SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

What are the ISO 22301 Requirements?

ISO Certifications

Like many of the other ISO standards, ISO 22301 features introductory clauses (1-3), and it also has its own fundamental clauses (4-10)—of these, clause 8 (Operation) is key to standing up the Business Continuity Management System (BCMS) and achieving ISO 22301 certification.

As a long-time ISO certification body, we’ve been helping different organizations secure different ISO certifications for years, which means we know the big lift it is to implement any kind of management system. That’s why, in this article, we’re going to provide a brief overview of each of the ISO 22301 clauses with a more thorough detailing of that key clause 8.

If you’re interested in getting ISO 22301 certified, moving forward with this information should help you well along in that process.

 

What are the ISO 22301 Key Clauses?

Let’s begin with the aforementioned “introductory” clauses—these don’t contain any specific requirements; rather, they provide the background information you’ll need when implementing the next set of clauses:

  • Clause 1: Scope
    • Defines the boundaries and applicability of the ISO 22301 standard
  • Clause 2: Normative References
    • Includes other guidance or standards that can help in your work to align with ISO 22301
  • Clause 3: Terms & Definitions
    • Establishes common terminology used in the standard for consistent implementation of the standard across organizations

Then, you have the next six clauses, which are mandatory and must be implemented in order to achieve ISO 22301 certification. These break down as follows:

Clause

Details

Clause 4:

Context of the Organization

Asks that you identify relevant internal and external factors that could impact your ability to maintain business continuity—understanding things like your organization’s size, structure, and resources, as well as regulatory requirements, economic conditions and current market dynamics can help you better devise strategies for your specific circumstances.

Clause 5:

Leadership

Requires—like many other ISO standards, including 27001—that your organization’s leadership demonstrate support of business continuity through the allocation of necessary resources and their support overall.

Clause 6:

Planning

Mandates that you define your business continuity policy and set related objectives—these items must be measurable, consistent, updated accordingly, monitored and communicated both internally and externally, and also account for any applicable laws and regulations your organization must contractually abide by.

* Clause 6 provides the foundation for adherence to Clause 8, as every management system’s operational processes and effectiveness will revolve around these objectives.

Clause 7:

Support

Involves making sure the necessary personnel are explicitly aware of their roles within the BCMS and prepared to do their parts adequately.

Clause 9:

Performance Evaluation

Stipulates that you monitor and periodically evaluate the BCMS using established and documented procedures for measuring and analyzing its performance.

Clause 10:

Improvement

Conditions that you address discovered nonconformities, learn from any incidents that should occur, and enhance your BCMS in order to facilitate continuous improvement.

 

A Breakdown of ISO 22301 Clause 8

The other key clause of ISO 22301 is Clause 8, which encompasses the Operation of your BCMS.

As it is such a critical component, we’re going to disseminate it into its four subclauses and the specific operating design and effectiveness pieces that your assessors will look for to ensure that your management system is in conformance with this part of the standard.

ISO 22301 Clause 8.1 - Operations Planning and Control

First and foundational, 8.1 asks you to establish your requirements for business continuity operations, including explicit policies and procedures that provide relevant personnel with a set of processes to follow to ensure everything is consistent that is acknowledged by those involved.

Of heavy focus will be the design of how your organization controls:

  • Processes;
  • Planned changes; and
  • Responsibilities (internal or outsourced), in order to ensure that business continuity is being carried out as planned.

During your assessment, auditors will look for specific policies and procedures that match up to the desired effectiveness you establish as part of clause 8.1, and they’ll check to ensure that documentation is reviewed and updated by responsible parties.

ISO 22301 Clause 8.2 - Business Impact Analysis (BIA) and Risk Assessment

Another integral part of ISO 22301, clause 8.2 asks that you assess potential impacts that could affect your ability to meet service agreements, business continuity objectives, and legal/regulatory requirements:

BIA

Risk Assessment

Determines business continuity priorities that are relevant to your organization’s context by:

  • Identifying activities that support the provision of products and services; and
  • Calculating the impact of disruptions noted, including factors like maximum tolerable period of disruption and recovery time objectives.

