CA-05 · ISO standards

ISO 22301

Documentation of critical processes, maximum tolerable periods of disruption (MTPD) and business continuity and recovery plans. Complements ISO 27001.

StandardISO 22301:2019
OutputBIA + continuity plan
Testingannual exercise

ISO 22301 requires businesses to document their critical processes, maximum tolerable periods of disruption (MTPD) and continuity and recovery plans. Every organisation that has experienced a serious incident learns this lesson: fire, cyberattack, key-person absence, supplier failure.

The core of the work is the business impact analysis (BIA): which processes cannot stop, for how long, and with what minimum resources they could operate in degraded mode. On this basis, the continuity strategy is built — replication, redundancy, supplier contracts, response team — together with the recovery plan.

It complements ISO 27001 naturally when the main risk is cyber-related. And with ENS when the client is a public-sector entity or sells to the public sector.

The ISO 22301 process.

The process · four stages
01

BIA

Impact analysis: critical processes, MTPD.

02

Strategy

Replication, redundancy, contracts.

03

Plan

Continuity and recovery.

04

Exercises

Annual as a minimum.

What is included

What ISO 22301 includes.

The operational detail: what we deliver as part of the engagement and what we keep active afterwards.

  • BIA · business impact analysis

    Critical processes, MTPD, degraded-mode resources.

  • Continuity strategy

    Decisions on redundancy and replication.

  • Operational continuity plan

    What to do during the incident.

  • Operational recovery plan

    How to return to normal operations.

  • Testing and exercises

    Annual as a minimum. Tabletop, functional, full-scale.

  • Post-incident review

    Formalised lessons learned.

Summum cluster

How it intersects with related services.

ISO 22301 with ISO 27001 when the risk is cyber-related, with ENS when the client is public-sector.

Frequently asked questions about ISO 22301.

When is it worth it?

After an incident, under regulatory pressure, or when a client requires it.

Do we already have a plan?

We build on it. ISO 22301 structures and tests it.

Exercises?

Full annual exercise. Quarterly tabletop sessions.