ISO/IEC 22301 — Business Continuity Management

The internationally recognised standard for Business Continuity Management Systems (BCMS). ISO 22301 certification demonstrates that your organisation can withstand disruption and maintain critical operations — a requirement for regulated industries and enterprise supplier qualification globally.

ISO 22301:2019 · BCMS · Business Continuity · Resilience

What is ISO 22301?

ISO 22301:2019 is the international standard for Business Continuity Management Systems (BCMS). It specifies requirements for planning, establishing, implementing, operating, monitoring, reviewing, and improving a documented BCMS — enabling organisations to protect against, prepare for, respond to, and recover from disruptive incidents.

Who Needs ISO 22301?

  • Financial services organisations subject to DORA and banking supervisor continuity requirements
  • Critical infrastructure operators (energy, utilities, telecoms)
  • Cloud providers and data centres with uptime SLAs
  • Healthcare organisations with patient safety obligations
  • Public sector and government contractors
  • Any organisation required to demonstrate resilience in enterprise supplier qualification

DORA and ISO 22301

The EU Digital Operational Resilience Act (DORA), mandatory from January 2025, requires EU financial entities to implement ICT business continuity policies and disaster recovery plans. ISO 22301 provides a structured framework that directly addresses DORA's operational resilience requirements — and BALTUM's integrated programmes map ISO 22301 controls to DORA obligations to minimise duplication.

Key Elements of the BCMS

  • Business Impact Analysis (BIA) — identifying critical activities and recovery time objectives
  • Risk Assessment — threats and vulnerabilities affecting business continuity
  • Business Continuity Plans (BCPs) — documented recovery procedures for all critical processes
  • IT Disaster Recovery Plans (DRPs) — system and data recovery procedures
  • Crisis Communication Plans — stakeholder communication during incidents
  • Exercise and Testing programme — tabletop, simulation, and full live exercises

Integration with ISO 27001

ISO 22301 and ISO 27001 are highly complementary. BALTUM's integrated programme shares the risk assessment methodology, management review cycle, internal audit programme, and documentation structure — reducing total implementation effort by 30–40% compared to sequential certifications.