ISO 22301 · 5 min read · 14 June 2026

What is ISO 22301? Business continuity management, explained

A plain-English introduction to ISO 22301: the international standard for business continuity management systems, the BIA, RTO/RPO and MTPD, and the operational core in clause 8.

ISO 22301 is the international standard for business continuity management systems (BCMS). Where ISO 27001 is about protecting information, ISO 22301 is about a harder question: when something disrupts you, can you keep going, and recover within the time the business can tolerate?

A management system, not a binder

The biggest misconception about ISO 22301 is that it's a document you write and file. It isn't. Like other ISO management-system standards it follows the plan-do-check-act cycle, and its value is in staying current as the business changes. A continuity plan that's twelve months out of date is worse than none, because it gives false confidence.

The operational core (clause 8)

The heart of ISO 22301 is clause 8, which takes you from "what matters?" to "can we prove we'd recover?":

  • 8.2 Business impact analysis and risk assessment. Identify your processes, rank their criticality, and set recovery objectives. This is where the key numbers come from:
    • MTPD (maximum tolerable period of disruption) — how long a process can be down before the damage is unacceptable.
    • RTO (recovery time objective) — how quickly you aim to restore it.
    • RPO (recovery point objective) — how much data loss is tolerable.
    The BIA also identifies the dependencies each process relies on: people, applications, suppliers and infrastructure.
  • 8.3 Strategies and solutions. Choose how you'll recover each process to meet its RTO/RPO, from hot standby to manual fallback.
  • 8.4 Plans and procedures. Continuity plans with activation criteria, roles and escalation, built from the strategy rather than a blank template.
  • 8.5 Exercise programme. Plan, run and evidence exercises, with findings tracked to corrective action. This is what turns a plan into a tested capability.
  • 8.6 Evaluation. Periodically re-evaluate everything built across 8.2 to 8.5 so the BCMS stays effective.
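
The numbers from 8.2 can be checked against each other before any strategy is chosen in 8.3. The sketch below is an added example, not part of ISO 22301 or any ResiliencePilot code: it flags a BIA record whose RTO exceeds its MTPD, whose dependency cannot recover inside the RTO, or whose backup interval is longer than the RPO. The field names, the `bia_findings` helper and the sample register are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Dependency:
    name: str
    kind: str                      # people, application, supplier, infrastructure
    recovery_hours: float          # time needed to bring this dependency back
    backup_interval_hours: Optional[float] = None  # None: holds no data

@dataclass
class Process:
    name: str
    mtpd_hours: float
    rto_hours: float
    rpo_hours: float
    dependencies: List[Dependency] = field(default_factory=list)

def bia_findings(p: Process) -> List[str]:
    """Return the inconsistencies in one BIA record (empty list = consistent)."""
    out = []
    # The recovery target must sit inside the tolerable outage window.
    if p.rto_hours > p.mtpd_hours:
        out.append(f"{p.name}: RTO {p.rto_hours}h exceeds MTPD {p.mtpd_hours}h")
    for d in p.dependencies:
        # A process cannot be restored before the things it relies on.
        if d.recovery_hours > p.rto_hours:
            out.append(f"{p.name}: {d.kind} '{d.name}' needs {d.recovery_hours}h, RTO is {p.rto_hours}h")
        # Worst-case data loss is the gap between two backups.
        if d.backup_interval_hours is not None and d.backup_interval_hours > p.rpo_hours:
            out.append(f"{p.name}: '{d.name}' backs up every {d.backup_interval_hours}h, RPO is {p.rpo_hours}h")
    return out

# Constructed sample register (illustrative values, not real data).
REGISTER = [
    Process("Customer payments", mtpd_hours=8, rto_hours=4, rpo_hours=0.25, dependencies=[
        Dependency("payments-db", "application", recovery_hours=2, backup_interval_hours=1),
        Dependency("card processor", "supplier", recovery_hours=6),
    ]),
    Process("Payroll", mtpd_hours=72, rto_hours=96, rpo_hours=24, dependencies=[
        Dependency("hr-system", "application", recovery_hours=24, backup_interval_hours=24),
    ]),
    Process("Order intake", mtpd_hours=24, rto_hours=8, rpo_hours=4, dependencies=[
        Dependency("web front end", "infrastructure", recovery_hours=1),
    ]),
]

if __name__ == "__main__":
    for proc in REGISTER:
        for finding in bia_findings(proc):
            print(finding)
```

Each finding points back to a decision in 8.2 or 8.3: either the objective is unrealistic or the chosen recovery solution cannot meet it.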

Why it matters beyond certification

The thread running through ISO 22301 is tested recovery. A plan you've never exercised isn't continuity; it's a document. That distinction is exactly what regulators increasingly probe, which is why ISO 22301 has become the go-to framework for organisations that also need to satisfy DORA and NIS2 continuity obligations.
