On a Tuesday morning in March 2020, the boards of organisations across Southeast Asia were confronted with a question most had never seriously considered: if our premises are inaccessible, our supply chains are disrupted, and a significant fraction of our workforce is unavailable simultaneously, how do we continue to operate? For organisations with a functioning Business Continuity Management System — one designed, tested, and embedded in operations before the crisis arrived — the answer was structured and rehearsed. For the majority, it was improvised under pressure.
ISO 22301 is the international standard that answers this question in advance. It provides a systematic framework for identifying which business activities are critical, what would happen if they were disrupted, how to recover them within acceptable timeframes, and how to demonstrate to regulators, clients, and stakeholders that this capability genuinely exists and works. It is not a checklist. It is a management system standard — and understanding that distinction is the foundation of effective BCMS implementation.
This article provides the foundational orientation every practitioner needs before engaging with the detailed requirements. It explains what ISO 22301 is, where it came from, how business continuity relates to the broader concept of organisational resilience, why disruption events have elevated BCMS to a board-level priority, and why certification is increasingly a commercial and regulatory requirement in the Indonesian market. Subsequent articles in this series address each component in depth.
What ISO 22301 Is: A Management System Standard, Not a Checklist
ISO 22301:2019 — Security and resilience — Business continuity management systems — Requirements — is an international standard published by the International Organization for Standardization. It specifies requirements for organisations to plan, establish, implement, operate, monitor, review, maintain, and continually improve a Business Continuity Management System, or BCMS. That last phrase is the key: ISO 22301 is a management system standard. It does not prescribe a fixed set of security controls or continuity procedures. It requires organisations to build and operate a system for managing business continuity that is appropriate to their context, their critical activities, and their stakeholder requirements.
This distinction matters because it shapes how organisations approach implementation. A controls-based standard tells you what to do. A management system standard tells you how to manage — how to understand your context, set objectives, allocate resources, operate effectively, measure performance, and improve over time. ISO 22301 requires organisations to understand what disruption would actually mean for them specifically, design a recovery capability appropriate to that specific context, and prove through testing and auditing that the capability works. No two ISO 22301-compliant BCMSs look exactly alike, because no two organisations face identical disruption risks or have identical recovery requirements.
ISO 22301:2019 is the second edition of the standard, replacing ISO 22301:2012. It uses the High Level Structure (HLS) — a common architecture shared by ISO 9001 (quality management), ISO 14001 (environmental management), ISO 27001 (information security), and other management system standards — which makes it significantly easier to integrate with other management systems already operating within an organisation. For any organisation that holds or is pursuing ISO 27001 certification, the structural alignment means that the management system infrastructure — leadership, planning, support, performance evaluation, improvement — is largely shared rather than duplicated.
> **KEY IDEA:** A management system standard defines how to manage, not what to do. ISO 22301 requires every organisation to build a BCMS appropriate to its own context — which means every BCMS is different, and certification cannot be achieved by implementing a generic template. The certification auditor will test whether your BCMS addresses your specific critical activities, your specific disruption risks, and your specific recovery timeframe requirements.
From BS 25999 to ISO 22301: The International Evolution of Business Continuity
Business continuity management as a formal discipline emerged from the insurance and banking sectors in the 1980s and 1990s, driven by the recognition that large-scale infrastructure failures — power outages, building fires, IT disasters — could threaten financial institutions whose obligations to counterparties and customers continued regardless of what happened to their premises or technology. The first attempt to codify best practice into a standard came from the British Standards Institution: BS 25999, published in two parts in 2006 and 2007.
BS 25999 established the vocabulary, concepts, and management system framework that ISO 22301 would later inherit and refine. It introduced the concept of the Business Impact Analysis, the Recovery Time Objective, the Maximum Acceptable Outage, and the distinction between business continuity — recovering critical activities — and disaster recovery — restoring technology infrastructure. BS 25999 Part 1 provided a code of practice; Part 2 provided certification requirements. Many organisations, particularly financial institutions, utilities, and public sector bodies in the UK and Commonwealth countries, achieved certification to BS 25999 Part 2, and the standard became the de facto international benchmark for BCM even outside the UK.
