Professional ISO 22301 advice
Smooth and fast ISO 22301 certification of your BCMS - From consulting and planning to implementation and certification:
Highest security standards and efficient business continuity management.
We ensure your ability to do business – in every situation!
Business Continuity
Why is business continuity so essential?
Business continuity management is more than just technical precautions against IT failures. Rather, it is a strategic concept that is intended to ensure the protection and continuation of all company-critical processes. At a time when the risk of business interruptions is constantly increasing and competition is fierce, a professionally implemented BCM is a crucial success factor. Those who prepare in good time protect their reputation, reduce financial losses and strengthen the trust of customers, partners and employees alike. Business continuity is therefore a central element in ensuring the future viability and resilience of a company.
Our advice
In a free initial consultation, we will first assess your specific needs. On this basis, we develop an individual package of measures that is optimally tailored to the requirements of your company.
Our offer includes the implementation of a Business Continuity Management System (BCMS) according to ISO 22301, so that your essential business processes can be maintained even in crisis situations. If desired, we integrate the BCMS into existing management structures, for example into an existing information security management system (ISMS).
Depending on your focus, we can also support you in meeting important regulatory requirements, such as the NIS-2 directive or the relevant BSI standards, where these apply to your company. We also offer training for your employees in order to permanently anchor awareness of business continuity and crisis prevention in the company.
Your advantages
Benefit from our collaboration
Security
Ensuring your business-critical processes deserves the highest attention. A Business Continuity Management System (BCMS) according to ISO 22301 ensures that essential processes can be protected and quickly restored in an emergency.
Speed
Proven methods and standardized procedures ensure that potential gaps in your emergency and recovery plans are quickly closed. This ensures that business operations can be resumed quickly in the event of disruptions.
Customer trust
A high level of operational safety strengthens the trust between you and your customers. A professionally implemented BCMS demonstrates a sense of responsibility and promotes the long-term loyalty of your business partners.
Integrative approach
We either integrate the new regulations into your existing organizational and documentation structures or, if necessary, provide you with a suitable platform. This is how we ensure that your BCMS is seamlessly embedded into your company.
Personal support on site
Unlike many of our competitors, we are available to assist you personally on site whenever you need us.
Process of a business continuity consultation
Our experienced business continuity management consultants are very familiar with the particular risks, regulatory requirements and challenges of SMEs, large companies and public institutions. Whether it's about NIS-2, banking and insurance, KRITIS, telecommunications or the healthcare sector - we provide you with well-founded, cross-industry advice on the introduction or optimization of your BCMS according to ISO 22301. Benefit from our many years of expertise to make your company future-proof and protect it from potential threats.
1. Setup
Together with your management and the relevant departments, we determine which measures are necessary to ensure the continuation of your essential business processes. The focus is on risk identification and assessment, so that the business continuity concept is tailored precisely to the requirements of your company - in accordance with ISO 22301.
2. Analysis
Our team analyzes your core business processes, resources and infrastructure in detail. Instead of just looking at formal specifications, we create a holistic risk assessment. This gives you a well-founded picture of the possible disruption scenarios and the resulting requirements for a functioning Business Continuity Management (BCM).
3. Concept
Based on the analysis, we develop a tailor-made business continuity concept. In it, we determine which strategies and measures should be taken in the event of an emergency in order to restore your operations as quickly as possible or to continue business operations without major interruptions. You always retain the power to decide on the final priorities and implementation steps.
4. Solution
We derive the appropriate measures – from short-term emergency measures to long-term prevention strategies. We consider not only technical aspects, but also organizational, personnel and infrastructural aspects. The goal: robust resilience to the identified risks that can be seamlessly integrated into your company.
5. Reporting
Our experts will accompany you during the practical implementation and monitor the transition to regular operations. With regular reports and complete documentation, you will always stay informed. We also ensure that any weak points are identified and remedied quickly so that your BCMS is continuously improved.
6. Advice
Through ongoing reviews as part of a continuous improvement process (CIP), we ensure that your BCMS always remains up to date and can respond to new threats or changed business structures. From planning to implementation and ongoing maintenance of your BCMS according to ISO 22301 - we accompany you as a reliable partner and consultant to make your company sustainably crisis-proof.
Frequently asked questions about business continuity, BCMS
What is meant by Business Continuity Management (BCM) and why is it so important?
