ISO 22301:
Business Continuity
When Disruption Strikes, Your System Responds.
Every organisation faces disruption — natural disasters, cyber incidents, power failures, supply chain collapses, or pandemic-level crises. The difference between those that survive and those that don't is rarely luck. It is the system they built before the disruption arrived. ISO 22301 provides the internationally recognised framework for building that system, and this programme teaches professionals how to design, implement, and sustain it.
Resilience Is Not a Reaction —
It Is a System You Build
Most organisations believe they are resilient until they are tested. A server failure brings operations to a standstill. A key supplier collapses. A natural disaster disables a facility. In that moment, the absence of a structured Business Continuity Management System becomes acutely, expensively apparent.
This programme is delivered by practitioners who have designed business continuity frameworks across complex, multi-site organisations — across sectors including financial services, healthcare, critical infrastructure, and logistics. Every module is structured around real-world application, not theoretical compliance.
Participants leave with a working BCMS architecture, a completed Business Impact Analysis for a real function, recovery strategy options documented, and a tested business continuity plan — built during the programme and immediately applicable to their organisation.
What You Will Walk Away With
The ability to design and implement a Business Continuity Management System fully aligned to ISO 22301:2019 — from scoping and policy through to continual improvement.
A working mastery of Business Impact Analysis — identifying critical functions, dependencies, MTPoD, RTO, and RPO with confidence and precision.
Practical skills in designing recovery strategies — people, premises, technology, supply chain, and communications — that are realistic and achievable under pressure.
The ability to write a Business Continuity Plan that crisis responders can actually use — clear, structured, pre-tested, and maintained over time.
Confidence designing and running BCMS exercises — from tabletop walkthroughs to full simulations — and using the findings to strengthen the programme.
Ready-to-use outputs: BCMS scope statement, BIA template, recovery strategy worksheet, BCP structure, exercise design guide, and crisis communications framework.
How ISO 22301 Structures Your Resilience Programme
ISO 22301:2019 follows the Plan-Do-Check-Act (PDCA) high-level structure common to all ISO management system standards. This programme walks participants through each stage of the BCMS lifecycle — ensuring they can design a programme that is not just implemented once, but continually maintained and improved.
Understand the organisation, its stakeholders, and the environment it operates in. Define the BCMS scope and establish leadership commitment and policy.
Identify critical activities, map dependencies, establish recovery time objectives (RTOs), and determine the maximum tolerable period of disruption (MTPoD).
Design proportionate, realistic recovery strategies across all resource categories — people, technology, premises, supply chain, and information.
Document actionable, role-based BCPs that cover incident response, crisis communications, workaround procedures, and escalation protocols.
Validate plans through structured exercises — tabletop walkthroughs, functional drills, and full simulations — and use findings to identify gaps before a real incident does.
Monitor BCMS performance, conduct internal audits and management reviews, and embed the continual improvement cycle that keeps the programme current and credible.
The Disruption Scenarios This Course Covers
A robust BCMS is scenario-agnostic — it prepares the organisation to respond to any disruption, not just the ones you can predict. This programme uses real-world disruption scenarios throughout, ensuring participants can apply their learning across the full range of threats their organisation faces.
Flooding, fire, extreme weather, and facility loss
Ransomware, data breaches, and system outages
Critical supplier collapse or logistics disruption
Power outages, telecoms failure, and connectivity loss
Workforce unavailability and public health emergencies
Media incidents, regulatory action, and stakeholder trust failures
What the Course Covers
- What is business continuity? Definitions, objectives, and the difference between continuity, resilience, and recovery
- The evolution of BC management — from disaster recovery to enterprise resilience
- Overview of ISO 22301:2019 — structure, high-level structure (HLS), and how it differs from the 2012 version
- How ISO 22301 relates to ISO 31000, ISO 27001, and crisis management frameworks
- The business case for a BCMS — regulatory drivers, client requirements, and reputational protection
- Understanding the organisation and its context: internal and external factors relevant to business continuity
- Identifying interested parties and determining their continuity-related requirements
- Scoping the BCMS: defining boundaries, inclusions, and exclusions — and the common scoping mistakes that undermine programmes
- Top management obligations under ISO 22301 — what senior leadership must own, not just endorse
- Writing a business continuity policy that reflects strategic intent — not just compliance language
- Roles, responsibilities, and authorities within the BCMS — the governance structure that makes it work
- Communication and awareness requirements — building a continuity-conscious organisational culture
- Understanding the BIA: purpose, scope, and why it is the most critical document in your BCMS
- Identifying and prioritising critical activities — the functions the organisation cannot afford to lose
- Mapping dependencies: people, technology, premises, suppliers, and information
- Establishing Maximum Tolerable Period of Disruption (MTPoD) — how long can each activity be unavailable?
