if not.

With C2, you don't need to worry about trying to manually track your business continuity management. Our business continuity software is designed to be easy to navigate, with the Plan-Do-Check-Act model in mind. Here is how C2 software features will help your organisation become ISO 22301 compliant:

| ISO 22301 Clause | How C2 Meridian BCMS Can Help |
| --- | --- |
| Clause 4: Context | Assess, analyse, and document internal and external risks, and map them to processes, assets, and locations with integrated Risk Management. |
| Clause 5: Leadership | Ensure that business continuity documentation is well-structured, accessible, controlled, and aligned with leadership's strategic objectives with Document Management. |
| Clause 6: Planning | Leverage the Risk Management module to ensure risks, objectives, and changes affecting business continuity are systematically identified, assessed, and managed. |
| Clause 7: Support | Maintain open lines of communication with the Incident Management and Call List to ensure everyone has what they need when they need it. |
| Clause 8: Operations | With BIA, Management Information, and Exercise & Testing modules, ensure effective business continuity planning, real-time monitoring, and validated response capabilities for operational resilience. |
| Clause 9: Performance Evaluation | Take full advantage of real-time performance monitoring and reporting via the Management Information dashboard, while the Audit & Compliance module ensures systematic evaluation, internal audits, and regulatory compliance. |
| Clause 10: Improvement | Assign and track areas for improvement with Corrective Action. |

To get a full run-through of all features and get a feel for how C2's Meridian BCMS can help your organisation, book a demo today.

ISO 22301 FAQs

Who Needs ISO 22301?

Organisations of all sizes benefit from a robust business continuity strategy. From small non-profits to large scale businesses, the ISO 22301:2019 standard has been designed for organisations of all types.

How Much Does ISO 22301 Certification Cost?

Depending on the annual turnover of your organisation, ISO 22301 certification tends to cost between £2,000 and £5,000. Getting certified in ISO 22301 isn't cheap. Still, in the event of a disruptive incident, it is more than worth the investment for the amount of time and money saved.

How Long Does It Take to Get Certified?

It typically takes small- to medium-sized businesses 3-6 months and larger businesses around 12 months to get certified to ISO 22301.

Written by Aimee Quinn

Resilience Manager at Continuity2

With an Honours degree in Risk Management from Glasgow Caledonian University and 6+ years in Business Risk and Resilience, Aimee looks after the design and implementation of Business Continuity Management Systems (BCMS) across all clients. From carrying out successful software deployments to achieving ISO 22301, Aimee helps make companies more resilient and their lives easier in the long run.