Business Continuity Management (BCM) is a systematic approach that ensures that critical business processes in an organization can be maintained or restored as quickly as possible even in the event of disruptions or crisis situations. This is not just about technical measures, but above all about organizational structures, processes and roles. The goal is to reduce the impact of emergencies (e.g. natural disasters, cyber attacks, pandemics) to a tolerable level. The importance of BCM is particularly evident in today's increasingly connected business world, where downtime can cause significant financial and reputational damage.
What is ISO 22301 and what benefits does it offer?
ISO 22301 is an international standard that defines requirements for a systematic business continuity management system (BCMS). It determines how organizations can protect and maintain their essential functions and processes. By implementing ISO 22301 compliant measures, companies gain:
- Structure and clarity: A clearly defined framework helps establish responsibilities and processes for emergency and crisis situations.
- Trust among stakeholders: Customers, business partners and authorities see ISO 22301 certification as a sign that a robust BCM exists.
- Risk minimization: Through regular analysis, weak points can be identified and remedied at an early stage.
- Competitive advantage: Solid preparation and the ability to react quickly can secure business operations and reduce downtime costs in an emergency.
What is the connection between ISO 22301 and ISO 27001?
ISO 27001 is an international standard for information security management systems (ISMS). Although ISO 22301 focuses primarily on maintaining business processes in the event of a crisis and ISO 27001 on information security, there is a lot of overlap. This includes:
- Risk analysis: Both standards rely on a systematic risk analysis to identify and address weak points.
- Management processes: Both standards are based on the PDCA (Plan-Do-Check-Act) cycle and require continuous improvement.
- Documentation requirements: Both the implementation of an ISMS and that of a BCMS carry extensive documentation and evidence requirements.
- Information security interface: Business continuity also includes the availability of IT systems. Close coordination with the ISMS is essential here.
By implementing both standards in an integrated management system, synergy effects can be used, redundant processes can be reduced and overall efficiency can be increased.
What is a Business Continuity Management System (BCMS)?
A BCMS is a structured framework of policies, processes, procedures and responsibilities that helps companies prepare for and respond appropriately to disruptions and crisis situations. It includes, among other things:
- Analysis of business processes (Business Impact Analysis, BIA) to identify critical processes.
- Risk assessment to determine potential threats and their impact.
- Strategies and plans for emergency response, recovery and continued maintenance of essential functions.
- Continuous review and improvement: Exercises and audits ensure plans remain current and weaknesses are addressed.
With a BCMS according to ISO 22301, companies create the basis for acting in a structured and effective manner in an emergency and thus minimizing economic losses and reputational damage.
What is a Business Impact Analysis (BIA) and why is it central to BCM?
Business Impact Analysis (BIA) is an essential part of business continuity management. It is used to identify all relevant business processes and assess their criticality. The BIA examines the following aspects:
- Process dependencies: Which processes depend on each other?
- Possible damage: What happens if a specific process fails (financial, reputational, legal or regulatory damage)?
- Recovery priorities: Which processes need to be restored first and within what time frame?
The results of the BIA form the basis for the development of tailored emergency and recovery plans. Only those who can realistically assess the consequences of failures can define effective continuity strategies.
What role does risk management play in BCM?
Risk management complements the BIA and is a key element in any BCM approach. By systematically identifying, assessing and treating risks, preventive measures can be taken before failures occur. Typical steps are:
- Risk analysis (e.g. cyber risks, natural disasters, supply shortages).
- Classification according to probability and impact.
- Risk treatment: Implementation of measures to reduce, avoid or accept risks.
- Monitoring and review: Continuous adaptation of measures to changing conditions.
Through solid risk management, companies can not only cope better with crises, but ideally also avoid them altogether.
How can a BCMS be integrated into an existing information security management system (ISMS)?
An ISMS according to ISO 27001 focuses on protecting information assets and IT systems, while a BCMS covers the organizational and procedural maintenance of entire business operations. The integration has the following advantages:
- Common management framework: Both systems follow the PDCA cycle and can therefore be easily bundled in one management system.
- Same or similar documentation requirements: Hazard documentation, risk analyses and internal audits can be partially combined.
- Increased efficiency: Duplicate processes and overlaps are reduced, saving time and costs.
- Better coverage of all company areas: An integrated management system covers both information security and business continuity and ensures comprehensive risk management.
Which aspects should be particularly taken into account when implementing a BCMS according to ISO 22301?
Central factors when introducing a BCMS are:
- Management support: Management must recognize the importance of BCM and provide resources.
- Culture and awareness: Employees must be trained and sensitized to understand their role in an emergency.
