Instant downloadAuditor-writtenSecure Stripe checkout
ISO 22301 Certification Process: Best 2026 Guide — ISO Toolkits

ISO 22301 Certification Process: Best 2026 Guide

The ISO 22301 certification process is the structured route an organisation follows to build, operate and independently certify a business continuity management system (BCMS) against ISO 22301:2019. Certification confirms to customers, regulators and stakeholders that you can anticipate disruptions, respond effectively and recover critical activities within defined timeframes. This guide walks through what the standard requires and how the assessment typically unfolds.

What is ISO 22301:2019?

ISO 22301:2019 is the international standard for a business continuity management system. It is a pure management-system standard, meaning it defines requirements for how you plan, operate and improve continuity capability rather than prescribing a fixed catalogue of controls. There is no Annex A of controls, which distinguishes it from standards such as ISO/IEC 27001.

The standard follows the ISO Harmonized Structure (the common high-level structure shared across modern management-system standards), with requirements set out in clauses 4 to 10. You can confirm scope and the current version on the official ISO 22301 standard page; always verify the current version before relying on any specific edition.

The core elements of a BCMS

Whatever your sector, an ISO 22301 BCMS is built on a consistent set of activities:

  • Business impact analysis (BIA) — identifying prioritised activities and the impact of disruption over time.
  • Risk assessment — understanding threats that could cause disruption to those activities.
  • Business continuity strategies and solutions — deciding how to protect, recover and maintain prioritised activities.
  • Business continuity plans — documented, actionable response and recovery procedures.
  • Exercising and testing — validating that plans and arrangements actually work.

The BIA drives your recovery time objectives (RTO) and recovery point objectives (RPO), which quantify how quickly activities must resume and how much data or work you can afford to lose.

The ISO 22301 certification process step by step

The ISO 22301 certification process combines internal implementation work with an external, two-stage audit performed by an accredited certification body. The stages below reflect common practice; sequencing and duration vary by organisation size and maturity.

StageWhat happensRelated clauses
1. Context & scopeDefine the BCMS scope, interested parties and requirements.Clause 4
2. Leadership & planningSecure top-management commitment, set policy and objectives, address risks.Clauses 5–6
3. Support & resourcesProvide competence, awareness, communication and documented information.Clause 7
4. OperationRun the BIA, risk assessment, strategies, plans and exercises.Clause 8
5. EvaluationMonitor, measure, conduct internal audits and management review.Clause 9
6. ImprovementHandle nonconformities and drive continual improvement.Clause 10
7. Stage 1 auditCertification body reviews documentation and readiness.
8. Stage 2 auditBody assesses BCMS effectiveness in practice; certificate issued.

Stage 1 and Stage 2 audits

Stage 1 is a readiness review: the auditor checks that your documented BCMS exists, matches the intended scope and is ready for a full assessment. Any gaps are flagged so you can act before the deeper audit.

Stage 2 evaluates whether the BCMS is genuinely implemented and effective — testing evidence of BIA output, plans, exercises, competence and management review. If the auditor is satisfied, the certification body issues a certificate, typically valid for approximately three years subject to ongoing surveillance; verify the exact cycle with your chosen body.

Surveillance and recertification

Certification is not a one-off event. After the initial award, the certification body conducts periodic surveillance audits (commonly annual) to confirm you continue to operate and improve the BCMS. A recertification audit takes place at the end of the cycle to renew the certificate.

How to prepare for the ISO 22301 certification process

Most delays come from weak evidence rather than missing intent. To move smoothly through the ISO 22301 certification process, focus on demonstrable outcomes:

  • Complete a defensible BIA that clearly sets RTOs and RPOs for prioritised activities.
  • Link your risk assessment and continuity strategies directly to BIA findings.
  • Keep continuity plans concise, current and genuinely usable during a crisis.
  • Run at least one meaningful exercise and retain the results and lessons learned.
  • Perform internal audits and a management review before inviting the external body.

A gap analysis early on helps you map current practice against clauses 4 to 10 and prioritise remediation.

Frequently asked questions

How long does ISO 22301 certification take?

It depends on organisation size, complexity and existing maturity. Implementation commonly takes several months, followed by the Stage 1 and Stage 2 audits. Organisations with mature continuity practices move faster; treat any specific timeframe as approximate.

Is ISO 22301 mandatory?

No. Certification is voluntary, though customers, regulators or tender requirements may effectively require it. Even without certifying, adopting the standard strengthens resilience and stakeholder confidence.

Does ISO 22301 have controls like ISO 27001?

No. ISO 22301 is a pure management-system standard with no Annex A of controls. It specifies requirements for the BCMS lifecycle — planning, operating, evaluating and improving continuity capability — rather than a fixed control set.

What is the difference between RTO and RPO?

The recovery time objective (RTO) is how quickly an activity must be restored after disruption. The recovery point objective (RPO) is the maximum acceptable data or work loss, measured back from the point of disruption. Both are outputs of the BIA.

ISO 22301 certification process toolkit templates
The editable ISO 22301 Toolkit — BCMS policies, BIA, plans and audit templates.

Related guides

Ready to accelerate your project? Our editable ISO 22301:2019 toolkit gives you ready-to-use BIA templates, risk assessment tools, continuity plans and audit-ready documentation mapped to clauses 4 to 10. Explore the ISO 22301 toolkit and start building a certification-ready BCMS today.

Shopping Cart