Skip links

Business continuity management ISO 22301


ISO 22301:2012 defines the international standard related to an organization's business continuity.

ISO 22301 specifies requirements for planning, implementing, managing and continuously improving a documented management system to prepare for, respond to and recover from unforeseeable or accidental events, such as:

- Natural disasters
- Market turmoil
- Terrorist acts
- Physical interruptions of the security state
- Infrastructure failures
- Fraud or hacking actions

The standard was developed to minimize the risk of disruption to the activities of each organization.

Applying the requirements of ISO 22301 enables the organization to be able to demonstrate to stakeholders that a business continuity management system modeled on globally recognized best practices is in place.

The standard requires working on broad objectives, which is why it is not prescriptive and can be applied by all Organizations, regardless of their size or whether they operate in local, national and global markets or are public or private.


- Be prepared to deal with business issues that would stop the production process
- Have added value over the competition and be evaluated by an Independent Third Party
- Keeping track of your company's strategic business goals and key services


In addition to all the benefits mentioned above, ISO 22301 Certification is an essential tool especially for:

- Minimize the time to restore operations to full capacity
- Ensure survival in the event of business interruption and restoration of operations within predetermined time frames
- Reduce the risks of business interruption


Initially, efforts should be directed at understanding the nature of the Organization, identifying its critical activities, assessing the threats to which they are exposed and the potential impact related to a possible work/production interruption, determining continuity requirements and risk appetite.

In this way, the scope of the Business Continuity Management System (BCMS) can be identified, taking into account:

- Strategic business objectives
- Products and key services
- Processes needed to achieve them and correlation with organizational structure
- Risk appetite and applicable regulatory and contractual obligations.

Plan development can follow the stages of the Deming cycle (PDCA):


Define the Business Continuity strategy, aimed at recovering any critical activities and managing interactions.


Create a control structure and provide for the drafting of a management plan.


everything implemented must be maintained in operation and monitored continuously.


the plan becomes part of the organization's culture, employees are educated about maintaining its values and management over time, finally the plan is, periodically updated.

A business continuity plan must be continuously tested and updated to achieve maximum adherence to business needs; even a small change in any one basic component of the process can alter the effectiveness of the plan.

The guarantee of success depends on a number of interrelated factors, including:

- Time
- Continuous updating of solutions
- Continuous evaluation of the relationship between cost/complexity of the solution and between business value/priority and normative of the protected process
- Overall costs
- Extent of impact among the functions involved