Regulatory compliance
Sooner or later something fails: a cyberattack, a fire, an outage that stops your activity. ISO 22301 is the standard that prepares your organization to hold up and recover without sinking. We implement the business continuity management system and prepare you for certification.
Certified ISO 22301 auditors (CISA, CISSP, CISM), with experience in continuity and resilience.
What it is
ISO 22301 is the international business continuity standard. It is not about preventing bad things from happening, because some will, but about being prepared: knowing which processes are critical, how long you can hold out without them and how to recover them quickly. It follows the same structure as ISO 27001, so it integrates without duplication.
Like ISO 27001, it is certified with an accredited body through an audit. The certificate proves to clients and partners that your organization is prepared to withstand a disruption.
Large clients, public administrations and regulated sectors are starting to require continuity plans from their providers. Having it certified is an advantage in tenders and contracts.
If you are in the financial sector or serve it, ISO 22301 fits what DORA requires on operational resilience, so it gets much of the work done ahead of time.
The heart of it
The core of ISO 22301 is the business impact analysis, the BIA. Before making any plan you have to understand which processes sustain your activity, what happens if they stop and how long you can hold out. Everything else comes from there.
Which are the processes without which your activity stops, and what they depend on to function.
How long each process can be down before the damage becomes serious. This is the RTO, the recovery time objective.
How much data you can afford to lose in an outage without it being a serious problem. This is the RPO, the recovery point objective.
Which people, systems and providers are needed to sustain each critical process.
With those answers clear, the recovery strategies and plans stop being guesswork and become based on what truly matters to your business.
Who it serves
ISO 22301 serves any organization that cannot afford to be down, and that is asked to prove it has thought about it. Industry and agri-food feel this most directly: a stopped line or a broken cold chain costs money by the hour.
And, in general, any company that depends on its systems to operate: a prolonged technology outage, today, can completely stop an organization that has not prepared.
Service
Business impact analysis (BIA): we identify your critical processes, their dependencies and how long you can hold out without them.
Continuity risk assessment: which threats can interrupt your activity and with what probability and impact.
Recovery strategies: how to keep operating or get back to it within the timeframe your business needs.
Continuity and recovery plans that are clear and actionable, so each team knows what to do when the moment comes.
Tests and exercises: a plan that has not been tested is no use, so we put it to the test with drills and exercises.
Support through certification: we prepare you for the audit and the closure of findings up to the certificate.
Method
We carry out the BIA and the risk assessment: what is critical, what threatens it and how long you can hold out.
We define how to recover each process and write the actionable continuity plans.
We put the plans to the test with exercises and drills, and fix whatever does not work.
We support you through the audit and the closure of findings until you obtain the certificate.
Synergies
ISO 22301 and ISO 27001 share their structure and complement each other: information security includes keeping systems available, and that is continuity. In fact, ISO 27001 already calls for continuity plans, so ISO 22301 develops them in depth. If we work on both, the management system is a single one and you do not duplicate effort.
And there is a direct bridge to DORA: the financial regulation requires testing operational resilience, and ISO 22301 is exactly the framework that organizes it. In addition, disruptions usually start with a security incident, so continuity and the monitoring of a SOC like Sondriva cover the same chain, from the moment something fails until you are operating again.
Questions
It is the international business continuity standard. It sets out how to prepare an organization to withstand disruptions, whether a cyberattack, a fire, a systems outage or any unexpected event that stops activity, and to recover within a reasonable timeframe. It does not prevent things from happening, but it prepares you so that, when they do, your business does not sink. It is certifiable, like ISO 27001.
The BIA, business impact analysis, is the heart of ISO 22301. It involves identifying which processes sustain your activity, what happens if they stop, how long you can hold out without them and what resources they need to function. It is the foundation of everything: without a solid BIA, continuity plans are built blind. That is why it is the first thing we work on with you.
They are two key measures that come out of the BIA. The RTO is the recovery time objective: how long a process can be down before the damage becomes serious. The RPO is the recovery point objective: how much data you can afford to lose in an outage. Defining them for each critical process is what makes it possible to design realistic recovery strategies rather than generic ones.
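The BIA questions above (critical processes, their dependencies, RTO and RPO) translate naturally into a small consistency check, which is where a BIA usually pays off first: targets set process by process tend to contradict each other once dependencies are drawn in. The following is an added example written for this page, not a tool of the service described here; the process catalog, the hour values and the field names (restore_hours, backup_interval_hours) are constructed to illustrate the checks and are not taken from any real BIA.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Process:
    """One row of a business impact analysis (constructed field set for this example)."""
    name: str
    rto_hours: float                    # target: maximum tolerable downtime
    rpo_hours: float                    # target: maximum tolerable data loss, expressed in hours
    restore_hours: float                # what the current recovery strategy actually achieves
    backup_interval_hours: Optional[float] = None   # None: the process holds no data of its own
    depends_on: List[str] = field(default_factory=list)

Finding = Tuple[str, str, str]   # (process, check, explanation)

def achievable_recovery(name: str, catalog: Dict[str, Process], _path=()) -> float:
    """Hours until `name` is usable again: its own restore time or, if slower, the slowest
    dependency, recursively. A dependency cycle means the BIA itself is inconsistent."""
    if name in _path:
        raise ValueError("dependency cycle: " + " -> ".join(_path + (name,)))
    proc = catalog[name]
    deps = [achievable_recovery(d, catalog, _path + (name,)) for d in proc.depends_on]
    return max([proc.restore_hours] + deps)

def check_bia(catalog: Dict[str, Process]) -> List[Finding]:
    """Flag the three classic BIA inconsistencies: a dependency allowed to stay down longer
    than the process that needs it, a recovery strategy that cannot meet the RTO once
    dependencies are counted, and a backup schedule that cannot meet the RPO."""
    findings: List[Finding] = []
    for proc in catalog.values():
        for dep_name in proc.depends_on:
            if dep_name not in catalog:
                findings.append((proc.name, "missing_dependency",
                                 f"depends on unknown process '{dep_name}'"))
            elif catalog[dep_name].rto_hours > proc.rto_hours:
                findings.append((proc.name, "rto_dependency",
                                 f"depends on '{dep_name}' whose RTO ({catalog[dep_name].rto_hours}h) "
                                 f"exceeds its own ({proc.rto_hours}h)"))
        try:
            achievable = achievable_recovery(proc.name, catalog)
            if achievable > proc.rto_hours:
                findings.append((proc.name, "rto_achievable",
                                 f"recovery takes {achievable}h including dependencies, RTO is {proc.rto_hours}h"))
        except KeyError:
            pass                      # already reported as missing_dependency
        except ValueError as err:
            findings.append((proc.name, "cycle", str(err)))
        if proc.backup_interval_hours is not None and proc.backup_interval_hours > proc.rpo_hours:
            findings.append((proc.name, "rpo",
                             f"backups every {proc.backup_interval_hours}h cannot meet an RPO of {proc.rpo_hours}h"))
    return findings

def recovery_order(catalog: Dict[str, Process]) -> List[str]:
    """Order in which to bring processes back: dependencies first, then the lowest RTO."""
    done, order, pending = set(), [], set(catalog)
    while pending:
        ready = [n for n in pending
                 if all(d in done for d in catalog[n].depends_on if d in catalog)]
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(pending)))
        nxt = min(ready, key=lambda n: (catalog[n].rto_hours, n))
        order.append(nxt); done.add(nxt); pending.remove(nxt)
    return order

# Constructed sample catalog: an order-intake process sitting on an ERP, which sits on a database.
SAMPLE: Dict[str, Process] = {
    "order_intake": Process("order_intake", rto_hours=4, rpo_hours=1, restore_hours=2,
                            backup_interval_hours=0.5, depends_on=["erp", "network"]),
    "erp":          Process("erp", rto_hours=8, rpo_hours=2, restore_hours=6,
                            backup_interval_hours=4, depends_on=["database"]),
    "database":     Process("database", rto_hours=4, rpo_hours=1, restore_hours=3,
                            backup_interval_hours=1),
    "network":      Process("network", rto_hours=2, rpo_hours=0, restore_hours=1),
}

# Constructed catalog with a circular dependency, to show the cycle finding.
CYCLIC_SAMPLE: Dict[str, Process] = {
    "a": Process("a", rto_hours=1, rpo_hours=1, restore_hours=1, depends_on=["b"]),
    "b": Process("b", rto_hours=1, rpo_hours=1, restore_hours=1, depends_on=["a"]),
}

if __name__ == "__main__":
    for process, check, explanation in check_bia(SAMPLE):
        print(f"{process:14} {check:18} {explanation}")
    print("recovery order:", " -> ".join(recovery_order(SAMPLE)))
```

On the sample, order_intake has a 4-hour RTO but depends on an ERP allowed 8 hours and actually needing 6, so the target is unreachable until the ERP strategy changes; the ERP's 4-hourly backups cannot meet its 2-hour RPO; and the recovery order puts network and database before the ERP and the order-intake process regardless of how urgent the latter looks on its own. Those are precisely the findings a BIA is meant to surface before any plan is written.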
A lot. ISO 22301 shares its structure with ISO 27001, so if you already have a security management system much of the framework is in place: governance, roles, risk assessment and continual improvement are reused. In addition, ISO 27001 already calls for continuity plans, so ISO 22301 develops them in depth without starting from scratch.
Yes, and very directly. DORA requires financial entities and their providers to demonstrate operational resilience, with tested continuity plans. ISO 22301 is exactly the framework that organizes that resilience, so implementing it gets you well ahead of much of what DORA requires. If your case is financial, working on both at the same time makes a lot of sense.
Not much, and that is why ISO 22301 insists on testing it. A continuity plan that is written and filed away in a drawer is no use when the crisis hits: people do not know what to do and the plan has gaps that nobody has spotted. That is why we put it to the test with exercises and drills, so that when it is really needed, it works.
Across all of Spain. Much of the work on continuity is analysis and documentation, so we work with you wherever you are, although the exercises and drills may require on-site sessions. We are in Tudela, in an area of strong industry and agri-food, sectors where a stoppage is costly, so we know their continuity needs well.
Shall we talk?
Tell us what would happen if your activity stopped tomorrow. In a first conversation we tell you where to start so your organization is prepared.
Get in touch