Categories
GRC

ISO 22301:2019 as a Pillar of Resilience: Bridging Information Security with ISO 27001 and NIS 2 Compliance

February 12, 2026

We live in a world where organisations no longer operate in predictable, stable environments. Instead, they face multiple risks that can disrupt their operations – cyberattacks, natural disasters, pandemics and other events that can create meaningful damages on various levels. In 2025, the global average cost of a data breach is ≈ 4,08 million euros; therefore to address these challenges, organisations invest in international standards for guidance on how to increase their resilience and safeguard business continuity in case of disruption.  This is the part where ISO 22301, the standard for establishing a Business Continuity Management System (BCMS), becomes essential. 

ISO 22301 in Context 

The ISO 22301, published by the International Organisation for Standardisation (ISO), provides a framework for organisations to prepare, respond and recover from disruptive events. This standard operates on the Plan-Do-Check-Act (PDCA) cycle, a continuous improvement model that ensures business continuity procedures are regularly reviewed and adapted to evolving risks. 

This standard follows the Annex SL framework, which is common to most modern ISO management systems standards, including:

  • Clause 4: Context of the Organisation;
  • Clause 5: Leadership;
  • Clause 6: Planning;
  • Clause 7: Support;
  • Clause 8: Operation; 
  • Clause 9: Performance Evaluation; 
  • Clause 10: Improvement.

 

While the structure is aligned with other standards, the 22301 standard focuses on critical business operations. There are several key steps that form the foundation of this standard, such as the Business Impact Analysis (BIA), the Risk Assessment and Continuity Strategies, the Business Continuity Plans and the Tests/Exercises to these procedures. 

Business Impact Analysis (BIA)

The BIA is one of the core elements of ISO 22301. This process helps to identify and prioritise the organisation’s critical activities and assesses how their disruptions would affect the operations and other business vectors (ex: financial, reputation, compliance etc). The outputs of this process are the objective metrics, more specifically the: 

  • Maximum Tolerable Period of Disruption (MTPD): maximum downtime that an organisation can experience before the consequence reach an unacceptable level;
  • Recovery Time Objective (RTO): maximum acceptable period of time that an application, system or process can be unavailable without causing significant damage to the business. It can also be described as the target time which a process/application/system must be restored; 
  • Recovery Point Objective (RPO): Maximum amount of data (measured in time) that an organisation can afford to lose after a failure or disaster. It defines the organisation’s tolerance for data loss;
  • Minimum Business Continuity Objective (MBCO): minimum service or output level required during a disruption. Unlike the other objectives measured in time, MBCO defines the volume, quality or scope of service the business must maintain. 

This analytical process searches to answer the question “What must be restored first and how quickly to avoid unacceptable consequences?” in order to develop the recovery strategies. While ISO 22301 requires to perform the BIA process, it does not provide a methodology, however there is a standard dedicated to it – ISO/TS 22317:2021 – a technical specification that provides guidance and support throughout the BIA. 

Risk Assessment and Continuity Strategies 

The risk assessment process complements the Business Impact Analysis (BIA) by identifying the threats, vulnerabilities, and potential scenarios that could disrupt the operations. Here, it is contemplated the question “What could cause such disruptions?” and evaluated by their likelihood and impact. 

This process is methodologically similar to the risk assessment required by the ISO 27001, supported by ISO 27005, as both standards share the common structure. Therefore, they undergo the same stages – risk identification, analysis, evaluation and treatment – and what distinguishes the standards are the outputs. In the case of 22301, the output of the risk assessment process are the business continuity strategies. 

These strategies are the connection between the analysis and the action phases – a set of measures and arrangements that ensure that the organisation can keep operating under a disruption. This standard requires strategies for during a disruptive event, but also for before and after. Similar to the standard that supports the BIA process, the ISO/TS 22331:2018 provides guidance on how to design, select and implement business continuity strategies. 

 

ISO 22301 2019 as a Pillar of Resilience Bridging Information Security with ISO 27001 and NIS 2 Compliance 2

Business Continuity Plans

In the context of ISO 22301, Business Continuity Plans (BCPs) are the operational “heart” of the BCMS. These plans aim to provide a structured and coordinated guide to responding and recovery from an eventual incident and should be developed around the critical processes, resources dependencies and continuity strategies.