ISO 22301:2012 replaced BS 25999 as the premier international BCMS standard, adopting a global rather than UK-specific framing, strengthening the management system architecture, and adding the High Level Structure alignment that became standard for ISO management systems. The 2019 revision further refined the requirements around interested parties, leadership, planning, and the exercise programme, and clarified terminology that had caused inconsistent implementation in the 2012 version. Organisations certified to BS 25999 transitioned to ISO 22301; the standard is now recognised by accreditation bodies in more than 160 countries. The table below sets out the key differences across the three editions.
| Dimension | BS 25999:2007 | ISO 22301:2012 | ISO 22301:2019 |
|---|---|---|---|
| Origin | British Standards Institution — UK national standard | ISO/IEC — first international BCMS standard | ISO/IEC — current edition, second revision |
| Structure | Part 1 (Code of Practice) + Part 2 (Certification requirements) | Single integrated requirements document | Single document with clarified requirements and refined HLS alignment |
| High Level Structure (HLS) | Not applicable — predates HLS | Partial alignment only | Full Annex SL / HLS alignment with ISO 9001, ISO 14001, ISO 27001 |
| Scope of coverage | BCM program management | BCMS requirements including BIA, strategy, plans, exercises | Strengthened requirements for interested parties, leadership, exercises, and performance evaluation |
| Certification mechanism | Accredited third-party certification to BS 25999-2 | Accredited third-party certification by IAF-recognised CBs | Accredited third-party certification — KAN accredited in Indonesia |
| Geographic recognition | Primarily UK and Commonwealth | International recognition across 160+ countries | Global — primary BCMS certification standard worldwide |
| Current status | Withdrawn — superseded by ISO 22301 | Superseded by 2019 revision | Current — all certifications issued against this edition |
Business Continuity Management and Organisational Resilience
Business continuity management is frequently misunderstood — either reduced to IT disaster recovery, conflated with crisis management, or treated as a narrow compliance exercise relevant only to financial services. None of these characterisations is accurate, and the misunderstanding has practical consequences: BCM programmes designed around the wrong scope inevitably fail to address the disruptions that actually threaten operational continuity.
Business continuity management is concerned with the continuity of critical business activities — the processes, functions, and outputs that generate value for the organisation and its stakeholders. These may be supported by technology, people, premises, suppliers, or any combination of resources, and disruption can affect any of those resource types independently or in combination. A Business Continuity Plan addresses how the organisation continues to deliver its critical outputs if its primary premises are inaccessible, if key staff are unavailable, if critical suppliers fail to deliver, or if technology systems are unavailable for an extended period. IT disaster recovery — restoring technology infrastructure — is an important subset of BCMS operations, but far from the whole picture.
The relationship between business continuity management and organisational resilience is hierarchical. Resilience is the broader capability: the organisation’s ability to anticipate, absorb, adapt to, and recover from disruption, regardless of its nature or source. Business continuity is one of the structured disciplines within the resilience ecosystem — alongside crisis management, enterprise risk management, information security management, and supply chain risk management — that together give resilience its operational content. An organisation with a strong BCMS has a tested, documented capability to recover specific critical activities within defined timeframes. That is a concrete and auditable component of resilience. An organisation without it has aspiration but not capability. The table below compares the scope, outputs, and relationships of business continuity management, IT disaster recovery, and crisis management.
