Do we have to certify against ISO 22301 to use the BCMS?

No. The BCMS module is useful with or without certification. If you pursue ISO 22301, KaitoSec supports the full lifecycle. If you do not, the same module satisfies the continuity and resilience expectations of NIS2, DORA, BAIT, VAIT and customer due diligence.

How does ISO 22301 relate to NIS2 and DORA?

NIS2 Article 21 explicitly requires business continuity and crisis management. DORA expects financial entities to maintain digital operational resilience including ICT business continuity policies. A BCMS aligned to ISO 22301 satisfies both, plus produces the evidence supervisory authorities expect. KaitoSec maps ISO 22301 controls to NIS2 measures and DORA articles on one data model.

What is the difference between a BC plan and a disaster recovery plan?

A BC plan covers the overall response: which processes keep going, who decides, how the organisation communicates, how the business escalates. A disaster recovery plan covers the technical restoration of systems. KaitoSec carries both and keeps the relationships explicit, so neither plan drifts from the other.

How often should BC plans be tested?

ISO 22301, NIS2 and DORA all expect regular testing, typically at least annually for critical plans and more often for high-impact processes. KaitoSec schedules, documents and tracks exercises in the same place as the plans themselves, so the cadence is provable without manual record-keeping.

We already run an ISMS. What changes if we add the BCMS?

The asset register, the risk surface and the policy library stay in place; the BCMS extends them with BIA, recovery strategies, BC plans, exercises and crisis activation. Your ISBs work in the same workspace, your management review covers both systems, and audit evidence compiles from one source.

KaitoSec

ISO 22301

A certificate does not keep operations running. A BCMS does.

ISO 22301 is the standard for Business Continuity Management. KaitoSec runs it as a full management system, BIA, recovery strategies, BC plans, exercises and management review, sharing one data model with the ISMS, DSMS and AIMS.

Book a Demo Explore Platform

BCMS as a peer to your ISMS, not a side project

ISO 22301 sits alongside the ISMS, the DSMS and the AIMS on KaitoSec, on one data model. A risk identified in the ISMS becomes a BC scenario, a critical asset feeds both control selection and recovery planning, the management review covers all four. No parallel registers, no silo handovers.

From BIA to operating recovery

Identify critical processes and services, model disruption impact over time, set RTO, RPO, MTPD and MBCO per process. Derive recovery strategies with cost, feasibility and resource information, link each strategy to the processes, assets and suppliers it protects. The same data feeds your ISMS, vendor management and reporting.

Plans tested before reality tests them

Plan and run tabletop walkthroughs, functional tests and full-scale simulations. Capture findings, lessons learned and follow-up actions, then link them back to the BC plan that was tested. ISO 22301, NIS2 and DORA evidence is generated by the work, not compiled after it.

Business Impact Analysis at the depth your operation needs

Run BIA at strategic, process, service or asset level. Score criticality, model impact curves over time and define recovery targets per object. KaitoSec uses the same asset and process register as your ISMS, so the BIA stays current without duplicate data entry.

Recovery strategies linked to the real operation

Recovery requirements are generated from your BIA results. Each strategy carries cost, feasibility and resource information and is linked to the protective controls and continuity dependencies it covers.

BC plans that work under pressure

Structured plans cover roles, escalation, communication, decision authority and dependencies. Plans are versioned, approved, distributed and acknowledged in the same workflow you use for policies, so the plan in force is always the plan people have actually read.

Crisis activation with a clear chain of command

Define activation criteria, escalate from operational disruption to crisis, log decisions and communications in real time. The crisis log feeds incident reporting under NIS2 and DORA without parallel paperwork.

Management review and continuous improvement

BCM-specific audits are supported with structured evidence and traceability. Management reviews, exercise outcomes and incident follow-ups feed continuous improvement, so your BCM is a working system rather than a binder in a drawer.

Built on open catalogs: BSI, MITRE, OWASP, ENISA

ISO 27001

ISO 22301

BSI IT-Grundschutz

NIST CSF

GDPR / DSGVO

SOC 2

NIS2

DORA

FAQ

Related platform features

Business Continuity Risk Management Asset Management Compliance Mapping Reporting

A certificate does not keep operations running. A BCMS does.

BCMS as a peer to your ISMS, not a side project

From BIA to operating recovery

Plans tested before reality tests them

Business Impact Analysis at the depth your operation needs

Recovery strategies linked to the real operation

BC plans that work under pressure

Crisis activation with a clear chain of command

Management review and continuous improvement

FAQ

Product

Frameworks

Solutions

Services

Resources

Company

Legal

A certificate does not keep operations running. A BCMS does.

BCMS as a peer to your ISMS, not a side project

From BIA to operating recovery

Plans tested before reality tests them

Business Impact Analysis at the depth your operation needs

Recovery strategies linked to the real operation

BC plans that work under pressure

Crisis activation with a clear chain of command

Management review and continuous improvement

FAQ

Product

Frameworks

Solutions

Services

Resources

Company

Legal