
ISO 22301:2019 · Requirements

ISO 22301 Requirements: Clauses 4–10 Explained

ISO 22301:2019 states its requirements in seven auditable clauses — context, leadership, planning, support, operation, performance evaluation, and improvement. This guide walks through each one the way a certification auditor reads it: what the clause demands, the evidence that satisfies it, and the nonconformities that most often appear in Stage 2 findings.

Written by the consultants who prepared ADIB (Abu Dhabi Islamic Bank), Mashreq Bank, and AMEX for ISO 22301 in the Middle East.

  • 500+ audits across India, USA, UK, Australia & UAE
  • 250+ SOC 2 attestations to date
  • 7 mandatory clauses (4–10)

ISO/IEC 22301:2019 · Clauses 4–10 · Last reviewed June 2026

The Structure

How ISO 22301 States Its Requirements

ISO 22301:2019 follows the Annex SL high-level structure shared by ISO 27001, ISO 9001, and every modern management-system standard: Clauses 0–3 are introductory, and certification is assessed against Clauses 4–10. There is no Annex A of selectable controls and no Statement of Applicability — every requirement applies, scoped to the products and services your BCMS protects.

In practice the clauses split into two groups. Clauses 4–7, 9, and 10 are the governance shell — scope, leadership, objectives, competence, audit, review, and improvement. Clause 8 is the operational core: the business impact analysis, the risk assessment, the strategies, the plans, and the exercise programme. Auditors read the system as one chain of traceability — from the BIA’s recovery targets, through the strategies, into the plans, and out to exercise evidence proving the targets are achievable.

New to the standard? Start with the ISO 22301 overview — or see the certification guide for how these requirements are tested at Stage 1 and Stage 2.

Clauses 4–7

The Governance Clauses — Context to Support

These four clauses build the frame the operational core sits in. Auditors check them first at Stage 1 — and revisit them at Stage 2 through interviews and records.

Clause 4: Context of the organization

Clause 4 makes you define what the BCMS exists to protect. You identify internal and external issues (4.1), interested parties and their requirements — regulators, customers, contracts — including legal and regulatory continuity obligations (4.2), and from those set a defensible BCMS scope (4.3) before establishing the system itself (4.4).

What auditors look for

  • A scope statement that names the products and services protected, the locations covered, and the justification for anything excluded.
  • An interested-party register that captures the regulator or bank that triggered the project — CBUAE, SAMA, or APRA expectations where relevant — and contractual continuity clauses.
  • A legal, regulatory, and contractual requirements register that is owned, dated, and kept current.

Common nonconformities

  • Scope written around departments or IT systems instead of the products and services customers actually receive.
  • Interested-party analysis that misses the very regulator or contract clause driving the certification.
  • A requirements register copied from an ISMS with no continuity-specific obligations in it.

Clause 5: Leadership

Top management must own the BCMS: demonstrable commitment and resourcing (5.1), a business continuity policy appropriate to the organisation (5.2), and assigned roles, responsibilities, and authorities (5.3) — including who is empowered to invoke continuity plans and who reports BCMS performance upward.

What auditors look for

  • A signed, communicated policy that aligns with the organisation’s purpose and provides a framework for objectives.
  • Interview evidence that executives can speak to continuity priorities, recovery targets, and their own role in a disruption.
  • Documented role assignments with invocation authority and deputies for every continuity-critical role.

Common nonconformities

  • A policy that was signed once and never communicated, reviewed, or reflected in resourcing decisions.
  • Leadership interviews where management cannot name the RTOs for their most critical services.
  • A single named invoker with no alternate — the plan fails if one person is unreachable.

Clause 6: Planning

Clause 6 addresses risks and opportunities to the management system itself (6.1), measurable business continuity objectives at relevant functions and levels (6.2), and controlled planning of changes to the BCMS (6.3). These are management-system risks — distinct from the disruption risks assessed under Clause 8.

What auditors look for

  • Objectives that are genuinely measurable — exercise coverage, RTO achievement in tests, plan-review currency — with owners and target dates.
  • Evidence the objectives are tracked and reported, not just written down at implementation.
  • Change control over the BCMS when scope, sites, or critical suppliers change.

Common nonconformities

  • Objectives that merely restate the policy with no metric, owner, or date attached.
  • Confusing Clause 6 management-system risks with Clause 8 disruption risks — auditors check the distinction.
  • Major organisational changes (a new site, a new critical supplier) made without updating the BCMS.

Clause 7: Support

Clause 7 covers resources, competence, awareness, communication, and documented information (7.1–7.5). People in continuity roles need demonstrable competence; all staff must know their part in disruption response; and BCMS documents must be controlled, current, and available even when the primary site or network is not.

What auditors look for

  • Competence records for continuity roles — training certificates, exercise participation, role-specific briefings.
  • Awareness across the workforce: auditors interview staff at random about what they would do in a disruption.
  • Document control with versions and owners, plus access arrangements that survive the very scenarios in the plans (offline or out-of-band copies).

Common nonconformities

  • Plans stored only on an intranet that would be unavailable in the scenarios being planned for.
  • No evidence that new joiners receive business continuity awareness as part of onboarding.
  • Out-of-date contact lists and call trees inside otherwise controlled documents.

Clause 8 — Operation

The Operational Core — Where the BCMS Lives

Clause 8 is where Stage 2 auditors spend most of their time. Its six elements form a single chain: the BIA sets the targets, the strategies meet them, the plans operationalise them, and the exercise programme proves they hold.

8.1 Operational planning & control

Plan, implement, and control the processes needed to meet your continuity requirements — including processes you outsource. Supply-chain continuity sits here: critical suppliers must be identified and their continuity arrangements managed.

Auditors look for: Continuity clauses and assessments for the suppliers your prioritised activities depend on.

Common nonconformity: Critical suppliers with no continuity clause, assessment, or substitution arrangement on record.

8.2 BIA & risk assessment

Run a documented business impact analysis that ranks impacts over time, identifies prioritised activities and their dependencies, and sets RTO, RPO, and MTPD. Then assess the disruption risks to those prioritised activities.

Auditors look for: Methodology, results, management sign-off, and review at planned intervals or on significant change.

Common nonconformity: A BIA older than the last organisational change, or RTOs set by IT without business validation.

8.3 Strategies & solutions

Select continuity strategies and solutions that meet the recovery targets from the BIA — alternate sites, failover infrastructure, workforce arrangements, supplier substitution — and resource them before disruption, not during it.

Auditors look for: Traceability from BIA output to chosen strategy to implemented, resourced solution.

Common nonconformity: Strategies that assume resources — alternate seats, failover capacity — nobody has actually contracted.

8.4 Plans & procedures

Establish a response structure with defined teams, warning and communication arrangements, and business continuity plans with clear invocation criteria, roles, resources, and steps to recover and return to normal.

Auditors look for: Invocation criteria, named owners, currency, and alignment between plans and the selected strategies.

Common nonconformity: Generic template plans with no organisation-specific detail and no documented stand-down process.

8.5 Exercise programme

Exercise and test the plans on a planned schedule using realistic scenarios — from tabletop walkthroughs to full failover tests — so that, over time, the programme collectively validates the entire BCMS. Each exercise produces a report and actions.

Auditors look for: A programme covering all plans and teams across the cycle, with post-exercise reports and closed actions.

Common nonconformity: Only tabletop walkthroughs ever conducted, or exercises that never involve top management.

8.6 Evaluation of documentation & capabilities

Evaluate the continued suitability and effectiveness of the BIA, risk assessment, strategies, and plans — after exercises, after real incidents, and whenever significant change occurs — and feed the results into improvement.

Auditors look for: Post-incident and post-exercise evaluations that demonstrably changed the BCMS.

Common nonconformity: Real disruptions handled without a post-incident review ever reaching the BCMS.

The BIA in 8.2 is the load-bearing element — every later requirement traces back to it. Our business impact analysis guide covers methodology, RTO/RPO/MTPD setting, and management sign-off in full.
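The chain described above (BIA targets, then strategies, then plans, then exercise evidence) can be checked mechanically once the registers are held as structured data. The following Python script is an added example, not the page's or the consultancy's own tooling: it assumes four small in-memory registers with the fields shown, fills them with constructed sample data (the activity names, hours and dates are invented), and reports the breaks in the chain that the sub-clauses above list as common nonconformities, including the single-invoker point from Clause 5.3.

```python
"""Traceability check across the Clause 8 chain (added example, constructed data)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass
class Activity:                 # prioritised activity from the BIA (8.2)
    name: str
    rto_hours: int              # recovery time objective
    mtpd_hours: int             # maximum tolerable period of disruption
    bia_reviewed: date          # date this BIA entry was last reviewed
    business_signoff: bool      # RTO validated by the business, not only by IT


@dataclass
class Strategy:                 # selected continuity solution (8.3)
    activity: str
    capability_hours: int       # recovery time the solution can actually deliver
    contracted: bool            # resources contracted/resourced before disruption


@dataclass
class Plan:                     # business continuity plan (8.4)
    activity: str
    invocation_criteria: bool
    invokers: list[str]         # people authorised to invoke the plan (5.3)
    stand_down_documented: bool


@dataclass
class Exercise:                 # exercise record (8.5)
    activity: str
    kind: str                   # "tabletop" or "failover"
    achieved_hours: int | None  # measured recovery time; None for a tabletop
    actions_closed: bool
    held: date


def check_chain(activities, strategies, plans, exercises, last_org_change):
    """Return 'activity: finding (clause)' strings; an empty list means the chain holds."""
    strategy_for = {s.activity: s for s in strategies}   # assumes one strategy per activity
    plan_for = {p.activity: p for p in plans}
    findings = []
    for a in activities:
        def flag(msg, name=a.name):
            findings.append(f"{name}: {msg}")
        # 8.2: targets must be internally consistent, business-validated and current
        if a.rto_hours > a.mtpd_hours:
            flag("RTO exceeds MTPD (8.2)")
        if not a.business_signoff:
            flag("RTO set without business validation (8.2)")
        if a.bia_reviewed < last_org_change:
            flag("BIA predates the last organisational change (8.2)")
        # 8.3: the chosen strategy must meet the RTO and be resourced already
        s = strategy_for.get(a.name)
        if s is None:
            flag("no strategy selected (8.3)")
        else:
            if s.capability_hours > a.rto_hours:
                flag(f"strategy delivers {s.capability_hours}h against RTO {a.rto_hours}h (8.3)")
            if not s.contracted:
                flag("strategy assumes uncontracted resources (8.3)")
        # 8.4: the plan needs invocation criteria, an alternate invoker and a stand-down
        p = plan_for.get(a.name)
        if p is None:
            flag("no business continuity plan (8.4)")
        else:
            if not p.invocation_criteria:
                flag("plan has no invocation criteria (8.4)")
            if len(p.invokers) < 2:
                flag("single invoker with no alternate (5.3)")
            if not p.stand_down_documented:
                flag("no documented stand-down process (8.4)")
        # 8.5: exercises must go beyond tabletop, prove the RTO and close their actions
        done = [e for e in exercises if e.activity == a.name]
        if not done:
            flag("never exercised (8.5)")
        else:
            if all(e.kind == "tabletop" for e in done):
                flag("only tabletop walkthroughs conducted (8.5)")
            for e in done:
                if e.achieved_hours is not None and e.achieved_hours > a.rto_hours:
                    flag(f"exercise on {e.held} achieved {e.achieved_hours}h against RTO {a.rto_hours}h (8.5)")
                if not e.actions_closed:
                    flag(f"exercise on {e.held} has open actions (8.5)")
    return findings


# Constructed sample registers: one activity whose chain holds, one that breaks at every link
ACTIVITIES = [
    Activity("Customer payments", rto_hours=4, mtpd_hours=8, bia_reviewed=date(2025, 9, 1), business_signoff=True),
    Activity("Trade finance desk", rto_hours=24, mtpd_hours=12, bia_reviewed=date(2024, 1, 10), business_signoff=False),
]
STRATEGIES = [
    Strategy("Customer payments", capability_hours=2, contracted=True),
    Strategy("Trade finance desk", capability_hours=48, contracted=False),
]
PLANS = [
    Plan("Customer payments", invocation_criteria=True, invokers=["COO", "Head of Operations"], stand_down_documented=True),
    Plan("Trade finance desk", invocation_criteria=False, invokers=["Head of Trade"], stand_down_documented=False),
]
EXERCISES = [
    Exercise("Customer payments", "failover", achieved_hours=3, actions_closed=True, held=date(2025, 11, 15)),
    Exercise("Trade finance desk", "tabletop", achieved_hours=None, actions_closed=False, held=date(2025, 6, 1)),
]
LAST_ORG_CHANGE = date(2025, 3, 1)   # constructed: date a new site was opened

if __name__ == "__main__":
    for finding in check_chain(ACTIVITIES, STRATEGIES, PLANS, EXERCISES, LAST_ORG_CHANGE):
        print(finding)
```

Run as a script, the payments activity produces no findings while the trade finance desk produces ten, one per broken link. The value of the check is the direction of the comparisons: a strategy is only adequate when its capability is at or below the RTO, an RTO is only coherent when it is at or below the MTPD, and an exercise only counts as evidence when its measured recovery time meets the RTO and its actions are closed. Swap the in-memory lists for exports from a GRC platform or ticketing system and the same function becomes a pre-audit self-check.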

Clauses 9–10

Checking and Improving the System

The final two clauses keep the BCMS alive between audits — and they are where surveillance audits concentrate after certification.

Clause 9: Performance evaluation

Clause 9 closes the loop on whether the BCMS works: monitoring and measurement of continuity capability (9.1), an internal audit programme that covers every requirement over time and is conducted impartially (9.2), and management review with defined inputs and outputs (9.3).

What auditors look for

  • Metrics actually reported — exercise results against RTOs, plan currency, training coverage — not just defined.
  • An internal audit that covers all clauses including Clause 8 evidence, performed by someone independent of the BCMS build.
  • Management review minutes addressing the required inputs — audit results, exercise outcomes, risks, improvement opportunities — with decisions and assigned actions.

Common nonconformities

  • Internal audit performed by the same person who built the BCMS, with no impartiality safeguard.
  • Management reviews that skip required inputs or record no decisions.
  • Performance indicators defined at implementation and never measured again.

Clause 10: Improvement

Clause 10 requires nonconformities to be corrected at root cause (10.1) and the BCMS to continually improve (10.2). Exercises, incidents, audits, and management reviews must all feed a corrective-action loop whose effectiveness is verified.

What auditors look for

  • A nonconformity and corrective-action log with root-cause analysis, not just symptom fixes.
  • Effectiveness checks recorded after corrective actions are closed.
  • Evidence that lessons from exercises and real incidents demonstrably changed plans, strategies, or the BIA.

Common nonconformities

  • Corrective actions closed the day they are raised, with no root cause and no effectiveness verification.
  • Exercise findings that never enter the corrective-action system.
  • An improvement record that shows no change to the BCMS since initial certification.

Documented Information

The Documents Each Clause Demands

ISO 22301 calls these “documented information”. This is the set a Stage 1 auditor expects on the table — versioned, owned, and available even when your primary site is not.

Documented information the auditor expects, by clause:

Clause 4 — Context
  • BCMS scope statement (4.3); register of legal, regulatory, and contractual continuity requirements (4.2.2).

Clause 5 — Leadership
  • Business continuity policy (5.2); evidence that roles, responsibilities, and authorities — including invocation authority — are assigned and communicated (5.3).

Clause 6 — Planning
  • Business continuity objectives and the plans to achieve them, with owners and measures (6.2).

Clause 7 — Support
  • Competence records for continuity roles (7.2); controlled documented information required by the standard and needed for the BCMS to work — versioned, owned, and available during disruption (7.5).

Clause 8 — Operation
  • BIA methodology and results with RTO/RPO/MTPD (8.2); disruption risk assessment (8.2); continuity strategies and solutions (8.3); response structure, business continuity plans, and recovery procedures (8.4); exercise programme, scenarios, and post-exercise reports (8.5); evaluations after exercises and incidents (8.6).

Clause 9 — Performance evaluation
  • Monitoring and measurement results (9.1); internal audit programme and audit reports (9.2); management review minutes with decisions and actions (9.3).

Clause 10 — Improvement
  • Records of nonconformities, root-cause analysis, corrective actions taken, and verification of their effectiveness (10.1).

Auditors also accept records held in tooling (GRC platforms, ticketing systems) as documented information — provided versions, owners, and retention are controlled under Clause 7.5.

ISO 22301 Requirements — Frequently Asked Questions

Clause-level answers from the consultants who have prepared Middle East banks for ISO 22301.

Which ISO 22301 clauses are mandatory for certification?

Clauses 4–10: context of the organization, leadership, planning, support, operation, performance evaluation, and improvement. Clauses 0–3 (introduction, scope, normative references, terms and definitions) carry no auditable requirements. Unlike ISO 27001, there is no Annex A of selectable controls and no Statement of Applicability — every requirement in Clauses 4–10 applies to every certified organisation, scoped to its BCMS.

What is the most important clause in ISO 22301?

Clause 8 (Operation). It contains the business impact analysis and risk assessment (8.2), the continuity strategies and solutions (8.3), the plans and procedures (8.4), the exercise programme (8.5), and the post-exercise evaluation (8.6). Stage 2 certification audits spend most of their time here, because this is where the BCMS either demonstrably works or does not. The governance clauses (4–7, 9, 10) exist to keep Clause 8 honest and current.

What documents does ISO 22301 require?

The headline set: the BCMS scope, the business continuity policy, business continuity objectives, competence records, the BIA methodology and results, the disruption risk assessment, the documented strategies and solutions, the business continuity plans and procedures, exercise reports, internal audit reports, management review minutes, and nonconformity and corrective-action records. The documentation table on this page maps each item to its clause. Auditors also expect document control — versions, owners, and availability during disruption.

What are the most common ISO 22301 nonconformities?

From the audit floor: a BIA that predates the last organisational change; recovery targets set by IT without business validation; strategies that assume uncontracted resources; template plans with no invocation criteria or organisation-specific detail; exercise programmes that never progress beyond a tabletop walkthrough; plans stored only on systems that would be down in the scenario; internal audits without impartiality; and corrective actions closed without root cause or effectiveness checks.

Do we need ISO 22313 as well?

No. ISO 22313 is the guidance companion to ISO 22301 — it explains how to implement the requirements but is not certifiable and adds no obligations. You are audited against ISO 22301:2019 alone. ISO 22313 is useful background reading for the team building the BCMS, and good consultants bring its guidance into the design without you needing to study it.

How much does it cost to close gaps against the ISO 22301 requirements?

It depends entirely on where you start — an organisation with a tested DR capability and an existing ISO 27001 ISMS closes gaps far faster than one starting cold, because the Clause 4–7, 9, and 10 machinery is largely reusable. Engagements are custom-scoped to your size, sites, and regulator deadlines, and we provide a fixed, all-inclusive quote after a short scoping call — covering the gap assessment, BIA, documentation, exercises, internal audit, and certification-audit support. The accredited certification body’s audit fee is quoted separately by that body.

Written By Expert Auditors

Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor, ISO 27701 Lead Auditor

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO, DPO, CISA, MCSE, ITIL, ISO 27001 Lead Auditor, ISO 27701 Lead Auditor, ISO 42001 Lead Auditor

Last reviewed: June 2026
Content verified by certified lead auditors
