BIA, RTO/RPO and business continuity plan in 3 seconds.
ISO 22301 is the international business continuity standard. IgeraIndustria makes every requirement queryable: impact analysis (BIA), RTO and RPO definition per critical process, continuity plans (BCP), simulation exercises and audits. The business continuity manager gets the answer in seconds.
80% of companies have a BCP they have never tested
Business continuity is the discipline most often deferred until the incident actually happens. When the ERP fails, the warehouse floods or a cyberattack paralyses servers, companies without a tested BCP lose weeks of recovery time that could have been reduced to hours. ISO 22301 provides the framework to prevent this.
60%
of SMEs that suffer a serious incident close within the following 6 months due to lack of a business continuity plan.
£65,000
average cost of downtime per hour in mid-sized companies. Without a defined RTO, the financial impact is unpredictable.
80%
of companies have a written BCP that has never been tested. An untested BCP is worthless when the incident actually occurs.
45 min
average time to locate the current BCP during a crisis. IgeraIndustria finds it and makes it queryable in seconds.
The business continuity manager spends hours searching for exactly what clause 8.2.2 requires for the BIA, how to define the RTO for critical processes, or what the difference is between a tabletop exercise and a full-scale simulation. IgeraIndustria answers those questions in seconds, with an exact citation from ISO 22301, so the continuity team can focus on implementing plans that actually work.
Instant ISO 22301 queries by requirement
IgeraIndustria locates the exact requirement that applies to each question and responds with the methodology, mandatory documentation and the most common errors detected by ISO 22301 certification auditors.
Business Impact Analysis (BIA)
Complete BIA methodology per clause 8.2.2: identification of critical activities, impact criteria (financial, reputational, regulatory, operational), determination of MTPD, RTO and RPO per process. What management approves and how frequently it is reviewed.
RTO and RPO definition per critical process
How to determine the RTO and RPO of each process or system: the difference between what IT can deliver and what the business needs. Relationship between RTO, MTPD (Maximum Tolerable Period of Disruption) and the recovery strategies selected (clause 8.3).
Business Continuity Plans (BCP)
Minimum BCP structure per ISO 22301 clause 8.4.4: purpose and scope, activation conditions, recovery roles and responsibilities, communication procedures, recovery steps per scenario, and criteria for return to normal operations.
Exercises and simulations (clause 8.5)
Types of exercises: tabletop exercise, technical failover test, full-scale simulation. What each one documents, how to plan them, what role management plays, and how to manage the deviations detected to close the continuous improvement cycle.
Continuity risk assessment
ISO 22301 clause 8.2.3: identification of threats (cyberattacks, IT failures, natural disasters, loss of key suppliers, pandemics) and assessment of their likelihood and impact. Relationship between risk analysis and the continuity strategies selected.
Management review and continual improvement
Mandatory inputs to the management review (clause 9.3): exercise results, actual incidents activated, changes in the organisational context, BCMS performance. Outputs: decisions on resources and improvements. What minutes the auditor verifies.
Complete support for ISO 22301 audits
Whether for internal audits or visits from certification bodies, IgeraIndustria provides the support that the continuity team needs at every stage of the audit cycle.
Gap analysis vs ISO 22301:2019
Compares the current state of the BCMS against the requirements of each clause. Identifies which requirements are fully implemented, which are partial, and which are absent. Particularly useful for organisations migrating from ISO 22301:2012 or implementing a BCMS for the first time.
Mandatory documentation checklist by clause
For each clause of ISO 22301:2019, IgeraIndustria indicates what documented information is mandatory: continuity policy (5.3), BIA (8.2.2), strategies (8.3), BCP plans (8.4.4), exercise results (8.5) and internal audit records (9.2).
Mock audit with real auditor questions
IgeraIndustria poses the questions that ISO 22301 certification auditors typically ask: “How did you determine the MTPD for the invoicing process?”, “When was the BCP last activated?”, “What deviations were identified in the last simulation?”
Non-conformity closure support
Support for the NC response process: root cause analysis, corrective action definition, deadline and responsible party. The most common NCs in ISO 22301 audits are BCPs never activated, RTOs not verified through technical tests, and BIAs not reviewed within the past 12 months.
RTO/RPO verification with evidence
How to demonstrate that RTOs are achievable? IgeraIndustria explains what evidence auditors validate: failover test results, backup recovery logs, emergency plan activation times, and comparison against the RTO defined in the BIA.
Crisis communication management (clause 8.4.3)
Communication requirements during a disruption: alert and BCP activation protocol, internal communication to employees, external communication to clients and suppliers, notification to regulators where applicable. How to document the call tree and authorised spokespersons.
The 4 key clauses of ISO 22301:2019
These clauses concentrate the majority of non-conformities in ISO 22301 certification audits. IgeraIndustria explains them with the exact requirements, practical examples and the most common implementation errors.
