
ISO 22301 is the international standard for business continuity management systems. The current edition, ISO 22301:2019, was published in October 2019 and replaced ISO 22301:2012. This section of the Knowledge Base covers every clause of the standard in plain language, explaining what each requirement means in practice and what you need to do to comply.
The standard provides a framework for an organisation to prepare for, respond to and recover from disruptive incidents - the events that stop the business doing what it is supposed to do. That includes fires, floods, cyber attacks, supplier failures, loss of premises, loss of key staff, pandemics, energy outages and any other event that threatens to interrupt operations. The aim is not to predict every possible disruption, but to understand which activities matter most, how long the organisation can manage without them, and what arrangements are in place to keep things running or get them back up quickly.
A business continuity management system (BCMS) built to ISO 22301 sits across the business rather than inside one department. It pulls together the analysis, plans, people and resources needed to keep priority activities going, and gives top management a way to see whether those arrangements are actually fit for purpose.
The 2019 edition kept the main clause structure (Clause 4 through Clause 10) aligned with the Annex SL high-level structure that all modern ISO management system standards share. Most of the changes from the 2012 version were editorial - simpler language, fewer prescriptive requirements, and clearer separation between what the standard requires and what the supporting guidance suggests. The technical heart of the standard - business impact analysis, risk assessment, business continuity strategies, plans and exercising - remained intact in Clause 8.
The shared Annex SL structure means that organisations already certified to ISO 9001, ISO 14001, ISO 45001 or ISO 27001 will recognise most of Clauses 4 to 7, 9 and 10. Clause 8 is where business continuity is genuinely different from the other standards, requiring a business impact analysis, a continuity-specific risk assessment, documented continuity strategies, plans and a programme of exercising and testing.
The alphaZ ISO 22301 Toolkit provides a complete set of policies, procedures, plans, registers and audit checklists that map to the requirements of the standard. The toolkit is built around the IMS1 Integrated Management System Manual, which can be used on its own or alongside other ISO standards in a single integrated system. The business continuity-specific arrangements are anchored by the PP-1-05 Business Continuity Policy, which references the supporting registers, plans and forms. Each clause article in this section signposts the specific alphaZ documents that help demonstrate compliance with that clause.
People often think business continuity is about thick binders of plans that nobody reads. ISO 22301 pushes back on that. The standard is much more interested in whether you have done the analysis, whether your priorities are right, and whether the people who would actually run the response know what they are doing. A short plan that has been tested beats a long plan that has not.
When I audit against ISO 22301 I look for a clear thread from the business impact analysis through to the plans and the exercises. If the BIA says the call centre must be back within four hours but the recovery arrangements assume a working day, that is a problem. The clauses are linked - what comes out of 8.2 should drive 8.3, 8.4 and 8.5.
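To make that thread concrete, the following small Python check is an added illustration; it is not part of the Knowledge Base, the standard or the alphaZ toolkit. It assumes the BIA records a maximum tolerable period of disruption (MTPD) and a recovery time objective (RTO) for each priority activity, and that each continuity strategy records the recovery time it can actually deliver and when it was last exercised. The `Activity` and `Strategy` structures, the `find_gaps` function and all sample figures are constructed for the example.

```python
"""Consistency check across the ISO 22301 Clause 8 thread: BIA -> strategies -> exercising.

Added illustration with constructed sample data; field names are assumptions, not terms
taken from the standard's text.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Activity:
    """One priority activity as identified by the business impact analysis (8.2)."""
    name: str
    mtpd_hours: float  # maximum tolerable period of disruption
    rto_hours: float   # recovery time objective the BIA sets for the activity


@dataclass
class Strategy:
    """A documented continuity arrangement for an activity (8.3 / 8.4)."""
    activity: str
    description: str
    achievable_recovery_hours: float   # what the arrangement can really deliver
    last_exercised: Optional[str] = None  # ISO date of the last exercise, None if never (8.5)


def find_gaps(activities: List[Activity], strategies: List[Strategy]) -> List[str]:
    """Return one line per inconsistency between the BIA and the recovery arrangements."""
    by_activity = {s.activity: s for s in strategies}
    gaps: List[str] = []
    for a in activities:
        # The BIA itself must be internally consistent: you cannot aim to recover
        # later than the point at which the disruption becomes intolerable.
        if a.rto_hours > a.mtpd_hours:
            gaps.append(f"{a.name}: RTO {a.rto_hours}h exceeds MTPD {a.mtpd_hours}h")
        s = by_activity.get(a.name)
        if s is None:
            gaps.append(f"{a.name}: no documented continuity strategy (8.3)")
            continue
        # The auditor's example: a four-hour RTO backed by a next-working-day arrangement.
        if s.achievable_recovery_hours > a.rto_hours:
            gaps.append(
                f"{a.name}: strategy '{s.description}' recovers in "
                f"{s.achievable_recovery_hours}h but the RTO is {a.rto_hours}h"
            )
        if s.last_exercised is None:
            gaps.append(f"{a.name}: strategy has never been exercised (8.5)")
    return gaps


# Constructed sample data: a BIA for three activities and two recovery arrangements.
SAMPLE_ACTIVITIES = [
    Activity("call centre", mtpd_hours=8, rto_hours=4),
    Activity("payroll", mtpd_hours=72, rto_hours=48),
    Activity("web order intake", mtpd_hours=24, rto_hours=12),
]
SAMPLE_STRATEGIES = [
    Strategy("call centre", "relocate agents to the DR office next working day",
             achievable_recovery_hours=24, last_exercised="2024-03-12"),
    Strategy("payroll", "run from the hosted backup instance",
             achievable_recovery_hours=24, last_exercised="2024-05-02"),
]


def check_sample() -> List[str]:
    """Run the gap check over the constructed sample and return the findings."""
    return find_gaps(SAMPLE_ACTIVITIES, SAMPLE_STRATEGIES)


if __name__ == "__main__":
    for line in check_sample():
        print("GAP:", line)
```

Run on the sample, the check reports two gaps: the call centre arrangement cannot meet its four-hour RTO, and web order intake has no strategy at all. Payroll passes because the arrangement recovers faster than the RTO and has been exercised.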
