What are the ISO 22301 Requirements?
Published: Jan 9, 2024
Last Updated: Apr 1, 2026
ISO 22301 is structured much like other ISO management system standards, featuring introductory clauses (1–3) alongside its core requirement clauses (4–10). Of these, Clause 8 (Operation) is the linchpin of standing up a Business Continuity Management System (BCMS) and achieving ISO 22301 certification.
As an experienced ISO certification body, we have guided organizations across industries through the certification process and understand firsthand how demanding it can be to implement any management system. That is why this article provides a concise overview of every ISO 22301 clause, with an in-depth look at Clause 8 and what auditors will expect to see.
If you are pursuing ISO 22301 certification, the information below will give you a strong foundation for planning and executing your implementation.
What Has Changed Since 2023?
Before diving into the clause-by-clause breakdown, it is worth noting several developments that have occurred since 2023:
- 2024 Climate Action Amendment (ISO 22301:2019/Amd. 1:2024): Published in February 2024, this amendment requires organizations to consider how climate change may impact their operations (Clause 4.1) and their stakeholders (Clause 4.2). Given the rising frequency of extreme weather events, wildfires, and supply-chain disruptions linked to environmental factors, this is a significant addition to your risk landscape.
- EU DORA Regulation (January 2025): The Digital Operational Resilience Act took effect in January 2025, mandating robust incident response and business continuity planning for financial-sector organizations across Europe. ISO 22301 certification aligns closely with DORA’s requirements, making it an increasingly strategic asset for firms in this space.
- Upcoming Full Revision (ISO/AWI 22301): ISO/TC 292 has formally approved a project to develop the next edition of ISO 22301. As of early 2026, the standard remains at ISO 22301:2019 with no confirmed publication date for the revision, but organizations should monitor this development as working drafts progress.
The core clauses and requirements described below remain fully current and applicable under the existing standard.
The ISO 22301 Clause Structure
The standard begins with three introductory clauses. These do not contain auditable requirements; instead, they provide essential background for everything that follows:
- Clause 1 – Scope: Defines the boundaries and applicability of the ISO 22301 standard.
- Clause 2 – Normative References: Points to additional guidance or standards that support your alignment efforts.
- Clause 3 – Terms & Definitions: Establishes the common terminology used throughout the standard, ensuring consistent interpretation across organizations.
The remaining clauses (4 through 10) are mandatory and must be fully implemented for ISO 22301 certification. Six of them are summarized in the table below; Clause 8 (Operation) is covered in its own section afterwards.
| Clause | Details |
|---|---|
| Clause 4: Context of the Organization | Requires you to identify internal and external factors that could affect your ability to sustain business continuity. This includes your organization’s size, structure, and resources, as well as regulatory requirements, economic conditions, and market dynamics. Notably, since the 2024 climate action amendment, organizations must also assess how climate change may affect their operations and stakeholders. |
| Clause 5: Leadership | Much like other ISO standards (including ISO/IEC 27001), this clause calls on top management to demonstrate visible commitment to business continuity by allocating the necessary resources, setting direction, and ensuring the BCMS is integrated into the organization’s overall strategic processes. |
| Clause 6: Planning | Mandates that your organization defines a business continuity policy and sets measurable objectives. These objectives must be monitored, communicated internally and externally, updated as conditions change, and aligned with all applicable legal and regulatory obligations. Clause 6 lays the groundwork for Clause 8, since every operational process and its effectiveness will be measured against these objectives. |
| Clause 7: Support | Focuses on ensuring that the right people are in place and that they clearly understand their roles within the BCMS. This includes competence, awareness, communication, and the documented information needed to support effective operations. |
| Clause 9: Performance Evaluation | Stipulates that you monitor, measure, analyze, and evaluate BCMS performance at planned intervals using documented procedures. This clause also covers internal audit requirements and management review processes. |
| Clause 10: Improvement | Addresses how your organization handles nonconformities, learns from incidents, and continuously enhances the BCMS to keep it effective and relevant over time. |
A Deep Dive into ISO 22301 Clause 8: Operation
Clause 8 is the operational heart of the BCMS. It translates your policies, objectives, and risk assessments into actionable processes. Because of its critical importance, we will walk through each of its six subclauses and highlight what your auditors will be looking for.
ISO 22301 Clause 8.1 - Operations Planning and Control
This foundational subclause requires you to establish the processes, policies, and procedures necessary for business continuity operations. Personnel must have a clear, documented set of processes to follow, so that execution remains consistent.
Key areas of focus include how your organization controls:
- Day-to-day processes;
- Planned changes to the BCMS; and
- Responsibilities—whether internal or outsourced—to confirm that business continuity activities are carried out as intended.
During your assessment, auditors will verify that specific policies and procedures align with the effectiveness criteria you established, and that documentation is reviewed and kept current by responsible parties.
ISO 22301 Clause 8.2 - Business Impact Analysis (BIA) and Risk Assessment
Clause 8.2 is one of the most integral parts of ISO 22301. It asks you to evaluate potential impacts on your ability to meet service agreements, business continuity objectives, and legal or regulatory obligations.
| BIA | Risk Assessment |
|---|---|
| Determines business continuity priorities relevant to your organization’s context by identifying activities that support the delivery of products and services and calculating the impact of disruptions—including factors like the maximum tolerable period of disruption and recovery time objectives. | Scores and categorizes business continuity risks based on the potential impact of disruption. This includes how your organization analyzes, evaluates, and prioritizes risks so that treatment plans can be developed for those deemed most detrimental to your products and services. |
Note: The risks addressed in Clause 8.2 are specifically tied to disruption of business continuity, which distinguishes them from the broader management-system risks covered in Clause 6.
Auditors will confirm that you perform, monitor, and review both the BIA and risk assessment at planned intervals to account for organizational changes or evolving threat landscapes.
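To make the BIA and risk-assessment outputs described above concrete, the following is an added, illustrative Python model; it is not a template from the standard or from Schellman. It assumes a simple ordinal impact scale rated at a few outage horizons, derives each activity's maximum tolerable period of disruption (MTPD) as the first horizon at which the impact becomes intolerable, flags any proposed recovery time objective (RTO) that is not shorter than that MTPD, and ranks disruption risks by a likelihood-times-impact score against an assumed treatment threshold. The activity and risk data are constructed for the example.

```python
"""Worked business impact analysis (BIA) and disruption-risk prioritization.

Added illustrative example. The impact scale, outage horizons, scoring and
treatment threshold are assumptions for this example, not requirements
taken from ISO 22301.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed ordinal impact scale: 0 = none ... 4 = intolerable.
IMPACT = {"none": 0, "minor": 1, "moderate": 2, "major": 3, "intolerable": 4}
INTOLERABLE = IMPACT["intolerable"]


@dataclass
class Activity:
    name: str
    # Impact rating after each outage duration, in hours (assumed horizons).
    impact_over_time: dict[int, str]
    proposed_rto_hours: int


def derive_mtpd(activity: Activity) -> int | None:
    """Earliest horizon at which impact becomes intolerable (the MTPD).

    Returns None if no rated horizon reaches the intolerable level."""
    for hours in sorted(activity.impact_over_time):
        if IMPACT[activity.impact_over_time[hours]] >= INTOLERABLE:
            return hours
    return None


def rto_gaps(activities: list[Activity]) -> list[tuple[str, int, int]]:
    """Activities whose proposed RTO is not shorter than the MTPD.

    Recovery would finish only after the disruption has already become
    intolerable, so the RTO must be tightened or the strategy revisited."""
    gaps = []
    for a in activities:
        mtpd = derive_mtpd(a)
        if mtpd is not None and a.proposed_rto_hours >= mtpd:
            gaps.append((a.name, a.proposed_rto_hours, mtpd))
    return gaps


def continuity_priorities(activities: list[Activity]) -> list[str]:
    """Rank activities by urgency: shortest MTPD first; activities that never
    reach intolerable impact sort last."""
    def key(a: Activity):
        m = derive_mtpd(a)
        return (m is None, m if m is not None else 0, a.name)
    return [a.name for a in sorted(activities, key=key)]


@dataclass
class DisruptionRisk:
    name: str
    affected_activity: str
    likelihood: int  # assumed scale 1 (rare) ... 5 (almost certain)
    impact: int      # assumed scale 1 (negligible) ... 5 (catastrophic)


def prioritize_risks(risks: list[DisruptionRisk],
                     treatment_threshold: int = 12) -> list[tuple[str, int, bool]]:
    """Score each risk as likelihood x impact, highest first; the flag marks
    risks at or above the assumed threshold that need a treatment plan."""
    scored = sorted(risks, key=lambda r: (-(r.likelihood * r.impact), r.name))
    return [(r.name, r.likelihood * r.impact,
             r.likelihood * r.impact >= treatment_threshold) for r in scored]


# Constructed sample data for the example.
SAMPLE_ACTIVITIES = [
    Activity("Order processing",
             {1: "minor", 4: "moderate", 24: "intolerable", 72: "intolerable"}, 8),
    Activity("Payroll",
             {1: "none", 4: "none", 24: "minor", 72: "intolerable"}, 96),
    Activity("Internal wiki",
             {1: "none", 4: "none", 24: "minor", 72: "moderate"}, 48),
    Activity("Customer support line",
             {1: "moderate", 4: "intolerable", 24: "intolerable"}, 2),
]

SAMPLE_RISKS = [
    DisruptionRisk("Ransomware on order system", "Order processing", 3, 5),
    DisruptionRisk("Regional flooding of main office", "Customer support line", 2, 4),
    DisruptionRisk("Payroll SaaS provider outage", "Payroll", 4, 3),
    DisruptionRisk("Wiki server disk failure", "Internal wiki", 3, 1),
]

if __name__ == "__main__":
    print("Priorities:", continuity_priorities(SAMPLE_ACTIVITIES))
    print("RTO gaps (activity, RTO, MTPD):", rto_gaps(SAMPLE_ACTIVITIES))
    for name, score, treat in prioritize_risks(SAMPLE_RISKS):
        print(f"{score:>3}  {'TREAT' if treat else 'accept'}  {name}")
```

The two checks an auditor cares about fall straight out of the model: every activity with an intolerable horizon has an RTO that is strictly shorter than its MTPD, and every risk above the threshold is traceable to a treatment plan. Re-running the script after an organizational change (new activity, changed horizons, new supplier) is one way to evidence the periodic review the clause calls for.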
ISO 22301 Clause 8.3 - Business Continuity Strategies and Solutions
Drawing on the outputs of your BIA and risk assessment, Clause 8.3 requires you to identify and select strategies for pre-disruption, active disruption, and post-disruption activities. With consideration for the time frames identified in the BIA (which should reflect contractual requirements), these strategies should:
- Reduce the likelihood of disruptions;
- Limit the impact when disruptions do occur;
- Ensure adequate resources are available; and
- Protect the organization and its ability to deliver products and services.
For each strategy, you will also need to determine resource requirements—including personnel, information and data, physical infrastructure, technology, and the associated financial costs.
ISO 22301 Clause 8.4 - Business Continuity Plans and Procedures
Building on the strategies selected in Clause 8.3, this subclause requires documented plans and procedures for managing disruptions. The primary goal is to minimize the impact of any incident, and your plans should include details regarding:
- Warning and communication procedures;
- Specific steps for mitigating disruption;
- Defined roles, responsibilities, and how teams interact with one another.
Overall, in the event of an incident, your plan should enable you to:
- Assess the nature, extent, and potential impact of the disruption;
- Activate an appropriate response; and
- Communicate the effects of the disruption to all interested parties.
ISO 22301 Clause 8.5 - Exercise Program
With your plans in place, Clause 8.5 requires you to validate them through business continuity exercises. These exercises are designed to build teamwork, confirm competence, and ensure the right people are prepared to lead the organization through a real disruption. Your exercises should:
- Align with your established business continuity objectives;
- Be built on realistic scenarios with clearly defined goals;
- Be conducted at planned intervals; and
- Include a thorough post-exercise review.
It is not enough to simply run these exercises. You must also evaluate whether the results demonstrate adequate effectiveness and implement improvements so that each test reflects real-world conditions as closely as possible.
ISO 22301 Clause 8.6 - Evaluation of Business Continuity Documentation and Capabilities
Finally, Clause 8.6 provides guidance—including a template—for periodically re-evaluating everything you have built across the previous subclauses. By routinely reviewing your business continuity documentation and organizational capabilities, you ensure that your BCMS stays effective and current as your organization evolves.
Moving Forward with ISO 22301 Certification
Achieving certification against any ISO standard is a significant undertaking, and ISO 22301 is no exception. The standard demands thoroughness across every dimension of business continuity: impact analyses, policies, objectives, risk assessments, strategies, solutions, plans, procedures, validation exercises, and post-incident reviews.
However, the payoff is equally significant. A well-implemented BCMS does more than check a compliance box—it strengthens your organization’s resilience against everything from cyberattacks and supply-chain failures to climate-related disruptions and regulatory shifts.
If you have questions about the standard or would like to discuss a potential partnership for certification, contact us today. Our team of experts would be happy to help you chart a clear path forward.
About Matthew Gierl
Matthew Gierl is a Senior Associate with Schellman. Prior to joining the firm in February of 2018, Matthew worked as an IT Risk Consultant specializing in SOC 1 and SOC 2 testing. As a Senior Associate with Schellman, Matt is now focused primarily on helping organizations across various industries achieve different ISO certifications.