8.2.2 — BIA (Business Impact Analysis)
The most critical clause in ISO 22301. The BIA must identify the organisation's critical activities, evaluate the impact of their disruption over time (financial, reputational, legal, operational) and determine the MTPD, RTO and RPO for each. The BIA must be approved by senior management and reviewed at minimum whenever critical processes or the business context change. A BIA without a management signature or with data more than 2 years old is an automatic NC in a certification audit.
8.3 — Continuity strategies and solutions
Building on the BIA, the organisation must define and implement strategies to ensure that critical processes can be recovered within the defined RTO. Typical strategies include: alternative sites, agreements with backup suppliers, structured remote working, IT service level agreements for recovery, and alternative supply contracts. Auditors verify that the strategies are proportionate to the impact identified in the BIA and that formal contracts or agreements back them up.
8.4 — Business Continuity Plans (BCP)
ISO 22301 clause 8.4 requires BCPs to include: purpose and scope, activation conditions, disruption response procedures, named roles and responsibilities, required resources, communications during the crisis, and criteria for return to normal operations. A common error is having a single generic BCP instead of scenario-specific plans (IT failure, fire, loss of key personnel, critical supplier failure). Auditors also verify that BCPs are accessible without relying on systems that may be down during the incident.
8.5 — BCP exercises and tests
Without testing, the BCP is theoretical. Clause 8.5 requires an exercise programme with defined objectives, different types of tests (from tabletop exercises to full-scale simulations with real activation), and documentation of results. Findings from each exercise must feed into an improvement plan with an owner and deadline. Insurers covering business interruption loss accept claims more readily when there is evidence of a BCP testing programme. This is the clause that most differentiates companies with a mature BCMS from those with a paper-based ISO 22301.
How IgeraIndustria works for ISO 22301
Five steps from uploading your continuity system to receiving an answer with the exact requirement, mandatory documentation and implementation recommendations.
Index your business continuity management system
Upload your BIA, scenario-specific BCP plans, results from previous exercises and simulations, activated incident log, and approved continuity strategies. IgeraIndustria processes them together with the full ISO 22301:2019 standard in under 24 hours.
Connect the assistant to the continuity team
Embed in your business continuity portal, Teams, Slack or as a WhatsApp bot for the BCMS manager. One line of code. Accessible from mobile for queries during real incidents.
The continuity manager asks in natural language
“What must the BIA include according to ISO 22301?”, “How do I define the RTO for the invoicing process?”, “What is the difference between MTPD and RTO?”, “How often must the BCP be tested?”
IgeraIndustria searches across 2 layers of knowledge
First in your internal documentation (BIA, BCPs, exercise results, continuity strategies), then in the indexed ISO 22301:2019 standard with all its requirements, definitions and application notes.
Response with clause, requirements and mandatory documentation
The response cites the applicable ISO 22301 clause, indicates what documentation is mandatory and how it must be approved, and flags the most common errors that certification auditors detect in that area.
IgeraIndustria in action — ISO 22301 clause 8.2.2
Query about RTO for critical systems answered in under 3 seconds, with an exact reference to ISO 22301 clause 8.2.2.
Business Continuity Manager
How do I define the RTO for our critical systems under ISO 22301? What is the difference from the MTPD?
IgeraIndustria
ISO 22301:2019 — Clause 8.2.2 BIA: RTO and MTPD
MTPD (Maximum Tolerable Period of Disruption):
- • Maximum time the organisation can endure without the process before consequences become unacceptable
- • Determined by the business (Management, Finance, Sales) — not IT
- • Example: order processing → MTPD = 24h (beyond that, customer loss occurs)
RTO (Recovery Time Objective):
- • Maximum time to recover the process/system — MUST be less than the MTPD
- • Set by the business; IT validates whether it is achievable with current strategies
- • If IT RTO > business MTPD → investment in faster recovery strategies is required
⚠️ The BIA (cl.8.2.2) must document the MTPD and RTO of each critical process, approved by senior management
✓ ISO 22301:2019 Clause 8.2.2 · Confidence: 99.5%
400
employees, logistics company
-70%
incident recovery time
✓ OK
BCP tested and approved by insurer
We suffered a ransomware cyberattack two years ago and it took us 3 weeks to restore operations. Since we implemented ISO 22301 using IgeraIndustria to resolve our doubts about the BIA and RTO definitions, our BCP specifies exactly what to do in each scenario. We passed our last simulation in 4 hours. The insurer validated it and reduced our premium by 18%.
*Representative testimonial based on results from real clients
Frequently asked questions — ISO 22301:2019
What is ISO 22301 and what is it for?
