ISO 22301 Business Continuity Management Certification Services

If operational resilience and uninterrupted service delivery are critical to your business, Linford & Company LLP can guide you through ISO 22301 with an organized, evidence-driven approach refined across hundreds of SOC, HITRUST, and ISO/IEC 27001 engagements.

Request an ISO 22301 Certification Assessment

Service Page Contact Form TOP

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Name
Privacy Policy*

ISO 22301 Business Continuity Management Certification Services

Service Availability

Linford & Company LLP is not currently accredited to perform third-party certification audits against ISO 22301:2019 (incorporating Amendment 1:2024). Services available today are limited to pre-certification readiness assessments and gap evaluations against this standard. This page describes the certification policies and processes Linford & Company will follow when accredited certification audits for this standard become available; until then, no certificate issued under this scheme is an accredited certificate.

Linford & Company LLP is an ANAB-accredited certification body for ISO/IEC 27001:2022; that accredited service is delivered separately and is described on our ISO 27001 services page.

The International Organization for Standardization (ISO) is a non-governmental, independent global body. One of ISO’s main objectives is to bring together experts to develop relevant international standards that drive process innovation and address shared challenges across industries worldwide.

What is ISO 22301:2019?

ISO 22301:2019, “Security and resilience — Business continuity management systems — Requirements,” specifies the requirements for establishing, implementing, maintaining, and continually improving a business continuity management system (BCMS). The BCMS protects against, reduces the likelihood of, prepares for, responds to, and recovers from disruptive incidents, ranging from local outages to large-scale events.

Amendment 1:2024 incorporates explicit climate-change considerations into clauses 4.1 (context of the organization) and 4.2 (needs and expectations of interested parties), consistent with the harmonized amendments ISO applied across all management system standards in 2024.

Who is ISO 22301 for?

ISO 22301 applies to any organization whose service continuity is material to its customers, regulators, or stakeholders; financial services, healthcare, critical infrastructure, SaaS/cloud providers, manufacturers, and government contractors most commonly. It is frequently expected by regulators implementing operational resilience regimes (such as the EU’s DORA and U.S. FFIEC/OCC guidance) and by large enterprise customers conducting supply-chain due diligence.

Organizations that already hold a SOC 2 report often reach the ISO 22301 vs SOC 2 question as a natural next step in evaluating their assurance posture. The two are complementary rather than redundant: SOC 2’s availability criteria attest that specific controls operated over a defined period, while ISO 22301 certifies an ongoing, auditable business continuity management system, including formalized business impact analysis, recovery objectives, and continual improvement, that the availability criteria alone do not fully address.

What is ISO 22301 certification?

ISO 22301 business continuity management certification is independent assurance that an organization’s BCMS conforms to the requirements of the standard. Certification is issued by an accredited BCMS certification body following a structured, two-stage audit and is maintained through annual surveillance over a three-year cycle. Audit competence is governed by ISO/IEC TS 17021-6.

Certification is not a guarantee of uninterrupted operations; it is independent evidence that the organization has performed a business impact analysis, defined recovery objectives, documented and exercised business continuity plans, and operates a management system designed to learn from events and continually improve.

What is the cost of an ISO 22301 certification assessment?

The cost of an ISO 22301 certification audit varies based on the scope of the BCMS, the number and criticality of products and services in scope, the number of physical and virtual locations, the complexity of the supply chain, and whether the engagement is performed standalone or jointly with other management system audits. Linford & Company provides an accurate, detailed, and dependable quote before any audit engagement begins.

How can an organization achieve ISO 22301 certification?

The ISO 22301 audit and certification process is structured and consistently repeatable. The activities include the following steps:

  1. Step One: Complete the application process with Linford & Company.
  2. Step Two: Engage in pre-certification activities to determine the start date of the initial audit and confirm scope.
  3. Step Three: Begin the Initial Audit – Stage 1 (design of the BCMS), including review of the business impact analysis, risk assessment, and continuity strategies.
  4. Step Four: Begin the Initial Audit – Stage 2 (implementation and operating effectiveness), including review of plans, exercises, and incident handling.
  5. Step Five: Obtain Year 1 of the three-year ISO 22301 certification cycle.
  6. Step Six: Continue with annual surveillance audits and recertification at the end of the three-year cycle.

Initial & Continuing Certification Activity Details

The following steps describe the typical certification activities Linford & Company performs, based on the requirements of ISO/IEC 17021-1 and ISO/IEC TS 17021-6.

