What is ISO 22301?
ISO 22301 specifies requirements for a Business Continuity Management System (BCMS) — the discipline of preparing for, responding to and recovering from disruptive incidents so that an organisation can continue delivering its products and services.
The current edition is ISO 22301:2019. It centres on the Business Impact Analysis (BIA) and risk assessment, from which organisations derive continuity strategies, plans and tested recovery capabilities.
In the UK it is widely adopted by financial services (supporting operational resilience expectations from the FCA and PRA), data centres, and any organisation where downtime carries serious commercial or regulatory consequences.
How to get ISO 22301 certified
- Carry out a Business Impact Analysis and risk assessment to identify priority activities and recovery objectives.
- Develop continuity strategies and documented response and recovery plans.
- Implement the BCMS and embed it across the organisation.
- Exercise and test the plans, and keep evidence of the results.
- Run internal audits and management review.
- Certify with a UKAS-accredited body and maintain the certificate through surveillance and three-yearly re-certification.
Choosing a certification body
For a certificate to carry weight, choose a body accredited by UKAS, the UK's national accreditation body. Accredited certification is recognised by customers and procurement teams; unaccredited certificates often are not. Get quotes from at least three bodies, as fees vary.
How much does ISO 22301 certification cost?
There is no single price — total cost depends on your organisation's size, how much you already have in place, the number of sites, and whether you use a consultant. Broadly, the cost splits into three parts: implementation (building the system), the certification audit (paid to the certification body), and ongoing costs (annual surveillance and a three-yearly re-certification).
- Testing and exercising the plans is a distinctive recurring cost, and auditors expect to see it evidenced.
- Audit length scales with the number of critical activities and sites in scope.
- ISO 22301 is often pursued alongside ISO 27001 because the two share risk-assessment and resilience themes.