CONSUVATION GmbH guides you in building an effective business continuity management system according to ISO 22301:2019 – from the Business Impact Analysis through to successful certification. With more than 25 years of consulting experience, our own correlation matrix, and 100% senior consultants. For the DACH region and international clients.
Quick Check
Find out in 30 seconds where your company stands on business continuity management according to ISO 22301 – free & without registration.
At a Glance
ISO 22301 is the world's leading standard for business continuity management (BCM). It defines how organisations prepare for, withstand and recover from disruptions – in order to maintain critical business processes.
The current version ISO 22301:2019 is a genuine certification standard (Type A). Core elements are the Business Impact Analysis (BIA), a risk assessment, continuity strategies, and documented, tested contingency plans (BCP).
Since the 2024 climate change amendment, organisations must also consider the impact of climate change on their business continuity – relevant, for example, to supply chains and site risks.
Our consultants combine BCM expertise with practical experience from ISO 27001, risk management and critical infrastructure projects. This cross-cutting perspective makes us an experienced partner for integrating ISO 22301 into your existing management systems in the DACH region.
ISO 22301:2019 – Standard Structure
ISO 22301 requires a documented management system with clearly defined core elements – from analysing critical processes to regularly exercising contingency plans.
Element 1
Identification of critical business processes and evaluation of the impact of a disruption over time. Provides the basis for recovery time objectives (RTO) and maximum tolerable periods of disruption (MTPD).
Basis for RTO/MTPDElement 2
Systematic identification and evaluation of threats to business continuity – from cyberattacks to natural events and supply chain failures.
Risk-Based ApproachElement 3
Selecting suitable strategies for pre-disruption, active disruption and recovery – aligned with the timeframes established in the BIA and contractual obligations.
Before, During, After DisruptionElement 4
Documented business continuity plans (BCP) with clear roles and escalation pathways. Regular exercises and tests ensure that plans actually work when needed.
BCP & Exercise ProgrammeElement 5
Documented end-to-end processes for identifying, evaluating, planning and monitoring business continuity risks – visualised as a flowchart and directly applicable in day-to-day operations.
Documented & VisualisedOur Tool
Rather than just a collection of policies, we deliver a documented and visualised process model including ready-made policies, BIA templates and exercise guides that translates the requirements of ISO 22301 into a repeatable, auditable workflow – from identifying critical processes through to effectiveness verification.
Our Approach
Structured, predictable and without surprises – our proven approach follows the ISO 22301 BCM process and results in a system that genuinely works when it matters.
01
Free initial consultation, defining the scope, identifying critical business processes and stakeholders, creating a project plan.
02
Identifying critical processes, evaluating the impact of disruptions, establishing recovery time objectives (RTO) and maximum tolerable periods of disruption.
03
Identifying and evaluating threats to business continuity, deriving protection requirements, creating a risk register.
04
Selecting suitable strategies for pre-disruption, active disruption and recovery, clarifying resource requirements.
05
Documenting business continuity plans, defining roles and escalation pathways, conducting exercises and tests.
06
Conducting an internal audit and management review, supporting the certification audit (Stage 1 & 2), establishing continual improvement.
ISO 22301 & Other Standards
ISO 22301 integrates seamlessly with existing management systems – the shared High-Level Structure across ISO standards makes this possible. CONSUVATION connects business continuity with your established standards.
Information security incidents are one of the most common causes of business disruption. ISO 27001 provides the technical and organisational measures, while ISO 22301 ensures operations continue even in a worst-case scenario.
The risk assessment within the BCMS follows the methodology of ISO 31000. Companies already applying ISO 31000 can use their established risk methodology directly for business continuity risks.
Article 21 of NIS2 explicitly requires affected companies to implement business continuity measures – including backup management, disaster recovery and crisis management. An ISO-22301-compliant BCMS provides the structured, audit-ready implementation rather than isolated point measures. Together with the KRITIS-Dachgesetz (CER Directive), it covers key resilience obligations.
The EU's DORA regulation requires financial institutions to maintain robust incident response and business continuity management. ISO 22301 covers essential parts of these requirements and simplifies demonstrating DORA compliance.
TISAX ISA requires automotive suppliers to provide evidence of availability and recovery for production and information environments. An established BCMS per ISO 22301 directly delivers usable evidence for the TISAX assessment.
CADIS (Cybersecurity Assessment for Defence Industry Suppliers) also assesses contingency and continuity capability for defence suppliers in its modules. ISO 22301 provides the structured foundation to meet these requirements verifiably.
IEC 27031 focuses on IT recovery after disruptions. ISO 22301 embeds these technical recovery plans within an overarching, organisation-wide continuity management framework.
