On February 22, 2024, a single misconfigured AT&T network change took down wireless service for 125 million devices across all 50 states and blocked more than 25,000 calls to 911.
That same month, a ransomware attack on Change Healthcare froze medical claims processing for the largest clearinghouse in the United States. Neither organization lacked a business continuity plan. Both lacked a tested ISO 22301:2019 program.
Five months later, a faulty CrowdStrike Falcon software update crashed 8.5 million Windows devices worldwide and delivered an estimated $5.4 billion in direct losses to Fortune 500 firms — with the US healthcare sector alone absorbing $1.9 billion of that.
These three 2024 incidents, more than any rule change since 2019, are why ISO 22301:2019 is back at the top of every US chief risk officer’s agenda this year.
This 2026 practitioner guide walks through what ISO 22301:2019 actually requires, how the new climate amendment (Amd 1:2024) changes the standard, certification cost and timeline, how to map the BCMS to NIST CSF 2.0 and US financial regulators, and where mature programs stall. Audience: US risk, resilience, and compliance professionals building or renewing a BCMS in 2026.
Why ISO 22301:2019 Matters More in 2026 Than It Did in 2019
When ISO first published the current ISO 22301:2019 edition, most US firms treated it as a resilience-industry reference standard rather than a board-level priority.
That changed in 2024. Viewed against a firm’s overall business continuity management program, ISO 22301:2019 has shifted from “nice to have” to “regulator-expected baseline” in under 18 months.
The three 2024 incidents did the heavy lifting. The OFR Change Healthcare cyberattack brief documented how a single third-party failure cascaded through US hospitals, pharmacies, and payers for months.
The FCC AT&T outage report showed that basic configuration change controls failed at one of the largest telecommunications carriers in the United States. Both events turned resilience from a compliance topic into a board-reporting topic overnight.

Figure 1: Three 2024 US incidents made ISO 22301:2019 a board-level priority, not a resilience-team one.
The standard itself also moved. In February 2024, ISO published ISO 22301:2019/Amd 1:2024, the climate action amendment applied across the ISO management system standards. It adds a requirement to Clause 4.1 (the organization shall determine whether climate change is a relevant issue) and a note to Clause 4.2 (relevant interested parties can have requirements related to climate change). Because Clause 6.1 plans risk treatment from the issues identified under Clause 4.1, climate change enters the risk assessment through that route.
Practitioners who had treated the 2019 standard as static discovered in early 2025 that surveillance audits now probe climate exposure by name.
US regulators reinforced the trend. The FINRA 2026 Annual Regulatory Oversight Report added third-party vendor cyber incidents as a focus area on top of the amended SEC Regulation S-P 30-day breach notification rule.
Firms running a certified ISO 22301:2019 BCMS found the transition easier than those starting from scratch — the clause structure already mapped to the new evidence examiners wanted to see.
The Structure of ISO 22301:2019: What the Standard Actually Requires
ISO 22301:2019 is organized around the high-level structure common to all modern ISO management system standards. Clauses 4 through 10 cover context, leadership, planning, support, operation, performance evaluation, and improvement.
The Schellman ISO 22301:2019 requirements guide summarizes each clause in plain English, but the structural point worth remembering is that Clauses 4, 5, and 6 establish the program and Clauses 7 through 10 run and improve it.
Clause 8 (Operation) is where ISO 22301:2019 diverges from its siblings. It requires a documented business impact analysis and risk assessment (8.2), continuity strategies and solutions informed by the BIA (8.3), documented business continuity plans and procedures (8.4), and an exercise programme that tests those plans (8.5).
Few other ISO management system standards go this deep into operational execution; that depth is the standard’s defining feature.

Figure 2: Clause 8 — BIA, strategy, BCP, and exercising — absorbs the lion’s share of ISO 22301:2019 audit effort.
Because Clause 8 is so dominant, most ISO 22301:2019 certifications pass or fail on the quality of three artifacts: the BIA, the continuity strategy, and the exercise programme.
For a concrete starting point on the first, see our business continuity plan template; for the BIA discipline, our business impact analysis guide gives the taxonomy your auditor will recognise on sight.
Clauses 4, 5, and 6 account for roughly 30% of audit effort between them. The DNV ISO 22301:2019 certification methodology spends the bulk of Stage 1 reviewing scope statements, leadership evidence, and risk-based planning — because a BCMS built on a weak context analysis cannot produce strong Clause 8 operational evidence, no matter how detailed the BCP.
ISO 22301:2019 Implementation: A Practitioner Roadmap That Survives Contact with Reality
Most ISO 22301:2019 implementations fail on sequencing, not on substance. Firms start with a BCP template, realize at month four they have no BIA data to drive it, then retrofit the analysis under audit pressure.
The sequence below inverts that failure mode — it anchors the complete risk assessment process first, then lets scope, strategy, and plans flow from evidence rather than from template inertia.
The roadmap is designed for a US mid-market firm running its first ISO 22301:2019 cycle. Smaller firms can compress Phase 2 and Phase 3; enterprise firms with existing operational resilience programs should expand Phase 4 to include cross-functional challenge. The five-phase shape — scope, analyse, design, implement, certify — is stable across firm size.
| Phase | Months | Key deliverables | Evidence the phase is done |
|---|---|---|---|
| 1. Scope and leadership | 1–2 | BCMS scope statement signed; policy approved; leadership commitment documented; ISO 22301 risk appetite set | Signed scope; approved policy; Clause 5 evidence pack |
| 2. Context and risk | 2–4 | Context analysis (incl. climate per Amd 1:2024); risk assessment; interested parties register | Clause 4 and Clause 6 evidence pack |
| 3. BIA and strategy | 4–7 | Business impact analysis across all in-scope activities; continuity strategy; resource requirements | BIA with RTO/RPO/MBCO for every critical activity |
| 4. BCP and testing | 7–10 | Documented business continuity plans; incident response; communications plan; first tabletop and functional exercise | BCPs signed; exercise after-action reports |
| 5. Audit and certify | 10–12 | Internal audit; management review; Stage 1 and Stage 2 certification audits | Certificate issued by accredited body |
The non-negotiable checkpoint is the end of Phase 3. If the BIA is incomplete — even one critical activity missing an RTO, RPO, or minimum business continuity objective — Phase 4 produces BCPs that will fail Stage 2.
Every BCP authored against a weak BIA requires rework, and rework is where certification timelines slip from twelve months to eighteen months.
Pair the roadmap with a structured risk register so every risk tied to a critical activity carries an owner, a treatment, and a review cadence.
The discipline prevents the common failure mode where the BCMS looks comprehensive on paper but cannot produce a traceable audit trail from risk to control to test result.
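The Phase 3 checkpoint and the risk-register discipline above are both checks a script can run before Stage 1. The following is an added example, not code from the original article or from any vendor named on this page: it gates the BIA on the RTO/RPO/MBCO/owner fields the roadmap calls out and walks each risk from owner and treatment to a linked control and on to exercise evidence. The record layout, field names and the sample activities, risks and exercise identifiers are constructed for illustration.

```python
"""BIA completeness gate and risk -> control -> exercise traceability check.

Added example. Field names (rto_hours, rpo_hours, mbco, ...) and all sample
records are this example's own constructions, not artifacts from the article.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Activity:
    """One critical activity as captured in the BIA."""
    name: str
    owner: Optional[str]
    rto_hours: Optional[float]   # recovery time objective
    rpo_hours: Optional[float]   # recovery point objective
    mbco: Optional[str]          # minimum business continuity objective, e.g. "60% of daily claim volume"
    dependencies: list[str] = field(default_factory=list)  # vendors/systems the activity relies on


@dataclass
class Risk:
    risk_id: str
    activity: str                # Activity.name this risk threatens
    owner: Optional[str]
    treatment: Optional[str]
    review_cadence_days: Optional[int]
    control_ids: list[str] = field(default_factory=list)


@dataclass
class Control:
    control_id: str
    description: str
    exercise_ids: list[str] = field(default_factory=list)  # after-action reports that tested it


def bia_gate(activities: list[Activity]) -> list[str]:
    """Return one finding per BIA defect; an empty list means Phase 3 is complete."""
    findings = []
    for a in activities:
        required = (("owner", a.owner), ("RTO", a.rto_hours), ("RPO", a.rpo_hours), ("MBCO", a.mbco))
        missing = [label for label, value in required if value in (None, "")]
        if missing:
            findings.append(f"{a.name}: missing {', '.join(missing)}")
        if not a.dependencies:
            findings.append(f"{a.name}: no third-party or system dependencies recorded")
    return findings


def phase3_ready(activities: list[Activity]) -> bool:
    """The non-negotiable checkpoint: no BIA findings means Phase 4 may start."""
    return not bia_gate(activities)


def traceability_gaps(activities, risks, controls, exercise_ids) -> list[str]:
    """Check that every risk traces to an owned, treated control that has exercise evidence."""
    activity_names = {a.name for a in activities}
    controls_by_id = {c.control_id: c for c in controls}
    findings = []
    for r in risks:
        if r.activity not in activity_names:
            findings.append(f"{r.risk_id}: references unknown activity '{r.activity}'")
        for label, value in (("owner", r.owner), ("treatment", r.treatment),
                             ("review cadence", r.review_cadence_days)):
            if value in (None, ""):
                findings.append(f"{r.risk_id}: missing {label}")
        if not r.control_ids:
            findings.append(f"{r.risk_id}: no control linked")
        for cid in r.control_ids:
            control = controls_by_id.get(cid)
            if control is None:
                findings.append(f"{r.risk_id}: control {cid} not in register")
            elif not any(e in exercise_ids for e in control.exercise_ids):
                findings.append(f"{r.risk_id} -> {cid}: no exercise evidence")
    return findings


# Constructed sample data: one complete activity, one missing RPO, one missing dependencies.
ACTIVITIES = [
    Activity("Claims adjudication", "VP Operations", 24, 4, "60% of daily claim volume",
             ["Clearinghouse vendor", "Core claims platform"]),
    Activity("Pharmacy benefit lookup", "Pharmacy Director", 8, None, "Manual lookup for top 50 drugs", ["PBM API"]),
    Activity("Provider payments", "Controller", 72, 24, "Weekly batch only"),
]
RISKS = [
    Risk("R-01", "Claims adjudication", "CISO", "Secondary clearinghouse contract", 90, ["C-01"]),
    Risk("R-02", "Pharmacy benefit lookup", None, "Cached formulary", 180, ["C-02"]),
    Risk("R-03", "Provider payments", "Controller", "Manual ACH file", 365, ["C-99"]),
]
CONTROLS = [
    Control("C-01", "Failover to secondary clearinghouse", ["EX-2025-03"]),
    Control("C-02", "Serve formulary from 24h cache", []),
]
EXERCISE_IDS = {"EX-2025-03"}  # after-action reports actually on file

if __name__ == "__main__":
    for line in bia_gate(ACTIVITIES) + traceability_gaps(ACTIVITIES, RISKS, CONTROLS, EXERCISE_IDS):
        print(line)
```

Run against the sample data, the gate blocks Phase 4 on two BIA defects and the traceability walk surfaces an unowned risk, a control that was never exercised, and a dangling control reference; each of those is exactly the kind of break in the risk-to-test chain a Stage 2 auditor samples for.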
ISO 22301:2019 Certification: Cost, Timeline, and the Stage 1 / Stage 2 Audit
ISO 22301 certification cost depends on three variables: organization size, existing BCMS maturity, and whether the firm engages consultants.
Published guidance from NQA and DNV gives the headline ranges, but the number that actually matters is the three-year total cost — initial audit, two surveillance audits, and internal program overhead combined.

Figure 3: Three-year ISO 22301 certification cost by US organization size.
Small US firms (10–50 employees) typically invest $5,000–$20,000 for initial certification. Mid-market (50–500) runs $30,000–$75,000 over three years including surveillance.
Enterprise deployments exceed $150,000, with implementation costs frequently larger than audit fees. Annual surveillance audits run 30–40% of the initial audit fee — a cost line that consistently surprises finance teams during year-two budget planning.
Timeline is the other surprise. Most certifications run 9–15 months end to end. Stage 1 — the documentation review audit — happens around month 10 after Phase 4 testing completes.
Stage 2 — the on-site implementation audit — follows four to eight weeks later, depending on findings and remediation. Firms compressing into under nine months almost always get Stage 2 findings.
Certificates are valid for three years, with mandatory annual surveillance audits and a full recertification at the end.
The ISO 22301 publication page is authoritative on the clause requirements the audit probes, and PECB’s ISO 22301 training programs remain the most widely recognized certification route for US practitioners who will lead implementation or internal audit.
Mapping ISO 22301:2019 to NIST CSF 2.0, DORA, and FFIEC Examinations
ISO 22301 does not exist in isolation. In 2026 practice, a US firm’s BCMS has to satisfy ISO 22301 auditors, US financial regulators, healthcare regulators, and — for firms with EU operations — DORA examiners simultaneously.
The NIST Cybersecurity Framework 2.0 Recover function maps almost cleanly to ISO 22301 Clause 8, which is the single most valuable crosswalk in the practitioner’s toolkit.
Our NIST CSF 2.0 implementation guide walks through the crosswalk subcategory by subcategory. RC.RP (Incident Recovery Plan Execution) overlaps with ISO 22301 Clauses 8.4 and 8.5; RC.CO (Incident Recovery Communication) overlaps with Clause 8.4.3 (Warning and communication).
Firms producing evidence once and mapping to both frameworks save roughly 40% of audit preparation effort versus running two parallel evidence programs.
For EU exposure, the Digital Operational Resilience Act (DORA) sets ICT business continuity, response and recovery requirements that follow the same BCMS structure, and ISO 22301 evidence is widely used as the starting point for demonstrating them.
For US healthcare, HIPAA’s Contingency Plan Standard (45 CFR 164.308(a)(7)) has no direct ISO mapping, but ISO 22301 Clause 8 evidence has satisfied the HIPAA auditor in every comparison we have run during US hospital system engagements.
The practical discipline is to build the BCMS with a “map once, satisfy many” philosophy. Tag every control in the risk register with the ISO 22301 clause it supports, the NIST CSF 2.0 subcategory it maps to, and the US regulator that will ask for the evidence.
That three-column tagging turns multi-framework audits from a cost multiplier into a controlled preparation cycle.
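The three-column tagging only pays off if something reads the tags back. The following added example (not code from the original article) implements the “map once, satisfy many” check: each control carries its ISO 22301 clauses, NIST CSF 2.0 subcategories and the regulators that will ask for the evidence, and the script reports which required clauses or subcategories have no evidenced control behind them and assembles a per-regulator evidence pack. The required-ID sets are an illustrative subset, and the control records, artifact names and regulator labels are constructed.

```python
"""Coverage check for three-column control tagging (ISO 22301 / NIST CSF 2.0 / regulator).

Added example. Required-ID sets are an illustrative subset; controls, artifacts
and regulator labels are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class TaggedControl:
    control_id: str
    evidence: list[str]                        # artifact names in the evidence repository
    iso_clauses: set[str] = field(default_factory=set)
    nist_subcategories: set[str] = field(default_factory=set)
    regulators: set[str] = field(default_factory=set)


def coverage_gaps(controls, required_iso, required_nist):
    """Required IDs with no evidenced control behind them. A control with no
    evidence does not count as coverage, however well it is tagged."""
    evidenced = [c for c in controls if c.evidence]
    covered_iso = set().union(*(c.iso_clauses for c in evidenced))
    covered_nist = set().union(*(c.nist_subcategories for c in evidenced))
    return {"iso": sorted(required_iso - covered_iso),
            "nist": sorted(required_nist - covered_nist)}


def untagged(controls):
    """Controls missing any of the three tags cannot be mapped and will be
    re-evidenced separately for each framework."""
    return [c.control_id for c in controls
            if not (c.iso_clauses and c.nist_subcategories and c.regulators)]


def evidence_pack(controls, regulator):
    """Deduplicated artifacts to hand one regulator, each with the IDs it supports."""
    pack = {}
    for c in controls:
        if regulator in c.regulators:
            for artifact in c.evidence:
                pack.setdefault(artifact, set()).update(c.iso_clauses | c.nist_subcategories)
    return {artifact: sorted(ids) for artifact, ids in sorted(pack.items())}


# Illustrative subset of what a real program would load in full.
REQUIRED_ISO = {"8.2.2", "8.3", "8.4.3", "8.4.4", "8.5"}
REQUIRED_NIST = {"RC.RP-01", "RC.RP-02", "RC.CO-03"}

# Constructed sample controls.
CONTROLS = [
    TaggedControl("BC-01", ["BIA-2025.xlsx"], {"8.2.2"}, {"RC.RP-01"}, {"HHS OCR", "FINRA"}),
    TaggedControl("BC-02", ["BCP-Claims-v4.pdf", "AAR-EX-2025-03.pdf"],
                  {"8.4.4", "8.5"}, {"RC.RP-01", "RC.RP-02"}, {"HHS OCR"}),
    TaggedControl("BC-03", ["Crisis-comms-plan.pdf"], {"8.4.3"}, {"RC.CO-03"}, set()),  # regulator tag missing
    TaggedControl("BC-04", [], {"8.3"}, set(), {"FINRA"}),                               # strategy drafted, no evidence yet
]

if __name__ == "__main__":
    print("gaps:", coverage_gaps(CONTROLS, REQUIRED_ISO, REQUIRED_NIST))
    print("untagged:", untagged(CONTROLS))
    print("HHS OCR pack:", evidence_pack(CONTROLS, "HHS OCR"))
```

On the sample data the only ISO gap is Clause 8.3, because the strategy control exists but has no artifact behind it, and two controls are flagged as untagged; the regulator pack for HHS OCR reuses the same three artifacts that also serve the ISO and NIST columns, which is the effort saving the text describes.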
ISO 22301:2019/Amd 1:2024 — What the Climate Amendment Adds to the Standard
In February 2024, ISO published ISO 22301:2019/Amendment 1:2024, the climate action amendment applied across the ISO management system family.
Two clauses were touched. Clause 4.1 now requires the organization to determine whether climate change is a relevant issue for the BCMS.
Clause 4.2 gained a note that relevant interested parties can have requirements related to climate change; through Clause 6.1, which plans risk treatment from the Clause 4.1 issues, climate-related risks then have to be considered in BCMS planning.
The change looks small on paper. In audit practice, it is not. Since Q2 2024, ISO 22301 auditors have expected firms to demonstrate that the context analysis includes an explicit climate-risk consideration — even if the conclusion is “not material for this organization.”
Firms that gestured at climate without documenting the consideration are now receiving major nonconformities at their first post-amendment surveillance audit.
The practical response has three parts. Update the BCMS context statement to address climate change explicitly, using quantified exposure data where possible.
Add climate-related threats to the risk register alongside traditional disruption scenarios. Build climate scenarios into the exercise programme — coastal flooding, wildfire smoke, prolonged heat events — at least once per three-year cycle.
For US firms without an existing climate-risk methodology, CISA’s critical infrastructure resilience guidance provides a useful starting point for climate-scenario parameters and regional exposure data.
The ISMS.online ISO 22301 hub publishes worked examples of climate-inclusive context statements that auditors from the major certification bodies have accepted without challenge during routine surveillance audits.
AI, Third-Party Risk, and the Next Wave of ISO 22301:2019 Updates
The 2024 CrowdStrike incident made one point unavoidable: ISO 22301 programs that treat third-party failures as someone else’s risk fail in the first real disruption.
Our third-party risk management framework walks through how to integrate vendor resilience into the BCMS. The short version — every critical activity’s BIA must include the third-party dependencies, with an RTO that assumes the vendor is the single point of failure.
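The rule that the RTO must assume the vendor is the single point of failure can be made mechanical. The following added example (not code from the original article or from any vendor named here) models critical activities and their vendors as a dependency graph, computes the RTO each activity can actually achieve given contractual vendor RTOs, and flags breaches of the BIA target and vendors with no stated RTO at all. The serial recovery model (an activity's own restoration steps start only once every dependency is back), the graph and all contract figures are this example's assumptions.

```python
"""Dependency-aware RTO check: the achievable RTO is bounded by the slowest third party.

Added example. Recovery model is serial (own steps after all dependencies are back);
graph and contract figures are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    name: str
    own_hours: Optional[float] = None      # internal restoration steps once dependencies are available
    contract_rto: Optional[float] = None   # vendor's contractual RTO; the vendor is otherwise opaque
    target_rto: Optional[float] = None     # BIA target; set only for in-scope critical activities
    depends_on: list[str] = field(default_factory=list)


class UnknownRTO(Exception):
    """Raised when a dependency has neither a contractual RTO nor an internal estimate."""


def effective_rto(name: str, graph: dict[str, Node], path: tuple = ()) -> float:
    """Hours until `name` is usable again. Internal nodes: own_hours + slowest dependency.
    Vendor nodes: the contractual RTO, unless a modelled fourth party is slower still."""
    if name in path:
        raise ValueError("dependency cycle: " + " -> ".join(path + (name,)))
    node = graph[name]
    slowest_dep = max((effective_rto(d, graph, path + (name,)) for d in node.depends_on), default=0.0)
    if node.contract_rto is not None:
        return max(float(node.contract_rto), slowest_dep)
    if node.own_hours is None:
        raise UnknownRTO(f"{name}: no contractual RTO and no internal recovery estimate")
    return float(node.own_hours) + slowest_dep


def rto_review(graph: dict[str, Node]) -> dict[str, tuple[str, Optional[float]]]:
    """For every activity with a BIA target: (status, effective hours).
    An unknown vendor RTO is itself a finding, not something to leave blank in the BIA."""
    review = {}
    for node in graph.values():
        if node.target_rto is None:
            continue
        try:
            eff = effective_rto(node.name, graph)
        except UnknownRTO:
            review[node.name] = ("UNKNOWN", None)
            continue
        review[node.name] = ("OK" if eff <= node.target_rto else "BREACH", eff)
    return review


# Constructed sample graph: activities, their systems, vendors and one fourth party.
GRAPH = {n.name: n for n in [
    Node("Claims adjudication", own_hours=4, target_rto=24,
         depends_on=["Clearinghouse vendor", "Claims platform"]),
    Node("Claims platform", own_hours=6, depends_on=["Identity provider"]),
    Node("Clearinghouse vendor", contract_rto=48),
    Node("Identity provider", contract_rto=2),
    Node("Payroll", own_hours=8, target_rto=72, depends_on=["Payroll SaaS"]),
    Node("Payroll SaaS", contract_rto=24, depends_on=["Identity provider"]),
    Node("Customer portal", own_hours=3, target_rto=12, depends_on=["Endpoint security vendor"]),
    Node("Endpoint security vendor"),  # MSA states no RTO at all
]}

if __name__ == "__main__":
    for activity, (status, hours) in rto_review(GRAPH).items():
        target = GRAPH[activity].target_rto
        print(f"{activity}: {status} (effective {hours}h, target {target}h)")
```

On the sample graph, claims adjudication carries a 24-hour target but cannot be back before the clearinghouse's 48-hour commitment plus its own restoration work, so it is a breach; payroll clears its target even through a fourth-party identity dependency; and the customer portal cannot be assessed at all because the endpoint vendor's contract states no RTO, which is the gap to fix contractually before the next BIA cycle.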
AI is the next frontier. Generative AI tools are now embedded in customer-facing operations at most US firms, and their failure modes look nothing like the IT outages ISO 22301 exercises were designed around.
Firms running an AI risk assessment need to extend it into the BCMS explicitly — model-outage scenarios, data-poisoning scenarios, and vendor-model-withdrawal scenarios all belong in the 2026 exercise programme.

Figure 4: Worldwide ISO 22301 certificates have roughly tripled since 2019.
ISO itself is moving. The ISO 22301 standard page confirms the 2019 edition entered systematic review in March 2025, with the review decision due by December 2025.
Practitioners should expect the next edition to consolidate the climate amendment, add AI governance language, and tighten third-party dependency requirements. Firms on the current edition should plan for a transition window, not a surprise rewrite.
ISO 22301:2019 FAQs: Expert Answers to Critical Questions
These are the questions US resilience, risk, and compliance professionals ask most often when scoping an ISO 22301 program, preparing for certification, or explaining the BCMS to an audit committee.
Short, direct answers with the regulatory anchor on each response — no marketing padding and no vendor positioning pretending to be practitioner advice.
What is ISO 22301:2019?
ISO 22301 is the international standard for business continuity management systems, published by the International Organization for Standardization.
It specifies requirements for establishing, implementing, maintaining, and continually improving a BCMS that protects against, reduces the likelihood of, and ensures recovery from disruptive incidents. The 2019 edition is current, updated by Amendment 1:2024 for climate action changes.
Is ISO 22301:2019 certification mandatory?
ISO 22301 certification is voluntary for most US organizations but is effectively required in certain procurement contexts — federal contracting, financial services RFPs, and large-enterprise supply chains.
In Europe, DORA-regulated financial institutions commonly use ISO 22301 as the evidence framework. Most US firms certify because buyers ask, not because a regulator demands it, but the procurement benefit is substantial in 2026.
How long does ISO 22301:2019 certification take?
A typical ISO 22301 implementation runs 9–15 months from project kickoff to Stage 2 certification audit. Organizations with existing business continuity management programs compress this to 6–9 months.
Organizations starting from scratch with no BIA and no tested plans almost always run to 12–18 months. The BIA is the rate-limiting step, not the audit.
What is the difference between ISO 22301 and ISO 27001?
ISO 22301 covers business continuity. ISO 27001 (see our template) covers information security management. The two standards share the same high-level management system structure and overlap on incident response, backup, and supplier management.
Most mature US firms certify to both and operate them as a single integrated management system with shared Clause 4 context and Clause 5 leadership evidence.
How does ISO 22301:2019 relate to disaster recovery?
Disaster recovery addresses the technology layer — backup, replication, failover. ISO 22301 addresses the business layer — who does what, in what order, to keep critical activities running. Our disaster recovery plan guide covers the DR side.
A mature program needs both, and ISO 22301’s Clause 8.3 expects the continuity strategy to reference the supporting DR capability explicitly.
How often must the ISO 22301:2019 BCMS be exercised?
ISO 22301 Clause 8.5 requires exercising at planned intervals, but does not specify frequency. Audit practice has converged on at least one full functional exercise per year, supplemented by tabletop exercises against different scenarios.
US firms in regulated industries — healthcare, financial services, energy — typically run two to four exercises annually, with at least one including a third-party dependency scenario.
Does ISO 22301:2019 satisfy operational resilience requirements?
It is a strong foundation but not sufficient alone. Operational resilience as US regulators use the term extends beyond the BCMS to include third-party oversight, IT resilience, and stress testing. See our operational resilience vs. business continuity comparison for the gap analysis. ISO 22301 covers roughly 70% of a US operational resilience expectation.
What does a good ISO 22301:2019 policy look like?
A good ISO 22301 policy states the organization’s commitment to continuity, defines the BCMS scope, names the owner, sets business continuity objectives (Clause 6.2) that the Clause 9 performance evaluation can measure against, and references the risk appetite.
Our risk assessment policy guide gives the structural scaffolding that works for BCMS policies too — same governance spine, different content focus.
Where ISO 22301 Programs Stall — And How to Unstick Them
Every ISO 22301 program has stalled at least once. The difference between firms that recover and firms that quietly let certification lapse is pattern recognition — knowing which failure mode you are watching and what fix works.
The BCI guide to understanding ISO 22301 documents the common failures; the remedies below come from practitioner experience.
| Pitfall | Root cause | Remedy |
|---|---|---|
| BIA treated as a checklist | Template copied without business interviews | Run interviews with every critical activity owner; document RTOs against revenue and safety evidence, not guesses |
| BCPs exist but are never exercised | No exercise calendar owned by a named principal | Assign annual exercise ownership to the BCM function; budget 40 hours per exercise for preparation and after-action |
| Climate amendment ignored | Program built before February 2024 | Update Clause 4 context and Clause 6 risk register with explicit climate scenarios; run one climate exercise per cycle |
| Third-party dependencies missing from BIA | BIA scoped internally only | Add vendor columns to every critical activity’s BIA entry; require vendors to provide tested RTOs contractually |
| Certification lapses at year three | No recertification budget line | Treat recertification as a program budget item from year one, not an audit-year surprise |
| Single point-of-failure resilience lead | Knowledge concentrated in one person | Cross-train a deputy; document every process in the BCMS management review evidence pack |
| Audit evidence scattered across drives | No document management system for BCMS artifacts | Adopt a GRC platform or shared evidence repository with version control before Stage 1 audit |
The Next Wave: ISO 22301 Trends Every US Practitioner Should Track
Three trends will reshape ISO 22301 programs between 2026 and 2028. The first is the transition from annual to continuous assessment. The regulatory cadence — 30-day breach notifications, event-driven Reg BI re-evaluations, real-time SAR escalations — outruns an annual BCMS refresh.
Leading firms now update inherent risk monthly and run quarterly BIA deltas, with the formal annual refresh as the confirmation step rather than the discovery step.
The second trend is AI-assisted BIA. Generative AI now produces a first-pass BIA in hours using process documentation, application inventories, and HRIS feeds — a task that took eight to twelve weeks in the 2022 playbook.
The NIST SP 800-34 IT contingency planning guide still anchors the methodology, but the authoring tool has changed. Practitioners edit rather than draft. Deployment timelines compress materially as a result.
The third trend is the next ISO 22301 revision. The ISO Survey of Certifications documents the standard’s global growth since 2019; the next edition — expected to emerge from the current systematic review — will likely consolidate the climate amendment, add AI governance requirements, and tighten third-party dependency expectations. Firms on the current edition should plan a 12-month transition window, not a surprise rewrite.
For firms benchmarking across adjacent domains — data protection, financial services, healthcare, critical infrastructure — the risk assessment templates library on riskpublishing.com is a practical starting point.
Cross-domain benchmarking surfaces the 15% of local practice that is actually differentiated versus the 85% that is shared across every modern management system standard.
Need help designing, implementing, certifying, or auditing an ISO 22301 BCMS for your US organization? Explore our risk advisory services or get in touch for a scoped engagement.
We size the work to your firm’s complexity, regulatory profile, and existing resilience architecture — not to a generic implementation checklist designed for a different industry.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.