ISO 22301:2019 · Business Continuity
ISO 22301 Business Continuity (BCMS)
ISO 22301:2019 is the international standard for business continuity management systems (BCMS) — the certifiable framework that proves your organisation can keep critical operations running through cyber incidents, outages, and disasters. It is now effectively mandatory for vendors serving banks in the UAE and Saudi Arabia, for material service providers to APRA-regulated entities in Australia, and for any company whose enterprise contracts carry continuity clauses.
Our consultants have prepared ADIB (Abu Dhabi Islamic Bank), Mashreq Bank, and AMEX for ISO 22301 in the Middle East. Engagements run 8–14 weeks with a fixed-fee quote after scoping; accredited certification-body fees are billed separately.
ISO/IEC 22301:2019 · Accredited certification bodies · Last reviewed June 2026
The Standard
What a BCMS Actually Contains
A business continuity management system is not a binder of plans — it is a live management system with four operational pillars, all tested under Clause 8 of the standard.
Business impact analysis (BIA)
The BIA ranks your products and services by the impact of disruption over time, then sets the recovery targets every other decision flows from: the recovery time objective (RTO), the recovery point objective (RPO) for data loss, and the maximum tolerable period of disruption (MTPD).
Risk assessment
A structured assessment of the threats that could disrupt prioritised activities — cyber attack, data-centre loss, supplier failure, regional outage — and the controls that bring their likelihood and impact within your risk appetite.
Continuity strategies & plans
Documented strategies and solutions that meet each RTO and RPO — alternate sites, failover infrastructure, workforce arrangements, supplier substitution — turned into business continuity and recovery plans with named owners and invocation criteria.
Exercising & testing
ISO 22301 requires plans to be exercised on a planned schedule — from tabletop walkthroughs to full failover tests — with results evaluated so the BCMS demonstrably improves after every exercise and every real incident.
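The four pillars above chain together: the BIA produces an MTPD per activity, the RTO and RPO are set inside it, and a continuity strategy is only acceptable if its exercised recovery time and data-loss window meet those targets. The following Python model is an added illustration written for this page, not TCSA's methodology or any tool the page describes. It assumes a constructed 1–5 impact scale (5 = intolerable), records impact at successive elapsed hours, derives MTPD as the first hour at which impact becomes intolerable, checks that the RTO sits inside the MTPD, ranks activities by time-criticality, and tests two hypothetical strategies against the targets. All activities and strategies are constructed sample data.

```python
"""Minimal BIA consistency model (added example, constructed data).

Assumptions: impact is rated 1..5 (5 = intolerable); impact_over_time maps
elapsed hours since disruption to the rating at that point; RTO/RPO are in hours.
"""
from __future__ import annotations

from dataclasses import dataclass

INTOLERABLE = 5  # rating at which the disruption is no longer survivable


@dataclass
class Activity:
    name: str
    impact_over_time: dict[int, int]  # elapsed hours -> impact rating (1..5)
    rto_hours: float  # recovery time objective set by the BIA
    rpo_hours: float  # recovery point objective (tolerable data loss window)

    def mtpd_hours(self) -> int:
        """MTPD = earliest elapsed hour at which impact reaches the intolerable band.
        If it never does within the rated horizon, the horizon itself is returned."""
        for hours, impact in sorted(self.impact_over_time.items()):
            if impact >= INTOLERABLE:
                return hours
        return max(self.impact_over_time)


@dataclass
class Strategy:
    name: str
    recovery_hours: float  # restoration time demonstrated in exercises
    backup_interval_hours: float  # worst-case data loss the solution allows


def validate_targets(activity: Activity) -> list[str]:
    """Findings against the BIA itself: RTO must sit strictly inside the MTPD,
    and the impact curve must not decrease as the outage lengthens."""
    findings: list[str] = []
    mtpd = activity.mtpd_hours()
    if activity.rto_hours >= mtpd:
        findings.append(
            f"{activity.name}: RTO {activity.rto_hours}h is not inside MTPD {mtpd}h"
        )
    ratings = [activity.impact_over_time[h] for h in sorted(activity.impact_over_time)]
    if ratings != sorted(ratings):
        findings.append(f"{activity.name}: impact ratings must be non-decreasing over time")
    return findings


def rank_by_criticality(activities: list[Activity]) -> list[str]:
    """Prioritised activities: shortest MTPD first, name as a stable tie-breaker."""
    return [a.name for a in sorted(activities, key=lambda a: (a.mtpd_hours(), a.name))]


def check_strategy(activity: Activity, strategy: Strategy) -> list[str]:
    """Findings where the strategy fails the activity's RTO or RPO."""
    findings: list[str] = []
    if strategy.recovery_hours > activity.rto_hours:
        findings.append(
            f"{strategy.name} recovers in {strategy.recovery_hours}h, "
            f"but {activity.name} needs RTO {activity.rto_hours}h"
        )
    if strategy.backup_interval_hours > activity.rpo_hours:
        findings.append(
            f"{strategy.name} allows {strategy.backup_interval_hours}h data loss, "
            f"but {activity.name} needs RPO {activity.rpo_hours}h"
        )
    return findings


# Constructed sample activities (hypothetical, not from any client).
PAYMENTS = Activity("Card payment switching", {1: 2, 4: 3, 8: 4, 24: 5}, rto_hours=8, rpo_hours=0.25)
PAYROLL = Activity("Monthly payroll run", {24: 1, 72: 2, 168: 4, 336: 5}, rto_hours=120, rpo_hours=24)
PORTAL = Activity("Customer web portal", {1: 3, 4: 5}, rto_hours=8, rpo_hours=1)  # RTO set wrongly

# Constructed sample strategies (hypothetical).
WARM_SITE = Strategy("Warm standby site", recovery_hours=6, backup_interval_hours=1)
ACTIVE_ACTIVE = Strategy("Active-active failover", recovery_hours=0.5, backup_interval_hours=0)

if __name__ == "__main__":
    for activity in (PAYMENTS, PAYROLL, PORTAL):
        print(f"{activity.name}: MTPD {activity.mtpd_hours()}h", validate_targets(activity))
    print("Priority order:", rank_by_criticality([PAYMENTS, PAYROLL, PORTAL]))
    for strategy in (WARM_SITE, ACTIVE_ACTIVE):
        print(strategy.name, "vs payments:", check_strategy(PAYMENTS, strategy))
```

The portal activity is deliberately mis-targeted: its impact becomes intolerable at 4 hours, so an 8-hour RTO cannot be accepted, which is exactly the inconsistency an auditor looks for when reconciling the BIA against the plans. The warm-site strategy meets the payment RTO but not its 15-minute RPO, so it would be rejected for that activity and retained for payroll.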
The standard is published by the International Organization for Standardization as ISO 22301:2019 — Security and resilience — Business continuity management systems — Requirements. Clauses 0–3 are introductory; certification is assessed against the mandatory Clauses 4–10 below.
Clauses 4–10
The ISO 22301:2019 Clause Structure
ISO 22301 follows the same Annex SL high-level structure as ISO 27001 — which is why the two systems integrate so cleanly. Here is what an auditor checks, clause by clause.
| Clause | Title | What it requires |
|---|---|---|
| Clause 4 | Context of the organization | Define the BCMS scope, the products and services it protects, interested parties (regulators, customers, contracts), and applicable legal and regulatory continuity requirements. |
| Clause 5 | Leadership | Top-management commitment, a business continuity policy, and clearly assigned roles, responsibilities, and authorities for the BCMS. |
| Clause 6 | Planning | Measurable business continuity objectives and plans to address risks and opportunities to the management system itself. |
| Clause 7 | Support | Resources, competence, awareness, communication arrangements, and control of documented information. |
| Clause 8 | Operation | The operational core: business impact analysis and risk assessment, business continuity strategies and solutions, plans and procedures, and the exercise programme. |
| Clause 9 | Performance evaluation | Monitoring and measurement of continuity capability, internal audit of the BCMS, and management review. |
| Clause 10 | Improvement | Nonconformity handling, corrective action, and continual improvement of the BCMS based on exercises, audits, and incidents. |
The Drivers
Why ISO 22301 Demand Is Surging
Operational-resilience regulation has shifted from advising banks to auditing their suppliers. Three regulators — and every enterprise procurement team — are now pushing ISO 22301 down the supply chain.
UAE — CBUAE vendor mandate
The Central Bank of the UAE’s business-continuity and outsourcing rules require banks to ensure critical vendors maintain robust continuity arrangements. Banks have operationalised this by requiring ISO 22301-aligned — and increasingly certified — BCMS from suppliers, with the first contract-deadline wave landing in December 2025. Vendors without evidence risk failed assessments and removal from approved-supplier lists.
Saudi Arabia — SAMA BCM framework
The Saudi Central Bank’s Business Continuity Management Framework is mandatory for member organisations — banks, finance companies, insurers, and payment providers — and is built directly on ISO 22301. Those obligations flow down the supply chain: suppliers to SAMA-regulated entities are asked to evidence an equivalent BCMS in vendor due diligence.
Australia — APRA CPS 230
APRA’s Prudential Standard CPS 230 on operational risk management, in force since 1 July 2025, requires Australian banks, insurers, and superannuation trustees to keep critical operations within tolerance through disruption — and to manage the risks of material service providers, including continuity testing that covers them. ISO 22301 is the cleanest way for a supplier to evidence its side of that obligation.
Global enterprise procurement
Beyond regulators, enterprise buyers increasingly gate contracts on continuity evidence: RFPs ask for a certified BCMS, documented recovery objectives, and recent exercise results. An accredited ISO 22301 certificate answers the continuity section of a security questionnaire in one line.
Primary sources: the CBUAE Rulebook business-continuity requirements, the SAMA Business Continuity Management Framework, and APRA Prudential Standard CPS 230. Bank-specific vendor deadlines vary by institution and contract — confirm yours during scoping.
Implementation Path
From Gap Assessment to Certified BCMS
An indicative 8–14 week path for a single-scope organisation. Multi-site groups and regulated-vendor scopes run longer; an existing ISO 27001 ISMS shortens it.
| Phase | Indicative timing | What happens |
|---|---|---|
| Phase 1 — Scoping & gap assessment | Weeks 1–2 | Define the BCMS scope, products and services, interested parties, and regulatory or contractual continuity requirements (Clause 4); assess current state against every ISO 22301:2019 requirement. |
| Phase 2 — BIA & risk assessment | Weeks 2–5 | Run the business impact analysis, set RTO, RPO, and MTPD for each prioritised activity, and assess the disruption risks that threaten them (Clause 8). |
| Phase 3 — Strategies, plans & documentation | Weeks 5–9 | Select continuity strategies and solutions that meet the recovery targets, then draft the policy, business continuity plans, and response procedures (Clauses 5–8). |
| Phase 4 — Exercises, internal audit & review | Weeks 9–12 | Exercise the plans against realistic scenarios, run the internal audit and management review, and close corrective actions (Clauses 8–10). |
| Phase 5 — Certification audit support | Weeks 12–14 | Stage 1 documentation review and Stage 2 certification audit conducted by an independent accredited certification body, with TCSA supporting evidence walkthroughs and finding closure. |
TCSA consulting is quoted as a fixed, all-inclusive fee after a scoping call — scope depends on headcount, sites, and whether the BCMS is standalone or integrated with an existing ISMS. The accredited certification body’s Stage 1 / Stage 2 audit fee is billed separately; certificates run a three-year cycle with annual surveillance audits.
Complementary Standards
ISO 22301 vs ISO 27001
One protects information, the other keeps the business running — and they share the same Annex SL skeleton, so building both together is far cheaper than building them apart.
| Dimension | ISO 22301 (BCMS) | ISO 27001 (ISMS) |
|---|---|---|
| Question it answers | Can you keep delivering prioritised products and services through disruption? | Can you protect the confidentiality, integrity, and availability of information? |
| Management system | BCMS — business continuity management system | ISMS — information security management system |
| Core analysis | Business impact analysis (RTO / RPO / MTPD) plus disruption risk assessment | Information-security risk assessment mapped to Annex A controls |
| Headline outputs | Continuity strategies, business continuity plans, exercise programme and reports | Statement of Applicability, security policies, implemented controls |
| Structure & certification | Annex SL harmonised structure (Clauses 4–10); certified by accredited bodies on a 3-year cycle | Same Annex SL structure and 3-year certification cycle — governance work is reusable across both |
| Typical trigger | CBUAE, SAMA, and CPS 230 continuity mandates; continuity clauses in enterprise contracts | Security questionnaires, data-protection contracts, customer security mandates |
ISO 27001:2022 itself expects ICT readiness for business continuity (control 5.30), and ISO 22301 assumes the information feeding your recovery is secure — the two systems reference each other. If you already hold ISO 27001, much of the Clause 4–7, 9, and 10 machinery is reusable, and we scope the engagement accordingly. New to both? See our ISO 27001 certification guide for the ISMS side.
“A Gulf bank’s vendor-assessment team doesn’t ask whether you have a continuity plan — they ask for your BIA, your RTOs, and your last exercise report. We build the BCMS so those three answers are on the table before the assessor asks.”
See verified client reviews and audit outcomes from 500+ engagements across India, USA, UK, Australia and UAE.
ISO 22301 — Frequently Asked Questions
Straight answers from the consultants who have prepared Middle East banks for ISO 22301.
What is ISO 22301?
ISO 22301:2019 — formally “Security and resilience — Business continuity management systems — Requirements” — is the international, certifiable standard for business continuity. It specifies requirements across Clauses 4–10 (context, leadership, planning, support, operation, performance evaluation, improvement) for a management system that keeps prioritised activities running through disruption. Its operational core is a business impact analysis with RTO/RPO/MTPD targets, a disruption risk assessment, documented continuity strategies and plans, and a tested exercise programme.
Who needs ISO 22301 certification?
Any organisation whose regulators, customers, or contracts demand demonstrable continuity. Right now the strongest demand comes from vendors to UAE banks — CBUAE business-continuity and outsourcing rules pushed banks to set ISO 22301 deadlines for critical suppliers from December 2025 — suppliers to SAMA-regulated entities in Saudi Arabia, and material service providers to APRA-regulated entities in Australia under CPS 230. Data centres, BPOs, managed service providers, payment processors, and SaaS platforms with uptime commitments are the most common adopters.
How is an ISO 22301 engagement priced?
Engagements are custom-scoped to your size, regulator deadlines, and existing maturity, and cover the gap assessment, BIA, risk assessment, strategy and plan documentation, exercises, internal audit, and certification-audit support. We provide a fixed, all-inclusive quote after a short scoping call — no hourly billing, no scope creep. The accredited certification body’s audit fee is billed separately and varies with headcount, sites, and scope. Building the BCMS alongside an existing ISO 27001 ISMS reduces effort, because the Annex SL governance layer is shared.
How long does ISO 22301 take?
Plan on 8–14 weeks of consulting work to become certification-ready (indicative — driven by organisation size, number of sites, and how mature your existing recovery arrangements are). The certification body then conducts a Stage 1 documentation review and a Stage 2 audit. Certificates run on a three-year cycle with annual surveillance audits, and your exercise programme must keep producing evidence between audits.
What is the difference between ISO 22301 and ISO 27001 — and do we need both?
ISO 27001 protects information; ISO 22301 keeps the business running. They are complementary, not competing: both share the Annex SL high-level structure (Clauses 4–10), so leadership, document control, internal audit, and management review are largely reusable, and ISO 27001:2022 itself expects ICT readiness for business continuity (control 5.30). Gulf banks increasingly ask vendors for both — an ISMS for security and a BCMS for resilience — and an integrated implementation is significantly cheaper than running the two sequentially.
Does TCSA issue the ISO 22301 certificate?
No — and no consultant should. ISO 22301 certificates are issued only by independent, accredited certification bodies after a Stage 1 and Stage 2 audit. TCSA prepares you for that audit: we build the BCMS, run the BIA and exercises, conduct the internal audit, and sit beside you during certification. Keeping the consultant and the certifier separate is exactly what the accreditation rules require.
Keep Exploring
Related Reading
ISO 22301 Knowledge Hub
Every guide in the business-continuity cluster, in one place.
ISO 22301 Requirements
Clauses 4–10 explained, with what auditors actually look for.
ISO 22301 Certification Guide
Gap to certificate: Stage 1, Stage 2, and the 3-year cycle.
Operational Resilience Consulting
One ISO 22301-grade BCMS that answers CBUAE, SAMA, CPS 230 and DORA.
SAMA CSF & BCM
The Saudi Central Bank's cyber and continuity frameworks, demystified.
Middle East — UAE & Saudi Arabia
How we serve Gulf banks, vendors and enterprises, remote + on-site.
Written By Expert Auditors
Get Started
Facing a Bank’s BCMS Deadline?
Get a BCMS built to ISO 22301:2019 — BIA, recovery objectives, plans, and exercise evidence ready for the vendor assessor and the certification auditor. Start with a scoping call.
ISO 22301:2019 BCMS · Serving the GCC, India, USA, UK & Australia
Get in touch
Book a free consultation or send us your requirements. We respond within 24 hours.