ISO 22301 Consultancy — Business Continuity Management · Crescent Quality Certifications


ISO 22301: stay standing when things break.

A business continuity management system built on honest impact analysis, agreed recovery objectives, tested plans, and post-incident discipline — not PDFs that fail on the first real outage.

What it is

The international standard for business continuity management.

ISO 22301 specifies the requirements for a business continuity management system. The standard is rooted in a simple bargain — identify what disruptions could plausibly affect your organisation, understand what the consequences would be, agree how quickly you need to recover, and build and test the capability to do so.

It is deliberately agnostic about the nature of disruption. Cyber incident, fire, flood, pandemic, key-supplier failure, civil unrest, power outage — the standard treats each as a cause of potential interruption and requires you to prepare for the consequences rather than the cause. Certification confirms that the capability exists, has been tested, and is maintained.

Who needs it

Organisations where an outage has material customer, regulatory, or financial consequences.

Banks, insurers, payments firms, critical infrastructure operators, hospital groups, logistics networks, data-centre operators, and SaaS providers serving enterprise customers are the primary adopters. Increasingly, professional-services firms handling regulated or time-critical client work pursue certification because their clients now include BCMS capability in RFPs. Regulators in several jurisdictions — RBI for payments, DORA in the EU for financial services — have made tested continuity capability effectively mandatory.

Benefits

What a well-built BCMS earns you.

01 Regulatory and contractual readiness.

RBI IT-outage directives, EU DORA, UK FCA expectations, and similar regimes align closely with ISO 22301. The certificate shortens compliance conversations materially.

02 Tested recovery capability.

The difference between a plan and a tested capability is measured in millions on the day of an incident. The standard forces actual tests, not desk reviews.

03 BIA-driven prioritisation.

Business impact analysis is the engine of a good BCMS. Done honestly, it re-prioritises investment away from theoretical scenarios towards the disruptions that actually matter.

04 Vendor and customer confidence.

Enterprise procurement increasingly asks for ISO 22301 or equivalent. For cloud and SaaS providers, its absence is often a deal-blocker.

05 Insurance positioning.

Cyber and business-interruption insurers use the presence of a tested BCMS in underwriting, coverage scope, and claim response.

06 Incident command discipline.

Crisis-management structures, escalation, communication trees, and recovery playbooks are established before they are needed, not after.

Requirements, in outline

What the standard actually asks of you.

Clause 4 requires understanding the organisation, its context, and the needs of interested parties (including regulators and customers), and defining the scope of the BCMS. Clause 5 places accountability for business continuity with top management, including a business continuity policy and defined roles. Clause 6 covers planning: risks, opportunities, and business continuity objectives.

Clause 7 covers support: resources, competence, awareness, communication, and documented information. Clause 8 is the operational heart: business impact analysis (identifying prioritised activities, MAO/RTO/RPO), risk assessment of disruption scenarios, business continuity strategies and solutions, continuity plans and procedures, and an exercise programme that actually tests the capability. Clause 9 covers evaluation (monitoring and measurement of BCMS performance, internal audit, and management review). Clause 10 covers non-conformity, corrective action, and continual improvement. The 2019 revision aligned the standard with the harmonised high-level structure and emphasised the role of senior management throughout.

Our approach

Five stages, from discovery to certificate.

01 BCMS scoping

Agree the organisational scope, identify interested parties (including regulators), and position the BCMS alongside any existing disaster recovery, incident management, or crisis communications capability.

02 Business impact analysis

Interview process owners to identify prioritised activities, impacts over time, and resource dependencies. Translate the results into MAO, RTO, and RPO for each prioritised activity.

03 Strategies & plans

Continuity strategies per prioritised activity, tactical plans at the level of detail someone running the response will actually use, and a crisis management / communications structure.

04 Exercise programme

Tabletop and technical exercises proportionate to the scope. Lessons learned fed back into plans, risk register, and training.

05 Certification audit

Attendance at Stage 1 and Stage 2 audits, findings response, and support through surveillance. Particular attention to exercise evidence and post-exercise improvement.

Timeline & investment

Honest ranges, not placeholder pricing.

An organisation with an existing disaster recovery capability and engaged business owners typically reaches Stage 2 in ten to sixteen weeks. Organisations starting without a BIA, or operating across multiple business units with distinct regulatory obligations, typically run to twenty weeks or longer.

Fees depend on organisational scope, number of prioritised activities, and the scale of exercise activity. Certification body fees are separate. Where regulatory requirements (RBI, DORA, sectoral rules) drive scope, we align the BCMS to those requirements rather than building two parallel systems.

Frequently asked

Questions we answer on most ISO 22301 calls.

Is ISO 22301 the same as disaster recovery?

No. Disaster recovery typically focuses on IT system recovery. ISO 22301 is a business-wide management system covering people, premises, suppliers, and processes as well as technology. DR sits inside a well-built BCMS, not alongside it.

How often must we exercise the plans?

The standard does not mandate a specific frequency. Good practice is at least one meaningful exercise per prioritised activity per year, with a rolling programme that covers different scenarios over time. Auditors look for evidence of an exercise programme, not a single annual drill.

What are MAO, RTO, and RPO?

Maximum Acceptable Outage is the longest period an activity can be unavailable before consequences become unacceptable. Recovery Time Objective is the time within which the activity must be resumed; it is set shorter than MAO. Recovery Point Objective is the maximum acceptable data loss, expressed as the point in time to which data must be recovered.
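As an added illustration (not code from this page or from Crescent), the following Python check applies these definitions to a BIA register the way an internal auditor would: RTO must be shorter than MAO, the backup interval must not exceed RPO (worst-case loss is one full interval), and the most recent exercise must have met RTO. The activity names and figures are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Activity:
    """One prioritised activity from the BIA; all durations are in hours."""
    name: str
    mao: float                          # Maximum Acceptable Outage
    rto: float                          # Recovery Time Objective, must be shorter than MAO
    rpo: float                          # Recovery Point Objective: maximum tolerable data loss
    backup_interval: float              # how often the activity's data is actually captured
    last_exercise_rto: Optional[float]  # measured recovery time in the last exercise; None if never exercised


def check_activity(a: Activity) -> list[str]:
    """Return the inconsistencies an auditor would raise for one activity."""
    findings: list[str] = []
    if a.rto >= a.mao:
        findings.append(f"RTO {a.rto}h is not shorter than MAO {a.mao}h")
    if a.backup_interval > a.rpo:
        # Worst-case data loss equals one backup interval, so it must fit inside the RPO.
        findings.append(f"backup interval {a.backup_interval}h exceeds RPO {a.rpo}h")
    if a.last_exercise_rto is None:
        findings.append("no exercise evidence")
    elif a.last_exercise_rto > a.rto:
        findings.append(f"last exercise took {a.last_exercise_rto}h, missing RTO {a.rto}h")
    return findings


def bia_findings(register: list[Activity]) -> dict[str, list[str]]:
    """Map each activity name to its findings; activities with none are omitted."""
    result: dict[str, list[str]] = {}
    for a in register:
        f = check_activity(a)
        if f:
            result[a.name] = f
    return result


# Constructed sample register: hypothetical activities and figures, not real client data.
SAMPLE_REGISTER = [
    Activity("card-payments", mao=4, rto=2, rpo=0.25, backup_interval=0.25, last_exercise_rto=1.5),
    Activity("client-billing", mao=24, rto=24, rpo=4, backup_interval=1, last_exercise_rto=20),
    Activity("management-reporting", mao=72, rto=48, rpo=8, backup_interval=24, last_exercise_rto=None),
]

if __name__ == "__main__":
    for name, f in bia_findings(SAMPLE_REGISTER).items():
        print(name, "->", "; ".join(f))
```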

Can we certify only part of the organisation?

Yes — the scope on the certificate must be clear and the BCMS must cover what it claims to cover. Selective scoping is legitimate, but regulators and major customers increasingly look for enterprise-wide coverage.

How does ISO 22301 relate to ISO 27001?

ISO 27001 Annex A includes business continuity controls; ISO 22301 is the full management-system treatment. Many clients run both, with 22301 serving as the continuity engine referenced from the 27001 Statement of Applicability.

Get a readiness assessment for ISO 22301.

Half a day with a senior consultant, a clause-level gap report, and a candid timeline. No commitment beyond the assessment itself.