While ISO 22301 does not prescribe a single format for a BCP, it does describe the elements that should be part of it – plan activation criteria, objectives and scope, roles and responsibilities, incident management structure, communications management, operational procedures, resources requirements, recovery and restoration sections and, finally, the testing and review sections. An effective and comprehensive BCP should be able to answer the questionwhat to do, when to do it and who is responsible?”

This plan should be regularly tested and reviewed to adapt to new threat landscapes, to organisational changes, to technological developments or to any significant event. It is fundamental to raise awareness of every employee involved in the business continuity actions – this can be achieved through testing exercises. 

Tests/Exercises 

Testing and exercising are essential parts of the Business Continuity Management System. The purpose of testing is to validate that the recovery objectives are achieved in practice, that resources are sufficient and to ensure all the personnel understand their roles and responsibilities in these events. More so, the exercises verify if the business continuity strategies and plans are working as intended. 

The standard specifies the criteria for those exercises and requires a post-exercise reporting for continual improvement. These exercises will be the key to analyse what is missing – gaps, inconsistencies – and will provide evidence that the system is capable of running itself, giving the organisation credibility for certifications. There are various types of exercises that organisations can choose from – according to ISO 22301, exercises should be realistic and progressive ensuring that the scope of the BCMS is validated. 

Tabletop/discussion-based exercises involve structured discussions around hypothetical disaster scenarios, crucial for evaluating decision-making, coordination, and communication among stakeholders. These exercises familiarize participants with plans and test theoretical knowledge. Failover exercises, focused on IT systems, validate RTOs, RPOs, and backup environment functionality.

ISO 22398:2013 recommends good practices and guidelines for an organisation to plan and conduct exercises. 

ISO 22301 2019 as a Pillar of Resilience Bridging Information Security with ISO 27001 and NIS 2 Compliance 2

Top 5 Recommendations for the BCMS

 

Organisations should be pragmatic in their approach and adapt the standard to their size and nature, although there are measures that fit universally, such as: 

  • Define a clear scope and boundaries: it is more beneficial to start with a smaller and well-defined scope that concentrates on the most critical business processes and expand progressively as maturity grows; 
  • Use existing frameworks: For risk management, there are standards such as ISO 31000 or Enterprise Risk Management (ERM) already in place that can be integrated into the system; 
  • Keep Business Continuity Plans actionable and practical: This plan should be known as a tool for action, not just another document. Therefore, should include only essential information (what, when, who, how) that can be understood by anyone in the organisation; 
  • Test and Improve: Testing all defined plans is the most reliable way to put the theory into practice. The goal is not to “pass” or “fail” but instead to identify gaps, weaknesses, elements to improve before a real disruption occurs; 
  • Promote a resilience culture: Organisations should actively foster a culture of resilience by demonstrating visible, top-down commitment to business continuity. By allocating resources, developing awareness campaigns, including all relevant stakeholders into decision-making will ensure that every contribution is valued, making the entire business continuity framework more effective. 

 

Synergies with ISO 27001 and NIS 2 Directive

In the current regulatory landscape, organisations are facing a centralised pressure to demonstrate operational resilience, cybersecurity maturity and information security. Following the guidelines of ISO 22301, of the NIS 2 Directive and of ISO 27001 it is possible to converge efforts. Each one of these regulatory “tools” have distinct objectives and areas of focus, nevertheless it can be highly beneficial to analyse the requisites and frameworks together. 

One of NIS 2 Directive provisions is Article 21 (“Cybersecurity risk-management measures”). This article requires entities (essential and important) to implement a range of technical, operational and organisational measures to manage risks and ensure business continuity of the critical services. ISO 22301 can relate to these requirements being this standard’s focus on the resilience and continuity of critical activities. Both share a common goal: to ensure that organisations can respond to and recover from disruptive incidents

On another note, information security and business continuity are two elements that every organisation must have to survive in today’s threat environment. This is where ISO 27001 and ISO 22301 align – protecting data without ensuring the business continuity of those processes or restoring operations after a disruptive event that compromised the information assets won’t benefit the organisation. Both standards follow the Annex SL framework, enabling organisations to integrate them into a single management system. 

