---
title: "ISO 22301 FAQ: BCMS, BIA, MTPD, RTO and Audit Evidence"
canonical_url: "https://www.sorena.io/artifacts/global/iso-22301/faq"
source_url: "https://www.sorena.io/artifacts/global/iso-22301/faq/items"
author: "Sorena AI"
description: "Practical ISO 22301 FAQ for business continuity teams: BCMS scope, BIA, MTPD, RTO, RPO, strategies, exercises, audits, management review, and certification evidence."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ISO 22301 FAQ"
  - "BCMS FAQ"
  - "business impact analysis ISO 22301"
  - "MTPD RTO RPO"
  - "ISO 22301 audit evidence"
  - "business continuity management system"
  - "ISO 22301"
  - "business continuity management"
  - "BCMS"
  - "business impact analysis"
---

# ISO 22301 FAQ: BCMS, BIA, MTPD, RTO and Audit Evidence

Practical ISO 22301 FAQ for business continuity teams: BCMS scope, BIA, MTPD, RTO, RPO, strategies, exercises, audits, management review, and certification evidence.

## ISO 22301 FAQ

Clear answers to the ISO 22301 questions teams ask when building or maintaining a business continuity management system.

Use this FAQ to connect BCMS scope, business impact analysis, recovery targets, continuity strategies, exercises, audit evidence, and management review.

ISO 22301 is not just a business continuity plan template. It is a management-system standard for establishing, implementing, maintaining, and improving a BCMS that helps an organization continue delivery of products and services through disruption.

## Browse sub-FAQ modules

### [ISO 22301 Business Impact Analysis FAQ](/artifacts/global/iso-22301/faq/business-impact-analysis.md)

Practical ISO 22301 BIA FAQ covering prioritized activities, impact criteria, MTPD, RTO, RPO, dependencies, resources, strategy handoff, evidence, and review triggers.

- 5 items

### [ISO 22301 Certification Evidence FAQ](/artifacts/global/iso-22301/faq/certification-evidence.md)

FAQ guidance on ISO 22301 certification evidence: BCMS scope, documented information, BIA, risk assessment, exercises, internal audit, management review, and corrective action.

- 4 items

### [ISO 22301 Management Review FAQ](/artifacts/global/iso-22301/faq/management-review.md)

What ISO 22301 management review should cover: inputs, outputs, decisions, evidence, improvement actions, and ownership for BCMS leadership reviews.

- 4 items

### [ISO 22301 MTPD FAQ](/artifacts/global/iso-22301/faq/mtpd.md)

How ISO 22301 teams should define MTPD in the business impact analysis, separate it from RTO and RPO, and keep recovery evidence current.

- 4 items

### [ISO 22301 Recovery Strategies FAQ](/artifacts/global/iso-22301/faq/recovery-strategies.md)

Practical ISO 22301 FAQ on selecting recovery strategies from BIA, risk assessment, prioritized activities, resource needs, exercises, and review evidence.

- 4 items

### [ISO 22301 RPO FAQ: Recovery Point Objectives](/artifacts/global/iso-22301/faq/rpo.md)

How to set, evidence, test, and review recovery point objectives in an ISO 22301 business continuity management system.

- 4 items

### [ISO 22301 RTO FAQ: Recovery Time Objectives](/artifacts/global/iso-22301/faq/rto.md)

Plain-language ISO 22301 guidance for setting recovery time objectives from BIA evidence, MTPD limits, resources, dependencies, exercises, and review triggers.

- 5 items

### [ISO 22301 Testing Exercises FAQ](/artifacts/global/iso-22301/faq/testing-exercises.md)

How ISO 22301 teams should plan, run, evidence, and improve business continuity exercises and tests.

- 4 items

Browse all indexed questions: [/artifacts/global/iso-22301/faq/items](/artifacts/global/iso-22301/faq/items.md)

## All FAQ items

*Page 1 of 2. Showing 20 of 34 items.*

### [What is a BIA for under ISO 22301?](/artifacts/global/iso-22301/faq/business-impact-analysis.md#what-is-a-bia-for-under-iso-22301)

*Module: [ISO 22301 Business Impact Analysis](/artifacts/global/iso-22301/faq/business-impact-analysis.md)*

Under ISO 22301, the BIA is the process that turns business disruption into concrete continuity priorities and requirements. It should start from the BCMS scope and the products or services the organization has decided to protect.

