Business Continuity Management Systems- ISO 22301

Business Continuity Management Systems - ISO 22301

The ISO 22301:2012 defines the international standard for the business continuity of an organization.

The ISO 22301 standard specifies the requirements for planning, implementing, managing and continuously improving a documented management system to prepare, react and recover from unforeseeable or accidental events, such as:

Natural disasters

Market turbulence

Terrorist acts

Physical interruptions of the security status

Infrastructure failures

Fraud or hacking actions

The standard has been developed to minimise the risk of interruption of the activities of each organisation.

The application of the ISO 22301 requirements allows companies to be able to demonstrate to the stakeholders that there is a business continuity management system modeled on best practices recognised worldwide.

The standard requires working on broad objectives, for this reason it is not prescriptive and can be applied by all organisations, regardless of their size or whether they operate on local, national and global markets or whether they are public or private.


  • Being prepared to deal with business problems that would stop the production process
  • Having an added value over the competitors and be assessed by a Third Independent Party
  • Keep the strategic business objectives and key services of your company monitored


In addition to all the mentioned advantages, ISO 22301 Certification is a fundamental tool in order to:

  • Minimise the time to restore full activity
  • Guarantee the survival in case of interruption of operations and restoration of activities within the predetermined times
  • Reduce the risk of business interruption


Initially the efforts must be aimed at understanding the nature of the organisation, identifying the critical activities, assessing the potential threats and the impact related to a possible interruption of the work/production activity, determining the continuity requirements and the risk propensity.

In this way it is possible to identify the scope of application of the Business Continuity Management System (BCMS), taking into account:

  • Strategic business objectives
  • Key products and services
  • Processes necessary to achieve them and correlation with the organisational structure
  • Risk propensity and applicable regulatory and contractual obligations.

The development of the plan can follow the phases of the Deming cycle (PDCA):


define the Business Continuity strategy, aimed at recovering all critical activities and managing interactions.


create a control structure and prepare a management plan.


everything implemented must be maintained and continuously monitored.


the plan becomes part of the organisation’s culture, employees are educated to maintain its values and its management over time, and finally the plan is periodically updated.

A Business Continuity plan must be continuously tested and updated to achieve maximum compliance with the needs of the business, even a small change in any basic component of the process can alter the effectiveness of the plan.

The guarantee of success depends on some factors connected to each other, including:

  • Time
  • Continuous updating of solutions
  • Continuous evaluation of the relationship between cost / complexity of the solution and between value / priority of the business and regulation of the protected process
  • Overall costs
  • Extent of impact between the functions involved