Initial Certification Activity

Application and Pre-certification Process

The application and pre-certification processes at Linford & Company are streamlined and efficient. Interested applicants enter their organization details into the “Request a Certification Assessment” form at the top of this services page. Applicants are then contacted and provided with an application to gather additional scope information used to determine technology expertise, staffing requirements, level of effort including auditor hours, and other scoping details. The applicant returns the completed application to is***********@*******co.com or to their primary contact at Linford & Company. Client acceptance and impartiality review activities will be performed; based on the results, the applicant will enter into an executed certification agreement with Linford & Company.

Linford & Company will request the necessary artifacts and confirm with the client that the initial audit is ready to commence. The audit plan will be communicated to the client and audit dates agreed upon in advance. The audit program for the initial certification includes a two-stage initial audit.

Stage 1 Audit

An evaluation of the design of the BCMS is performed in Stage 1. Linford & Company will audit the BCMS documentation supporting the design of the system. Inquiries are made and documents supporting the BCMS scope, including personnel, products/services, sites within scope, prioritized activities, and key supply-chain dependencies, are reviewed and evaluated. The auditor confirms that the organization has performed a business impact analysis, completed risk assessment activities, defined recovery time and recovery point objectives, and conducted internal audit and management review activities. With this information evaluated, Linford & Company will determine whether the client is ready to move to Stage 2.

Stage 2 Audit

The objective of Stage 2 is to assess the implementation and operating effectiveness of the BCMS. Stage 2 is performed at the client’s site(s) and through virtual meetings that provide evidence of operating environments and continuity arrangements. Testing covers the BIA, continuity strategies and solutions, business continuity plans (BCP) and procedures, the exercising and testing program (including evidence of recent exercises), performance evaluation, and the effectiveness of corrective action following incidents or exercises. At the conclusion of Stage 2, Linford & Company will determine whether to issue certification.

When all certification steps are completed satisfactorily, Linford & Company will grant certification in the form of a certificate to the client. The initial three-year certification cycle starting date will be on, or reasonably timed after, the date of the certification decision.

If it is determined that the client does not meet the requirements necessary for certification, a certification refusal will be communicated to the client with sufficient detail regarding the rationale for the decision and the available next steps.

Continuing Certification Activity

Surveillance Audits
In order to maintain certification, continuing certification activity is required. This is carried out through surveillance audits. Linford & Company conducts surveillance audits at least once annually, except during recertification years. The first surveillance audit after initial certification must occur within 12 months of the documented certification cycle starting date.

Process to Maintain Certification
Along with the continuing surveillance audits, the client is expected to operate its controls and processes in the manner understood during the initial examination procedures. Linford & Company will enable the client to retain certification by demonstrating ongoing compliance with the requirements of the management system standard.

Additional Information: Detailed Public Information

Linford & Company makes additional details publicly available, in accordance with ISO/IEC 17021-1 §8.1, in the companion “ISO 22301:2019 (incorporating Amendment 1:2024) Certification — Detailed Public Information” PDF. The PDF covers:

  • Procedures for modifying the scope of certification
  • Process for renewing and recertification
  • Process for restoring certification
  • Process for withdrawing certification
  • Complaints process
  • Appeals process
  • Process for handling information requests
  • Interested parties and impartiality policies
  • Use of Linford & Company’s name, certification mark, and references to certification
  • Status of granted, suspended, and withdrawn certifications

Download the full ISO 22301:2019 (incorporating Amendment 1:2024) Certification — Detailed Public Information PDF.

Big 4 Resilience Auditors

Our seasoned auditors translate ISO 22301 requirements into a clear, evidence-driven assessment of your business continuity management system so you can be certified with confidence.

Why Choose Linford & Company LLP?

Designed for Real Disruption

We audit your BCMS the way it will actually be used; against realistic disruption scenarios, with attention to dependencies, RTO/RPO, and supply-chain resilience.

Aligned with Regulator Expectations

Our audits surface evidence that supports DORA, FFIEC, and other operational resilience expectations; so a single ISO 22301 investment supports multiple compliance obligations.

Big 4 Auditors, Resilience-Focused

Our 22301 engagements are led by senior auditors who have audited business continuity for financial services, SaaS, healthcare, and critical infrastructure clients.

Ready for an ISO 22301 Certification Assessment?

Looking to get ISO 22301 certified? Complete the form above, and we will connect you with one of our expert auditors. We keep your contact information private and use it solely to communicate with you regarding your ISO 22301 audit. We do not sell or share your details with third parties.

Request an ISO 22301 Certification Assessment

Service Page Contact Form BOTTOM

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Name
*

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
I understand and agree to the Linford & Company LLP privacy policy.**