The ISO 22301:2019 standard provides an internationally recognised framework for building a Business Continuity Management System (BCMS). Its high-level structure (HLS) makes integration with ISO 27001 and ISO 9001 straightforward. Here is a pragmatic ten-step method to drive your organisation toward certification, or simply toward proven resilience.
Step 1: Context of the organisation (clause 4)
Start by formalising the internal context (activities, dependencies, governance) and external context (clients, suppliers, regulators, interested parties). Define the scope of the BCMS: sites, business lines, functions included. A scope that is too broad paralyses the project; too narrow, and the system loses its value. Document exclusions with justification.
Step 2: Leadership and commitment (clause 5)
Top management must sign a continuity policy aligned with strategy, allocate resources (budget, time, skills) and appoint a BCMS owner with clear authority. Without visible sponsorship, the project stalls in committee. Management reviews become the quarterly steering mechanism.
Step 3: Planning for risks and opportunities (clause 6)
Identify risks that could prevent the BCMS from meeting its objectives (site loss, cyberattack, unavailability of a critical supplier). Set measurable objectives: RTO (Recovery Time Objective), RPO (Recovery Point Objective), MTPD (Maximum Tolerable Period of Disruption). Each objective gets an action plan and a named owner.
Step 4: Support and resources (clause 7)
Document the required competences and the human, infrastructure and technology resources. Prepare internal and external crisis communication plans: channels, template messages, spokespeople. Awareness must reach 100% of staff; training must cover all plan owners.
Step 5: Business Impact Analysis (BIA)
The BIA is the foundation of the BCMS. For each critical activity, measure:
- Financial, regulatory, reputational and human impacts of disruption
- Criticality over time (1h, 4h, 24h, 72h, 1 week)
- Resources needed for recovery (people, systems, data, suppliers, premises)
- Internal and external dependencies
The BIA produces per-process RTOs and RPOs, which drive the sizing of recovery solutions.
Step 6: Risk assessment
Complement the BIA with a risk assessment on major scenarios: major disaster, pandemic, cyberattack, supplier unavailability, social crisis. Use a recognised method (ISO 31000, EBIOS RM) and link each risk to a treatment plan: avoid, reduce, transfer, accept.
Step 7: Continuity strategies and solutions
Choose strategies that will enable you to meet RTO/RPO targets: hot/warm/cold backup site, cloud redundancy, extended remote working, customer rerouting, supplier priority contracts. Each strategy deserves a business case covering cost, lead time and effectiveness.
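As an added illustration of Steps 5 and 7 (not part of the article or of any product it describes), the following Python sketch derives the MTPD and RTO of each activity from the BIA's impact-over-time scores and then checks whether a candidate strategy meets the resulting RTO/RPO targets. The 1-to-5 impact scores, the intolerable threshold, the "RTO = half the MTPD" rule and the site parameters are constructed assumptions, not figures from the standard.

```python
from dataclasses import dataclass
# BIA time horizons from the article, in hours: 1h, 4h, 24h, 72h, 1 week
HORIZONS_H = (1, 4, 24, 72, 168)
INTOLERABLE = 4  # assumed: impact score (1-5) at which the disruption becomes unacceptable

@dataclass
class Activity:
    name: str
    impact: dict                  # horizon (hours) -> worst impact score across impact types
    data_loss_tolerance_h: float  # tolerable data loss in hours of work, i.e. the RPO

@dataclass
class Strategy:
    name: str
    recovery_time_h: float    # time to bring the activity back on the alternate solution
    replication_lag_h: float  # worst-case age of recovered data (backup or replication lag)

def mtpd_hours(activity):
    """MTPD: first BIA horizon at which the impact reaches the intolerable level."""
    for h in HORIZONS_H:
        if activity.impact.get(h, 0) >= INTOLERABLE:
            return h
    return None  # not intolerable within a week: no time-critical recovery objective

def rto_hours(activity, margin=0.5):
    """RTO must sit strictly below the MTPD; assumed policy here: half of it."""
    mtpd = mtpd_hours(activity)
    return None if mtpd is None else mtpd * margin

def evaluate(activity, strategy):
    """Check one candidate strategy against the activity's RTO and RPO."""
    rto = rto_hours(activity)
    return {
        "activity": activity.name, "strategy": strategy.name,
        "mtpd_h": mtpd_hours(activity), "rto_h": rto, "rpo_h": activity.data_loss_tolerance_h,
        "rto_met": rto is None or strategy.recovery_time_h <= rto,
        "rpo_met": strategy.replication_lag_h <= activity.data_loss_tolerance_h,
    }

def first_adequate(activity, strategies):
    """Strategies listed cheapest first: return the first one meeting both objectives."""
    for s in strategies:
        r = evaluate(activity, s)
        if r["rto_met"] and r["rpo_met"]:
            return s.name
    return None  # gap: no candidate strategy covers this activity
# Constructed sample data, not taken from any real BIA; scores are illustrative
PAYMENTS = Activity("Card payments", {1: 2, 4: 4, 24: 5, 72: 5, 168: 5}, 0.25)
PAYROLL = Activity("Monthly payroll", {1: 1, 4: 1, 24: 2, 72: 3, 168: 4}, 24)
COLD_SITE = Strategy("Cold site restored from daily backup", 48, 24)
HOT_SITE = Strategy("Hot site with synchronous replication", 1, 0.1)
```

Running `first_adequate(PAYMENTS, [COLD_SITE, HOT_SITE])` selects the hot site (MTPD 4h, RTO 2h, RPO 15 min), while the payroll activity is covered by the cheaper cold site; an activity for which it returns `None` is a gap to carry into the business case.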
Step 8: Continuity and recovery plans
Draft operational plans: BCP (Business Continuity Plan) per activity, DRP (Disaster Recovery Plan) for IT, IRP (Incident Response Plan) for cyber, cross-cutting Operations Continuity Plan. Each plan follows the same structure: triggering, teams, chronological actions, resources, communication, return to normal. Reflex cards summarise the first 30 minutes.
Step 9: Exercises and tests (clause 8.5)
No plan is credible without exercising. Plan over three years:
- Tabletop exercises: 2 to 4 per year, 2 to 4 hours each
- Partial simulation exercises: 1 to 2 per year
- IT failover (DRP) exercises: 1 to 2 per year
- Full multi-site exercise: 1 every two years
Each exercise produces a report with identified gaps, corrective actions and deadlines.
Step 10: Performance evaluation and improvement (clauses 9 and 10)
Put steering in place: key indicators (BCP coverage rate, exercise rate, mean time to detect, observed effective RTO), annual internal audits, semi-annual management reviews. Non-conformities trigger documented corrective actions. Continuous improvement feeds the next PDCA cycle.
Summary: key success factors
| Factor | Impact on certification |
|---|---|
| Management sponsorship | Critical |
| Up-to-date and exhaustive BIA | Very high |
| Realistic and documented exercises | Very high |
| Rigorous document management | High |
| Integration with ISO 27001 | High |
Learn more
ResiPlan supports ISO 22301 implementation end-to-end: collaborative BIAs, library of template plans, exercise planner, maturity dashboards, automated audit evidence. The 8 plan types (BCP, BRP, DRP, IRP, ERP, CMP, CCP, SRP) are preconfigured to the standard.
Sources: ISO 22301:2019, ISO 22313:2020 (implementation guidance), BCI Good Practice Guidelines 2023, AFNOR publications on business continuity.