ISO 22301:2019 is the international standard for implementing a Business Continuity Management System. It lets companies recover critical operations after incidents (cyber, physical, natural) within defined timeframes.

What does an ISO 22301 Business Continuity Management System include?

Five mandatory components. (1) Business impact analysis (BIA) identifying critical processes, RTO (Recovery Time Objective) and RPO (Recovery Point Objective). (2) Continuity risk assessment. (3) Continuity strategy: what is recovered first and with which resources. (4) Operating procedures: incident response plan, business continuity plan, disaster recovery plan (DRP). (5) Regular exercises and tests (at least annual) + management review.
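The BIA figures (RTO and RPO) only mean something if the continuity strategy and the exercise results are checked against them. The following script is an added example, not code from the page or its author: it takes a constructed BIA table and constructed evidence (backup interval, restore time measured in the last DR exercise, age of that exercise) and lists every process whose protection falls short of its RTO, its RPO, or the annual exercise cadence the page describes. All process names, hour values and the 365-day default are sample assumptions.

```python
"""Added example (not from the page): checking a BIA against backup and
DR-exercise evidence. Every process, RTO/RPO figure and test result below is
constructed sample data, not a real organisation's."""

from dataclasses import dataclass


@dataclass(frozen=True)
class BiaEntry:
    """One critical process from the business impact analysis (constructed)."""
    process: str
    rto_hours: float        # Recovery Time Objective: max tolerable downtime
    rpo_hours: float        # Recovery Point Objective: max tolerable data loss


@dataclass(frozen=True)
class Evidence:
    """What the continuity strategy actually delivers for a process (constructed)."""
    process: str
    backup_interval_hours: float     # how often recoverable copies are taken
    last_test_restore_hours: float   # restore time measured in the last DR exercise
    days_since_last_test: int        # age of that exercise


def continuity_gaps(bia, evidence, max_test_age_days=365):
    """Return a list of (process, reason) gaps.

    A process has a gap when:
      * the backup interval exceeds its RPO (data loss could exceed tolerance),
      * the measured restore time exceeds its RTO,
      * the last exercise is older than the review window (the page says
        exercises are expected at least annually, hence the 365-day default), or
      * no evidence exists at all.
    """
    by_process = {e.process: e for e in evidence}
    gaps = []
    for entry in bia:
        ev = by_process.get(entry.process)
        if ev is None:
            gaps.append((entry.process, "no recovery evidence recorded"))
            continue
        if ev.backup_interval_hours > entry.rpo_hours:
            gaps.append((entry.process,
                         f"backup interval {ev.backup_interval_hours}h exceeds RPO {entry.rpo_hours}h"))
        if ev.last_test_restore_hours > entry.rto_hours:
            gaps.append((entry.process,
                         f"tested restore {ev.last_test_restore_hours}h exceeds RTO {entry.rto_hours}h"))
        if ev.days_since_last_test > max_test_age_days:
            gaps.append((entry.process,
                         f"last exercise {ev.days_since_last_test} days ago, older than {max_test_age_days}"))
    return gaps


# Constructed sample BIA: list order is the recovery priority.
SAMPLE_BIA = [
    BiaEntry("order-processing", rto_hours=4, rpo_hours=1),
    BiaEntry("payroll", rto_hours=48, rpo_hours=24),
    BiaEntry("customer-portal", rto_hours=8, rpo_hours=4),
]

# Constructed evidence from backup configuration and the last DR exercise.
# customer-portal has no entry at all, which is itself a finding.
SAMPLE_EVIDENCE = [
    Evidence("order-processing", backup_interval_hours=24,
             last_test_restore_hours=3, days_since_last_test=200),
    Evidence("payroll", backup_interval_hours=24,
             last_test_restore_hours=6, days_since_last_test=400),
]


if __name__ == "__main__":
    for process, reason in continuity_gaps(SAMPLE_BIA, SAMPLE_EVIDENCE):
        print(f"{process}: {reason}")
```

Run on the sample data it reports three gaps: order-processing is backed up daily against a one-hour RPO, payroll has not been exercised within a year, and customer-portal has no evidence at all. The same three checks are what an auditor will look for when matching the BIA to the DRP and the exercise records.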

How much does ISO 22301 certification cost?

For an SME of 20-100 employees whose processes are not highly complex: €8,000-18,000 external consulting + €2,500-5,500 external audit by AENOR/BV/SGS/LRQA + €2,500-4,500/year maintenance. Deployment timeline 4-7 months. If ISO 27001 or ISO 9001 is already in place, the cost drops by 30-40% because the High Level Structure (HLS) shared by ISO management system standards lets existing clauses be reused.

How does ISO 22301 connect with NIS2 and DORA?

ISO 22301 directly covers the "business continuity" area of NIS2 (article 21.2.c) and the "third-party risk management" and "operational resilience" pillars of DORA. An entity with a valid ISO 22301 almost automatically covers those blocks. For NIS2, ICT supply-chain management still needs to be added; for DORA, specific resilience testing (red team, advanced pentest) is still required.


Authored by Ángel Ortega Castro · independent consultant in strategy, quality and digitalisation for SMEs.

Frequently asked questions

How does this apply to my SME?

It applies as long as you serve Spanish customers or process Spanish data; the framework is mandatory above thresholds we summarise in the table.

What does it cost in 2026?

Indicative ranges for SMEs of 10-50 employees: 2,500-12,000 EUR for documentation, plus auditor fees, which vary by certification body (AENOR, BV, SGS, LRQA).

Which Spanish regulation applies?

Depending on scope: Royal Decree 311/2022 (ENS, published in the BOE), Regulation (EU) 2016/679 (GDPR), LOPDGDD, NIS2, DORA and the EU AI Act (Regulation (EU) 2024/1689).

How long does the implementation take?

On average 4-7 months for a single ISO standard. An integrated management system (SGI: 9001+14001+27001) usually takes 8-12 months.

Can I co-finance it with Kit Digital or Kit Consulting?

Yes, Kit Consulting 2026 covers up to 24,000 EUR in advisory hours; Kit Digital covers tools (CRM, ERP, cybersecurity) up to 29,000 EUR.