Awareness + Internal Auditor

Build a Business Continuity Management System toward ISO 22301:2019

Training for BCM managers, risk officers, IT operations, compliance, and internal auditors — understand the BCMS clauses, perform Business Impact Analysis, build BCPs & recovery plans, and run internal audits per ISO 19011.

Core clauses: Clauses 4–10
Key outputs: BIA + BCP + Recovery Plan
Companion guidance: ISO 22313:2020
Format: Inhouse, online, hybrid
Short answer

ISO 22301 Awareness + Internal Auditor training equips your team to understand the BCMS requirements, perform Business Impact Analysis, build continuity plans, and run internal audits per ISO 19011. Neksus trains to readiness; a KAN-accredited certification body performs the audit and issues your ISO 22301:2019 certificate.

About the Standard

The international standard for Business Continuity Management Systems

ISO 22301:2019 is the international standard for Business Continuity Management Systems (BCMS). Its clause structure follows the Annex SL High Level Structure (clauses 4–10), aligned with ISO 9001, 14001, 27001, and 37001. The core of ISO 22301 is Business Impact Analysis (BIA) — analysis of the impact of disruption on critical business processes, definition of Recovery Time Objective (RTO) and Recovery Point Objective (RPO), continuity & recovery strategies, incident response procedures, and exercise & test to validate the plans. ISO 22301 has gained relevance after pandemic-era experience, supply chain disruption, and major cyber incidents. Many financial regulators (e.g. OJK) link BCMS to IT risk management regulation.

  • BIA is the foundation — without valid BIA, RTO/RPO becomes guesswork
  • Clause 8.5 — exercises and tests are mandatory, run at planned intervals and after significant change, and evaluated afterwards; in practice auditors expect at least an annual cycle
  • Clause 8.2 — impact analysis must cover people, process, technology, suppliers, and locations
  • Aligned with POJK IT risk management and ISO 27031 (IT readiness for business continuity)
Neksus trains, the certification body certifies

ISO 22301 certificates can only be issued by accredited certification bodies (KAN in Indonesia, internationally recognized via the IAF MLA). Neksus prepares your BCMS to pass Stage 1 and Stage 2 — without promises of guaranteed certification.

BCMS is more than a Disaster Recovery Plan

A Disaster Recovery Plan (DRP) focuses on IT recovery. A Business Continuity Plan (BCP) is broader: people, processes, alternative workplaces, crisis communication, suppliers, and stakeholder management. ISO 22301 demands a holistic BCMS covering both.

Exercise & test is proof

ISO 22301 auditors pay close attention to exercise quality: realistic scenarios, cross-functional participation, post-exercise evaluation with corrective actions. For critical scenarios a tabletop walkthrough alone is rarely accepted as validation; expect to show a full simulation or a live failover test.

Scope of Certification

Typical BCMS scopes that get certified

Scope definition affects BIA complexity and exercise expectations.

Banking & financial services

Scope: core banking, payment processing, branches, customer service. Frequently driven by POJK IT risk management and Bank Indonesia regulations.

Fintech & B2B SaaS

Scope: digital platform, customer support, vendor management. Often required by enterprise customers and vendor list audits.

Data centers & cloud providers

Scope: infrastructure and services. RTO/RPO are very tight for Tier III–IV data centers.

SOEs in utilities (power, water, gas)

Scope: critical public services. Disruption impact is broad — BIA covers socio-economic dimensions alongside the financial ones.

Healthcare & hospitals

Scope: critical clinical services (ED, ICU, OR), electronic medical records, medical supply. Low disruption tolerance.

Manufacturing with global supply chain

Scope: production and supply chain. Geopolitical risk and supplier concentration become BIA focus.

Organizational Readiness

Organizational readiness before inviting a certification body

  • Business continuity policy authorized by top management
    Commitment to maintaining continuity of key products/services, allocated resources, compliance obligations.
  • BCMS context & written scope
    Clause 4 — issue analysis, interested parties (regulators, clients, suppliers), in-scope products/services, geographic boundaries.
  • Business Impact Analysis (BIA) completed (clause 8.2.2)
    Process identification, prioritization by impact (financial, regulatory, reputational, operational), MTPD (Maximum Tolerable Period of Disruption), RTO, RPO, and minimum resource requirements.
  • Risk Assessment for disruptions (clause 8.2.3)
    Threat identification (cyber, natural, supplier, pandemic, key personnel loss) and vulnerability; prioritization by likelihood × impact.
  • Continuity & recovery strategies (clause 8.3)
    Strategy choices per scenario: alternative workplaces, IT alternatives (failover, backup site), supplier alternatives, personnel alternatives.
  • Business Continuity Plan (BCP) & incident response plans (clause 8.4)
    Incident detection & escalation procedures, command structure, internal/external communication procedures, recovery procedures per function/process.
  • Exercise & test (clause 8.5)
    Annual exercise program: tabletop, walkthrough, full simulation, or live failover. At least one exercise for critical scenarios performed and evaluated.
  • One internal audit cycle + management review
    Internal audit per ISO 19011, exercise result evaluation, and management review (clause 9.3) with standard inputs/outputs.
Certification Audit Path

Audit path from contract to certificate

Per ISO/IEC 17021-1 — 3-year certification cycle.

  1. Application & contract (1–2 weeks)
     Submit scope, employees in scope, sites (including recovery sites), IAF sector. The body computes mandays per IAF MD 5.

  2. Stage 1 — BCMS documentation review (1–2 days)
     Auditor reviews policy, scope, BIA, risk assessment, continuity strategies, BCPs, exercise & test documentation, internal audit results, and management review minutes.

  3. Stage 2 — Implementation audit (3–8 days onsite)
     Auditor goes into the processes: BCM owner interviews, IT team, vendor management, communications. Review of exercise records (scenario, participation, results, corrective actions), BCP audit per critical process.

  4. Closure of findings & certification recommendation (30–90 days)
     Major NCs closed. For BCMS, major NCs often involve a superficial BIA or a tabletop-only exercise for critical scenarios without real simulation.

  5. Certificate issuance (3-year cycle)
     Certificate carries the scope. Often required for enterprise customer tenders & regulated sectors (banking, insurance).

  6. Year 1 & 2 surveillance audits (annual, 2–5 days)
     Focus on latest exercise results, real incidents & response, BIA changes (e.g. new services), and prior finding follow-up.

  7. Recertification audit (year 3, before the certificate expires)
     Full re-audit. Pass → renewed for another 3 years.

Internal Auditor (ISO 19011)

What an ISO 22301 Internal Auditor does — they test the BCP, beyond document review

Internal Auditor training follows ISO 19011:2018 with added BCM competency focus.

What they do

An ISO 22301 internal auditor verifies BIA quality (whether the impact analysis is realistic), RTO/RPO validity (whether feasible given the chosen strategy), BCP completeness per critical process (whether procedures are executable), and exercise quality (whether scenarios are challenging, whether evaluation & corrective action are performed). A good auditor reviews exercise records: how many participated, whether the scenario was realistic, what findings emerged, and whether findings were followed up. Independence: an auditor does not audit a BCP for the function they manage.

Competencies built
  • Understanding of ISO 22301 clauses 4–10 and the Annex SL structure
  • Business Impact Analysis methods: process identification, financial/regulatory/reputational impact, MTPD, RTO, RPO
  • Risk assessment for disruptions: threat scenarios, vulnerabilities, prioritization
  • Audit of continuity & recovery strategies (IT alternatives, locations, suppliers, personnel)
  • Audit of BCPs per critical process: response procedures, command structure, communication
  • Audit of exercise & test: scenario quality, participation, evaluation, corrective actions
  • ISO 19011 — independence, objectivity, evidence-based
Findings Categories
  • Major NC

    E.g. BIA absent or superficial for a critical process, exercise never performed for a critical scenario, or RTO unrealistic given the chosen strategy.

  • Minor NC

    E.g. exercise documentation incomplete, one BCP not updated after organizational change, or post-exercise evaluation produces no corrective actions.

  • OFI

    E.g. recommendation to escalate exercise complexity from tabletop to simulation, or to adopt a BCM tool (e.g. Fusion, Riskonnect) for visibility.

  • Observation

    E.g. note on single-source supplier dependency with potential single point of failure.
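
The RTO/RPO feasibility and exercise-quality checks described under "What they do" and illustrated by the finding categories above, as an added example that is not part of this page or of any Neksus material: a Python script an internal auditor could run over a BIA register before Stage 2. The register rows, the exercise records and the mapping of each check to major NC, minor NC or OFI are constructed assumptions; ISO 22301 itself does not grade findings, the certification body does.

```python
"""Added example: consistency checks over a BIA register before Stage 2.

Not code from the page or from Neksus. The register, the exercise records and
the severity mapping below are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass
class Exercise:
    held_on: date
    kind: str                      # "tabletop", "simulation" or "live_failover"
    achieved_rto_h: float | None   # measured time to resume; None for a tabletop
    achieved_rpo_h: float | None   # measured data-loss window; None for a tabletop
    corrective_actions: int        # actions raised by the post-exercise evaluation


@dataclass
class BiaEntry:
    process: str
    critical: bool
    mtpd_h: float                  # Maximum Tolerable Period of Disruption (clause 8.2.2)
    rto_h: float                   # Recovery Time Objective
    rpo_h: float                   # Recovery Point Objective
    strategy: str                  # chosen continuity/recovery strategy (clause 8.3)
    copy_interval_h: float         # how often the strategy copies data; 0 = synchronous
    exercises: list[Exercise] = field(default_factory=list)


def audit_entry(e: BiaEntry, as_of: date, max_exercise_age_days: int = 365) -> list[tuple[str, str]]:
    """Return (severity, message) pairs for one BIA row.

    Severities reuse the page's categories (major, minor, ofi). Which check
    maps to which severity is an assumption of this example: ISO 22301 does
    not grade findings, the certification body does.
    """
    findings: list[tuple[str, str]] = []
    # An RTO longer than the tolerable outage can never satisfy the BIA.
    if e.rto_h > e.mtpd_h:
        findings.append(("major", f"{e.process}: RTO {e.rto_h}h exceeds MTPD {e.mtpd_h}h"))
    # A strategy that copies data less often than the RPO cannot deliver the RPO.
    if e.copy_interval_h > e.rpo_h:
        findings.append(("major", f"{e.process}: '{e.strategy}' copies data every "
                                  f"{e.copy_interval_h}h, but RPO is {e.rpo_h}h"))
    if not e.critical:
        # Non-critical process exercised only on paper: an improvement opportunity.
        if e.exercises and all(x.kind == "tabletop" for x in e.exercises):
            findings.append(("ofi", f"{e.process}: consider escalating from tabletop to simulation"))
        return findings
    # Clause 8.5: critical scenarios must be exercised within the planned interval.
    recent = [x for x in e.exercises if (as_of - x.held_on).days <= max_exercise_age_days]
    if not recent:
        findings.append(("major", f"{e.process}: no exercise in the last {max_exercise_age_days} days"))
        return findings
    latest = max(recent, key=lambda x: x.held_on)
    if latest.kind == "tabletop":
        findings.append(("major", f"{e.process}: critical scenario validated by tabletop only"))
    else:
        # Measured results from the exercise must stay inside the objectives.
        if latest.achieved_rto_h is not None and latest.achieved_rto_h > e.rto_h:
            findings.append(("major", f"{e.process}: resumed after {latest.achieved_rto_h}h, RTO is {e.rto_h}h"))
        if latest.achieved_rpo_h is not None and latest.achieved_rpo_h > e.rpo_h:
            findings.append(("major", f"{e.process}: lost {latest.achieved_rpo_h}h of data, RPO is {e.rpo_h}h"))
    if latest.corrective_actions == 0:
        findings.append(("minor", f"{e.process}: post-exercise evaluation raised no corrective actions"))
    return findings


def audit_register(register: list[BiaEntry], as_of: date) -> dict[str, list[str]]:
    """Run audit_entry over every row and group the messages by severity."""
    grouped: dict[str, list[str]] = {"major": [], "minor": [], "ofi": []}
    for entry in register:
        for severity, message in audit_entry(entry, as_of):
            grouped[severity].append(message)
    return grouped


AS_OF = date(2025, 6, 30)
SAMPLE_REGISTER = [  # constructed sample data, not from any real BIA
    BiaEntry("Core banking", True, 8, 4, 0.25, "active-passive DR site, synchronous replication", 0,
             [Exercise(date(2025, 4, 1), "live_failover", 3.5, 0.0, 2)]),
    BiaEntry("Payment gateway", True, 4, 6, 1, "warm standby, hourly log shipping", 1,
             [Exercise(date(2024, 12, 10), "simulation", 5.0, 1.0, 0)]),
    BiaEntry("Branch customer service", True, 72, 24, 24, "alternate branch", 24,
             [Exercise(date(2025, 3, 15), "tabletop", None, None, 1)]),
    BiaEntry("HR analytics", False, 240, 72, 24, "weekly full backup to tape", 168,
             [Exercise(date(2025, 2, 1), "tabletop", None, None, 0)]),
]

if __name__ == "__main__":
    for severity, messages in audit_register(SAMPLE_REGISTER, AS_OF).items():
        for message in messages:
            print(f"[{severity.upper()}] {message}")
```

Run as a script it prints the grouped findings for the constructed register: the payment gateway fails on RTO > MTPD and on an evaluation with no corrective actions, the branch process on a tabletop-only validation, and HR analytics on a weekly backup that cannot meet a 24-hour RPO, while core banking passes. In practice the register would be exported from the BCM tool or BIA spreadsheet, and the severity mapping adjusted to the certification body's own grading conventions.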

Outcomes

Expected outcomes for your team

Valid & defensible BIA
Class output: BIA for critical processes with MTPD, RTO, RPO defensible at Stage 2.
Documented continuity & recovery strategies
Strategies per disruption scenario (IT, location, supplier, personnel) with feasibility justification.
BCPs per critical process
Executable BCPs — clear procedures, assigned roles, structured communications.
Annual exercise program
Exercise schedule covering different levels (tabletop → full simulation) with at least one full simulation exercise per year.
Active BCM internal auditors
4–8 internal auditors capable of auditing BIA, BCP, and exercise quality.
Decision Aid

Awareness vs Internal Auditor vs Lead Auditor preparation (BCM)

Criterion        | Awareness                             | Internal Auditor                                      | Lead Auditor preparation
Typical duration | 1 day                                 | 3 days                                                | 5 days (IRCA-style)
Target audience  | Critical function managers + BCM team | Internal audit & risk officer team                    | Aspiring Lead Auditors / BCM consultants
Main output      | Basic BIA & BCP understanding         | Audit checklists + audit simulation + finding reports | Individual certificate from a registered training scheme
Delivered by     | Training vendor (e.g. Neksus)         | Training vendor (e.g. Neksus)                         | Registered training organization (e.g. BCI / DRI International / PECB)
Engagement Path with Neksus

Engagement path with Neksus for ISO 22301

  1. Kickoff & gap analysis (week 1)
     2-hour workshop with the BCM Manager/Risk: critical process mapping, existing BIA (if any), and documentation readiness.

  2. 1-day awareness (week 2)
     For critical function managers: why BCMS matters, their role in BIA & BCP, and exercise expectations.

  3. 3-day Internal Auditor workshop (weeks 3–4)
     Clauses 4–10, BIA methods, audit of continuity strategies, BCP audit, and exercise & test audit per ISO 19011.

  4. Mock audit + exercise observation (week 5)
     Facilitator accompanies the internal audit team in reviewing existing BIA & BCP, then observes one exercise (ideally a full simulation).

  5. Readiness review & recommendations (week 6)
     Report: remaining gaps, priority actions, Stage 1 document readiness.

  6. Handoff to the certification body (week 7+)
     Stage 1 document package is ready. Body selection is entirely your decision.

Target Roles

BCM Manager / Head of Business Continuity (Senior)

BCMS owner, primary contact with the certification body.

Risk Officer / ERM Manager

Links the BCMS with the enterprise risk management framework.

IT Operations & DRP Manager

Accountable for IT RTO/RPO and failover exercises.

Critical Function Process Owners

Business process owners who document the function BCP.

Internal Audit Team

4–8 cross-functional internal auditors for audit independence.

Communications & Crisis Communication Lead

Accountable for internal/external incident communication procedures.

Vendor & Supply Chain Management

Audits critical supplier continuity and manages alternatives.

Top Management

Directs the business continuity policy and leads the management review.

Examples of Accredited Certification Bodies

Examples of accredited certification bodies for ISO 22301 in Indonesia

The list below is not a Neksus recommendation. Body selection is entirely your organization’s decision.

BSI (British Standards Institution)
UKAS + KAN

UK-origin body; original author of BS 25999 which preceded ISO 22301.

TÜV Rheinland
DAkkS + KAN

BCMS audit experience for banking and multinational corporates.

SGS
UKAS / ANAB + KAN

Cross-sector BCMS audit experience — financial, telecommunications, manufacturing.

TÜV SÜD
DAkkS + KAN

Often integrated with ISO 27001 (information security) for combined audits.

Bureau Veritas
COFRAC + KAN

BCMS audit experience in energy and public services.

Sucofindo / TUV NORD Indonesia
KAN

Frequently used in SOE/government tenders and OJK fintech ecosystem.

Important — Transparency

The bodies above are examples of organizations accredited (typically through KAN and the IAF MLA network) that can perform certification audits. They are not Neksus partners and do not receive referrals from Neksus. Choosing a certification body is entirely your organization’s decision based on scope, sector, and internal procurement requirements.

Typical Outcome Patterns

Typical outcome patterns from comparable clients

Context

Mid-size bank with core banking + multi-channel digital, certifying to meet POJK IT risk management.

Intervention

Awareness for function managers + 3-day Internal Auditor for 6 people + observation of a live core banking failover test to the DR site.

Indicative result

Stage 1 passed without critical findings; Stage 2 produced 2 Minor NCs (critical vendor exercise documentation) closed within 60 days.

Context

B2B SaaS with SOC 2 + ISO 22301 demand from enterprise customer.

Intervention

BIA across engineering & customer support; 3-day Internal Auditor focused on platform RTO/RPO & cloud failover integration.

Indicative result

ISO 22301 certificate issued within 5 months; together with SOC 2 Type 2, it satisfied the onboarding requirements of a Fortune 500 enterprise customer.

Context

SOE utilities with public-service continuity demands.

Intervention

BIA covered the socio-economic impact of service disruption; coaching on large-scale simulation exercise with cross-region participation.

Indicative result

ISO 22301 certificate issued; documented improvement of readiness for rainy-season disruption & natural disasters.

Procurement Info

Procurement information

  • Contract format
    Inhouse training, continuous program, or integrated awareness + Internal Auditor + exercise observation package.
  • Location
    Onsite at the client site (Jabodetabek with no extra travel charge), regional onsite, or live online.
  • Language of delivery
    Indonesian or bilingual ID/EN.
  • Materials & participant certificate
    Modules, handouts, BIA template, BCP template, audit checklists, Neksus participation certificate.
  • Tax documentation
    VAT invoice, receipt, BAST (Berita Acara Serah Terima, the handover minutes). SOE/government e-procurement support available.
  • Payment terms
    30% advance on contract, 70% on training completion.
  • Optional exercise design coaching
    Separate manday-based scheme: designing realistic exercise scenarios and post-exercise evaluation.

Discuss ISO 22301:2019 readiness for your organization

Send your BCMS scope and target certification schedule. The Neksus team studies your context and prepares a program design within 2 business days.

  • Awareness, Internal Auditor, and observation of real exercises
  • Facilitators with BCM Manager and BCMS audit backgrounds
  • Materials covering alignment with POJK IT risk management
  • Structured handoff to your chosen certification body