- Define impact types and assessment criteria that fit the organization, such as operational, financial, contractual, legal, safety, customer, and reputational impact.
- Identify the activities that support in-scope products and services rather than listing applications or departments with no business context.
- Use the BIA result to drive continuity strategy and solutions; do not leave it as a standalone spreadsheet.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Identifies ISO 22301:2019 as the requirements standard for business continuity management systems.
- [ISO management system standards overview](https://www.iso.org/management-system-standards.html?ref=sorena.io) - Supports treating ISO 22301 as a management-system discipline with documented processes, review, and improvement.

### [What should the BIA record for MTPD, RTO, and RPO?](/artifacts/global/iso-22301/faq/business-impact-analysis.md#what-should-the-bia-record-for-mtpd-rto-and-rpo)

*Module: [ISO 22301 Business Impact Analysis](/artifacts/global/iso-22301/faq/business-impact-analysis.md)*

The BIA should assess impacts over time and identify the point where not resuming an activity becomes unacceptable. That point is commonly expressed as the maximum tolerable period of disruption, or MTPD.

- For each prioritized activity, record the MTPD, RTO, minimum acceptable capacity, assumptions, and approval owner.
- For data-dependent activities, record the RPO or equivalent data-loss tolerance and map it to backup, replication, restoration, and reconciliation evidence.
- Flag impossible targets early, such as a one-hour RTO when supplier contracts, staffing, facilities, or data recovery evidence cannot support it.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Identifies the ISO 22301 requirements baseline used for BIA, continuity priorities, and recovery objectives.
- [ISO/IEC 27002:2022 standard page](https://www.iso.org/standard/75652.html?ref=sorena.io) - Supports the ICT continuity link between BIA outcomes, recovery time expectations, and recovery point expectations for information resources.

### [How should dependencies and resources be handled?](/artifacts/global/iso-22301/faq/business-impact-analysis.md#how-should-dependencies-and-resources-be-handled)

*Module: [ISO 22301 Business Impact Analysis](/artifacts/global/iso-22301/faq/business-impact-analysis.md)*

A BIA is weak if it only ranks activities. It should also identify the resources needed to support prioritized activities and the dependencies and interdependencies that affect recovery.

- Map each prioritized activity to required resources, including minimum staffing, critical records, systems, facilities, suppliers, and manual workarounds.
- Separate internal dependencies from external dependencies so supplier contracts, service levels, and alternate arrangements can be tested.
- Connect each dependency to evidence: owner, contract, runbook, backup record, access path, exercise result, or corrective action.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Identifies the ISO 22301 standard used to ground resource and dependency requirements for prioritized activities.
- [ISO standards overview](https://www.iso.org/standards.html?ref=sorena.io) - Supports using structured standards-based records rather than informal continuity assumptions.

### [How does the BIA hand off to strategy, plans, and exercises?](/artifacts/global/iso-22301/faq/business-impact-analysis.md#how-does-the-bia-hand-off-to-strategy-plans-and-exercises)

*Module: [ISO 22301 Business Impact Analysis](/artifacts/global/iso-22301/faq/business-impact-analysis.md)*

The BIA and risk assessment should feed the selection of business continuity strategies and solutions. If the selected strategy cannot meet the BIA time frames and minimum capacity, the organization should either improve the strategy or formally accept the gap.

- Trace each prioritized activity from BIA row to selected strategy, continuity solution, plan step, exercise scenario, and improvement action.
- Use exercises and tests to validate whether strategy and solution choices actually meet the BIA recovery targets.
- After incidents, activations, exercises, supplier changes, or technology changes, update the BIA and related plans together.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Identifies ISO 22301 as the BCMS requirements source for linking BIA outputs to strategies, solutions, plans, and exercises.
- [ISO management system standards overview](https://www.iso.org/management-system-standards.html?ref=sorena.io) - Supports the plan-do-check-act style of evidence, evaluation, and improvement across the BCMS.

### [What evidence proves the BIA is current?](/artifacts/global/iso-22301/faq/business-impact-analysis.md#what-evidence-proves-the-bia-is-current)

*Module: [ISO 22301 Business Impact Analysis](/artifacts/global/iso-22301/faq/business-impact-analysis.md)*

Good BIA evidence shows both the analysis and the operating process around it. Keep the approved BIA, criteria, assumptions, owner approvals, dependency records, resource decisions, strategy links, exercise results, audit findings, corrective actions, and management-review inputs together.