ISO 22301:2019 is the international standard for Business Continuity Management Systems (BCMS). It sets out the requirements for planning, implementing, maintaining and improving an organisation's ability to continue operating during critical disruptions. Unlike ISO 9001 (quality) or ISO 14001 (environment), ISO 22301 focuses on operational resilience: what the company does when its critical systems fail, when a supplier stops delivering, or when a disaster prevents access to facilities. The standard requires a Business Impact Analysis (BIA), defining RTO/RPO per critical process, developing Business Continuity Plans (BCP) and testing them through exercises and simulations at regular intervals.
What is the difference between RTO and RPO?
RTO (Recovery Time Objective) and RPO (Recovery Point Objective) are the two fundamental parameters of business continuity. The RTO defines the maximum acceptable time to recover a process or system after a disruption: if the ERP system's RTO is 4 hours, the organisation must be able to have it operational in less than 4 hours. The RPO defines the maximum acceptable amount of data that can be lost, expressed in time: if the order database RPO is 1 hour, backups must be performed at least every hour. ISO 22301 (clause 8.2.2) requires the BIA to determine the RTO and RPO for each critical process, and that continuity strategies satisfy them. A common mistake is confusing RTO with the IT department's actual recovery time, which is typically longer.
What is a BIA (Business Impact Analysis)?
The Business Impact Analysis (BIA) is the central process of ISO 22301. It identifies and prioritises the organisation's critical processes and activities, evaluates the impact of their disruption over time (financial, reputational, regulatory, operational) and determines the minimum RTO and RPO for each. The BIA answers: which processes are most critical? how long can the company survive without them? which resources (people, technology, suppliers) are essential? Clause 8.2.2 of ISO 22301 describes the BIA requirements. Without an up-to-date BIA approved by management, it is impossible to define proportionate continuity strategies or pass a certification audit. IgeraIndustria resolves queries about BIA methodology, impact criteria, review frequency and report format.
How often must the Business Continuity Plan (BCP) be tested?
ISO 22301 (clause 8.5) requires organisations to schedule and conduct BCP exercises and tests at planned intervals to verify that plans work in practice. The standard does not prescribe an exact minimum frequency, but certification bodies expect at least one full exercise (simulation) per year, in addition to partial tests (tabletop exercises, technical failover tests, communications tests) more frequently. Exercise results must be documented and any deviations identified must generate improvement actions. One of the most common non-conformities in ISO 22301 audits is having a written BCP that has never been tested, or whose last test was conducted more than 24 months ago.
Is ISO 22301 mandatory or voluntary?
ISO 22301 is a voluntary standard globally: no law requires certification. However, certain sectors require it contractually: financial entities (DORA regulation in Europe from 2025 imposes equivalent operational resilience requirements), critical infrastructure operators, telecommunications operators and large industrial groups frequently include ISO 22301 as a requirement in their contracts with critical suppliers. Additionally, some insurers reduce premiums on business interruption policies when the company can demonstrate a certified BCMS or at least a tested BCP. For SMEs, formal certification is not always necessary: implementing the standard's requirements (BIA, BCP, exercises) without formal certification already delivers significant value.
How long does it take to implement ISO 22301 from scratch?
A complete ISO 22301 implementation from scratch to certification typically takes between 6 and 18 months, depending on the size of the organisation, the complexity of its processes and the resources dedicated. The main phases are: context and gap analysis (1-2 months), BIA and risk assessment (2-3 months), strategy design and BCP drafting (2-4 months), training and awareness (1 month), exercise/simulation (1 month) and certification audit (1-2 months). IgeraIndustria accelerates this process by answering queries about what each clause requires, what documentation is mandatory and what errors to avoid at each stage, reducing the time spent on documentary research by up to 70%.
IgeraIndustria ISO 22301 plans
No lock-in. Cancel any time.
Starter
For SMEs that want to implement a basic BCMS under ISO 22301 without hiring an external consultant, and produce their first documented BCP.
- ISO 22301:2019 pre-indexed
- BIA and RTO/RPO queries
- Mandatory documentation checklist
- 1,000 queries/month
- Widget for the continuity manager
- Email support
Professional
For companies with an active BCMS, periodic audits, an exercise programme and need for ongoing support for the continuity and crisis team.
- ISO 22301 + internal documentation indexed
- BCP and BIA queryable in real time
- Exercise and simulation support
- 5,000 queries/month
- Regulatory change alerts
- Priority support
Enterprise
For industrial groups with ISO 22301 integrated with ISO 27001 (security) and DORA, multiple sites and distributed crisis teams.
- Multi-site and multi-standard
- ISO 22301 + ISO 27001 + DORA integrated
- Real-time assisted crisis management
- Unlimited queries
- 99.9% uptime SLA
- Dedicated customer success
BIA, BCP and simulations under control. Start today.
- Free 14-day trial — no credit card required
- Full ISO 22301:2019 pre-indexed from day one
- Upload your BIA, BCP and exercise results to make them queryable in seconds
- Support for defining RTO/RPO and preparing certification audits
