Implementation Overview

Implementing ISO 22301 requires a structured approach that builds capabilities progressively. This roadmap provides a practical sequence for organizations seeking certification, typically spanning 6-9 months depending on organizational complexity and existing maturity.

Critical Success Factors

Successful BCMS implementation requires: executive sponsorship, dedicated resources (typically 0.5-1 FTE), stakeholder engagement across departments, and a willingness to exercise and learn. Without these, projects stall or produce paper-only systems that fail at audit.

The implementation follows six phases:

  1. Foundation: Establish governance, scope, and project structure
  2. Analysis: Conduct BIA and risk assessment
  3. Strategy and Planning: Develop BC strategies and plans
  4. Implementation: Deploy plans and build capabilities
  5. Testing and Refinement: Exercise, learn, and improve
  6. Certification Preparation: Internal audit, management review, final readiness

Phase 1: Foundation (Weeks 1-4)

Week 1-2: Project Initiation

  • Secure executive sponsorship and budget approval
  • Appoint BC Manager/Coordinator
  • Establish steering committee
  • Define project objectives and success criteria
  • Conduct gap assessment against ISO 22301

Week 3-4: Scope and Context

  • Document organizational context (Clause 4.1)
  • Identify interested parties and their requirements (Clause 4.2)
  • Define BCMS scope (Clause 4.3)
  • Draft business continuity policy (Clause 5.2)
  • Assign roles and responsibilities (Clause 5.3)

Phase 1 Deliverables

  • Gap assessment report
  • Project charter and plan
  • BCMS scope statement
  • BC policy (draft)
  • RACI matrix for BCMS roles

Phase 2: Analysis (Weeks 5-10)

Week 5-7: Business Impact Analysis

  • Identify all business activities
  • Determine which activities are critical (prioritization)
  • Assess impact of disruption over time
  • Identify dependencies (internal and external)
  • Determine Maximum Tolerable Period of Disruption (MTPD)
  • Set Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
  • Document minimum resource requirements

Week 8-10: Risk Assessment

  • Identify threats to critical activities
  • Assess likelihood and impact of each threat
  • Evaluate existing controls and vulnerabilities
  • Determine risk levels
  • Select risk treatment options
  • Document risk register

BIA Best Practice

Conduct BIA through structured interviews with process owners, not just questionnaires. Face-to-face discussions uncover dependencies and nuances that surveys miss. Allow 1-2 hours per critical process area.

Phase 2 Deliverables

  • Business Impact Analysis report
  • Critical activities register with RTOs/RPOs
  • Dependency mapping
  • Risk assessment report
  • Risk register
  • Risk treatment plan

Phase 3: Strategy and Planning (Weeks 11-16)

Week 11-13: BC Strategy Development

  • Identify strategy options for each critical activity
  • Evaluate cost vs. recovery capability
  • Select strategies that meet RTO/RPO requirements
  • Address resource requirements (people, technology, facilities, suppliers)
  • Obtain management approval for strategy investments

Strategy Options to Consider

Strategy Type       Examples                                        Typical RTO
Active-Active       Multiple live sites, real-time replication      Minutes
Hot Standby         Secondary site ready to activate                Hours
Warm Standby        Equipment ready, data restored from backup      1-3 days
Cold Site           Space available, equipment procured on demand   1-2 weeks
Work from Home      Remote working capability for staff             Hours-Days
Manual Workaround   Paper-based processes as interim                Immediate
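The BIA outputs from Phase 2 (MTPD, RTO, RPO and dependencies) and the "select strategies that meet RTO/RPO requirements" step above lend themselves to a mechanical consistency check before management is asked to approve spend. The Python below is an added worked example, not part of this roadmap or of ISO 22301 itself. Every activity, figure and cost in it is constructed; the hourly RTO/RPO figures attached to each site strategy are assumptions that turn the ranges in the table above into numbers (upper bound of each range), and Work from Home and Manual Workaround are left out because their RPO is not a property of the site option. The two checks it applies are the usual ones: an activity's RTO must sit below its MTPD, and an activity cannot be recovered sooner than the activities it depends on.

```python
"""Added example: validating BIA outputs and choosing a strategy that meets RTO/RPO.

All activities, figures and costs below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Activity:
    name: str
    mtpd_hours: float                  # Maximum Tolerable Period of Disruption
    rto_hours: float                   # Recovery Time Objective
    rpo_hours: float                   # Recovery Point Objective (tolerable data loss)
    depends_on: list = field(default_factory=list)   # names of other activities


@dataclass
class Strategy:
    name: str
    typical_rto_hours: float           # how quickly the option can restore service
    typical_rpo_hours: float           # data loss the option implies
    annual_cost: float                 # constructed placeholder, not a real quote


# Site strategies from the table above. Hours are assumptions that turn the table's
# ranges into numbers (upper bound of each range); costs are constructed.
STRATEGIES = [
    Strategy("Active-Active", typical_rto_hours=0.25, typical_rpo_hours=0, annual_cost=500_000),
    Strategy("Hot Standby", typical_rto_hours=4, typical_rpo_hours=0.25, annual_cost=200_000),
    Strategy("Warm Standby", typical_rto_hours=72, typical_rpo_hours=24, annual_cost=80_000),
    Strategy("Cold Site", typical_rto_hours=336, typical_rpo_hours=24, annual_cost=30_000),
]

# Constructed BIA register. Two entries deliberately contain inconsistencies
# of the kind an internal audit would raise.
SAMPLE_ACTIVITIES = [
    Activity("Order processing", mtpd_hours=24, rto_hours=8, rpo_hours=1,
             depends_on=["ERP platform"]),
    Activity("ERP platform", mtpd_hours=24, rto_hours=12, rpo_hours=1),
    Activity("Payroll", mtpd_hours=72, rto_hours=96, rpo_hours=24),
    Activity("Customer support desk", mtpd_hours=48, rto_hours=24, rpo_hours=4),
]


def validate_bia(activities):
    """Return findings on the register; an empty list means it is internally consistent."""
    by_name = {a.name: a for a in activities}
    findings = []
    for a in activities:
        # Recovery must complete before the disruption becomes intolerable.
        if a.rto_hours >= a.mtpd_hours:
            findings.append(
                f"{a.name}: RTO {a.rto_hours}h is not below MTPD {a.mtpd_hours}h")
        for dep_name in a.depends_on:
            dep = by_name.get(dep_name)
            if dep is None:
                findings.append(
                    f"{a.name}: depends on '{dep_name}', which is not in the register")
            # An activity cannot be back before the activities it depends on.
            elif dep.rto_hours > a.rto_hours:
                findings.append(
                    f"{a.name}: dependency {dep.name} has RTO {dep.rto_hours}h, "
                    f"longer than its own RTO {a.rto_hours}h")
    return findings


def select_strategy(activity, strategies=STRATEGIES) -> Optional[Strategy]:
    """Cheapest option whose typical RTO and RPO both meet the activity's objectives."""
    viable = [s for s in strategies
              if s.typical_rto_hours <= activity.rto_hours
              and s.typical_rpo_hours <= activity.rpo_hours]
    if not viable:
        return None            # a gap to record in the risk treatment plan
    return min(viable, key=lambda s: s.annual_cost)


def plan_strategies(activities, strategies=STRATEGIES):
    """Map each activity name to the chosen strategy name, or None where no option suffices."""
    plan = {}
    for a in activities:
        chosen = select_strategy(a, strategies)
        plan[a.name] = chosen.name if chosen else None
    return plan


if __name__ == "__main__":
    for finding in validate_bia(SAMPLE_ACTIVITIES):
        print("BIA finding:", finding)
    for name, choice in plan_strategies(SAMPLE_ACTIVITIES).items():
        print(f"{name}: {choice or 'NO STRATEGY MEETS RTO/RPO'}")
```

Run as a script, the sample register produces two findings (Order processing cannot be back in 8 hours while the ERP platform it depends on has a 12-hour RTO, and Payroll's RTO exceeds its MTPD) and picks Hot Standby for the short-RTO activities and Warm Standby for Payroll. An activity whose objectives no option can meet comes back as None, which is exactly the gap that should appear in the risk treatment plan rather than being silently carried into the strategy document.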

Week 14-16: BC Plan Development

  • Develop incident response structure
  • Create business continuity plans for each critical activity
  • Document recovery procedures
  • Establish communication protocols
  • Create contact lists (internal and external)
  • Develop plan activation criteria

Phase 3 Deliverables

  • BC strategy document
  • Incident response plan
  • Business continuity plans (per critical activity/department)
  • Communication plan
  • Contact directories
  • Plan activation procedures

Phase 4: Implementation (Weeks 17-22)

Week 17-19: Capability Build

  • Implement selected recovery strategies
  • Configure alternate site/technology
  • Establish backup and replication systems
  • Set up emergency communication systems
  • Procure emergency supplies if required
  • Establish supplier agreements for BC support

Week 20-22: Training and Awareness

  • Conduct BC awareness training for all staff
  • Train BC teams on specific procedures
  • Train incident management team
  • Communicate plan locations and activation process
  • Validate that staff understand their BC roles

Phase 4 Deliverables

  • Implemented recovery capabilities
  • Training materials
  • Training records
  • Awareness communications
  • Supplier BC agreements

Phase 5: Testing and Refinement (Weeks 23-28)

Week 23-24: Exercise Planning

  • Design exercise programme covering different exercise types
  • Plan first exercises (start simple, build complexity)
  • Define exercise objectives and success criteria
  • Prepare exercise materials and scenarios

Exercise Types

Type           Description                                   When to Use
Walk-through   Review plans step-by-step with team           New plans, new team members
Tabletop       Discussion-based scenario response            Decision-making, coordination
Simulation     Execute procedures without full activation    Procedure validation
Functional     Test specific capability (e.g., failover)     Technical validation
Full-scale     Complete activation of plans                  Annual major exercise

Week 25-28: Exercise and Improve

  • Conduct planned exercises
  • Capture observations and lessons learned
  • Conduct post-exercise debrief
  • Update plans based on findings
  • Address gaps and improvement opportunities
  • Re-test corrected areas

Phase 5 Deliverables

  • Exercise programme
  • Exercise reports
  • Lessons learned register
  • Updated BC plans
  • Improvement action log

Phase 6: Certification Preparation (Weeks 29-32)

Week 29-30: Internal Audit

  • Plan internal audit covering all ISO 22301 clauses
  • Conduct internal audit
  • Report findings
  • Initiate corrective actions for nonconformities
  • Verify corrective action effectiveness

Week 31: Management Review

  • Prepare management review inputs
  • Conduct management review meeting
  • Document decisions and actions
  • Confirm BCMS adequacy and effectiveness
  • Approve resources for continual improvement

Week 32: Final Readiness

  • Close outstanding corrective actions
  • Verify all documentation is current
  • Confirm evidence is accessible
  • Brief key personnel on audit process
  • Engage certification body for Stage 1

Phase 6 Deliverables

  • Internal audit report
  • Corrective action records
  • Management review minutes
  • Certification readiness checklist

Timeline Summary

Phase                          Duration      Key Milestone
1. Foundation                  Weeks 1-4     Scope and policy approved
2. Analysis                    Weeks 5-10    BIA and risk assessment complete
3. Strategy and Planning       Weeks 11-16   BC plans documented
4. Implementation              Weeks 17-22   Capabilities deployed, training complete
5. Testing and Refinement      Weeks 23-28   Exercises conducted, plans refined
6. Certification Preparation   Weeks 29-32   Ready for Stage 1 audit

Total implementation time: approximately 8 months (32 weeks). Organizations with existing partial BC capabilities may compress this to 5-6 months. Complex organizations with multiple sites may require 12+ months.