This optimised guide breaks ISO 22301 implementation into seven clear steps aligned with Clauses 4 to 10 of Annex SL. Each section includes practical guidance, examples, risks, and expert support from AvISO and ISOvA to keep you compliant and operational under pressure.
(Clause 4 – Context of the Organisation)
What Clause 4 Covers
Organisations must:
• Understand internal and external issues that could impact continuity
• Identify relevant interested parties and their expectations
• Define the scope of the BCMS
• Determine key business processes and their continuity requirements
How to
• Map out legal, regulatory, and contractual requirements tied to continuity
• Identify critical activities and high-risk locations or services
• Consider external threats such as utilities, IT systems, and key suppliers
• Draft a clear scope statement defining what your BCMS will cover
Example
A regional law firm defines its BCMS scope as all legal advisory services provided from its head office, with a focus on IT systems and client data resilience.
Risks if Overlooked
• Critical services or systems excluded from scope
• Inaccurate understanding of continuity dependencies
• Missed stakeholder expectations or legal exposures
How AvISO and ISOvA Help
• BCMS scoping workshops
• Stakeholder mapping tools and scope templates in ISOvA
• Guidance on defining core and supporting services based on risk
(Clause 5 – Leadership)
What Clause 5 Covers
Organisations must:
• Show visible commitment from senior management
• Align business continuity policy with strategic goals
• Define roles, responsibilities, and authority for the BCMS
How to
• Appoint an executive sponsor for business continuity
• Approve and publish a Business Continuity Policy
• Define accountability for risk assessment, plan testing, and incident management
• Create a BCMS steering group to lead implementation
Example
A UK-wide logistics provider appoints the COO to sponsor the BCMS and sets up a continuity team with leads from operations, IT, HR, and customer service.
Risks if Overlooked
• No clear accountability during incidents
• Lack of leadership buy-in leading to weak plan ownership
• Failure to prioritise continuity in strategic decisions
How AvISO and ISOvA Help
• Leadership engagement briefings and policy templates
• Custom responsibility matrices within ISOvA
• Management review support to drive board-level commitment
(Clause 6 – Planning)
What Clause 6 Covers
Organisations must:
• Address business continuity risks and opportunities
• Set objectives aligned with stakeholder needs and risk appetite
• Plan actions to meet these objectives
How to
• Conduct a Business Impact Analysis (BIA) to assess disruption impacts
• Evaluate risks across internal and external threats
• Establish continuity and recovery time objectives (RTOs)
• Define measurable BCMS objectives and link them to planning
Example
A global SaaS provider defines recovery objectives for core customer support services to be operational within four hours following a network failure.
Risks if Overlooked
• Poorly prioritised plans that fail under pressure
• Inability to meet contractual obligations or SLAs
• Failure to improve resilience where needed most
How AvISO and ISOvA Help
• BIA templates and impact analysis support
• Risk and opportunity planning features in ISOvA
• Objective tracking and dashboard views to monitor readiness
(Clause 7 – Support)
What Clause 7 Covers
Organisations must:
• Provide adequate resources and trained personnel
• Ensure communication and awareness about continuity roles
• Manage documented information effectively
How to
• Identify continuity training needs by role and location
• Develop an awareness campaign for all employees
• Control documentation such as plans, policies, and contact trees
• Ensure access to plans during disruptions
Example
A data centre provides annual crisis simulation training to site leads and maintains printed recovery playbooks in each operations office.
Risks if Overlooked
• Critical staff unaware of their roles in an emergency
• Inaccessible or outdated continuity plans
• Loss of stakeholder trust due to slow or poor communication
How AvISO and ISOvA Help
• Continuity training and awareness programmes
• Document control tools in ISOvA
• Live access links and audit trails for plan updates and usage
(Clause 8 – Operation)
What Clause 8 Covers
Organisations must:
• Implement and maintain business continuity procedures
• Control outsourced activities and interdependencies
• Test and validate continuity arrangements regularly
How to
• Develop scenario-based business continuity and recovery plans
• Run tabletop and live continuity exercises
• Include communication, evacuation, IT recovery, and supplier fallback procedures
• Evaluate performance and revise based on lessons learned
Example
A hospital runs an annual flood simulation involving staff evacuation, emergency power checks, and ambulance rerouting.
Risks if Overlooked
• Plans that look good on paper but fail in practice
• Lack of alignment between departments during recovery
• Delayed response that worsens business disruption
How AvISO and ISOvA Help
• Business continuity planning templates and exercise facilitation
• Testing logs and plan update tracking in ISOvA
• Integration with operational risk registers and incident reporting
(Clause 9 – Performance Evaluation)
What Clause 9 Covers
Organisations must:
• Monitor and evaluate BCMS effectiveness
• Conduct internal audits of the BCMS
• Hold management reviews to assess performance
How to
• Define KPIs such as incident response times, recovery success rates, or test completion rates
• Schedule audits across BCMS components and roles
• Hold at least one formal management review per year
Example
A regional airport tracks continuity KPIs and holds quarterly reviews of critical incidents, feeding into annual strategy planning.
Risks if Overlooked
• Repeated failures or delayed recovery during real incidents
• Missed opportunities for improvement or lessons learned
• Poor engagement from senior leadership
How AvISO and ISOvA Help
• Internal audit and KPI dashboards
• Automated review prompts and data visualisation tools in ISOvA
• Templates for management review agendas, records, and outputs
(Clause 10 – Improvement)
What Clause 10 Covers
Organisations must:
• Respond to nonconformities and take corrective actions
• Identify opportunities for improvement
• Maintain the relevance and suitability of the BCMS
How to
• Investigate causes of any incidents or failures
• Log improvement actions and assign owners
• Schedule quarterly improvement reviews and system updates
Example
A telecoms firm discovers a backup failure during an exercise and implements enhanced offsite replication with weekly verification.
Risks if Overlooked
• Stagnant plans that lose relevance as the business evolves
• Unaddressed vulnerabilities that compound over time
• Regulatory or client scrutiny due to uncorrected findings
How AvISO and ISOvA Help
• Root cause analysis templates and improvement trackers
• Corrective action tools in ISOvA
• Linking improvements to objectives, risks, and KPIs