- Use versioned BIA records with owner, reviewer, approval date, change summary, assumptions, and next review trigger.
- Keep unresolved recovery gaps visible as risk acceptance, funded improvement work, supplier remediation, or management-review action.
- Avoid audit-day screenshots with no business owner, no activity scope, no time-based impact logic, and no link to continuity strategy.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Identifies the ISO 22301 requirements standard used for periodic review, documented information, evaluation, and improvement of the BCMS.
- [ISO standards overview](https://www.iso.org/standards.html?ref=sorena.io) - Supports the practical use of ISO standards as repeatable records and operating practices.

### [What counts as ISO 22301 certification evidence?](/artifacts/global/iso-22301/faq/certification-evidence.md#what-counts-as-iso-22301-certification-evidence)

*Module: [ISO 22301 Certification Evidence](/artifacts/global/iso-22301/faq/certification-evidence.md)*

Certification evidence is the controlled documented information and operating record that shows the BCMS meets ISO 22301 requirements. It should not be a folder of policy PDFs alone; it should connect scope, policy, objectives, business impact analysis, risk assessment, continuity strategies, plans, exercises, audit results, management review, and corrective actions.

- Keep a current BCMS scope record with covered entities, sites, functions, products, services, dependencies, exclusions, approver, and review date.
- Link business continuity policy and objectives to named owners, resources, responsibilities, and measurable continuity outcomes.
- Treat undocumented decisions as evidence gaps: if the auditor cannot trace the decision, the team cannot reliably operate or improve it.
- Control records by title, date, owner, version, approval status, access, storage location, retention rule, and change history.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Primary ISO listing for ISO 22301 as the business continuity management system requirements standard.
- [ISO standards overview](https://www.iso.org/standards.html?ref=sorena.io) - Provides public context for standards as repeatable approaches, supporting the need for controlled and repeatable evidence.

### [Which operational records should be in the evidence pack?](/artifacts/global/iso-22301/faq/certification-evidence.md#which-operational-records-should-be-in-the-evidence-pack)

*Module: [ISO 22301 Certification Evidence](/artifacts/global/iso-22301/faq/certification-evidence.md)*

The core operating evidence should show how the organization determined continuity priorities and selected recovery arrangements. That means business impact analysis records, risk assessment records, continuity requirements, strategy and solution decisions, resource requirements, plans, procedures, warning and communication steps, response structure, and recovery processes.

- BIA evidence: activity inventory, impact categories, dependencies, maximum tolerable disruption assumptions, RTO/RPO needs, priority decisions, and approval trail.
- Risk assessment evidence: disruption scenarios, risk criteria, assumptions, existing controls, selected treatment, residual risk, and review trigger.
- Strategy evidence: selected business continuity strategies and solutions for before, during, and after disruption, with resource requirements and activation conditions.
- Procedure evidence: response structure, warning and communication procedures, business continuity plans, recovery processes, contact lists, and dependency owners.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Supports the focus on BCMS operation, BIA, risk assessment, strategies, solutions, plans, procedures, response, and recovery.
- [ISO/TS 22317 standard page](https://www.iso.org/standard/50050.html?ref=sorena.io) - Public ISO listing for business impact analysis guidance, useful when explaining BIA evidence expectations alongside ISO 22301.
- [ISO/TS 22331 standard page](https://www.iso.org/standard/50052.html?ref=sorena.io) - Public ISO listing for business continuity strategy guidance, supporting strategy and solution evidence references.

### [How do exercises, audits, and management review prove the BCMS works?](/artifacts/global/iso-22301/faq/certification-evidence.md#how-do-exercises-audits-and-management-review-prove-the-bcms-works)

*Module: [ISO 22301 Certification Evidence](/artifacts/global/iso-22301/faq/certification-evidence.md)*

Exercises and tests show whether strategies, solutions, plans, communications, teams, and suppliers can perform over time. Keep the scenario, aims, objectives, participants, assumptions, results, recommendations, action owners, due dates, and closure proof together with the plan or capability being tested.

- Exercise evidence should include the programme, scenario, objective, participants, observed results, post-exercise report, recommendations, actions, and effectiveness review.
- Capability evaluation evidence should cover plans, procedures, post-incident reports, tests, partner or supplier capabilities, and legal or regulatory conformity checks.
- Internal audit evidence should include audit programme, audit scope, audit criteria, selected auditors, results, findings, corrective actions, and verification of follow-up actions.
- Management review evidence should show previous-action status, BCMS performance trends, audit results, interested-party feedback, BIA and risk information, decisions, and communicated outputs.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Grounds the need for exercise and test evidence, performance evaluation, internal audit, management review, and retained records.
- [ISO standards overview](https://www.iso.org/standards.html?ref=sorena.io) - Supports treating BCMS evidence as repeatable management-system records rather than one-off audit preparation.

