What is business continuity/ISO 22301 and why do you need it?

You might already have a BCP (business continuity plan) – or other contingency plan – in place in the event of a disruptive incident, such as a natural disaster.

However, because these plans aren’t necessarily based on a proper risk analysis, they can become outdated quickly, leaving your organisation vulnerable should disaster strike. This is where an effective BCMS (business continuity management system) can vastly improve things.

What is business continuity management?

BCM (business continuity management) manages risks to handle the threat of business activities or processes being interrupted by external and/or internal factors.

The activities involved in BCM ensure that an organisation can respond effectively in the event of a disruption and that mission-critical functions continue to provide an acceptable level of service.

Effective BCM can be achieved by implementing a BCMS. A BCMS allows an organisation to update, control and deploy effective plans that take into account the organisation’s contingencies and capabilities, as well as the overall business needs and requirements.

What is ISO 22301?

ISO 22301:2012 (ISO 22301) is the international standard for BCM. It outlines the specific requirements for implementing an effective BCMS.

A BCMS aligned with ISO 22301 is based on analysis and takes into consideration the organisation as an entirety. It will include disaster recovery and business continuity plans that focus on the recovery of specific operations, functions, sites, services, etc.

Winning new business contracts, protecting revenue and profits, optimal recovery from a damaging incident, and compliance with regulatory requirements are all benefits of an ISO 22301-aligned BCMS.


Although many organisations will have BCPs in place, they are not enough to ensure adequate continuity of services in the event of a disruption. BCPs alone are based on guesswork and are untested, and they also become quickly outdated because of a lack of regular review from management.

A BCMS, however, is based on comprehensive analysis that is regularly reviewed by management and updated. Also, awareness of a BCMS is organisation-wide and is embedded in the company culture – something that a BCP lacks.

BCMS and cyber resilience

Cyber resilience is an essential survival tool for organisations in today’s ever-changing cyber and environmental landscapes. It involves organisations not only protecting themselves from a disruption, but also responding to and recovering from one.

Combining an ISMS (information security management system) and BCMS is the most robust way to build cyber resilience to ensure your organisation can return to business as usual as quickly as possible.

Start your BCM journey

Although certification to ISO 22301 may not be the route your organisation wishes to take, using the Standard as a framework for implementing your BCMS is the most effective way to ensure organisational resilience.

IT Governance’s ISO 22301 Gap Analysis will assess any current business continuity arrangements against the Standard and provide you with a roadmap to implement an effective BCMS.

Learn more about the ISO 22301 Gap Analysis >>

If you want to read more about business continuity and ISO 22301, download our free green paper >>