Published on December 03, 2018
Last updated on March 05, 2025
If you are looking to open up new opportunities for your business and satisfy supply chain regulatory requirements by certifying to the International Organisation for Standardisation (ISO) 22301, then you have come to the right place. Here's an overview of the process involved, from initial training through to ISO certification.
When disaster strikes, business continuity management systems are essential for the minimisation of disruption. The International Organisation for Standardisation (ISO) 22301 is the set of international standards that inform business continuity in these cases.
The first edition of the certification (ISO 22301:2012) was created in 2012. It was most recently updated in 2019, with the creation of ISO 22301:2019. The two standards are very similar in content. However, the updated version uses clearer terminology in alignment with other ISO standards. It also allows more implementation flexibility for different kinds of businesses and organisations.
Perhaps you have been tasked with starting the implementation of a Business Continuity Management System (BCMS) with little prior knowledge and have decided to follow the ISO standard as an assurance of good practice. Or you may already have mature business continuity arrangements and practices in place and want to pursue certification to support key business objectives.
There are two stages to getting certified in ISO 22301. The first is to understand and implement the recommended ISO business continuity requirements; the second is to get externally audited to receive official accreditation.
The Plan-Do-Check-Act (PDCA) model is a tried and tested method for the implementation of new processes within organisations. The following steps for the implementation of an ISO 22301 compliant business continuity strategy are based on this framework.
Once you are confident your business complies with ISO 22301, you can seek out an accredited certification body which provides ISO management system certification and inspection services to organisations within the UK. Examples of bodies providing audit and certification are the British Standards Institution (BSI) and Amtivo (formerly Certification Europe), both of which are accredited to ISO 22301.
You would then arrange a formal assessment to audit your BCMS internally to ISO 22301 with your chosen accredited certification body.
Once completed, the Business Continuity Management Standard lasts for three years and is subject to mandatory audits every year to ensure that you are compliant.
At the end of the three years, you will be required to complete a reassessment audit in order to receive the standard for an additional three years.
Our expert business analysts can assist you through every step of the process, and each stage can be aligned with the ISO standard and facilitated via our business continuity management software.
We have summarised ISO 22301 documentation clauses below. The first three clauses are introductory, while the last seven detail the requirements of the ISO 22301 standard.
Outline what is included in the ISO 22301 document and what kind of organisations are subject to the recommended guidelines therein.
Explain how document references should be taken into account, depending on whether they are dated or undated.
A list of the terms and definitions used in the ISO 22301; both these and the terms and definitions of ISO 22300 apply.
Identifying organisational context entails that organisations understand the landscape in which they operate. Both the internal and external contexts need to be taken into consideration and are defined as follows:
High-quality leadership is crucial for the success of business continuity. This clause emphasises the role of top management in demonstrating commitment to establishing a business continuity policy.
The planning stage defines the recommended process for setting up objectives for a business continuity management system. From the implementation to internal auditing, Continuity2 business continuity software can help with this.
This clause focuses on the support systems organisations need, and includes five main components:
The six procedural requirements organisations should follow to ensure that services are able to continue even in the context of business complications and disruptions.
To ascertain the success of a business continuity plan, you must monitor and evaluate its performance. This includes determining which metrics to use in evaluation, conducting internal audits, and measuring improvement to ensure that the BCMS remains aligned with the organisation's business continuity objectives.
Off the back of the evaluation, clause 10 highlights the importance of identifying opportunities for continual improvement, which includes executing corrective and preventative measures.
Certification ensures you have taken the correct steps to protect your business, and that you have equipped your staff with the tools to survive in the event of a major incident or disaster. It also shows potential clients and suppliers you have taken a proactive approach to minimise the impact of incidents.
With an ISO 22301 certification in place, your organisation will be able to:
As you can tell, a robust continuity management strategy that aligns with ISO 22301 can be a long and complicated process. The many interlinking components of the standard are like a web, highly effective at catching problems if successfully implemented. A tangled mess, if not.
With C2, you don't need to worry about trying to manually track your business continuity management. Our business continuity software is designed to be easy to navigate, with the Plan-Do-Check-Act model in mind. Here is how C2 software features will help your organisation become ISO 22301 compliant:
| ISO 22301 Clause | How C2 Meridian BCMS Can Help |
| --- | --- |
| Clause 4: Context | Assess, analyse, and document internal and external risks, and map them to processes, assets, and locations with integrated Risk Management. |
| Clause 5: Leadership | Ensure that business continuity documentation is well-structured, accessible, controlled, and aligned with leadership's strategic objectives with Document Management. |
| Clause 6: Planning | Leverage the Risk Management module to ensure risks, objectives, and changes affecting business continuity are systematically identified, assessed, and managed. |
| Clause 7: Support | Maintain open lines of communication with the Incident Management and Call List to ensure everyone has what they need when they need it. |
| Clause 8: Operations | With BIA, Management Information, and Exercise & Testing modules, ensure effective business continuity planning, real-time monitoring, and validated response capabilities for operational resilience. |
| Clause 9: Performance Evaluation | Take full advantage of real-time performance monitoring and reporting via the Management Information dashboard, while the Audit & Compliance module ensures systematic evaluation, internal audits, and regulatory compliance. |
| Clause 10: Improvement | Assign and track areas for improvement with Corrective Action. |
To get a full run-through of all features and get a feel for how C2's Meridian BCMS can help your organisation, book a demo today.
Organisations of all sizes benefit from a robust business continuity strategy. From small non-profits to large scale businesses, the ISO 22301:2019 standard has been designed for organisations of all types.
Depending on the annual turnover of your organisation, ISO 22301 certification tends to cost between £2,000 and £5,000. Getting certified in ISO 22301 isn't cheap. Still, in the event of a disruptive incident, it is more than worth the investment for the amount of time and money saved.
It typically takes small- to medium-sized businesses 3-6 months and larger businesses around 12 months to get certified to ISO 22301.
Resilience Manager at Continuity2
With an Honours degree in Risk Management from Glasgow Caledonian University and 6+ years in Business Risk and Resilience, Aimee looks after the design and implementation of Business Continuity Management Systems (BCMS) across all clients. From carrying out successful software deployments to achieving ISO 22301, Aimee helps make companies more resilient and their lives easier in the long run.