How To Guide

A Practical, Optimised Guide to ISO 22301 Implementation with AvISO and ISOvA

Introduction

Step 1

Define Organisational Context and Continuity Needs

(Clause 4 – Context of the Organisation)

What Clause 4 Covers
Organisations must:
• Understand internal and external issues that could impact continuity
• Identify relevant interested parties and their expectations
• Define the scope of the BCMS
• Determine key business processes and their continuity requirements

How to
• Map out legal, regulatory, and contractual requirements tied to continuity
• Identify critical activities and high-risk locations or services
• Consider external threats such as utilities, IT systems, and key suppliers
• Draft a clear scope statement defining what your BCMS will cover

Example
A regional law firm defines its BCMS scope as all legal advisory services provided from its head office, with a focus on IT systems and client data resilience.

Risks if Overlooked
• Critical services or systems excluded from scope
• Inaccurate understanding of continuity dependencies
• Missed stakeholder expectations or legal exposures

How AvISO and ISOvA Help
• BCMS scoping workshops
• Stakeholder mapping tools and scope templates in ISOvA
• Guidance on defining core and supporting services based on risk

Hold cross-functional workshops to understand disruption risks and determine who relies on your organisation in a crisis. This shapes the scope and depth of your BCMS.

Step 2

Engage Leadership and Clarify Responsibilities

(Clause 5 – Leadership)

What Clause 5 Covers
Organisations must:
• Show visible commitment from senior management
• Align business continuity policy with strategic goals
• Define roles, responsibilities, and authority for the BCMS

How to
• Appoint an executive sponsor for business continuity
• Approve and publish a Business Continuity Policy
• Define accountability for risk assessment, plan testing, and incident management
• Create a BCMS steering group to lead implementation

Example
A UK-wide logistics provider appoints the COO to sponsor the BCMS and sets up a continuity team with leads from operations, IT, HR, and customer service.

Risks if Overlooked
• No clear accountability during incidents
• Lack of leadership buy-in leading to weak plan ownership
• Failure to prioritise continuity in strategic decisions

How AvISO and ISOvA Help
• Leadership engagement briefings and policy templates
• Custom responsibility matrices within ISOvA
• Management review support to drive board-level commitment

Link continuity responsibilities to performance reviews, operations meetings, or internal audits. This embeds ownership beyond crisis response plans.

Step 3

Identify Risks, Impacts, and Continuity Objectives

(Clause 6 – Planning)

What Clause 6 Covers
Organisations must:
• Address business continuity risks and opportunities
• Set objectives aligned with stakeholder needs and risk appetite
• Plan actions to meet these objectives

How to
• Conduct a Business Impact Analysis (BIA) to assess disruption impacts
• Evaluate risks across internal and external threats
• Establish continuity and recovery time objectives (RTOs)
• Define measurable BCMS objectives and link them to planning

Example
A global SaaS provider defines recovery objectives for core customer support services to be operational within four hours following a network failure.

Risks if Overlooked
• Poorly prioritised plans that fail under pressure
• Inability to meet contractual obligations or SLAs
• Failure to improve resilience where needed most

How AvISO and ISOvA Help
• BIA templates and impact analysis support
• Risk and opportunity planning features in ISOvA
• Objective tracking and dashboard views to monitor readiness

Use RTOs to prioritise investments in resilience. Test assumptions with operational data or historical incident reviews to validate impact ratings.

Step 4

Support and Resource the BCMS

(Clause 7 – Support)

What Clause 7 Covers
Organisations must:
• Provide adequate resources and trained personnel
• Ensure communication and awareness about continuity roles
• Manage documented information effectively

How to
• Identify continuity training needs by role and location
• Develop an awareness campaign for all employees
• Control documentation such as plans, policies, and contact trees
• Ensure access to plans during disruptions

Example
A data centre provides annual crisis simulation training to site leads and maintains printed recovery playbooks in each operations office.

Risks if Overlooked
• Critical staff unaware of their roles in an emergency
• Inaccessible or outdated continuity plans
• Loss of stakeholder trust due to slow or poor communication

How AvISO and ISOvA Help
• Continuity training and awareness programmes
• Document control tools in ISOvA
• Live access links and audit trails for plan updates and usage

Make business continuity part of onboarding, especially for front-line roles. Use digital tools for document access and version control, but also consider physical backups in case of system outages.

Step 5

Establish and Test Continuity Plans

(Clause 8 – Operation)

What Clause 8 Covers
Organisations must:
• Implement and maintain business continuity procedures
• Control outsourced activities and interdependencies
• Test and validate continuity arrangements regularly

How to
• Develop scenario-based business continuity and recovery plans
• Run tabletop and live continuity exercises
• Include communication, evacuation, IT recovery, and supplier fallback procedures
• Evaluate performance and revise based on lessons learned

Example
A hospital runs an annual flood simulation involving staff evacuation, emergency power checks, and ambulance rerouting.

Risks if Overlooked
• Plans that look good on paper but fail in practice
• Lack of alignment between departments during recovery
• Delayed response that worsens business disruption

How AvISO and ISOvA Help
• Business continuity planning templates and exercise facilitation
• Testing logs and plan update tracking in ISOvA
• Integration with operational risk registers and incident reporting

Focus your plans on real-world threats. The more practical the exercise, the more likely it will surface gaps. Document outcomes and assign follow-up actions.

Step 6

Monitor, Measure, and Review Performance

(Clause 9 – Performance Evaluation)

What Clause 9 Covers
Organisations must:
• Monitor and evaluate BCMS effectiveness
• Conduct internal audits of the BCMS
• Hold management reviews to assess performance

How to
• Define KPIs such as incident response times, recovery success rates, or test completion rates
• Schedule audits across BCMS components and roles
• Hold at least one formal management review per year

Example
A regional airport tracks continuity KPIs and holds quarterly reviews of critical incidents, feeding into annual strategy planning.

Risks if Overlooked
• Repeated failures or delayed recovery during real incidents
• Missed opportunities for improvement or lessons learned
• Poor engagement from senior leadership

How AvISO and ISOvA Help
• Internal audit and KPI dashboards
• Automated review prompts and data visualisation tools in ISOvA
• Templates for management review agendas, records, and outputs

Use continuity performance data to secure future investment. Align reviews with IT, HR, or ops to ensure continuity is embedded across departments.

Step 7

Drive Continual Improvement

(Clause 10 – Improvement)

What Clause 10 Covers
Organisations must:
• Respond to nonconformities and take corrective actions
• Identify opportunities for improvement
• Maintain the relevance and suitability of the BCMS

How to
• Investigate causes of any incidents or failures
• Log improvement actions and assign owners
• Schedule quarterly improvement reviews and system updates

Example
A telecoms firm discovers a backup failure during an exercise and implements enhanced offsite replication with weekly verification.

Risks if Overlooked
• Stagnant plans that lose relevance as the business evolves
• Unaddressed vulnerabilities that compound over time
• Regulatory or client scrutiny due to uncorrected findings

How AvISO and ISOvA Help
• Root cause analysis templates and improvement trackers
• Corrective action tools in ISOvA
• Linking improvements to objectives, risks, and KPIs

Make improvement part of your culture. Even minor updates, like clarifying contact roles, can significantly improve performance during a crisis.

Need help, or got a question?

Need help with our how-to guide, have a question, or want to know more about how we can help you gain certification? Get in touch.
Kent: 01892 800476 | London: 02037 458 476 | info@avisoconsultancy.co.uk