International standard · Updated 2019 · Certifiable

ISO 22301:2019 implementation guide

The international standard for Business Continuity Management Systems, walked clause by clause. What each clause requires, how auditors sample it, and which BCMStack module satisfies it natively.

Standard: ISO 22301:2019
Certifiable: Stage-1 + Stage-2 audit
Companion: ISO 22313:2020 (guidance)
§1 — Definition

What ISO 22301:2019 is

ISO 22301 is the international standard for Business Continuity Management Systems. Published originally in 2012 and revised in 2019, it specifies the requirements an organisation must meet to plan, establish, implement, operate, monitor, review, maintain and continually improve its capability to respond to disruptions.

The 2019 revision aligned ISO 22301 with the High-Level Structure shared by ISO 9001, ISO 27001, ISO 14001 and other management-system standards. That made it dramatically easier to integrate a BCMS with adjacent management systems — a single internal audit programme, a single management review cadence, a single risk register can serve all of them.

ISO 22301 is certifiable. An accredited certification body audits in two stages — a documentation review (Stage 1) and an operational verification (Stage 2) — and issues a certificate valid for three years with annual surveillance audits in between. Certification isn’t mandatory by law, but it’s increasingly expected by regulators (SAMA, MAS, FCA, FINMA), customers in financial services and critical infrastructure, and procurement teams running standard security questionnaires.

ISO 22301 vs ISO 22313. ISO 22301:2019 is the requirements standard — what you must do. ISO 22313:2020 is the guidance standard — how to do it. Auditors certify against ISO 22301; ISO 22313 is the implementation companion. Most organisations refer to both during rollout but only 22301 is certifiable.

§2 — Scope

Who needs ISO 22301

The standard applies to any organisation regardless of size, type or sector — but the operational drivers tend to come from specific places.

Regulated financial services

SAMA, MAS, FCA, FINMA, BaFin and most banking regulators reference ISO 22301 as the BCM benchmark. Many require evidence of an ISO 22301-aligned BCMS even if certification isn't mandatory.

Critical infrastructure

Energy, telco, transport, healthcare. Often required by sector regulator or by the organisation's own customers / reinsurers / public-utility supervisors.

Multinational corporations

Used as the global benchmark to harmonise BCM practice across jurisdictions. Local regulations defer to ISO 22301 as the consensus competence standard.

Cloud / SaaS providers

Customers procuring SaaS routinely ask for ISO 22301 status. Cloud-first companies certify early to remove friction from enterprise sales cycles.

Government + public sector

Used by national emergency-management agencies, defence ministries, and central banks as the practitioner standard for organisational resilience.

Outsourcing + BPO

Outsourcing contracts often require the supplier to maintain ISO 22301 certification (or equivalent) as a contractual continuity guarantee.

§3 — Structure

The seven core clauses (§4 to §10)

Clauses §1 through §3 are introductory (scope, normative references, terms and definitions). The seven clauses below are the operational requirements an auditor samples.

Clause §4

Context of the organisation

Understand the organisation, its interested parties, and the scope of the BCMS. Document explicitly what's in and out of scope.

BCMStack surface

BCMS scope statement (artefact repository) · interested-parties register

Clause §5

Leadership

Top management commitment, BCM policy, roles and responsibilities defined and communicated.

BCMStack surface

Policy artefact + attestation · published BCM org chart from RBAC

Clause §6

Planning

Risks and opportunities · BCM objectives · planning of changes.

BCMStack surface

Risk module + objectives register

Clause §7

Support

Resources · competence · awareness · communication · documented information.

BCMStack surface

Vendor/app/location registers · training records · document storage

Clause §8

Operation — the BCM lifecycle

Operational planning · BIA + risk assessment · strategies · BCPs · phased recovery · activation log · exercise programme.

BCMStack surface

BIA · BCP (with §8.4.4 native fields and §8.5 activation log) · Exercise Programme · Crisis Management

Clause §9

Performance evaluation

Monitoring · measurement · analysis · evaluation · internal audit · management review.

BCMStack surface

Reporting dashboard · audit-evidence repository · committee meetings log

Clause §10

Improvement

Nonconformity and corrective action · continual improvement.

BCMStack surface

Improvement actions register · NC trend chart on reporting dashboard

§4 — Deep dive

§8.4.4 — what every BCP must contain

Clause §8.4.4 specifies the required content of a business continuity plan. In practice it is the clause that matters most, and the one where BCMStack ships discrete typed fields rather than free text.

a) Purpose and scope

   What outcome the plan is designed to achieve, and the boundary of what's in / out of the plan.

b) Activation criteria, authority, and procedures

   The conditions that trigger plan invocation, who has authority to declare activation, and the deactivation criteria when conditions return to normal.

c) Roles, responsibilities, and authorities

   The IMT roster + RACI assignment + escalation. Tied to clause §8.4.2.

d) Classification, target RTO and RPO

   Plan classification level (public/internal/confidential/restricted) plus the recovery objectives the plan is committed to meeting.

e) Procedures and information for response and recovery

   The actual recovery steps, phased per §8.4.5 (respond / recover / restore).

f) Communications

   How stakeholders are informed before, during and after activation. Tied to clause §8.4.3.

g) Resources required

   Staff, applications, vendors, locations needed to execute the plan. Pulled from BIA dependencies.

h) References to other plans

   DR plan, crisis management plan, IT runbooks. Often where peer platforms fall down: a free-text field 'related plans' isn't enough.

How BCMStack handles §8.4.4

Each §8.4.4 sub-clause maps to a discrete typed column on the bcp_plans table: purpose, scope, activation criteria, activation authority, deactivation criteria, classification, target RTO, target RPO. Each column is type-validated and every change is audit-trailed. The IMT roster, comms tree, recovery steps and plan references live in dedicated child tables; none of this is free text.

See the BCP module data model →
§5 — Implementation

Plan — Do — Check — Act

ISO 22301 follows the standard High-Level-Structure Plan-Do-Check-Act cycle. Each phase maps to specific clauses.

§4 · §5 · §6 · §7

Plan

  • Context + scope
  • Leadership + policy
  • Risks + opportunities
  • Resources + competence
§8

Do

  • BIA + risk assessment
  • Strategies + solutions
  • BCPs (§8.4.4 native)
  • Phased recovery (§8.4.5)
  • Activation log (§8.5)
  • Exercise programme
§9

Check

  • Monitoring + measurement
  • Internal audit
  • Management review
§10

Act

  • Nonconformity + corrective action
  • Continual improvement

The bulk of the operational work — and the bulk of audit-evidence generation — lives in the Do phase. That’s where BCMStack’s six modules sit.

§6 — Certification

The certification path

Greenfield: 9-18 months from kickoff to certificate. With BCMStack the remediation phase typically collapses 30-50% because §8.4.4, §8.4.5 and §8.5 surfaces ship native.

1

Gap analysis

1-3 months

Compare current BCMS against ISO 22301:2019 requirements. Document findings + remediation plan.

2

Remediation + BCMS rollout

3-6 months

Close gaps from the analysis. Author missing policies, BIAs, BCPs. Roll out tools. With BCMStack, the §8.4.4 / §8.4.5 / §8.5 surfaces are pre-built so this phase compresses.

3

Internal audit + management review

1 month

Run a full internal audit covering the BCMS scope. Hold a structured management review with required inputs. Required ISO evidence.

4

Stage 1 audit (documentation review)

1 month

External certification body reviews documentation: scope, policy, BIAs, BCPs, exercise records, audit reports, management review minutes.

5

Stage 2 audit (operational verification)

1 month

External auditor samples actual operations: interviews users, observes processes, reviews evidence quality. Findings raised; minor non-conformances addressed in 90 days.

6

Certificate issuance

1 month

Certificate issued; valid for 3 years with annual surveillance audits + a triennial recertification audit.

§7 — Gaps

Common gaps + remediation

The three patterns that appear in the majority of pre-certification gap analyses.

01

BCPs lack §8.4.4 native fields

The gap

Plans authored as free-text descriptions. Purpose, scope, activation criteria, classification, RTO/RPO are buried in narrative paragraphs. Auditors can't diff them across versions or filter plans by classification.

The fix

Migrate to a platform with discrete §8.4.4 columns. Per-plan migration ~30 minutes once the schema is in place. BCMStack ships this natively.

02

§8.5 activation evidence is missing

The gap

Plans authored but never invoked. No record of exercises versus real activations. When the auditor asks 'when was this last invoked?' the answer is 'we don't know'.

The fix

Log every plan invocation as a structured activation record (activatedAt, activatedBy, triggerSummary, outcome). Log tabletop exercises the same way, flagged as exercises, so real activations and rehearsals can be told apart and filtered. Exercise records are the evidence §8.5 (exercise programme) asks for; records of real invocations feed the §8.6 evaluation of plans and the §9.1 monitoring. BCMStack's bcp_activations table is the canonical surface for both.
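The two checks gap items 01 and 02 describe, written as an added example against the typed §8.4.4 plan record sketched in the §4 deep dive. This is not BCMStack's code: the record shapes and field names (mtpdMinutes, kind, outcome, the 365-day look-back window) are assumptions, and the sample plans and activations are constructed. checkPlan refuses empty activation fields, a classification outside the enum, an RTO above the BIA's MTPD, out-of-order §8.4.5 phases and dangling plan references; activationEvidence answers 'when was this last invoked?' per plan, keeping exercises and real activations apart.

```typescript
// Added example, not BCMStack's own code. Record shapes, field names and the
// 365-day look-back window are assumptions for illustration, not the product schema.

type Classification = "public" | "internal" | "confidential" | "restricted";
type Phase = "respond" | "recover" | "restore";
const CLASSIFICATIONS: readonly Classification[] = ["public", "internal", "confidential", "restricted"];
const PHASES: readonly Phase[] = ["respond", "recover", "restore"];

interface BcpPlan {
  id: string;
  purpose: string;
  scope: string;
  activationCriteria: string;
  activationAuthority: string;            // role entitled to declare activation
  deactivationCriteria: string;
  classification: Classification;
  targetRtoMinutes: number;
  targetRpoMinutes: number;
  mtpdMinutes: number;                    // from the BIA; an RTO above it cannot be met
  recoverySteps: { phase: Phase; action: string }[]; // phased per §8.4.5
  relatedPlanIds: string[];               // references to other plans as ids, not free text
}

interface BcpActivation {
  planId: string;
  activatedAt: string;                    // ISO 8601 date, so lexical order is time order
  activatedBy: string;
  triggerSummary: string;
  kind: "exercise" | "real";
  outcome: "met_rto" | "missed_rto" | "aborted";
}

// §8.4.4 completeness check. Returns nonconformities; an empty list means every
// field the page lists is present, typed and internally consistent.
function checkPlan(plan: BcpPlan, knownIds: { [id: string]: boolean }): string[] {
  const findings: string[] = [];
  const textFields = ["purpose", "scope", "activationCriteria", "activationAuthority", "deactivationCriteria"] as const;
  for (const f of textFields) if (plan[f].trim() === "") findings.push(`${f} is empty`);
  if (CLASSIFICATIONS.indexOf(plan.classification) < 0) findings.push(`classification '${plan.classification}' is not in the allowed set`);
  if (!(plan.targetRtoMinutes > 0)) findings.push("targetRtoMinutes must be positive");
  if (!(plan.targetRpoMinutes >= 0)) findings.push("targetRpoMinutes must be non-negative");
  if (plan.targetRtoMinutes > plan.mtpdMinutes) findings.push(`targetRto ${plan.targetRtoMinutes}m exceeds MTPD ${plan.mtpdMinutes}m`);
  if (plan.recoverySteps.length === 0) findings.push("no recovery steps");
  let highest = -1, disordered = false;
  for (const step of plan.recoverySteps) {
    const idx = PHASES.indexOf(step.phase);
    if (idx < 0) findings.push(`unknown phase '${step.phase}'`);
    else if (idx < highest) disordered = true;
    else highest = idx;
  }
  if (disordered) findings.push("recovery steps are not in respond/recover/restore order");
  for (const ref of plan.relatedPlanIds) if (!knownIds[ref]) findings.push(`related plan '${ref}' does not exist`);
  return findings;
}

interface EvidenceRow { planId: string; lastExercise: string | null; lastReal: string | null; stale: boolean }

// Activation evidence per plan: latest exercise, latest real activation, and whether
// anything at all was logged inside the look-back window ending at asOf.
function activationEvidence(plans: BcpPlan[], log: BcpActivation[], asOf: string, windowDays = 365): EvidenceRow[] {
  const cutoff = new Date(asOf).getTime() - windowDays * 86400000;
  return plans.map((plan) => {
    const latest = (kind: BcpActivation["kind"]): string | null => {
      const dates = log.filter((a) => a.planId === plan.id && a.kind === kind).map((a) => a.activatedAt).sort();
      return dates.length ? dates[dates.length - 1] : null;
    };
    const lastExercise = latest("exercise"), lastReal = latest("real");
    const newest = [lastExercise, lastReal].filter((d): d is string => d !== null).sort().pop();
    return { planId: plan.id, lastExercise, lastReal, stale: newest === undefined || new Date(newest).getTime() < cutoff };
  });
}

// Constructed sample records (not real plans). The payments plan is conformant; the
// draft HR plan carries the free-text-era defects the gap analysis should surface.
const paymentsPlan: BcpPlan = {
  id: "BCP-PAY-01", purpose: "Keep card settlement running from the secondary site",
  scope: "Settlement engine and its vendor links; customer support is out of scope",
  activationCriteria: "Primary site unavailable for more than 30 minutes",
  activationAuthority: "Head of Payments Operations",
  deactivationCriteria: "Primary site stable for 24 hours and backlog reconciled",
  classification: "confidential", targetRtoMinutes: 120, targetRpoMinutes: 15, mtpdMinutes: 240,
  recoverySteps: [
    { phase: "respond", action: "Declare the incident and convene the IMT" },
    { phase: "recover", action: "Fail the settlement engine over to the secondary site" },
    { phase: "restore", action: "Fail back and reconcile ledgers" },
  ],
  relatedPlanIds: ["DR-CORE-01"],
};
const drPlan: BcpPlan = { ...paymentsPlan, id: "DR-CORE-01", purpose: "Restore core infrastructure", relatedPlanIds: [] };
const draftPlan: BcpPlan = {
  ...paymentsPlan, id: "BCP-HR-07", activationAuthority: "",
  classification: "secret" as Classification,   // value outside the enum
  targetRtoMinutes: 480,                        // above the BIA's MTPD of 240 minutes
  recoverySteps: [{ phase: "recover", action: "Run payroll manually" }, { phase: "respond", action: "Notify HR director" }],
  relatedPlanIds: ["CMP-01"],                   // no such plan in the register
};
const plans = [paymentsPlan, drPlan, draftPlan];
const knownIds: { [id: string]: boolean } = {};
for (const p of plans) knownIds[p.id] = true;

const activations: BcpActivation[] = [
  { planId: "BCP-PAY-01", activatedAt: "2023-11-02", activatedBy: "S. Rahman", triggerSummary: "Storage array failure at primary", kind: "real", outcome: "met_rto" },
  { planId: "BCP-PAY-01", activatedAt: "2024-03-10", activatedBy: "BC manager", triggerSummary: "Quarterly tabletop", kind: "exercise", outcome: "missed_rto" },
  { planId: "DR-CORE-01", activatedAt: "2022-09-14", activatedBy: "BC manager", triggerSummary: "Annual failover test", kind: "exercise", outcome: "met_rto" },
];

for (const p of plans) console.log(p.id, checkPlan(p, knownIds));
console.log(activationEvidence(plans, activations, "2024-06-01"));
```

Run as-is, the draft HR plan yields five findings and the two plans with no activity since mid-2023 come back stale against a June 2024 review date; shrinking the window to 30 days marks the payments plan stale as well, which is the check a surveillance audit of the exercise programme effectively performs. Both functions work only because the fields are typed: the same checks against a narrative paragraph would need a human reader per plan.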

03

Management review is a tick-box

The gap

Management review (§9.3) is performed but inputs are missing or stale (audit findings, exercise outcomes, KPIs not consolidated). Outputs (decisions, actions) aren't tracked to closure.

The fix

Cross-module reporting dashboard pulling live data into a structured management-review template. Decisions tracked in improvement-actions register with verification.

§8 — Platform mapping

ISO 22301 clauses → BCMStack modules

Every clause that has an operational footprint maps to a BCMStack module surface. Click any module to see its product page.

Clause | What it requires | BCMStack module surface and note
§4 + §5 | Context · scope · leadership · BCM policy | BCMS artefact repository + attestation pulse for the BCM policy.
§6.1 | Risk and opportunity | Polymorphic risk register; treatments; scenario library shared with exercises.
§8.2 | Business impact analysis | Configurable matrix; impact-over-time; RTO/RPO/MTPD calculation; dependencies.
§8.4.4 | BCP plan content | Discrete native columns: purpose, scope, activation criteria, deactivation, classification, RTO, RPO.
§8.4.5 | Phased recovery | respond / recover / restore as a typed enum on each recovery step.
§8.5 + §8.6 | Exercise and activation evidence (activation log) | First-class activation log; crisis events linked back to BCP activations. Exercises are the §8.5 record; real invocations feed the §8.6 evaluation of plans and §9.1 monitoring.
§8.5 + ISO 22398 | Exercise programme | MSEL injects · evaluator observations · AAR lifecycle · SAMA coverage rollup.
§9.1 | Monitoring + measurement | Cross-module dashboard with live tRPC rollups.
§9.2 + §9.3 | Internal audit + management review | Evidence repository attaches external audit reports + committee minutes; improvement actions wired in.
§10.1 | Nonconformity + corrective action | Auto-coded action items; tracked to closure with verification.
FAQ

Frequently asked questions

What is ISO 22301:2019?


ISO 22301:2019 is the international standard for Business Continuity Management Systems (BCMS). Published originally in 2012 and revised in 2019, it specifies requirements an organisation must meet to plan, establish, implement, operate, monitor, review, maintain and continually improve its capability to respond to disruptions. Certifiable by accredited bodies; widely accepted as the global benchmark for BCM maturity.

Is ISO 22301 certification mandatory?


Not by law, but increasingly expected by regulators (SAMA, MAS, FCA, FINMA), customers (especially in financial services and critical infrastructure), and procurement teams (security questionnaires routinely ask for ISO 22301 status). Some sector-specific regulations effectively require it as evidence of BCM competence even when not naming the standard explicitly.

What does §8.4.4 actually require?


§8.4.4 specifies the required content of a business continuity plan. Each plan must document: purpose; scope; how the plan is activated (who, when, criteria); how it's deactivated; classification level (public/internal/confidential/restricted); responsibilities and authorities; the procedures and information needed for response and recovery; target recovery time objective (RTO) and target recovery point objective (RPO); and any relevant references to other plans (DR, crisis management, IT runbooks). BCMStack stores each as a discrete column with type validation.

What's the difference between ISO 22301 and ISO 22313?


ISO 22301:2019 is the requirements standard — what you must do. ISO 22313:2020 is the guidance standard — how to do it. Auditors certify against ISO 22301; ISO 22313 is the implementation companion organisations read to interpret 22301's requirements. Most organisations refer to both during implementation but only 22301 is certifiable.

How long does ISO 22301 certification take?


Greenfield: 9-18 months from kickoff to certificate. The path: 1-3 months gap-analysis, 3-6 months remediation + BCMS rollout, 1 month internal audit + management review, 1 month Stage-1 audit (documentation review), 1 month Stage-2 audit (operational verification), 1 month certificate issuance. With BCMStack's pre-mapped data model, the remediation phase typically collapses by 30-50% because §8.4.4, §8.4.5 and §8.5 surfaces ship native.

What are the most common ISO 22301 gaps?


Three patterns appear in the majority of pre-certification gap analyses. (1) BCPs lack §8.4.4 native fields — purpose / scope / activation criteria buried in free-text descriptions, not auditable as discrete records. (2) §8.5 activation evidence is missing — plans authored but never invoked, no record of exercises versus real activations. (3) Management review (§9.3) is performed as a tick-box rather than a structured input/output cycle. All three are operational discipline issues, not template issues.

Does BCMStack help with ISO 22301 audit prep?


Yes. BCMStack's data model is built around ISO 22301 clause structure — every BCP carries §8.4.4 native fields; recovery steps are phased per §8.4.5; activations are logged per §8.5; exercise programmes follow §8.5 + ISO 22398 jointly. The branded BCP and BIA PDF exports use clause-numbered section headings. Auditors typically remark that BCMStack-generated evidence is easier to sample than spreadsheet- or free-text-platform evidence.

See ISO 22301 native in 20 minutes

Tell us your organisation, your target certification date, and where your BCMS lives today. We’ll show you BCMStack mapped clause by clause and outline a 6-9 month path to Stage 2.

Book a 20-minute demo

Also see SAMA BCM Framework, ISO 22398:2013, or the BCP module.