Standards & governance
3 July 2025

ISO 22301:2019 focuses on business continuity


ISO 22301:2019 is entitled “Security and resilience – Business continuity management systems – Requirements”.

It is the international reference standard for implementing a business continuity management system (BCMS), and the one against which organizations are certified.

It guides organizations in planning, implementing and continuously improving the processes that prevent and manage disruptive incidents, reinforce the resilience of operations, and protect the company’s ability to deliver its products or services even when a disruption does occur.


Why talk about business continuity?

A cyber attack that renders your servers unavailable, a Hydro-Québec blackout like the one caused by the 1998 ice storm, or a fire that destroys your data center: unfortunately, incidents like these happen all the time.

In addition, customers’ intolerance of downtime now makes operational resilience non-negotiable.

Companies with their BCMS certified have also noticed a drop in insurance premiums (between 15% and 35%).

Origins and development of the standard

The thinking behind ISO 22301 goes back to the September 11th attacks, the 2003 SARS outbreak and other disasters that exposed the limits of organizations’ improvised emergency plans.

The UK published the first certifiable specification, BS 25999-2, in 2007; it was withdrawn once ISO published ISO 22301:2012 (developed by ISO/TC 223, whose work is now carried by ISO/TC 292).

The standard was revised in 2019: the text was simplified, and it kept the Annex SL high-level structure (HLS) that it shares with other management system standards such as ISO 9001, ISO 14001 and ISO 27001.

The Annex SL structure gives all ISO management system standards the same simplified layout (context of the organization, leadership, planning, support, operation, performance evaluation, improvement), which makes them easier to integrate into a single management system.


Who is ISO 22301 typically aimed at?

ISO 22301 certification mainly attracts organizations where interruption of operations has serious consequences.

These are often critical sectors, heavily regulated, or where customers demand uninterrupted service continuity. Typical company profiles include:

  • Financial services companies: banks, insurance companies, fintechs, who need to maintain access to funds, data and platforms at all times.
  • Operators of critical infrastructures: energy, telecommunications, transport, healthcare, where any interruption has an immediate impact on society.
  • Manufacturing companies: especially those with tight supply chains or contractual penalties for delays.
  • Technology providers: hosting providers, cloud providers and managed IT service providers, for whom downtime can affect thousands of customers at once.
  • Public sector and municipalities: to guarantee the continued provision of essential services to citizens.

In short, certification is sought after by organizations that need to prove to their customers, partners or regulators that they are ready to handle major events without falling over.


What is a BCMS?

The Business Continuity Management System (BCMS) is to business continuity what the ISMS (ISO 27001) is to information security: a set of documented processes, run on the Deming cycle (Plan-Do-Check-Act), for planning, implementing, operating, monitoring, reviewing and improving the company’s ability to survive a crisis.

Main stages:

  1. Clear scope: sites, business lines and assets concerned.
  2. Business Impact Analysis (BIA): identification of prioritized activities, quantification of the impact of their interruption over time, and determination of an RTO (recovery time objective) and RPO (recovery point objective) for each.
  3. Risk assessment: identification of the threats (flooding, cyber attacks, pandemics) and vulnerabilities that could cause a disruption.
  4. Continuity strategies: redundancy, outsourcing, teleworking, additional stocks.
  5. Plans and procedures: crisis management, escalation scripts, recovery and back-up procedures.
  6. Exercises and tests: tabletop exercises, walkthroughs, full failover and load tests.
  7. Continuous improvement: indicators, internal audits, management reviews.

Without this cycle, the “contingency plan” ends up in a drawer and is never used, as is all too often the case.


Similarities and differences with ISO 27001

ISO 22301 and ISO 27001 share the common HLS structure, so their clauses on context, leadership, planning, support, performance evaluation and improvement can be managed together.

However, they have different objectives.

ISO 27001 aims to prevent and contain information security incidents (loss of confidentiality, integrity or availability), while ISO 22301 aims to keep prioritized activities running and restore them within the set objectives when a disruption does occur, whatever its cause. The two overlap on availability: ISO 27001’s Annex A includes a control on ICT readiness for business continuity (A.5.30 in the 2022 edition), which a BCMS is well placed to satisfy.


Availability crises

Organizations are regularly faced with crises that can compromise the availability of their operations.

These disruptions may have internal causes, such as a fire, human error or the technical failure of critical infrastructure, or external ones: major telecommunications network failures (for example, the Rogers outages of July 2022 and June 2025, or the Vidéotron outage of September 2023) and natural disasters, such as the major ice storms that left thousands of households without electricity in April 2023 and March 2025.

Hiding one’s head in the sand and hoping that these crises don’t happen is clearly not a solution. Indeed, just because a crisis has never occurred in an organization doesn’t mean it never will.

In writing this article, I came across several statistics. (see source at the end)

  1. 93% of companies that lost their data center for 10 days or more due to a disaster closed down within a year.
  2. 96% of companies with a reliable backup and disaster recovery plan were able to survive ransomware attacks.
  3. 75% of small businesses do not have a disaster recovery plan in place.
  4. Hardware failures are responsible for 45% of interruptions.
  5. Human error is the cause of 22% of interruptions.
  6. Software failures account for 18% of interruptions.
  7. The average cost of an IT outage is $5,600 per minute.
  8. 98% of organizations report that a single hour of downtime costs more than $100,000.
  9. 40% of companies fail to reopen after a disaster.
  10. A further 25% go bankrupt within a year.
  11. 90% of companies go bankrupt within two years of a loss.

Note that the first source below is titled “The 40 percent business failure myth” and questions the origin of the “40% never reopen” figure; items 9 to 11 are widely repeated but poorly sourced, so quote them with care.

Sources:

https://drj.com/journal/summer-2018-volume-31-issue-2/the-40-percent-business-failure-myth/

https://news.sophos.com/en-us/2023/05/17/the-state-of-ransomware-2023/

https://news.nationwide.com/half-of-small-businesses-lack-a-disaster-recovery-plan-nationwide-survey/

https://uptimeinstitute.com/resources/research-reports

https://www.atlassian.com/incident-management/kpis/cost-of-downtime

https://itic-corp.com/itic-reports-surveys/


Common errors observed during audits

During the audits I’ve carried out, I’ve seen these situations on a regular basis:

  • Plan stored only in SharePoint and inaccessible offline.
  • Generator tested without load: circuit-breaker trips on first use with a real load.
  • Unrealistic Business Impact Analysis (BIA): five-minute RTO for all equipment, no budget.
  • Untrained personnel: unknown procedures at the critical moment.

Link with regulatory obligations

Although ISO 22301 certification is not a legal requirement, it demonstrates due diligence with regard to several obligations:

  • Bill 25 in Quebec: obligation to protect personal information, even in the event of an operational incident.
  • Civil Protection Act: planning requirements for municipalities and public bodies.
  • Insurers’ requirements: some now require certified business continuity plans in order to grant extended coverage.

Certification process: what to expect

ISO 22301 certification follows the classic steps:

  1. Define the scope;
  2. Implement the BCMS (6 to 18 months depending on scope);
  3. Initial certification audit by an accredited body (a stage 1 document review, then a stage 2 on-site audit);
  4. Annual surveillance audits over the three-year certificate cycle, followed by a recertification audit.

Costs range from $15,000 to $80,000, depending on size, outsourcing and scope.


Examples of performance indicators (KPIs)

Here are some useful indicators for measuring the ongoing effectiveness of the BCMS:

  • % of plans reviewed and updated in the last 12 months;
  • observed recovery time in exercises and real incidents compared with the target RTO (and age of the last successful backup compared with the RPO);
  • exercise participation rate by department;
  • average time to complete post-incident validation.

With this data, the BCMS manager can better direct efforts towards continuous improvement.
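Indicators only direct effort if someone actually computes them from evidence. The following Python script is an added example, not code from the original article or its author: it takes the RTO/RPO targets from the BIA stage described earlier and the indicators listed above, and runs them as checks over a constructed register of exercise results and backup runs, flagging services whose latest exercise exceeded the RTO, whose last successful backup is older than the RPO, whose plan was not reviewed in 12 months, or which were never exercised. The service names, targets, timestamps and the “as of” time are invented for illustration.

```python
"""Added example (not from the article): BIA targets and BCMS KPIs checked against
constructed evidence. Every service, target, exercise and backup run below is invented."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BiaTarget:
    service: str
    rto_minutes: int          # recovery time objective from the BIA
    rpo_minutes: int          # recovery point objective (tolerable data-loss window)
    plan_reviewed: datetime   # last documented review of the continuity plan

@dataclass
class ExerciseResult:
    service: str
    started: datetime         # when the outage was declared in the exercise
    restored: datetime        # when the service was confirmed back
    invited: int              # people expected to take part
    attended: int             # people who actually did

@dataclass
class BackupRun:
    service: str
    completed: datetime
    success: bool

NOW = datetime(2025, 7, 3, 12, 0)  # constructed "as of" time for the report

TARGETS = [
    BiaTarget("payments", 60, 15, datetime(2025, 2, 10)),
    BiaTarget("crm", 240, 60, datetime(2024, 5, 1)),        # review is over a year old
    BiaTarget("payroll", 1440, 1440, datetime(2025, 1, 15)),
]
EXERCISES = [
    ExerciseResult("payments", datetime(2024, 11, 12, 9, 0), datetime(2024, 11, 12, 9, 50), 12, 12),
    ExerciseResult("payments", datetime(2025, 5, 20, 9, 0), datetime(2025, 5, 20, 10, 35), 12, 9),
    ExerciseResult("crm", datetime(2025, 3, 3, 14, 0), datetime(2025, 3, 3, 16, 30), 8, 6),
]
BACKUPS = [
    BackupRun("payments", datetime(2025, 7, 3, 11, 35), True),
    BackupRun("payments", datetime(2025, 7, 3, 11, 50), True),
    BackupRun("crm", datetime(2025, 7, 3, 10, 30), True),
    BackupRun("crm", datetime(2025, 7, 3, 11, 45), False),   # failed run does not count
]

def rto_gaps(targets, exercises):
    """Services whose most recent exercise took longer than the RTO: {service: (observed, target)}."""
    rto = {t.service: t.rto_minutes for t in targets}
    latest = {}
    for e in exercises:  # keep only the most recent exercise per service
        if e.service not in latest or e.started > latest[e.service].started:
            latest[e.service] = e
    gaps = {}
    for service, e in latest.items():
        observed = (e.restored - e.started).total_seconds() / 60
        if observed > rto[service]:
            gaps[service] = (observed, rto[service])
    return gaps

def rpo_gaps(targets, backups, now=NOW):
    """Services whose last successful backup is older than the RPO (None = no success at all)."""
    gaps = {}
    for t in targets:
        done = [b.completed for b in backups if b.service == t.service and b.success]
        if not done:
            gaps[t.service] = None
            continue
        age = (now - max(done)).total_seconds() / 60
        if age > t.rpo_minutes:
            gaps[t.service] = age
    return gaps

def plans_reviewed_pct(targets, now=NOW):
    """KPI: share of continuity plans reviewed within the last 12 months."""
    fresh = sum(1 for t in targets if now - t.plan_reviewed <= timedelta(days=365))
    return round(100 * fresh / len(targets), 1)

def participation_pct(exercises):
    """KPI: overall exercise participation rate (attended / invited)."""
    invited = sum(e.invited for e in exercises)
    return round(100 * sum(e.attended for e in exercises) / invited, 1) if invited else 0.0

def untested_services(targets, exercises, now=NOW):
    """Services in the BIA scope with no exercise in the last 12 months."""
    tested = {e.service for e in exercises if now - e.started <= timedelta(days=365)}
    return sorted(t.service for t in targets if t.service not in tested)

if __name__ == "__main__":
    print("RTO exceeded:", rto_gaps(TARGETS, EXERCISES))
    print("RPO exceeded:", rpo_gaps(TARGETS, BACKUPS))
    print("Plans reviewed in last 12 months:", plans_reviewed_pct(TARGETS), "%")
    print("Exercise participation:", participation_pct(EXERCISES), "%")
    print("Never exercised:", untested_services(TARGETS, EXERCISES))
```

With the constructed data, the script reports the same three findings an auditor would raise: the payments service recovered in 95 minutes against a 60-minute RTO, the CRM backup is 90 minutes old against a 60-minute RPO (the failed 11:45 run is correctly ignored), and payroll has neither a successful backup nor an exercise on record. In practice the registers would be fed from the exercise log and the backup tool’s job history rather than typed in.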

Complementary standards to ISO 22301

Other documents in the same ISO family go into more detail on specific aspects of the BCMS:

  • ISO/TS 22317:2021: guidelines for conducting a business impact analysis (BIA);
  • ISO/TS 22318:2021: supply chain continuity management, useful for companies dependent on critical suppliers;
  • ISO 22320:2018: emergency management, focusing on incident management and operational response.

These documents are guidance, not certifiable requirements, but they support the implementation of ISO 22301.


The difference between business continuity and IT resilience

Business continuity

Business continuity concerns an organization’s ability to maintain its essential functions in the event of a crisis or major disruption. This approach is broad and covers all critical operations, not just IT:

  • Identification of processes vital to the company.
  • The definition of plans and procedures to continue or restore these processes after an incident.
  • The implementation of clear governance, staff training and ongoing awareness-raising.

Business continuity is structured by the ISO 22301 standard.

IT resilience

IT resilience is more specific: it is the ability of IT systems to withstand, adapt to and recover quickly from technical or cyber disruption. It covers:

  • Redundant IT infrastructure.
  • Regular backups and rapid, tested data restoration.
  • Disaster recovery (DR) solutions.
  • Prevention of, and response to, cyber attacks and IT incidents.

IT resilience is an essential part of business continuity, but it remains focused on the technical and technological aspects.

Example: A redundant cloud infrastructure distributed across several data centers to avoid service interruption in the event of hardware failure.



Patrick Boucher
President and founder
25+ years of experience in security, ethical hacking, business continuity