 

NIS 2, ISO 27001 AND ISO 22301 ROADMAP
NIS 2 (ARTICLE 21) ISO 27001 MATCH ISO 22301 MATCH
21.2. (a) policies on risk analysis and information system security
  • Clause 5.2) Policy
  • Clause 6.1.) Actions to address risks and opportunities
  • Annex A 5.1) Information Security Policies
  • Clause 6.1) Actions to address risks and opportunities
  • Clause 8.2) Business Impact Analysis and risk assessment
21.2. (b) incident handling
  • Annex A 5.24) Information security incident management planning and preparation
  • Annex A 5.25) Assessment and decision on information security events
  • Annex A 5.26) Response to information security incidents
  • Annex A 5.27) Learning from information security incidents
 Clause 8.4.2) Response structure
21.2. (c) business continuity
  • Annex A 5.29) Information security during disruption
  • Annex A 5.30) ICT readiness for business continuity
  • Annex A 8.13) Information backup
  • Annex A 8.14) Redundancy of information processing facilities
 Entire standard highlight:

  • Clause 6.2) Business continuity objectives and planning to achieve them
  • Clause 8.3) Business continuity strategies and solutions
  • Clause 8.4) Business continuity plans and procedures
  • Clause 8.6) Evaluation of business continuity documentation and capabilities
21.2. (d) supply chain security
  • Annex A 5.19) Information security in supplier relationships
  • Annex A 5.20) Addressing information security within supplier agreements
 Clause 8.3) Business continuity strategies and solutions (ISO/TS 22318 can be used for support)
21.2. (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
  • Annex A 8.8) Management of technical vulnerabilities
  • Annex A 8.25) Secure development lifecycle
  • Annex A 8.26) Application security requirements
  • Annex A 8.27) Secure system architecture and engineering principles
  • Annex A 8.28) Secure coding
  • Annex A 8.29) Security testing in development and acceptance
  • Annex A 8.30) Outsourced development
  • Annex A 8.31) Separation of development, test and production environments
  • Annex A 8.32) Change management
 Clause 8.3) Business continuity strategies and solutions (ISO/TS 22318 can be used for support)
21.2. (f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • Clause 9) Performance Evaluation
  • Clause 10) Improvement
  • Annex A 5.36) Independent review of information security
  • Clause 8.5) Exercise Programme
  • Clause 9) Performance Evaluation
  • Clause 10) Improvement
21.2. (g) basic cyber hygiene practices and cybersecurity training
  • Clause 5.2) Policy
  • Clause 7.2) Competence
  • Clause 7.3) Awareness
  • Annex A 5.1) Policies for information security
  • Annex A 6.3) Information security awareness, education and training
  • Clause 5.2) Policy
  • Clause 7.2) Competence
  • Clause 7.3) Awareness
  • Clause 8.5) Exercise Programme
21.2. (h) policies and procedures regarding the use of cryptography Annex A 8.24) Use of cryptography Clause 8.3) Business continuity strategies and solutions (ISO/TS 22318 can be used for support)
21.2. (i) human resources security, access control policies and asset management
  • Annex A 5.9) Inventory of information and other associated assets
  • Annex A 5.15) Access control
  • Annex A 5.16) Identity management
  • Annex A 5.17) Authentication information
  • Annex A.18) Access rights
  • Annex A6) People Controls
  • Clause 7.1) Resources
  • Clause 8.3) Business continuity strategies and solutions (ISO/TS 22318 can be used for support)
21.2. (j) the use of multi-factor authentication
  • Annex A 5.17) Authentication information
  • Annex A 8.5) Secure authentication
 Clause 8.3) Business continuity strategies and solutions (ISO/TS 22318 can be used for support)

 

Conclusion

In an environment where risks can pose a threat to multiple chains, it is crucial to mature cybersecurity, information security and business resilience. This article demonstrated that ISO 22301 can help reach compliance with regulatory directives and standards and increase business resilience as well – with this standard in the toolbox, it will be possible to form a unified resilience ecosystem that is not only regulatory aligned but also will enhance confidence and organizational maturity. 

Additionally, the convergence of NIS 2, ISO 27001 and ISO 22301 marks a turning point on how organisations can achieve compliance and organizational maturity all at once – It is possible to achieve regulatory compliance, operational resilience and information protection. Organisations must embrace the mindset that improving business resilience is no longer an option, but instead a must-have.

Find more articles about GRC here

Author

Patrícia Bastos