- ISO context for certification of management systems by external certification bodies.
"Certification is known in some countries as registration."
Clear answers to the ISO 22301 questions teams ask when building or maintaining a business continuity management system.
Use this FAQ to connect BCMS scope, business impact analysis, recovery targets, continuity strategies, exercises, audit evidence, and management review.
Structured answer sets in this page tree.
Cited legal and guidance references.
ISO 22301 is not just a business continuity plan template. It is a management-system standard for establishing, implementing, maintaining, and improving a BCMS that helps an organization continue delivery of products and services through disruption.
These focused FAQ modules break this artifact into narrower answer sets so teams can move straight to the right source-backed guidance.
Practical ISO 22301 BIA FAQ covering prioritized activities, impact criteria, MTPD, RTO, RPO, dependencies, resources, strategy handoff, evidence, and review triggers.
FAQ guidance on ISO 22301 certification evidence: BCMS scope, documented information, BIA, risk assessment, exercises, internal audit, management review, and corrective action.
What ISO 22301 management review should cover: inputs, outputs, decisions, evidence, improvement actions, and ownership for BCMS leadership reviews.
How ISO 22301 teams should define MTPD in the business impact analysis, separate it from RTO and RPO, and keep recovery evidence current.
Practical ISO 22301 FAQ on selecting recovery strategies from BIA, risk assessment, prioritized activities, resource needs, exercises, and review evidence.
How to set, evidence, test, and review recovery point objectives in an ISO 22301 business continuity management system.
Plain-language ISO 22301 guidance for setting recovery time objectives from BIA evidence, MTPD limits, resources, dependencies, exercises, and review triggers.
How ISO 22301 teams should plan, run, evidence, and improve business continuity exercises and tests.
ISO 22301 specifies requirements for a business continuity management system, or BCMS. The system should fit the organization's context, interested-party requirements, products and services, processes, size, structure, and disruption impacts.
A working BCMS includes more than response plans. It needs defined scope, leadership responsibilities, business continuity objectives, resources, competence, communications, controlled documented information, business impact analysis, risk assessment, continuity strategies, plans, exercises, performance evaluation, internal audit, management review, corrective action, and continual improvement.
The BCMS scope should identify the boundaries and applicability of the management system. In practice, that means the parts of the organization included, the products and services covered, the locations and functions in scope, relevant interested-party requirements, and any exclusions.
A weak scope says only that the organization has a business continuity program. A useful scope tells a reviewer which services, sites, teams, suppliers, systems, and recovery responsibilities are actually governed by the BCMS.
A business impact analysis identifies disruption impacts over time and uses those impacts to set business continuity priorities and requirements. It should connect activities to the products and services they support, then define time-sensitive consequences if those activities are interrupted.
The BIA is where teams determine the maximum tolerable period of disruption and recovery time objectives. It should also capture dependencies, resources, people, technology, data, facilities, suppliers, and information needed to recover prioritized activities.
MTPD is the longest period an activity can be disrupted before the impact becomes unacceptable. RTO is the target time for resuming an activity after disruption. RPO is a data-loss target: the point in time to which data must be recoverable.
MTPD and RTO should not be treated as the same number. The RTO normally needs to be shorter than the MTPD so the organization has time to recover before impacts become unacceptable. RPO should be assigned where data availability, transaction history, or records are needed to resume the activity.
Recovery strategies and solutions should be selected from BIA and risk assessment outputs. They need to consider options before, during, and after disruption, then translate those options into implemented capabilities such as alternate processes, staffing arrangements, supplier alternatives, technology recovery, facilities, communications, and resource availability.
A strategy is not credible until it is connected to recovery targets, resource requirements, responsible owners, business continuity plans and procedures, and exercise results. If the strategy cannot meet the RTO or RPO, that gap should be recorded as a risk decision, corrective action, or management-review input.
Certification evidence should show that the BCMS exists, operates, is evaluated, and improves. Useful evidence includes scope, policy, roles and responsibilities, business continuity objectives, competence records, communication arrangements, controlled documented information, BIA and risk assessment records, strategies and solutions, plans and procedures, exercise reports, incident or post-exercise actions, internal audits, management reviews, and corrective actions.
Auditors and customers usually need traceability. A plan without BIA support is weak. A BIA without recovery strategy decisions is incomplete. A strategy without exercise evidence is unproven. A finding without corrective action closure is unfinished.
Use this FAQ to turn common BCMS questions into assigned evidence: scope decisions, BIA records, recovery targets, strategy choices, exercise reports, audit findings, and management-review actions.
Convert ISO 22301 FAQ answers into accountable tasks, evidence requests, review checkpoints, and certification-readiness records.
Review your BCMS scope, BIA quality, recovery targets, exercise evidence, audit gaps, and management-review actions.
ISO 22301 expects planned intervals, but the schedule should be risk-based and change-aware. Exercises and tests should validate strategies and solutions over time. Internal audits should provide information about whether the BCMS conforms to the organization's own requirements and ISO 22301 requirements. Management review should confirm the BCMS remains suitable, adequate, and effective.
Do not rely on a calendar alone. Review the BIA, risk assessment, strategies, solutions, plans, and procedures after significant changes to services, locations, suppliers, technology, workforce, legal requirements, threat conditions, or disruption experience.
The biggest misconception is that ISO 22301 can be satisfied by storing a business continuity plan. The standard is broader: it expects a maintained BCMS with leadership commitment, defined scope, documented information, operational planning, BIA, risk assessment, strategies, plans, exercises, performance evaluation, audit, management review, and improvement.
Another misconception is that every activity must have the same recovery target. Recovery requirements should come from the BIA and risk assessment. Some activities may need rapid recovery, while others can wait if disruption impacts remain tolerable.
"A management system is the way in which an organization manages the interrelated parts of its business."
"Think of them as a formula that describes the best way of doing something."
"Business continuity management systems - Requirements"
"Guidelines for business impact analysis"
"Guidelines for business continuity strategy"