ISO 22301: what it is, requirements and how to implement it

ISO 22301 is the main international standard for business continuity management. We explain in plain language what it requires, how it is structured and what it takes to implement it and, if needed, get certified.

Updated: June 28, 2026 · Author: Evgeny Telenkov · ≈ 8 min read

What ISO 22301 is

ISO 22301 is the international standard for a business continuity management system (BCMS). The current edition is ISO 22301:2019 (with a 2024 amendment on climate-related risks). It sets uniform requirements for how a company plans, implements, checks and improves its ability to keep operating during disruptions.

The standard follows the same logic as other ISO management-system standards (for example, ISO 9001) and runs on the PDCA cycle — "plan, do, check, act."

Key requirements (clauses 4-10)

| Clause | About |
|---|---|
| 4. Context | Understanding the organisation, interested parties, scope of the BCMS |
| 5. Leadership | Role of top management, continuity policy, assignment of responsibility |
| 6. Planning | Continuity objectives, addressing risks and opportunities |
| 7. Support | Resources, competence, awareness, communication, documents |
| 8. Operation | BIA, risk assessment, continuity strategies and plans, drills |
| 9. Evaluation | Monitoring, measurement, internal audit, management review |
| 10. Improvement | Handling nonconformities and continual improvement |

Related standards: ISO 22313 (guidance on implementing ISO 22301) and ISO/IEC 27031 (ICT readiness for business continuity).

How to implement it: main steps

  1. Define the scope and secure management support.
  2. Run a business impact analysis (BIA) and risk assessment.
  3. Choose continuity strategies and develop plans (BCP).
  4. Train the team and run drills.
  5. Launch internal audits and management review.

Is certification necessary?

Certification is optional for most companies, but the ISO 22301 methodology itself is useful as the framework of a mature system. A certificate makes sense when partners, tenders, an exchange or a parent company require it. In Russia the terminological equivalent is the GOST R series on continuity management; the principles are the same.

FAQ

Which edition of ISO 22301 is current?

ISO 22301:2019 with the 2024 amendment (Amd 1, climate aspects). This is the current edition of the international business continuity standard.

Is ISO 22301 certification mandatory?

No. The standard can be used as a methodology without certification. A certificate is needed when customers, tenders or a regulator require it.

How is ISO 22301 different from ISO 27031?

ISO 22301 is about whole-business continuity. ISO/IEC 27031 is about ICT (IT infrastructure) readiness to support continuity. They complement each other.

Evgeny Telenkov
Chief Risk Officer · PhD in Economics · "Best Risk Manager of Russia 2020"
20 years in risk management. Led risk management at Beeline, Nornickel, Rosneft and EY. Built business continuity plans for Nornickel, Rostec, NSD and DIA. Trained 300+ risk and BCM specialists.