Understanding the ISO 22301 clauses is the fastest way to grasp how a business continuity management system (BCMS) is actually built, audited, and certified. ISO 22301:2019 is the international standard for business continuity management, and like other modern management-system standards it follows the Harmonized Structure, with the auditable requirements sitting in clauses 4 through 10. Getting to know each clause helps you scope your programme, allocate responsibilities, and prepare evidence with confidence.
This guide walks through the numbered clauses at a practical level, explains the core continuity elements they demand, and answers the questions practitioners ask most. Where a specific number or edition matters, always verify the current version against the official source before relying on it.
How the ISO 22301 clauses are organised
ISO 22301:2019 opens with three introductory clauses that are not directly auditable. Clause 1 (Scope), Clause 2 (Normative references) and Clause 3 (Terms and definitions) set context and vocabulary. The requirements you must demonstrate conformity against begin at Clause 4.
Because ISO 22301 adopts the Harmonized Structure shared across ISO management-system standards, its layout mirrors ISO 27001, ISO 9001 and others. That makes integration straightforward: if you already run one management system, the ISO 22301 clauses 4-10 will feel familiar. It is also a pure management-system standard, so there is no Annex A list of controls to reference.
The core requirement clauses (4-10)
The table below summarises the intent of each numbered clause. Treat the numbering as a guide and verify the current version, as editions can be revised over time.
| Clause | Title | What it requires (in brief) |
|---|---|---|
| 4 | Context of the organization | Understand internal/external issues, interested parties and their needs, and define the BCMS scope. |
| 5 | Leadership | Top-management commitment, a business continuity policy, and clear roles and responsibilities. |
| 6 | Planning | Address risks and opportunities and set measurable continuity objectives. |
| 7 | Support | Provide resources, competence, awareness, communication, and documented information. |
| 8 | Operation | The operational heart: BIA, risk assessment, strategies, plans, and exercising. |
| 9 | Performance evaluation | Monitoring, measurement, internal audit, and management review. |
| 10 | Improvement | Handle nonconformities, corrective actions, and continual improvement. |
What the operational ISO 22301 clauses ask you to do
Clause 8 is where most of the practical work lives, and it is worth unpacking because it drives the rest of the BCMS. It brings together the recognised building blocks of business continuity management.
Business impact analysis (BIA)
The BIA identifies your prioritised activities and the impact of disruption over time. From it you derive continuity requirements, including the recovery time objective (RTO) — how quickly an activity must resume — and the recovery point objective (RPO), the maximum tolerable data loss. RTO and RPO are central to ISO 22301 and shape every downstream decision.
Risk assessment
Alongside the BIA, you assess the risks of disruption to your prioritised activities. This informs which threats warrant mitigation and which continuity strategies are proportionate.
Business continuity strategies and solutions
Based on the BIA and risk assessment, you select strategies and solutions to protect prioritised activities, stabilise, continue, and recover them within agreed objectives — covering people, premises, technology, information, and suppliers.
Business continuity plans and procedures
Documented plans define how you respond to and manage a disruption, including incident structure, communications, and recovery procedures. They must be actionable under pressure, not shelf-ware.
Exercising and testing
Finally, you exercise and test your arrangements so you can validate that plans work, that people know their roles, and that objectives such as RTO are achievable. Results feed continual improvement under Clauses 9 and 10.
Why the ISO 22301 clauses matter for certification
An external auditor assesses your BCMS against clauses 4-10. Each clause maps to evidence: a defined scope and interested-party analysis for Clause 4, a signed policy for Clause 5, documented objectives for Clause 6, competence records for Clause 7, BIA and exercise reports for Clause 8, audit and review minutes for Clause 9, and corrective-action logs for Clause 10.
Because the requirements are outcome-focused rather than prescriptive, you have latitude in how you meet them — provided you can demonstrate a systematic, documented, and continually improving approach. For the definitive wording, consult the standard itself via the official ISO 22301 page at iso.org.
Frequently asked questions
How many clauses does ISO 22301 have?
ISO 22301:2019 contains ten numbered clauses. Clauses 1-3 are introductory (scope, references, terms), while the auditable management-system requirements sit in clauses 4-10. Verify the current version if a future edition renumbers anything.
Which ISO 22301 clause covers the business impact analysis?
The BIA is required within Clause 8 (Operation), alongside risk assessment, continuity strategies, plans, and exercising. Clause 8 is generally the most resource-intensive part of implementation.
Does ISO 22301 have an Annex A like ISO 27001?
No. ISO 22301 is a pure management-system standard and does not include an Annex A control set. All requirements are expressed directly within the clauses themselves.
Are RTO and RPO defined in the clauses?
Yes, in substance. The recovery time objective and recovery point objective are derived through the Clause 8 business impact analysis and underpin the continuity strategies and plans you must document.

Related guides
- ISO 22301 business continuity management: a complete guide
- ISO 22301 requirements checklist for implementation and audit
- The ISO 22301 certification process explained step by step
Ready to move from theory to evidence? Our editable ISO 22301:2019 toolkit maps directly to the clauses above, with ready-to-tailor policies, BIA and risk templates, plans, and audit-ready documentation. Explore the ISO 22301 toolkit and accelerate your path to a certifiable BCMS.

