Standard: ISO 22301:2019 — Security and resilience — Business continuity management systems
Tier: 1 — Foundational
Framework role: Resilience pillar and MSP business continuity service offers
ISO 22301 specifies requirements for a BCMS. The ICT Governance Framework addresses continuity through the Resilience pillar, RPAS recovery design, and asset register DR posture fields.
| 22301 element | Framework implementation | Status |
|---|---|---|
| Context and leadership | BC service tiers in README, governance council | Documented |
| Business impact analysis | FAIR loss magnitude, asset criticality | Partial |
| BC strategies | Git-to-cloud recovery, RPAS | Designed |
| BC plans | RPAS rollback/recovery guides | Documented |
| Exercising and testing | — | Gap (G-B3) |
| Performance evaluation | DR fields in asset register | Partial |
| Continual improvement | Improvement focus area 6 | In progress |
| Component | Location |
|---|---|
| Resilience pillar contracts | tests/contracts/resilience.contract.test.js |
| DR fields on assets | sql/asset_dr_fields.sql, migrations |
| RPAS recovery | docs/implementation/guides/RPAS-Rollback-Recovery-Ransomware-Example.md |
| Business continuity services | README § BC |
| Verification scripts | verify-gb3-recovery.js |
| Domain | Maturity |
|---|---|
| Business Continuity (ISO 22301, NIST SP 800-34) | Level 3 (62%) |
~55–65% — strong design; attestation weak until end-to-end DR test with RTO/RPO.