- Clear roles and responsibilities: Who coordinates the emergency exercises, who is the contact person for external service providers, etc.?
- Continuous updating: Business processes and risks change, so BCM plans need to be updated regularly.
- Exercises and tests: Only through realistic emergency or crisis simulations can the effectiveness of the plans be checked and improved.
Careful planning and structured implementation are essential so that the BCMS does not just exist on paper, but actually works in an emergency.
How does ISO 22301 certification work?
Certification according to ISO 22301 takes place in several steps:
- Preparatory phase: A gap analysis is carried out and the BCMS is set up.
- Internal audits: Checking the system for compliance with the standard and internal optimization.
- Certification audit, level 1 (document check): An auditor first evaluates the documentation (e.g. BIA, risk assessments, emergency plans).
- Certification audit, level 2 (on-site inspection): The auditor checks the practical implementation in the company, carries out interviews and visual inspections.
- Certificate issuance: If the audit is successful, a certificate is issued that is usually valid for three years. Surveillance audits take place annually to check ongoing compliance.
With ISO 22301 certification, companies prove that they are systematically prepared for emergencies.
How often should BCM plans be updated and tested?
BCM plans should be reviewed and adjusted regularly, but at least once a year or when significant changes occur in the company or environment, for example:
- Organizational changes (restructuring, new locations).
- Technological changes (new IT systems, cloud migration).
- New or changing threats (e.g. new cyber risks, geopolitical risks).
In addition to document revisions, exercises and tests should be carried out at regular intervals (e.g. semi-annually or annually) to check the effectiveness of the plans. The more realistic the simulations are, the more meaningful the results are for the further development of the BCMS.
What are typical challenges when introducing a BCMS?
When implementing a BCMS, organizations often encounter the following hurdles:
- Underestimating the effort: Effective BCM is complex and requires time, resources and management commitment.
- Employee resistance: Changes to process flows or additional documentation requirements are not always immediately accepted.
- Lack of risk awareness and training: Employees must be trained to act correctly in an emergency.
- Lack of integration into existing systems: A BCMS without coordination with the ISMS or other management systems leads to duplication and redundancies.
- Unclear responsibilities: In crisis situations you have to be able to act quickly. An unclear distribution of roles slows down effective action.
In order to overcome these hurdles, clear communication and structured project management are essential.
What are the advantages of integrating a BCMS into the existing ISMS?
By integrating a BCMS into an ISMS, companies benefit from:
- Holistic view: Both standards complement each other (BCM for process continuity, ISMS for information security).
- Reduction of duplication of work: Risk analyses, documentation and audits can be brought together.
- Optimized resources: Shared budgets and teams ensure more effective management.
- Increased compliance: Organizations meet several standard requirements at the same time and can therefore comply with regulatory requirements more reliably.
- Strengthening security awareness: Employees internalize the requirements of both security and continuity processes.
Integrated management systems increase overall efficiency and ensure the ability to act in critical situations.
What roles and responsibilities need to be filled in a BCM?
Typically, the following roles are defined in business continuity management:
- BCM responsible (BCM Manager): Coordinates the introduction and maintenance of the BCMS, plans exercises and audits.
- Crisis team: A team of managers and technical experts who take over operational and strategic management in the event of a crisis.
- Departmental owners: Responsible for the continuity plans in their respective departments (e.g. IT, production, human resources).
- Employees: Are informed about emergency and evacuation plans and know their tasks in a crisis.
- External consultants (optional): Support in interpreting standards, conducting audits and training.
A clear definition of responsibilities and communication channels is crucial for being able to act efficiently in an emergency.
How can the success of a BCMS be measured?
The success of a BCMS can be determined by several indicators:
- Time to restore (Recovery Time Objective, RTO): How quickly can critical processes be restored?
- Tolerable data loss (Recovery Point Objective, RPO): What is the maximum amount of data that can be lost without endangering business operations?
- Number and quality of emergency drills: How frequently are exercises carried out and how realistic are they? How were deficiencies corrected?
- Audit results: What deviations have internal and external audits identified?
- Employee feedback: How confident do employees feel when dealing with emergency scenarios?
A BCM should be continuously improved. Measuring these parameters shows whether the set goals are being achieved and where there is a need for optimization.
How do BCM and IT emergency management differ?
Although BCM and IT emergency management are often closely linked, there are differences in focus:
- BCM: Deals holistically with maintaining all critical business processes in all areas of the company (e.g. production, logistics, human resources, sales).
- IT emergency management: Focuses primarily on restoring IT systems, data and infrastructure after an outage or cyberattack.