- Determining Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each critical activity
- Documenting resource requirements at the point of recovery — not at normal operating level
- Hands-on: conducting a full BIA for a real-world function using structured templates
- The five resource categories for recovery strategy design: people, premises, technology, supply chain, information
- People strategies: cross-training, staff redeployment, mutual aid, and contractor arrangements
- Premises strategies: work-from-home, alternate sites, reciprocal arrangements, and split operations
- Technology strategies: data backup, cloud recovery, alternative systems, and manual workarounds
- Supply chain strategies: dual sourcing, emergency supplier agreements, and stockpiling
- Evaluating strategy options against cost, feasibility, and alignment with RTOs from the BIA
- Hands-on: designing and documenting recovery strategies for a complex, multi-dependency scenario
- The anatomy of an effective BCP — structure, format, and the common mistakes that make plans unreadable under pressure
- Incident response procedures: detection, notification, escalation, and initial response actions
- Workaround procedure documentation: step-by-step, role-based, and scenario-specific
- Crisis management team design: composition, roles, decision-making protocols, and activation criteria
- Crisis communications planning: internal communications, media handling, regulatory notifications, and stakeholder management
- Hands-on: drafting a business continuity plan section using real-world incident scenarios
- Why exercising is the most neglected and most important element of any BCMS
- Types of exercises: document reviews, tabletop walkthrough, functional exercise, and full simulation — when to use each
- Designing an exercise: scenario selection, participant roles, inject design, and facilitation techniques
- Capturing and acting on exercise findings — turning lessons learned into genuine programme improvements
- Internal audit of the BCMS: scope, methodology, and reporting findings to leadership
- Management review requirements under ISO 22301 — what must be reviewed and how often
- Embedding continual improvement: maintaining the BCMS through organisational change and emerging threats
Built For These Professionals
Those responsible for designing, implementing, or managing a BCMS — whether building from scratch or maturing an existing programme.
Senior managers overseeing critical operations who need structured frameworks to protect business continuity through any disruption scenario.
Risk managers and compliance officers who need to integrate business continuity requirements into enterprise risk frameworks and regulatory submissions.
Board members, directors, and C-suite executives who bear strategic responsibility for organisational resilience and stakeholder trust through crises.
Audit professionals preparing to assess BCMS effectiveness against ISO 22301 requirements — or supporting external certification audits.
GRC and resilience advisory professionals supporting organisations through BCMS implementation, gap assessments, or ISO 22301 certification preparation.
What Past Delegates Say
Before this programme, our business continuity plan was a document that sat in a folder and hadn't been tested in three years. After completing ISO 22301, I led our organisation through a full BIA, redesigned our recovery strategies, and ran our first realistic tabletop exercise. When a real incident hit eight months later, we responded with a clarity that genuinely surprised our leadership team.
The Business Impact Analysis module alone changed how our entire organisation thinks about critical functions. We had assumptions about what was important — the BIA methodology forced us to test those assumptions with data. Several of our findings were genuinely surprising and led to strategic decisions we would never have made otherwise.
Ready to Build an Organisation That Survives Anything?
Join resilience leaders, risk professionals, and operations managers who have used ISO 22301 to transform their organisation's ability to withstand, respond to, and recover from disruption.