### [How should teams keep certification evidence current?](/artifacts/global/iso-22301/faq/certification-evidence.md#how-should-teams-keep-certification-evidence-current)

*Module: [ISO 22301 Certification Evidence](/artifacts/global/iso-22301/faq/certification-evidence.md)*

Keep an evidence map instead of a last-minute audit folder. Each evidence item should have a record owner, storage location, review frequency, change trigger, retention rule, and status. When the scope, product, service, site, supplier, system, incident pattern, legal requirement, or continuity objective changes, update the affected evidence and show what changed.

- Set freshness rules for scope, policy, objectives, BIA, risk assessment, plans, supplier continuity evidence, exercises, audits, management review, and corrective actions.
- Connect every nonconformity or issue to cause analysis, action owner, due date, evidence of completion, effectiveness review, and closure approval.
- Avoid screenshots without context; preserve source-system exports, approvals, version history, and links to the process that produced the record.
- Use management review to decide on scope changes, BIA and risk updates, plan changes, resources, measures, and continual improvement.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Supports evidence freshness, corrective action, management review, continual improvement, and retained documented information.
- [ISO standards overview](https://www.iso.org/standards.html?ref=sorena.io) - Provides public context for maintaining standards-based evidence as a repeatable operating practice.

### [What should ISO 22301 management review include?](/artifacts/global/iso-22301/faq/management-review.md#what-should-iso-22301-management-review-include)

*Module: [ISO 22301 Management Review](/artifacts/global/iso-22301/faq/management-review.md)*

Treat the review as a top-management decision meeting for the BCMS. The agenda should start with open actions from the previous review, then move through changes in internal and external context, interested-party feedback, BCMS performance, audit results, nonconformities, corrective actions, and monitoring results.

- Bring forward unresolved actions from the previous management review with owners and due dates.
- Show what changed in scope, sites, services, suppliers, people, technology, threats, interested-party expectations, and continuity objectives.
- Summarize BCMS performance trends, audit results, exercise outcomes, nonconformities, corrective actions, disruptions, near misses, BIA updates, and risk-assessment changes.
- Record resource constraints, procedure gaps, capability weaknesses, and improvement opportunities that require leadership decisions.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Official ISO page for the current ISO 22301 business continuity management system requirements standard.
- [ISO Online browsing platform](https://www.iso.org/obp/ui?ref=sorena.io) - ISO's public terminology platform is referenced by ISO 22301 for standardized management-system terminology.

### [What outputs should management approve?](/artifacts/global/iso-22301/faq/management-review.md#what-outputs-should-management-approve)

*Module: [ISO 22301 Management Review](/artifacts/global/iso-22301/faq/management-review.md)*

The strongest output is a short decision log, not a long meeting transcript. Each decision should say what will change, why it matters to continuity, who owns it, when it is due, and which evidence will prove completion.

- Separate decisions from discussion notes so owners can execute them.
- Tie each approved change to a BCMS artifact: scope statement, BIA, risk assessment, continuity plan, exercise programme, audit action, corrective action, resource plan, or performance metric.
- Escalate decisions that affect recovery targets, customer commitments, critical suppliers, certification scope, continuity resources, or unresolved nonconformities.
- Carry rejected or deferred improvements as explicit risk acceptance, backlog items, or next-review inputs.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Supports the BCMS requirements context for management-review outputs and retained evidence.

### [What evidence proves the review happened?](/artifacts/global/iso-22301/faq/management-review.md#what-evidence-proves-the-review-happened)

*Module: [ISO 22301 Management Review](/artifacts/global/iso-22301/faq/management-review.md)*

Retain the management-review record with enough detail for a later auditor, customer reviewer, or executive sponsor to reconstruct the decision. At minimum, keep the agenda, attendance or approval record, input pack, decision log, assigned actions, communication record, and follow-up status.

- Keep evidence in the BCMS record system instead of scattered email threads.
- Make the record clear about which leadership role reviewed and approved the outputs.
- Preserve action closure evidence, not only the original review minutes.
- Communicate relevant results to affected interested parties when the decision changes commitments, procedures, responsibilities, or recovery expectations.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Primary source for ISO 22301 BCMS requirements, including management review and documented information expectations.
- [ISO - Standards overview](https://www.iso.org/standards.html?ref=sorena.io) - Explains ISO standards as repeatable practices organizations use to manage processes consistently.

