ISO 22301. Business continuity management

ISO 22301 defines the requirements for a business continuity management system. Certification to this standard proves that there are arrangements in place that allow the company to continue operation even in case of a major disturbing incident.


RIGCERT provides ISO 22301 certification to help you build organizational resilience and demonstrate it to your clients, partners or any other party.

Continuity management

The concept of business continuity involves three key elements: resilience (critical business functions and the supporting infrastructure are designed in such a way that they are not easily affected by disruptions); recovery (there are arrangements in place to recover or restore critical business functions following a disruptive event) and contingency (capability and preparedness to cope effectively with incidents).

ISO 22301 standard

ISO 22301 was published in 2012, replacing back then the British standard BS 25999-2. ISO 22301 defines the requirements for a business continuity management system and can be implemented of course by any organization.

Among other elements the standard requires a business impact analysis and a good understanding of how the activity can be affected by a disturbing incident; a risk assessment and the development of a business continuity strategy and business continuity plans that have to be tested periodically and improved.

A structure (team) to respond in case of incidents must be defined and invested with the responsibility to act in critical situations.

ISO 22301 Certification

ISO 22301 requires the organization to identify potential risks and threats, evaluate their impact on the activities; plan and implement actions to ensure critical business functions will continue to operate in case of an incident or can be restored and restarted within a reasonable time frame.

Certification to ISO 22301 provides partners, clients, suppliers and other interested parties a guarantee of the organization’s commitment to face difficult situations and continue operation in case of disturbing incidents.


If you want more information about this standard and its requirements we have an online course below that may interest you.

For certification purposes please write an e-mail to

Get in touchs with us!

Welcome to your {38e5eebb5c1380f7017bb98b6adfe22a76404ca792267d725b8f2bdb580a7de4}QUIZ_NAME{38e5eebb5c1380f7017bb98b6adfe22a76404ca792267d725b8f2bdb580a7de4}

Which are the components of the P-D-C-A cycle?
What represents a requirement determined as not applicable to the QMS as per ISO 9001:2015?
Which of the following can be considered post-delivery activities according to ISO 9001:2015?
What is the frequency for internal audits required by ISO 9001:2015?
Which of the following statements is true?

Welcome to your {38e5eebb5c1380f7017bb98b6adfe22a76404ca792267d725b8f2bdb580a7de4}QUIZ_NAME{38e5eebb5c1380f7017bb98b6adfe22a76404ca792267d725b8f2bdb580a7de4}

1. What is the relation between environmental aspects and impacts?
2. Which statement is true according to ISO 14001:2015?
3. The corrective action is?
4. As per ISO 14001:2015 compliance obligations refer to:
5. For determining environmental aspects purposes, the life cycle of a product may include stages like:

Welcome to your {38e5eebb5c1380f7017bb98b6adfe22a76404ca792267d725b8f2bdb580a7de4}QUIZ_NAME{38e5eebb5c1380f7017bb98b6adfe22a76404ca792267d725b8f2bdb580a7de4}

1. The occupational health and safety policy
2. What represents a “near-miss”?
2. OHSAS 18001 requires:
4. Which of the following statements is false?
5. As per OHSAS 18001 the health and safety of visitors to the workplace represents the responsibility of the organization?

Welcome to your {38e5eebb5c1380f7017bb98b6adfe22a76404ca792267d725b8f2bdb580a7de4}QUIZ_NAME{38e5eebb5c1380f7017bb98b6adfe22a76404ca792267d725b8f2bdb580a7de4}

1. What represents the Statement of Applicability?
2. In case the same person is responsible for both initiating and approving specific transactions, what information security control is not respected?
3. In case the organization decides to outsource software development does it have any responsibility to monitor the activity of its subcontractor(s) in terms of information security?
4. The decision to accept a security risk represents an option for treatment?
5. What is the principle of independence related to internal audits referring to?