Should include the details of business continuity risks that score and categorize the impact of disruption to the organization if that risk were to occur, including how your organization:

  • Analyzes;
  • Evaluates; and
  • Prioritizes risks so that you can determine treatment plans for those risks deemed detrimental to your product and/or services.

Note: These risks differ slightly from risks addressed in clause 6, as these risks are specific to disruption of business continuity rather than the effectiveness of the management system.

Auditors will check that you’re performing, monitoring, and reviewing these two processes at planned intervals to account for organizational changes or shifting potential impacts.

ISO 22301 Clause 8.3 - Business Continuity Strategies and Solutions

Using those outputs from the business impact analysis and risk assessment, you’ll then identify and select business continuity strategies for pre-, during, and post-disruption activities as part of clause 8.3.

With consideration to the required time frames for the continuance and recovery of products and services identified in the BIA (that reflect contractual requirements), these strategies should:

  • Reduce the likelihood of disruptions;
  • Limit the impact of disruption;
  • Provide adequate resources; and
  • Protect the organization.

As part of each strategy, you’ll also need to determine the resource requirements, including the necessary people, information and data, physical infrastructure, etc.—as well as the financial cost for all of that.

ISO 22301 Clause 8.4 - Business Continuity Plans and Procedures

Clause 8.4’s plans and procedures refer to those you’ll use to ensure you are properly managing disruptions and, again, build on the outputs of your selected strategies and solutions from clause 8.3.

The steps and solutions of these plans should aim foremost to be effective in minimizing the impact of the disruption, and so should include details regarding:

  • Procedures for warning and communication;
  • Specific steps for mitigating disruption;
  • Roles and responsibilities of each team and how they interact with each other; and

Overall, your plan should allow you to—in the event of an incident:

  • Properly assess the nature and extent of disruption and potential impact;
  • Activate an appropriate response and solution; and
  • Establish a way to monitor and communicate the effects of the disruption to interested parties.

ISO 22301 Clause 8.5 - Exercise Program

With all these established plans, clause 8.5 then requires business continuity exercises as validation that your plans are timely and effective strategies/solutions. To help develop and confirm the necessary teamwork, competence, and proper knowledge for those who are responsible for leading the organization through business continuity disruptions, these tests/exercises should:

  • Be consistent with your established business continuity objectives;
  • Be based on appropriate scenarios with defined objectives;
  • Be performed at planned intervals; and
  • Contain a post-exercise review.

However, it’s not enough to just perform these exercises—you must also evaluate the effectiveness and adequacy of the results and implement changes and/or improvements to ensure the tests mimic as close as possible to real-life disruptions.

ISO 22301 Clause 8.6 - Evaluation of Business Continuity Documentation and Capabilities

Finally, clause 8.6 provides guidance—including a template—for the regular re-evaluation of all the work you’ve done to satisfy the previous clauses. By periodically reviewing all your established business continuity documentation and capabilities, you’ll ensure that your BCMS remains effective and up-to-date as your organization evolves.

 

Moving Forward with ISO 22301 Certification

Though becoming ISO certified against any of the family of standards can be a huge boon to an organization, the work in aligning with the requirements is a heavy lift—ISO 22301 included.

But now you understand a bit more about the requirements for this standard focused on improving and maintaining business continuity, and how thorough it requires you to be, including the business impact analysis, policies, objectives, risk assessments, strategies, solutions, plans, and procedures, validation exercises, and post-incident reports that you’ll need to create and implement in order to become ISO 22301 certified.

If you have further questions about the standard or would like to speak with Schellman regarding a possible partnership for certification, contact us today to be put in touch with our experts, who would be happy to speak with you.

About Matthew Gierl

Matthew Gierl is a Senior Associate with Schellman. Prior to joining the firm in February of 2018, Matthew worked as a IT Risk Consultant specializing in SOC 1 and SOC 2 testing. As a Senior Associate with Schellman, Matt is now focused primarily on helping organizations across various industries achieve different ISO certifications.