### [When should management review run?](/artifacts/global/iso-22301/faq/management-review.md#when-should-management-review-run)

*Module: [ISO 22301 Management Review](/artifacts/global/iso-22301/faq/management-review.md)*

Run management review at planned intervals and after material changes. A useful cadence is frequent enough that actions from exercises, audits, incidents, supplier changes, business changes, and recovery-target updates do not wait until the certification audit cycle.

- Define the planned interval and event-based triggers in the BCMS governance calendar.
- Use internal audit, exercise reports, monitoring results, and corrective-action trends to decide whether the cadence is still adequate.
- Do not close the review until owners, due dates, communication needs, and evidence locations are recorded.
- Feed outputs into continual improvement so review decisions become visible changes to the BCMS.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Supports the ISO 22301 context for planned management review, performance evaluation, and continual improvement.

### [What does MTPD mean in ISO 22301?](/artifacts/global/iso-22301/faq/mtpd.md#what-does-mtpd-mean-in-iso-22301)

*Module: [ISO 22301 MTPD](/artifacts/global/iso-22301/faq/mtpd.md)*

MTPD is the maximum period an organization can tolerate a disruption to an activity before the impact becomes unacceptable. It is not a generic service-level target; it is a business impact finding for a specific activity that supports products or services in the BCMS scope.

- Define MTPD per prioritized activity, not once for the whole organization.
- Base the value on impacts over time: operational loss, customer harm, legal or regulatory exposure, safety, financial loss, reputation, or contractual commitments.
- Record the assumptions behind the decision, including minimum acceptable capacity, dependency limits, supplier constraints, and escalation thresholds.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Primary ISO listing for the business continuity management system requirements standard that frames MTPD as part of BCMS planning and operation.
- [ISO management system standards overview](https://www.iso.org/management-system-standards.html?ref=sorena.io) - Supports treating MTPD decisions as maintained operating evidence inside a management system, not as one-time audit wording.

### [How is MTPD different from RTO and RPO?](/artifacts/global/iso-22301/faq/mtpd.md#how-is-mtpd-different-from-rto-and-rpo)

*Module: [ISO 22301 MTPD](/artifacts/global/iso-22301/faq/mtpd.md)*

MTPD is the outer impact tolerance. RTO is the planned time frame for resuming the disrupted activity at a specified minimum acceptable capacity, and it should sit inside the MTPD. RPO is different again: it expresses the acceptable point of data recovery or data loss for systems and information supporting the activity.

- Use MTPD to define when impact becomes unacceptable.
- Use RTO to set the recovery target for the prioritized activity at minimum acceptable capacity.
- Use RPO for data recovery expectations where information loss affects the activity.
- Flag any activity where the chosen RTO, RPO, supplier commitment, or workaround cannot realistically fit inside the MTPD.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Supports the ISO 22301 context for BIA, continuity requirements, and business continuity management system requirements.
- [ISO management system standards overview](https://www.iso.org/standards.html?ref=sorena.io) - Supports the distinction between documented management-system requirements and organization-specific implementation choices.

### [What evidence should prove the MTPD is current?](/artifacts/global/iso-22301/faq/mtpd.md#what-evidence-should-prove-the-mtpd-is-current)

*Module: [ISO 22301 MTPD](/artifacts/global/iso-22301/faq/mtpd.md)*

The evidence should connect the MTPD to the BIA, not just list a number in a spreadsheet. A reviewer should be able to trace the activity to the service it supports, the impact criteria used, the impacts over time, the selected RTO and RPO, required resources, dependencies, continuity strategy, exercise results, and open corrective actions.

- Keep the BIA worksheet, approval record, impact criteria, assumptions, and dependency map together.
- Link MTPD to recovery strategy decisions, resource requirements, supplier or partner dependencies, and exercise/test evidence.
- Treat missed RTOs, failed workarounds, supplier changes, and capacity shortfalls as evidence that the MTPD or strategy may need review.
- Document accepted exceptions as risk decisions or corrective actions, not as hidden notes.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Primary ISO source for the BCMS requirements context behind BIA, continuity strategies, documented information, evaluation, audit, and management review evidence.
- [ISO - Standards overview](https://www.iso.org/standards.html?ref=sorena.io) - Supports the management-system expectation that important decisions are controlled, reviewed, and improved over time.

