ISO 22301 · Business Continuity Management

Be ready before disruption becomes a crisis.

ISO 22301 helps the organisation understand what matters most, plan how to keep it running through disruption, and test that the plan actually works.

What it is

A brief introduction to ISO 22301

ISO 22301 sets out requirements for a business continuity management system, with business impact analysis, risk assessment, continuity strategies, incident response, exercises and continual improvement.

CroftSpurr summaries are written in our own words. We do not reproduce copyrighted clauses from ISO standards.

Why organisations pursue it

Common business drivers.

Customers want evidence of operational resilience.

Cyber incidents have made continuity a board-level issue.

Dependence on a few critical suppliers is increasing concentration risk.

Regulatory expectations are tightening.

You need a credible response, not a binder.

Business benefits

Outcomes a well-built system can support.

  1. A clear view of what is critical to the business
  2. Tested plans that survive real incidents
  3. Reduced downtime and faster recovery
  4. Stronger supplier and dependency oversight
  5. Greater customer confidence in your resilience
  6. Continual improvement after exercises and incidents

Common triggers

What usually prompts a project.

  • A customer or framework requires ISO 22301.
  • An outage exposed gaps in recovery plans.
  • A supplier failure caused unplanned disruption.
  • Regulatory operational resilience expectations apply.
  • Investors or partners are asking continuity questions.

What implementation involves

The core building blocks.

  1. Business impact analysis (BIA).
  2. Identifying critical activities and dependencies.
  3. Setting recovery priorities and continuity strategies.
  4. Designing incident response and communication.
  5. Running exercises and tests.
  6. Improving based on what actually happens.

How CroftSpurr helps

A focused, hands-on approach.

Focused BIA workshops, not endless spreadsheets.
Continuity strategies sized to your risk appetite.
Realistic exercises that surface real issues.
Supplier continuity assessments.
Integration with information security and incident response.

Relationship with other standards

How it fits the wider picture.

  • ISO/IEC 27001: information security incident response feeds continuity.
  • ISO 31000: underpins enterprise risk management.
  • ISO 22317: guidance specifically on business impact analysis.

Typical project journey

What a project usually looks like.

  1. Scoping and leadership alignment
  2. Business impact analysis
  3. Continuity strategy design
  4. Plans, roles and communication
  5. Exercises and testing
  6. Audit and certification readiness

Certification

Consultancy and certification are different.

CroftSpurr helps you understand requirements, implement your management system and prepare for the certification audit. Independent certification is carried out by a separate certification body. We do not sell or issue ISO certificates.

FAQs

Common questions.

Is ISO 22301 only for large organisations?

No. It scales. The depth of analysis and the number of strategies are proportionate to your size and risk.

How often should we test our continuity plans?

At least annually, plus targeted exercises after significant changes, and always capture lessons from real incidents.

Does ISO 22301 cover cyber incidents?

Continuity for cyber events is in scope, but ISO 22301 does not replace detailed incident response procedures or information security controls; you need both.

Make ISO 22301 useful to the business.

Start with a focused conversation.

Talk to CroftSpurr