| Dimension | Business Continuity (ISO 22301) | IT Disaster Recovery | Crisis Management |
|---|---|---|---|
| Primary focus | Continuity of critical business activities — outputs, processes, and services | Recovery of technology infrastructure — servers, networks, applications | Command and communication during a major incident affecting reputation, safety, or stakeholder relationships |
| Scope | People, premises, technology, suppliers, and processes — all resource types | Technology systems and data only | Organisational leadership, stakeholder communication, and decision-making |
| Key output | Business Continuity Plans (BCPs) that specify how critical activities continue | DR runbooks and RTO/RPO targets for technology recovery | Crisis Communication Plans and command structure protocols |
| Time horizon | From immediate response through recovery to return to normal operations | Minutes to hours for technology restoration | Concurrent with the incident — may precede BCP activation |
| Standard / framework | ISO 22301 | ISO 27031, NIST SP 800-34 | ISO 22361 (Crisis management guidelines) |
| Relationship | Parent framework — integrates DR and may trigger crisis management | Subset of BCMS operations — ICT continuity plan | Parallel capability — activated when incident reaches threshold |
> **IMPORTANT:** Business continuity is not IT disaster recovery. A server that is restored in four hours is a successful DR outcome. A business that cannot serve its customers for three days because the operational processes, staff procedures, and supplier relationships needed to use that server were never part of the continuity plan is a BCM failure. ISO 22301 requires a complete business continuity capability — technology is one component of many.
Why Disruption Events Have Made BCMS a Board-Level Priority
The history of business continuity is, in large part, the history of disruption events that revealed the gap between assumptions about resilience and operational reality. For three decades, that history has delivered the same lesson: organisations that had invested in genuine continuity capability recovered faster, lost less revenue, retained more client relationships, and emerged from disruption events in stronger competitive positions than organisations that had not. The events that delivered this lesson include natural disasters, pandemics, cyber incidents, and critical infrastructure failures — and the pattern has accelerated significantly in the past decade.
The COVID-19 pandemic was the most significant stress test the global business continuity community had ever faced, and its lessons were unambiguous. Organisations with functioning BCMSs — those that had conducted business impact analyses, developed remote working procedures, tested supply chain continuity, and maintained recovery plans that did not assume office access — transitioned to disrupted operations within days and maintained client service through what became months and years of sustained operational pressure. Organisations without this foundation improvised, and the improvisation was costly: in lost revenue, in client attrition, in regulatory attention, and in the accumulated cost of crisis response that a tested plan would have avoided.
In Indonesia specifically, the disruption risk landscape is both distinct and material. Indonesia sits on the Pacific Ring of Fire; major earthquakes and volcanic eruptions are not low-probability scenarios but recurring features of the operating environment. Tropical weather produces flooding that regularly interrupts operations in Jakarta and other major commercial centres. Power infrastructure instability affects operations across the archipelago, particularly outside Java. And the rapid digitisation of Indonesian commerce has increased exposure to cyber incidents — ransomware attacks and data breaches that, without ICT continuity plans, can suspend operations for weeks. The June 2024 PDNS ransomware incident — which disrupted government digital services across multiple ministries and 282 institutions — demonstrated the national-scale consequences of inadequate BCM governance in critical digital infrastructure. These are not hypothetical scenarios. They are the conditions in which Indonesian organisations actually operate.
> **KEY IDEA:** The business case for ISO 22301 is not primarily about the certificate. It is about the capability certification requires: a tested, documented, exercised continuity programme that has identified what the organisation needs to keep running, how it will keep running when normal conditions fail, and how it will know when the capability is sufficient. The certificate is evidence of the capability. The capability is the objective.
The Indonesian Regulatory and Commercial Case for ISO 22301
In the Indonesian market, ISO 22301 certification operates at the intersection of three distinct demand drivers: regulatory requirement, commercial qualification, and enterprise risk management. For organisations in financial services, critical infrastructure, and enterprise technology services, all three apply simultaneously — and the commercial and regulatory cases have been strengthening consistently over the past five years.
