ISO 22301 Business Continuity Management Systems
| Regulator | Jurisdiction | Status | Applicability |
|---|---|---|---|
| ISO | Global | live | Platform |
ISO 22301:2019 specifies requirements for a Business Continuity Management System (BCMS): a
documented management system that the organisation plans, implements, operates, monitors, reviews,
maintains and continually improves in order to protect against, reduce the likelihood of, prepare
for, respond to and recover from disruptive incidents. It is a certifiable standard; the bank
targets ISO 22301 certification as its BCMS framework.
ISO 22301 compliance is voluntary but referenced as the expected standard by APRA CPS 230
(Operational Risk Management, effective 1 July 2025) and RBNZ DTA operational resilience
standards. Meeting ISO 22301 provides a structured evidence base for regulatory examination.
Key clauses include: 6.2, business continuity objectives and the plans to achieve them; 8.2,
business impact analysis (BIA) and risk assessment, which sets each prioritised activity's recovery
time objective (RTO), recovery point objective (RPO) and maximum tolerable period of disruption
(MTPoD); 8.3, business continuity strategies and solutions selected to meet those targets; 8.4,
business continuity plans and procedures (BCP), including the response structure (8.4.2); 8.5, the
exercise programme (the standard requires exercises at planned intervals; the bank's minimum is
annual); 9.1, monitoring, measurement, analysis and evaluation; 10.2, continual improvement. The
standard also requires top management to assign and communicate BCMS roles, responsibilities and
authorities (5.3); here that is met by a designated BCM management role and a documented crisis
management team structure.
Compliance register
This register maps every material obligation under ISO 22301 to the platform control or
institutional process that satisfies it. It is the static traceability layer for the Totara
compliance report — dynamic data (module build status, test evidence, control test dates) is
overlaid at runtime.
Scope legend
| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically; the human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform (BCM programme management, crisis management team, annual exercises). The platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |
Build legend
| Symbol | Meaning |
|---|---|
| ✅ | Module built and deployed |
| 🔨 | Module planned, not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap: no module attributed |
Clause 6 — Planning
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| Cl. 6.2 — BC objectives | Define and document measurable business continuity objectives (RTO, RPO, MTPoD) for each critical function | 🏛 Institutional | OPS-001 | BCM programme team defines RTO/RPO targets; MOD-076 (ALERT): observability platform monitors uptime against RTO thresholds; platform evidence input only | — |
Clause 8 — Operation
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| Cl. 8.2 — BIA | Conduct and maintain a Business Impact Analysis (BIA) covering criticality, dependencies, and recovery priorities for all business activities | 🏛 Institutional | OPS-001 | BCM programme team owns the BIA; MOD-076 (ALERT): observability data provides the empirical basis for recovery time analysis | — |
| Cl. 8.3 — RTO/RPO | Implement solutions (redundancy, failover, backup) that meet the RTO and RPO targets defined in the BIA | 🤖 Automated | OPS-001 | MOD-103 and MOD-104: multi-AZ AWS infrastructure provides the physical resilience layer; MOD-143 (AUTO): OBR resolution-state controls applied atomically on activation | 🔨 |
| Cl. 8.4 — BCP | Document, maintain, and communicate business continuity plans covering response procedures, escalation, and recovery steps for each critical function | 🏛 Institutional | OPS-001 | BCP documents are an institutional programme deliverable; MOD-076 provides the operational monitoring that activates BCP triggers | — |
| Cl. 8.5 — Exercises | Conduct business continuity exercises at least annually; test BCPs under realistic conditions; document outcomes and improvement actions | 🏛 Institutional | OPS-001 | Annual BC exercises are an institutional programme function; MOD-076 (ALERT): observability infrastructure provides monitoring during exercises; exercise results are not platform-generated | — |
| Cl. 8.5 — Failover monitoring | Monitor platform availability continuously against RTO/RPO; alert on degradation before threshold breach | 🤖 Automated | OPS-001 | MOD-076 (ALERT): platform-level system events, errors, and performance anomalies captured; alerting rules detect degradation and surface notifications to the on-call team before breach | 🔨 |
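How an alerting rule of the kind the Cl. 8.5 failover-monitoring row describes can score a live disruption against the BIA's RTO and RPO targets and page on-call before the budget is exhausted, rather than after. This is an added example and not MOD-076's code: the dataclasses, the function names, the 50%/80% warning thresholds and the sample incident are all constructed for illustration.

```python
"""Early-warning evaluation of RTO/RPO consumption (added example, not MOD-076).

Thresholds, names and the sample incident below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

SEVERITY = ["ok", "warn", "crit", "breach"]   # ascending order
WARN_AT = 0.5   # constructed: page when 50% of the budget is consumed
CRIT_AT = 0.8   # constructed: escalate at 80%


@dataclass(frozen=True)
class ContinuityTarget:
    """Recovery objectives for one critical function, as set in the BIA (Cl. 8.2)."""
    function: str
    rto: timedelta   # maximum tolerable time to restore the function
    rpo: timedelta   # maximum tolerable age of the last consistent recovery point


@dataclass(frozen=True)
class Assessment:
    function: str
    rto_level: str          # one of SEVERITY
    rpo_level: str          # one of SEVERITY
    rto_consumed: float     # fraction of the RTO budget elapsed since the disruption began
    rpo_consumed: float     # fraction of the RPO budget represented by unreplicated data
    time_to_rto_breach: timedelta


def _level(consumed: float) -> str:
    if consumed >= 1.0:
        return "breach"
    if consumed >= CRIT_AT:
        return "crit"
    if consumed >= WARN_AT:
        return "warn"
    return "ok"


def assess(target: ContinuityTarget,
           disruption_started: Optional[datetime],
           last_recovery_point: datetime,
           now: datetime) -> Assessment:
    """Score one function against its RTO and RPO.

    The RTO clock starts when the disruption is declared. RPO is measured against
    the data a failover would lose: once a disruption has begun that is frozen at
    the replication gap at onset; while the function is healthy it is the current
    replication lag, so growing lag is the early warning that a disruption *now*
    would breach RPO.
    """
    if disruption_started is None:
        rto_consumed = 0.0
        time_left = target.rto
        data_gap = now - last_recovery_point
    else:
        elapsed = now - disruption_started
        rto_consumed = elapsed / target.rto
        time_left = max(timedelta(0), target.rto - elapsed)
        data_gap = max(timedelta(0), disruption_started - last_recovery_point)
    rpo_consumed = data_gap / target.rpo
    return Assessment(target.function, _level(rto_consumed), _level(rpo_consumed),
                      rto_consumed, rpo_consumed, time_left)


def notifications(assessments: List[Assessment]) -> List[str]:
    """One on-call message per function that is not 'ok', worst first."""
    def worst(a: Assessment) -> int:
        return max(SEVERITY.index(a.rto_level), SEVERITY.index(a.rpo_level))

    msgs = []
    for a in sorted(assessments, key=worst, reverse=True):
        if worst(a) == 0:
            continue
        parts = []
        if a.rto_level != "ok":
            mins = int(a.time_to_rto_breach.total_seconds() // 60)
            parts.append(f"RTO {a.rto_level} ({a.rto_consumed:.0%} consumed, {mins} min to breach)")
        if a.rpo_level != "ok":
            parts.append(f"RPO {a.rpo_level} ({a.rpo_consumed:.0%} of tolerable data loss)")
        msgs.append(f"[{SEVERITY[worst(a)].upper()}] {a.function}: " + "; ".join(parts))
    return msgs


# Constructed sample: a disruption affecting two functions, observed at 10:00 UTC.
NOW = datetime(2026, 5, 22, 10, 0, tzinfo=timezone.utc)
TARGETS = [
    ContinuityTarget("payments", rto=timedelta(hours=4), rpo=timedelta(minutes=15)),
    ContinuityTarget("customer-portal", rto=timedelta(hours=8), rpo=timedelta(hours=1)),
    ContinuityTarget("internal-reporting", rto=timedelta(hours=24), rpo=timedelta(hours=24)),
]
OBSERVED = {   # function -> (disruption_started or None, last_recovery_point)
    "payments": (NOW - timedelta(hours=3), NOW - timedelta(hours=3, minutes=10)),
    "customer-portal": (NOW - timedelta(hours=1), NOW - timedelta(hours=2)),
    "internal-reporting": (None, NOW - timedelta(minutes=5)),
}


def run_sample() -> List[Assessment]:
    return [assess(t, *OBSERVED[t.function], NOW) for t in TARGETS]


if __name__ == "__main__":
    for line in notifications(run_sample()):
        print(line)
```

Two points a rule set like this has to get right to be useful as Cl. 8.5 evidence: the RTO budget is counted from the declared start of the disruption, so the declaration timestamp must itself be captured by the platform, and the RPO figure that matters during an incident is the replication gap at onset, not the ever-growing age of the last recovery point, otherwise every outage longer than the RPO is reported as an RPO breach regardless of how much data was actually at risk.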
Clause 9 — Evaluation
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| Cl. 9.1 — Performance evaluation | Monitor, measure, analyse, and evaluate BCMS performance; produce metrics for management review | 📊 Evidenced | OPS-001 | MOD-076 (LOG, ALERT): metrics collected from all services, alerting rules evaluated, logs aggregated with 90-day retention; provides the data foundation for BCMS performance reporting | 🔨 |
| Cl. 9.3 — Management review | Conduct periodic management review of the BCMS; review exercise outcomes, incidents, and improvement actions | 🏛 Institutional | OPS-001 | BCM manager leads management review; MOD-076 provides operational data inputs | — |
Clause 10 — Improvement
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| Cl. 10.2 — Continual improvement | Implement continual improvement of the BCMS based on exercise outcomes, incidents, and management review actions | 🏛 Institutional | OPS-001 | Improvement programme is owned by the BCM manager; MOD-076 provides the ongoing performance data | — |
Institutional obligations
| Obligation | Owner | Platform evidence input |
|---|---|---|
| BCM Manager designation and programme ownership | COO | Institutional HR and governance record |
| Crisis Management Team structure and activation procedures | COO / CEO | MOD-143 provides the OBR activation audit log; MOD-076 provides incident timeline data |
| Annual BIA review and update | COO / BCM Manager | MOD-076 uptime metrics inform BIA criticality ratings |
| Annual BC exercise planning, execution, and reporting | BCM Manager | MOD-076 provides monitoring data during exercises |
| ISO 22301 certification audit and surveillance audits | BCM Manager / CISO | Full BCMS documentation required; platform provides operational evidence |
| Third-party and outsourcer BCM requirements | COO / Procurement | Institutional contractual process |
Coverage summary
| Area | Total obligations | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 | N/A |
|---|---|---|---|---|---|
| Clause 6 — Planning | 1 | 0 | 0 | 1 | 0 |
| Clause 8 — Operation | 5 | 2 | 0 | 3 | 0 |
| Clause 9 — Evaluation | 2 | 0 | 1 | 1 | 0 |
| Clause 10 — Improvement | 1 | 0 | 0 | 1 | 0 |
| Total | 9 | 2 (22%) | 1 (11%) | 6 (67%) | 0 |
ISO 22301 is predominantly an institutional programme standard: the platform provides the
operational infrastructure (multi-AZ resilience, observability), while the BCMS governance, BIA,
BCP and exercise obligations sit with the COO and BCM programme team. All attributed modules
(MOD-076, MOD-103, MOD-104, MOD-143) are currently build_status: Not started. Until they are built,
the two obligations scored 🤖 Automated (Cl. 8.3 and Cl. 8.5 failover monitoring) and the one scored
📊 Evidenced (Cl. 9.1) describe a target state rather than an operating control, and none of them
yet produces evidence usable for certification or regulatory examination.
| Policy | Title |
|---|---|
| OPS-001 | Business Continuity Policy |
See D09 Operational Risk for the full risk domain.
Official documentation
Policies referencing this standard
- OPS-001 — Business Continuity Policy
Compiled 2026-05-22 from source/entities/regulations/industry-iso-22301.yaml