### [When should teams review MTPD and update the BIA?](/artifacts/global/iso-22301/faq/mtpd.md#when-should-teams-review-mtpd-and-update-the-bia)

*Module: [ISO 22301 MTPD](/artifacts/global/iso-22301/faq/mtpd.md)*

Review MTPD at planned intervals and whenever the facts behind the BIA change. Typical triggers include a new or changed product, site, process, system, supplier, customer promise, legal or contractual duty, incident lesson, failed exercise, resource constraint, or management decision that changes impact tolerance.

- Update the BIA when significant organizational or context changes affect activities, dependencies, or acceptable impact.
- Review recovery strategies and solutions when exercises, tests, incidents, or supplier evaluations show the selected approach cannot meet the time frames.
- Escalate unresolved gaps into corrective action, risk acceptance, or management review.
- Keep version history so reviewers can see what changed, who approved it, and which recovery evidence was updated.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Supports the ISO 22301 management-system context for planned review, evaluation, business continuity documentation, and continual improvement.
- [ISO - Standards overview](https://www.iso.org/standards.html?ref=sorena.io) - Supports treating MTPD review as part of a maintained system for doing business continuity work consistently.

### [What is an ISO 22301 recovery strategy?](/artifacts/global/iso-22301/faq/recovery-strategies.md#what-is-an-iso-22301-recovery-strategy)

*Module: [ISO 22301 Recovery Strategies](/artifacts/global/iso-22301/faq/recovery-strategies.md)*

A recovery strategy is the chosen way to continue or recover prioritized activities within the time frames and capacity agreed through the business impact analysis. It becomes useful only when it identifies the actual continuity solution: alternate site, manual workaround, supplier substitution, technology failover, staffing model, inventory buffer, communications path, or another controlled option.

- Trace each strategy to a prioritized activity and the business-impact time frame it must meet.
- Record the continuity solution, activation criteria, accountable owner, required resources, and dependency assumptions.
- Separate strategy selection from plan wording: the plan explains how to activate the selected solution during disruption.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Primary ISO listing for the current ISO 22301 business continuity management system requirements standard.
- [ISO/TS 22331 business continuity strategy guidance](https://www.iso.org/standard/50054.html?ref=sorena.io) - ISO guidance dedicated to business continuity strategy, useful when turning ISO 22301 strategy requirements into operating choices.

### [How should recovery strategies be selected?](/artifacts/global/iso-22301/faq/recovery-strategies.md#how-should-recovery-strategies-be-selected)

*Module: [ISO 22301 Recovery Strategies](/artifacts/global/iso-22301/faq/recovery-strategies.md)*

Start with BIA outputs: products and services in scope, activity impacts over time, maximum tolerable disruption, recovery time objectives, recovery point objectives where relevant, prioritized activities, required resources, and dependencies. Then compare feasible strategies against the disruption risks for those activities and resources.

- Use BIA and risk-assessment records as the input, not a separate wish list of recovery options.
- Compare options against agreed recovery time, capacity, resource, supplier, and interdependency needs.
- Document why rejected options were not selected when cost, capacity, supplier availability, or residual risk matters.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Supports the link between ISO 22301 operation requirements, BIA, risk assessment, and business continuity strategies and solutions.
- [ISO/TS 22317 BIA guidance](https://www.iso.org/standard/50053.html?ref=sorena.io) - Supports the BIA input side of recovery-strategy selection.

### [What evidence should prove a recovery strategy is real?](/artifacts/global/iso-22301/faq/recovery-strategies.md#what-evidence-should-prove-a-recovery-strategy-is-real)

*Module: [ISO 22301 Recovery Strategies](/artifacts/global/iso-22301/faq/recovery-strategies.md)*

Evidence should show that the strategy can be activated, not merely that it was named in a document. Keep the selected strategy, resource requirements, implemented solution, continuity plan or procedure, exercise/test result, post-exercise actions, and any management-review decision together or cross-linked.

- Keep a strategy-to-activity map with RTO, capacity, key resources, suppliers, facilities, applications, data, and people assumptions.
- Attach exercise or test reports that show whether the strategy worked and what corrective actions remain open.
- Link unresolved gaps to risk acceptance, corrective action, investment decisions, or management-review outputs.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Supports evidence coverage for BCMS operation, business continuity strategies and solutions, plans and procedures, exercising, evaluation, and management review.
- [ISO - Standards overview](https://www.iso.org/standards.html?ref=sorena.io) - General ISO context for why standards support repeatable operating methods and records, rather than one-off audit documents.

---

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/iso-22301/faq/items
