ISO 22301:2019 · Implementation
The ISO 22301 Implementation Roadmap
Seven phases take a BCMS from blank page to certification audit — and their order is not a style choice. The BIA sets the targets, strategies meet them, plans operationalise them, exercises prove them, and the internal audit checks the chain before the certification body does. This roadmap sequences the build week by week, with the deliverables each phase must leave behind.
Built from the playbook our consultants used to prepare ADIB (Abu Dhabi Islamic Bank), Mashreq Bank, and AMEX for ISO 22301 in the Middle East.
ISO 22301:2019 · Seven-phase roadmap · Last reviewed June 2026
The Roadmap
Seven Phases, In the Only Order That Works
Each phase exists to feed the next. Auditors read the finished BCMS backwards — from exercise evidence to plans to strategies to the BIA — so the build must run forwards through the same chain.
Phase 1 — Scoping & context
Weeks 1–2. Clause 4 work first: define the products and services the BCMS protects, the locations in scope, the interested parties (the bank, regulator, or contract that set your deadline) and every legal and contractual continuity requirement. A gap assessment against all of Clauses 4–10 turns the distance into a sequenced project plan.
Deliverables this phase leaves behind
- BCMS scope statement with justified exclusions
- Interested-party and continuity-requirements registers
- Gap report against ISO 22301:2019
- Project plan anchored to your regulator or contract deadline
Phase 2 — BIA & risk assessment
Weeks 2–5. The analytical core (Clause 8.2). Facilitated workshops with activity owners rank impact over time, identify prioritised activities and their dependencies (people, sites, technology, suppliers) and set RTO, RPO, and MTPD for each. A disruption risk assessment then tests what could break those activities.
Deliverables this phase leaves behind
- Signed-off BIA report with impact-over-time analysis
- Recovery-target register: RTO / RPO / MTPD per prioritised activity
- Dependency map across people, sites, technology, and suppliers
- Disruption risk assessment with treatment decisions
Phase 3 — Strategies & solutions
Weeks 5–7. For every recovery target, select and resource a continuity strategy that genuinely meets it (Clause 8.3): alternate sites, failover infrastructure, workforce arrangements, supplier substitution. This is where budget decisions land: a strategy that assumes uncontracted resources is the single most common Stage 2 finding.
Deliverables this phase leaves behind
- Strategy options analysis per prioritised activity
- Documented strategy selections traceable to BIA targets
- Resourcing decisions and solution designs
- Supplier-continuity requirements for critical providers
Phase 4 — Plans & procedures
Weeks 6–9. Turn strategies into activation-ready documents (Clause 8.4): a response structure with named teams and deputies, business continuity plans with explicit invocation criteria, IT disaster-recovery procedures, and warning-and-communication arrangements. The business continuity policy and objectives are finalised alongside.
Deliverables this phase leaves behind
- Business continuity policy and measurable objectives
- Response structure with invocation authority and deputies
- Business continuity plans and recovery procedures
- Stakeholder and customer communication templates
Phase 5 — Exercise programme
Weeks 9–11. Plans earn their keep here (Clause 8.5). Tabletop walkthroughs first, scenario-based exercises after, each producing a report, findings, and corrective actions. Stage 2 cannot pass without exercise evidence, and a bank’s vendor-risk team will ask for your last exercise report before anything else.
Deliverables this phase leaves behind
- Exercise programme covering all plans and teams
- Scenario designs reflecting your real disruption risks
- Post-exercise reports with findings and actions
- Corrective-action log with closures verified
Phase 6 — Internal audit & management review
Weeks 10–12. The two records the certification body checks before Stage 2 can proceed (Clauses 9.2 and 9.3): Stage 1 confirms they are planned and under way, Stage 2 expects them completed. An impartial internal audit covers every clause; top management reviews the BCMS against the required inputs and records decisions; remaining corrective actions are closed.
Deliverables this phase leaves behind
- Internal audit programme and report — impartiality documented
- Management review minutes with decisions and owners
- Closed corrective actions with effectiveness checks
Phase 7 — Certification audit
Weeks 12–14. The accredited certification body runs its Stage 1 documentation review, you close any areas of concern, then Stage 2 samples implementation evidence: interviews, records, exercise results. TCSA sits beside you through both stages and supports finding closure until the certificate is issued.
Deliverables this phase leaves behind
- Stage 1 readiness pack and concern closures
- Stage 2 evidence walkthroughs supported by TCSA
- ISO 22301 certificate — issued by the accredited body, valid three years
The clause-level requirements behind each phase are covered in the requirements guide; how the certification body tests the finished system is in the certification guide.
Week by Week
An Indicative 14-Week Build Schedule
For a single-scope organisation starting from limited maturity. Phases overlap deliberately — the BIA feeds strategy work while late workshops are still running, and plan drafting starts before every strategy is final.
| Phase | Indicative weeks | Focus | Key deliverables |
|---|---|---|---|
| 1 · Scoping & context | Weeks 1–2 | Scope, interested parties, requirements, gap assessment (Clause 4) | Scope statement, registers, gap report, project plan |
| 2 · BIA & risk assessment | Weeks 2–5 | Impact over time, RTO/RPO/MTPD, dependencies, disruption risks (Clause 8.2) | Signed-off BIA, recovery-target register, risk assessment |
| 3 · Strategies & solutions | Weeks 5–7 | Strategy selection and resourcing against each recovery target (Clause 8.3) | Strategy record, resourcing decisions, solution designs |
| 4 · Plans & procedures | Weeks 6–9 | Response structure, BC plans, DR procedures, communications (Clause 8.4) | Policy, plans, procedures, communication templates |
| 5 · Exercise programme | Weeks 9–11 | Tabletop then scenario exercises with evaluated results (Clause 8.5) | Exercise reports, corrective-action log |
| 6 · Internal audit & management review | Weeks 10–12 | Impartial audit of every clause; management review with required inputs (Clause 9) | Audit report, review minutes, closed actions |
| 7 · Certification audit | Weeks 12–14 | Stage 1 documentation review, Stage 2 evidence audit by the accredited body | ISO 22301 certificate on a three-year cycle |
TCSA engagements are custom-scoped and confirmed as a fixed, all-inclusive quote after a scoping call; the accredited certification body’s Stage 1 and Stage 2 audit fee is quoted separately by that body. Stage dates are booked early so your regulator or contract deadline drives the plan.
Learn From Other Projects
Six Pitfalls That Sink ISO 22301 Implementations
Every one of these comes from real Stage 2 findings and vendor-assessment rejections — and every one is a sequencing or resourcing decision made months before the audit.
Plans written before the BIA
Template plans with invented recovery targets are the fastest route to a major nonconformity. Auditors trace every RTO back to impact analysis — if the BIA came second, the traceability chain is visibly reversed.
Recovery targets set by IT alone
IT can tell you how fast systems restore; only the business can say how fast they must. RTOs without documented business validation and management sign-off fail the first interview question at Stage 2.
Strategies that assume uncontracted resources
Alternate seats nobody leased, failover capacity nobody provisioned, suppliers nobody signed. If the strategy depends on a resource, evidence of that resource must exist before the audit — not in next year’s budget.
Exercises postponed until after certification
Stage 2 requires exercise reports and closed actions as evidence the plans work. Teams that defer exercising to "save time" discover the audit cannot proceed — and bank vendor-risk teams ask for exercise results even earlier.
A binder BCMS nobody works in
If staff cannot describe their role in a disruption, the documentation is dead weight. Auditors interview people at random; awareness, accessible plans, and current call trees matter as much as the documents themselves.
Internal audit without impartiality
The person who built the BCMS cannot audit it. Certification bodies check who performed the internal audit and how impartiality was safeguarded; a self-audit is a nonconformity against Clause 9.2 and leaves you without the completed internal audit that Stage 2 requires.
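The first four pitfalls above are all breaks in one traceability chain (BIA target, strategy, plan, exercise record), and they can be checked mechanically before an auditor does it by hand. The following Python is an added example, not TCSA's tooling and not anything from the standard: it lints a constructed recovery-target register, strategy record and plan set for RTO within MTPD (the ISO 22313 guidance that recovery must complete before the activity becomes unsurvivable), documented business sign-off, a resourced strategy that meets each RTO, and plans that trace to a BIA target and have an exercise report. All activity names, hours and sign-offs are constructed sample data; the dataclass fields are assumed, not a register format the page defines.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed shapes for the three Phase 2-4 deliverables (not a format the page defines).
@dataclass
class Target:
    """One row of the Phase 2 recovery-target register."""
    activity: str
    rto_h: float
    rpo_h: float
    mtpd_h: float
    business_signoff: Optional[str]   # e.g. "COO, 2026-02-10"; None = set by IT alone

@dataclass
class Strategy:
    """Phase 3 selection for one prioritised activity."""
    activity: str
    recovers_within_h: float          # what the chosen solution can actually deliver
    resources: dict                   # resource -> True if contract/provisioning evidence exists

@dataclass
class Plan:
    """Phase 4 plan, with the date of its last Phase 5 exercise report."""
    name: str
    activities: tuple
    last_exercised: Optional[str]     # ISO date, or None if never exercised

def lint_bcms(targets, strategies, plans):
    """Walk the chain backwards the way an auditor does and return one finding per break."""
    findings = []
    target_of = {t.activity: t for t in targets}
    strategy_of = {s.activity: s for s in strategies}

    # Phase 2: the register itself must be internally consistent and business-owned.
    for t in targets:
        if t.rto_h > t.mtpd_h:
            findings.append(f"BIA: {t.activity}: RTO {t.rto_h:g}h exceeds MTPD {t.mtpd_h:g}h")
        if t.business_signoff is None:
            findings.append(f"BIA: {t.activity}: targets lack documented business sign-off")

    # Phase 3: every target needs a strategy that meets it, built on evidenced resources.
    for t in targets:
        s = strategy_of.get(t.activity)
        if s is None:
            findings.append(f"STRATEGY: {t.activity}: no strategy selected")
            continue
        if s.recovers_within_h > t.rto_h:
            findings.append(f"STRATEGY: {t.activity}: solution recovers in "
                            f"{s.recovers_within_h:g}h, RTO is {t.rto_h:g}h")
        for name, evidenced in s.resources.items():
            if not evidenced:
                findings.append(f"STRATEGY: {t.activity}: resource '{name}' "
                                f"has no contract or provisioning evidence")

    # Phases 4-5: plans trace to BIA targets (never the reverse) and have been exercised.
    planned = set()
    for p in plans:
        for a in p.activities:
            if a not in target_of:
                findings.append(f"PLAN: {p.name}: covers '{a}' which has no BIA target")
            planned.add(a)
        if p.last_exercised is None:
            findings.append(f"EXERCISE: {p.name}: no exercise report on file")
    for a in target_of:
        if a not in planned:
            findings.append(f"PLAN: {a}: prioritised activity has no continuity plan")
    return findings

# Constructed sample data: one clean chain and several deliberate breaks.
SAMPLE_TARGETS = [
    Target("Card payments authorisation", rto_h=4, rpo_h=0.25, mtpd_h=8,
           business_signoff="COO, 2026-02-10"),
    Target("Payroll run", rto_h=72, rpo_h=24, mtpd_h=48, business_signoff="CFO, 2026-02-10"),
    Target("Branch cash services", rto_h=8, rpo_h=1, mtpd_h=24, business_signoff=None),
]
SAMPLE_STRATEGIES = [
    Strategy("Card payments authorisation", recovers_within_h=2,
             resources={"DR site failover": True, "switch vendor SLA": True}),
    Strategy("Payroll run", recovers_within_h=24,
             resources={"alternate payroll bureau": False}),
]
SAMPLE_PLANS = [
    Plan("Payments BCP", activities=("Card payments authorisation",), last_exercised="2026-04-02"),
    Plan("HR BCP", activities=("Payroll run", "Recruitment"), last_exercised=None),
]

def demo():
    """Run the lint over the constructed sample; returns the list of findings."""
    return lint_bcms(SAMPLE_TARGETS, SAMPLE_STRATEGIES, SAMPLE_PLANS)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On the sample the lint reports seven breaks: a payroll RTO that overshoots its MTPD, targets set without business sign-off, an assumed but uncontracted payroll bureau, a prioritised activity with no strategy and no plan, a plan covering an activity the BIA never prioritised, and a plan with no exercise report. Each maps to one of the pitfalls above; the point is that the same spreadsheet data the project already holds can surface them in week 7, not at Stage 2.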
Division of Labour
Who Does What — Your Team vs TCSA
A BCMS the consultant owns is a BCMS the auditor sees through. TCSA carries the drafting, analysis, and facilitation load; decisions, sign-offs, and participation stay with you — because that is what auditors test.
| Workstream | Your team | TCSA |
|---|---|---|
| Scoping & context | Nominate the executive sponsor and activity owners; confirm products, services, and sites in scope | Run the gap assessment; draft the scope statement, registers, and the deadline-anchored project plan |
| BIA workshops | Activity owners attend workshops and validate impacts and targets | Facilitate the workshops, run the impact-over-time analysis, draft the BIA for sign-off |
| Risk assessment | Confirm risk appetite and validate the disruption scenarios that matter | Assess disruption risks to prioritised activities and draft treatment decisions |
| Strategies & solutions | Make and fund the resourcing decisions — sites, failover, suppliers | Prepare the options analysis, recommend strategies, design the solutions |
| Plans & procedures | Name invokers and deputies; validate that documented steps reflect reality | Draft the policy, response structure, continuity plans, and recovery procedures |
| Exercise programme | Participate in exercises — including top management at least once | Design scenarios, facilitate every exercise, write the reports and actions |
| Internal audit & review | Top management holds the review and records decisions | Conduct the impartial internal audit and prepare the management review pack |
| Certification audit | Host the auditors; staff answer interviews in their own words | Coordinate the certification body, stage the evidence, support finding closure |
Indicative split for a standard engagement — adjusted at scoping if you have an internal BCM team or an existing ISO 27001 function that can absorb more of the build.
“When an implementation slips, it is almost never the documentation — it is sequencing. Teams write plans in week one to feel productive, then spend week ten rewriting them around a BIA they should have run first. Run the analysis, then build; the calendar rewards it every time.”
See verified client reviews and audit outcomes from 500+ engagements across India, USA, UK, Australia and UAE.
ISO 22301 Implementation — Frequently Asked Questions
Sequencing, effort, and ownership answers from the consultants who have run this roadmap with Middle East banks.
How long does ISO 22301 implementation take?
Plan on 8–14 weeks for a single-scope organisation; the 14-week schedule above is the baseline for limited maturity: scoping and gap assessment in weeks 1–2, the BIA and risk assessment by week 5, strategies and plans through week 9, exercises by week 11, internal audit and management review by week 12, and the certification body’s Stage 1 and Stage 2 audits in weeks 12–14. Multi-site groups and complex supply chains run longer; an existing ISO 27001 ISMS shortens the governance phases because the Annex SL (harmonized structure) machinery is shared.
What is the first step in implementing ISO 22301?
Scoping — before any documentation. Define the products and services the BCMS protects, the sites in scope, the interested parties (the bank, regulator, or contract that set your deadline), and the legal and contractual continuity requirements that apply. Then run a gap assessment against all of Clauses 4–10. Everything that follows — the BIA, the strategies, the plans — inherits its boundaries from this step, which is why a scope written around departments instead of products and services causes rework for the rest of the project.
Can we implement ISO 22301 ourselves, without consultants?
Yes — the standard does not require a consultant, and ISO 22313 provides implementation guidance. The honest trade-offs are time and audit risk: an internal team doing this for the first time typically takes two to three times longer, and the most common self-build failures (plans before the BIA, unresourced strategies, no impartial internal audit) only surface at Stage 2, when fixing them is most expensive in calendar terms. Many clients split the difference: TCSA runs the BIA, the exercise design, and the internal audit — the three places experience moves the result most — while their team owns the system day to day.
In what order should the BCMS documents be written?
Follow the dependency chain: scope and context records first, then the BIA and risk assessment, then strategy selections, then the policy, response structure, and continuity plans, and finally the exercise, audit, and review records the operating system produces. The one document teams most often write first — the business continuity plan — is the one that depends on everything else. A plan can only be as good as the recovery targets it serves, and those come from the BIA.
Does an existing ISO 27001 ISMS speed up ISO 22301 implementation?
Substantially. Both standards share the Annex SL structure, so your context analysis, document control, competence and awareness machinery, internal audit programme, and management review cadence are largely reusable, and ISO/IEC 27001:2022 Annex A controls 5.29 (information security during disruption) and 5.30 (ICT readiness for business continuity) mean some continuity thinking already exists. What remains genuinely new is the operational core: the BIA, the disruption risk assessment, continuity strategies and plans, and the exercise programme. We scope integrated engagements so the shared layer is extended once, not rebuilt.
How much does ISO 22301 implementation cost?
Every engagement is custom-scoped — headcount, number of sites, products in scope, your regulator or contract deadline, and whether an existing ISO 27001 ISMS can be reused all move the effort. After a short scoping call you receive a fixed, all-inclusive quote covering the gap assessment, BIA, risk assessment, strategies, documentation, exercises, internal audit, and certification-audit support — no hourly billing, no scope creep. The accredited certification body’s Stage 1 and Stage 2 audit fee is quoted separately by that body, because the consultant and the certifier must remain independent.
Keep Exploring
Related Reading
ISO 22301 Knowledge Hub
Every guide in the business-continuity cluster, in one place.
Business Impact Analysis
RTO, RPO and MTPD — the analysis every continuity decision flows from.
ISO 22301 Certification Guide
Gap to certificate: Stage 1, Stage 2, and the 3-year cycle.
ISO 22301 Requirements
Clauses 4–10 explained, with what auditors actually look for.
SAMA CSF & BCM
The Saudi Central Bank's cyber and continuity frameworks, demystified.
Middle East — UAE & Saudi Arabia
How we serve Gulf banks, vendors and enterprises, remote + on-site.
Get in touch
Book a free consultation or send us your requirements. We respond within 24 hours.