Both standards follow the same High-Level Structure and PDCA cycle. Organisations with an established QMS can incorporate BCM requirements into their integrated management system with significantly less effort.
Core Elements
ISO 22301 demands more than a contingency manual sitting in a drawer – it's about lived resilience, clear responsibilities and regularly tested plans.
Identifying critical products and services, defining the scope of the BCMS, involving the expectations of relevant stakeholders.
Senior leadership actively takes responsibility for business continuity, provides resources, and assigns clear roles for crisis situations.
Systematically capturing critical processes and their dependencies, evaluating the impact of disruptions, prioritising risks.
Creating documented response and recovery plans for critical processes, clearly defining responsibilities and escalation pathways.
Regularly exercising contingency plans in realistic scenarios, identifying weaknesses, feeding findings back into the plans.
Regularly evaluating BCMS effectiveness through internal audits and management review, systematically tracking incidents, incorporating lessons learned.
Implementation Checklist
Services
From the Business Impact Analysis to successful certification – everything from a single source, with senior consultants and our own correlation matrix.
01
Systematic comparison of current state vs. target state against the requirements of ISO 22301:2019: what exists, what's missing, what needs to be prioritised – clearly documented with a measures plan.
02
Identifying critical business processes, evaluating the impact of disruptions, establishing recovery time objectives (RTO) and maximum tolerable periods of disruption.
03
Complete build-up according to ISO 22301: governance, roles, risk assessment, continuity strategies, contingency plans and documentation.
04
Linking the BCMS with ISO 27001, ISO 31000, ISO 9001, TISAX and CADIS – a consistent resilience framework instead of isolated point solutions. We also use the BCMS to structurally demonstrate NIS2 resilience requirements (Article 21).
05
Developing concrete strategies for pre-disruption, active disruption and recovery, creating documented business continuity plans (BCP).
06
Planning and conducting realistic exercise scenarios, verifying the effectiveness of contingency plans, deriving improvement measures from test results.
07
Support from documentation through to the certification audit (Stage 1 & 2): system analysis, internal audit, management review – prepared to withstand audit scrutiny.
08
Ongoing support for BCM operations: regular exercises, updating the BIA and risk registers, support for recertification after three years.
Frequently Asked Questions
Our ISO 22301 Solutions
Project plan, BIA templates, training portal, exercise programme and an external business continuity officer – all from a single source. Scalable for small, medium and large enterprises.
The 6 Building Blocks of Our Complete ISO 22301 Solution
Business Continuity Management System
Foundation & Steering
BIA & Risk Register
Critical Processes Captured
BCM Process Model
Policies & Working Materials
Training Portal
DE & EN, with test
Exercise Programme
Tests & Effectiveness Checks
External BC Officer
Remote + optional on-site
Entry-level solution for small companies. Includes all essential building blocks for a first functioning business continuity management system – pragmatic, fast and cost-efficient.
Complete ISO 22301 solution for mid-sized companies – including exercise programme, training portal and an external business continuity officer on demand.
Maximum solution for complex organisations – with an individual project structure plan, on-site support, certification preparation, and integration with ISO 27001, ISO 31000 or NIS2/critical infrastructure regulations.
All packages include an individual project plan tailored to your company. Remote guidance included – on-site appointments available on request. Schedule a Consultation Now →
Our Expertise
CONSUVATION exclusively employs senior consultants. With more than 25 years of consulting experience in information security, risk management and crisis management, we are among the most experienced business continuity consultancies in the DACH region.
Our consultants bring BCM experience from numerous ISO 27001, ISO 31000 and critical infrastructure projects. They combine this practice-proven knowledge with the requirements of ISO 22301:2019 to develop a BCMS that genuinely works when it matters.
As active members of ISO working groups, we bring insider knowledge that flows directly into your business continuity implementation.
Our Tool: ISO 22301 Correlation Matrix
CONSUVATION has developed its own correlation matrix for business continuity requirements, mapping all relevant standards – ISO 22301, ISO 27001, ISO 31000, ISO 9001 and NIS2/critical infrastructure regulations. This allows us to spot synergies immediately and produce a complete gap analysis in the shortest possible time – without duplicate work, with maximum standard coverage.
Experienced business continuity management consultants – from the Business Impact Analysis to successful certification
The most renowned ISACA certifications – from IT audit to IT governance to business continuity management
Integrated resilience framework for all related standards – in one project, without duplicate work
Business continuity experience from information security, risk management and crisis management projects
Get Started Now
Get advice from an experienced CONSUVATION consultant – free, non-binding and without empty phrases.