BCM is therefore higher-level and includes IT emergency management as an important sub-area. Ideally, both concepts are closely interlinked to ensure smooth operations in the event of a crisis.
Which typical documents belong in a BCMS?
Key documents in an ISO 22301 BCMS include:
- BCM policy: Principles and goals for business continuity management.
- Business Impact Analysis (BIA): Identification and evaluation of business-critical processes.
- Risk assessment: Description and assessment of relevant risks.
- Business continuity strategy: Guidelines on how to maintain business operations during crises.
- Emergency and crisis plans: Detailed processes for different scenarios (e.g. IT failure, fire, natural disaster).
- Exercise and test records: Evidence of exercises carried out, test results and improvement measures.
- Communication plans: Description of how and with what means communication is carried out internally and externally in the event of a crisis.
These documents are regularly updated and form the basis for successful implementation of the BCMS.
Which factors are crucial for the success of an emergency test?
To successfully conduct an emergency test, companies should pay attention to the following:
- Realistic scenarios: The exercises should realistically depict typical threats and crisis scenarios.
- Extensive planning: Roles, processes and communication channels must be clearly defined in advance.
- Transparency: Everyone involved should be aware of the intention of the exercise and the desired learning effect.
- Detailed evaluation: Weak points and potential for improvement must be precisely documented.
- Binding measures: Improvements derived from the test results should be implemented promptly.
Regular emergency testing increases awareness and ensures that emergency plans work even under stressful conditions.
What are the advantages of external advice when introducing a BCMS?
Implementing a BCMS can be complex and resource intensive. External advice offers a variety of advantages:
- Experience and best practices: Consultants have usually already supported numerous BCM projects and bring valuable practical experience.
- Neutral point of view: External experts can look more objectively at company processes and point out risks that may be overlooked internally.
- Know-how transfer: During implementation, internal teams are trained and can later pass on the knowledge independently.
- Time saving: An experienced consultant identifies stumbling blocks at an early stage and thereby accelerates project progress.
- Faster certification capability: Anyone seeking certification benefits from the expertise of consultants who know the ISO requirements exactly.
Especially for companies that have no experience with BCM, it is worth investing in external advice in order to achieve their goal quickly and efficiently.
When is the best time to build or expand a BCMS?
Building or expanding a BCMS makes sense in every phase. However, there are certain triggers that make it clear that more action is needed:
- Significant corporate changes: mergers, acquisitions, new locations.
- Increased compliance requirements: New legal requirements or industry standards.
- Increase in crisis incidents: Increase in disruptions, hacker attacks or natural disasters.
- After the introduction of an ISMS: Since a BCMS can be easily integrated into the ISMS, it makes sense to coordinate both management systems.
It is important that management recognizes the need and provides sufficient resources. An effective BCM is always an investment in the future security of the company.
What long-term benefits does a robust BCM bring to the company?
A well-established and regularly maintained BCMS has numerous positive effects:
- Greater resilience: The company can react more quickly to unforeseen events and minimize business disruptions.
- Competitive advantage: Customers and partners trust organizations more that have a proven continuity strategy.
- Cost savings: Prevention is usually cheaper than dealing with the consequences of a crisis.
- Positive image: Professional crisis management strengthens the reputation and shows that the company acts responsibly.
- Employee satisfaction: Employees feel safer and better prepared when they know the company is prepared for emergencies.
Overall, a robust BCM increases the sustainability and future security of a company because it not only reacts to acute risks, but also initiates a continuous improvement process.
Your experts in business continuity issues
Whether CISO, CIO, IT manager or those responsible for crisis and emergency management – our experienced consultants for Business Continuity Management bring many years of practice and develop tailor-made solutions according to ISO 22301 that fit the needs of your company precisely.
- Many years of experience in management systems with a focus on ISO 9001, 14001, 27001, 27701, 22301
- Advice for DAX
- Implementation, auditing, certification
- ISO 9001 Lead Auditor, ISO 14001 Lead Auditor
- EMAS environmental verifier
- ISO/IEC 27001 Lead Auditor, ISO/IEC 27001 Lead Implementer, ISO 22301 Lead Auditor
- Data protection officer (TÜV), data protection auditor (TÜV)
- Digital Transformation Manager (TÜV), Business Continuity Manager (TÜV)
- PMP, PRINCE2, MSP, ITIL Expert, CISSP, CISSP-ISSAP, CISM
- Development of training material on IT security and management systems
- Conference speaker