The regulatory driver is most clearly articulated in the financial services sector. OJK — the Financial Services Authority — has embedded BCM requirements in its prudential framework, most significantly through POJK 11/2022 on information technology risk management for financial institutions, which includes explicit BCM obligations covering technology continuity, recovery time standards for critical systems, and annual testing requirements. Bank Indonesia’s payment system regulations set availability standards for payment infrastructure operators that are functionally equivalent to BCM requirements: a 99.5% availability SLA and a two-hour RTO for critical payment systems require a functioning continuity programme to achieve and sustain. BSSN — the National Cyber and Crypto Agency — has designated categories of critical information infrastructure operators for whom ICT continuity planning is part of the national security framework under Presidential Regulation 82/2022. For all of these organisations, ISO 22301 certification provides a structured, independently audited mechanism for demonstrating BCM compliance.
The commercial driver operates in parallel. Indonesian enterprises operating as suppliers to multinational corporations, government entities, or domestic enterprise clients are increasingly subject to supply chain BCM requirements: contractual obligations to maintain BCPs, obligations to make those plans available for review, and in some cases obligations to participate in joint exercises. State-owned enterprises and government procurement processes include BCM capability as a qualification criterion in technology tenders — a trend that accelerated significantly following the PDNS ransomware incident of 2024, which raised BCM governance expectations in government ICT procurement to a level now explicitly assessed in tender evaluations. ISO 22301 certification is the most efficient mechanism for satisfying these requirements consistently across multiple clients and procurement processes.
| Regulator / Framework | BCM Requirement | ISO 22301 Alignment |
|---|---|---|
| OJK — POJK 11/2022 | BCM policy, BIA, BCP for critical IT systems, annual testing, management reporting | Full — ISO 22301 BCMS satisfies all BCM governance and documentation requirements |
| Bank Indonesia — PBI 23/2021 | 99.5% availability for payment systems, 2-hour RTO for critical payment infrastructure, annual DR testing | Direct — the ISO 22301 BIA and exercise programme produce the evidence BI supervisors assess |
| BSSN — PP 82/2021 | ICT continuity planning for critical information infrastructure operators, incident response integration | Strong alignment — ISO 22301 Clause 8 covers ICT continuity; integrates with ISO 27001 incident management |
| UU PDP (Data Protection Law) | Data protection during disruption events; breach notification obligations apply even during continuity events | Complementary — BCMS data protection procedures address personal data handling during recovery |
| Enterprise / Government procurement | BCM capability statements, BCP availability for review, exercise participation, post-PDNS BCM governance expectations | ISO 22301 certificate satisfies all documentary BCM requirements in standard procurement processes |
| BUMN supply chain requirements | Contractual BCM obligations for critical suppliers; supplier BCP assessment | Certification demonstrates BCM maturity to BUMN procurement teams without requiring separate assessment |
> **BITLION INSIGHT:** Indonesian organisations pursuing ISO 22301 frequently discover that the compliance architecture needed to satisfy OJK, Bank Indonesia, BSSN, and enterprise client BCM requirements is essentially the same architecture that ISO 22301 certification requires — and that building it once, for certification, is materially more efficient than building it four times for four different audit audiences. The standard provides the structure; the certification provides the evidence that compounds across the 3-year surveillance cycle.
What ISO 22301 Certification Demonstrates
ISO 22301 certification — issued by an accredited certification body following Stage 1 (documentation review) and Stage 2 (implementation audit) examinations — is a formal attestation that an independent auditor has examined the organisation’s BCMS against the requirements of the standard and found it to meet them. Certification does not mean the organisation has never experienced a disruption, or that disruptions will never occur. It means the organisation has a functioning management system for business continuity: the planning, the capability, the testing, and the improvement cycle that together constitute a genuine BCM programme.
The certification cycle is three years, with annual surveillance audits in the intervening years. This structure means that certification is not a point-in-time assessment but an ongoing attestation of the BCMS’s operational status. Surveillance audits assess whether the BCMS remains operational, whether exercises have been conducted and documented, whether corrective actions from exercises and disruption events have been implemented, and whether the BCMS has kept pace with organisational change. For organisations using certification to satisfy regulatory or commercial requirements, this ongoing attestation model is significantly more valuable than a one-time assessment — it provides continuous, independently verified evidence of BCM capability rather than a certificate that becomes stale within months of issue.