The ISO 22301 business impact analysis is the foundational activity that tells your organisation which activities matter most, how quickly they must be recovered, and how much data loss is tolerable when disruption strikes. Everything downstream in a business continuity management system (BCMS) — strategies, plans, resourcing, and testing — rests on the quality of this analysis. Get it wrong and you protect the wrong things; get it right and your continuity investment is focused, defensible, and proportionate.
ISO 22301:2019 is a pure management-system standard built on the Harmonized Structure shared across modern ISO standards, spanning clauses approximately 4 through 10 (verify the current version against the official text). It contains no Annex A of controls. Instead, it sets requirements for planning, operating, evaluating, and improving continuity. The business impact analysis and the risk assessment together form the analytical core that drives strategy selection.
What the ISO 22301 business impact analysis actually does
The BIA identifies your organisation’s activities, evaluates the impact over time of not performing them, and uses that impact to prioritise recovery. It answers a simple but demanding question: if this activity stopped, how bad would it get, how fast, and when does the harm become unacceptable?
Rather than treating every process as equally critical, the ISO 22301 business impact analysis forces a ranking. That ranking then defines your recovery targets and the resources you commit. It is fundamentally about consequence and time, not about the likelihood of a specific threat — likelihood belongs to the risk assessment that runs alongside it.
Typical steps in a BIA
- Identify and scope the activities the organisation performs.
- Assess the impact over time of disruption to each activity (financial, reputational, legal/regulatory, operational, and safety).
- Determine the point in time at which impact becomes unacceptable — this drives the recovery time objective (RTO).
- Identify dependencies: people, technology, information, suppliers, facilities, and equipment.
- Establish acceptable data loss to set the recovery point objective (RPO).
- Prioritise activities and agree minimum acceptable levels of operation during disruption.
RTO, RPO and the metrics the BIA produces
ISO 22301:2019 emphasises measurable recovery objectives. The two most important outputs of the ISO 22301 business impact analysis are the recovery time objective and the recovery point objective. These translate impact judgements into concrete engineering and resourcing targets.
| Term | Question it answers | Drives |
|---|---|---|
| RTO (Recovery Time Objective) | How quickly must this activity be restored before impact is unacceptable? | Recovery strategy, standby capacity, failover speed |
| RPO (Recovery Point Objective) | How much data loss (measured in time) can we tolerate? | Backup frequency, replication, data architecture |
| MBCO (Minimum Business Continuity Objective) | What is the lowest acceptable level of output during disruption? | Scaled-down operating arrangements |
| MTPD / MAO (Maximum Tolerable Period of Disruption) | What is the outer limit before viability is threatened? | Upper bound for setting RTO |
A well-run BIA keeps these consistent: the RTO for any prioritised activity should sit within its maximum tolerable period of disruption, and the RPO should reflect a genuine tolerance for data loss rather than a wish.
How the BIA connects to the rest of the BCMS
The ISO 22301 business impact analysis does not stand alone. Its outputs feed directly into the selection of business continuity strategies and solutions, the design of continuity plans, and the exercising and testing programme. When you later exercise a plan, you are effectively validating whether the RTOs and RPOs your BIA set can actually be met.
Paired with the risk assessment, the BIA gives you both halves of the picture: the BIA tells you what to protect and how fast, while the risk assessment tells you what could cause the disruption and how likely it is. Together they justify where continuity budget goes.
Common BIA pitfalls to avoid
- Confusing likelihood with impact — the BIA measures consequence over time, not probability.
- Setting RTOs by aspiration rather than by documented impact, making them impossible to meet.
- Ignoring dependencies, especially upstream suppliers and shared IT services.
- Running the BIA once and never revisiting it after organisational change.
- Over-classifying everything as critical, which defeats the purpose of prioritisation.
Keeping the analysis current and evidenced
Because ISO 22301 sits within a continual-improvement cycle, the BIA should be reviewed at planned intervals and after significant change — new products, restructures, acquisitions, or major technology shifts. Retain evidence of the method used, the impact criteria applied, and how RTO and RPO values were derived, so that auditors and leadership can trace decisions back to a defensible rationale.
For the authoritative scope and requirements, consult the standard directly via the official ISO 22301:2019 page and verify the current version before quoting any specific clause.
Frequently asked questions
Is the business impact analysis mandatory under ISO 22301?
Yes. ISO 22301:2019 requires organisations to conduct a business impact analysis and a risk assessment as part of establishing continuity. The BIA is a core, expected activity, not an optional extra.
What is the difference between the BIA and the risk assessment?
The BIA measures the impact over time of disruption and sets recovery priorities and objectives. The risk assessment evaluates the threats that could cause disruption and their likelihood. Both are required and they complement each other.
How do RTO and RPO differ?
RTO is about time to restore an activity; RPO is about acceptable data loss expressed as a period. RTO drives how fast you recover, while RPO drives how frequently you back up or replicate data.
How often should the BIA be reviewed?
Review it at planned intervals and after any significant organisational, technological, or supplier change. The standard’s improvement cycle expects the analysis to stay current rather than being a one-off exercise.

Related guides
- ISO 22301 business continuity management: a complete guide
- ISO 22301 requirements checklist for clauses 4–10
- The ISO 22301 certification process, step by step
Our editable ISO 22301:2019 toolkit gives you ready-to-use BIA templates, RTO/RPO worksheets, and continuity plan documents to accelerate implementation. Explore the ISO 22301 toolkit and build a defensible business impact analysis in days, not months.

