ISO 22301:2019 · Full PDCA Lifecycle

Enterprise Business Continuity Management System

The only BCMS platform that covers every clause of ISO 22301 from BIA through management review — with AI throughout, HR integration, and complete lifecycle management for IT systems, facilities, suppliers, and equipment.

Built on 30+ years of enterprise resilience consulting expertise · ISO/TS 22317 BIA methodology · AI-powered throughout
88+ Database Tables · 7 BIA Steps · 9 Response Teams · 6 Exercise Formats
Standards Aligned: ✓ ISO 22301:2019 ✓ ISO 22313:2020 ✓ ISO/TS 22317 ✓ ISO/TS 22318 ✓ ISO/TS 22330 ✓ ISO/TS 22331 ✓ ISO 22398 ✓ ISO 31000

Full PDCA Lifecycle Management

Every clause of ISO 22301 has direct platform support. GRATEIC BCMS implements the Plan-Do-Check-Act cycle end-to-end — not just documentation, but operational execution from scope definition through continual improvement.

PLAN — Establish
Context & Strategy
ISO 22301 §4, §5, §6
  • Organizational context and scope definition
  • Interested party requirements
  • BC objectives and planning
  • Risk and opportunity identification
  • BIA — Process inventory, impact assessment
  • Recovery objectives (RTO, RPO, MTPD, MBCO)
  • Strategy selection and validation
DO — Implement & Operate
Execute the BCMS
ISO 22301 §7, §8
  • Competence, awareness & training (§7.2)
  • Documented information lifecycle (§7.5)
  • Full BIA workflow — all 7 steps
  • BC Plans — 3 tiers, 8 plan types
  • IT Systems, Facilities, Suppliers, Equipment
  • Exercise programme delivery
  • Incident response and recovery
CHECK — Monitor & Evaluate
Measure Performance
ISO 22301 §9
  • Performance monitoring and KPI dashboards
  • Internal audit programme (§9.2)
  • External audit and certification tracking
  • Management review inputs/outputs (§9.3)
  • Compliance status monitoring
  • Exercise findings analysis
  • Post-incident review and lessons learned
ACT — Continual Improvement
Improve the BCMS
ISO 22301 §10
  • Nonconformity and improvement tracking
  • Root cause analysis capture
  • AI-generated corrective action plans
  • KPI / KRI dashboards with trend analysis
  • Lessons learned integration from incidents
  • Improvement opportunity register
  • Board-ready AI management report

7-Step Business Impact Analysis

The most rigorous BIA workflow available — 6 impact categories, 8 time periods, five recovery metrics, dependency mapping, and AI-assisted strategy selection. Built directly on ISO/TS 22317 methodology.

1. Process Inventory: Catalogue all processes. CORE / SUPPORT / MANAGEMENT. TIER 1–4 criticality rating.
2. Impact Assessment: 6 categories × 8 time periods. NONE / LOW / MEDIUM / HIGH / CRITICAL weighted scoring.
3. Recovery Objectives: Define RTO, RPO, MTPD, MBCO, WRT per function — quantified in hours and percentages.
4. Dependency Mapping: Map IT systems, suppliers, facilities, staff, equipment — with workaround capture per dependency.
5. Resource Requirements: Minimum staffing, systems, and facilities required to operate at MBCO level.
6. Strategy Selection: Primary and secondary recovery strategies with achievable RTO validation per function.
7. Validation & Approval: Assign reviewers, track completion, multi-party review, management sign-off workflow.
  • RTO: Recovery Time Objective
  • RPO: Recovery Point Objective
  • MTPD: Max Tolerable Period of Disruption
  • MBCO: Minimum BC Objective
  • WRT: Work Recovery Time

Three-Tier BC Plan Architecture

From enterprise-wide crisis management through operational process recovery procedures — every plan type with full section management, version control, and a five-stage approval workflow.

Enterprise Tier
Organization-Wide Response
Crisis Management Plan (CMP)
Business Continuity Plan (BCP)
IT Disaster Recovery Plan (IDRP)
Tactical Tier
Division & Department Level
Departmental Business Continuity Plan
Divisional Recovery Plan
Operational Tier
Process & System Level
Process Recovery Procedure
Work Area Recovery Plan
IT System Recovery Procedure
5-Stage Approval Workflow
Draft → Submit for Review → Reviewer Approve / Reject → Executive Approve / Reject → Published

Full section management, version history, BC Plan Viewer with PDF export, approval delegation. BCP Viewer scopes IT Systems and Facilities to BIA-identified dependencies only.

IT Systems, Facilities, Suppliers & Equipment

Four resource registries capture everything your BC plans depend on — with regulatory compliance tracking, DR planning, contract and SLA management, and AI-powered KPI analysis for each registry.

IT Systems Register

Complete IT System & DR Lifecycle

ISO 22301 §8.3.4 · ISO 27001 A.8 · NIST SP 800-34
Registry Features
  • Full CRUD with Google Maps geocoding — physical and DR site locations
  • Criticality scoring aligned to BIA RTO/RPO requirements
  • Owner, contact, and dependency assignment
  • Import/export via CSV template with bulk import
  • KPI Dashboard with AI analysis — DR readiness, RTO gap, recovery capability scoring
DR Plan Sub-Module (Per System)
  • Create, upload, view, and download DR documentation per system
  • AI DR document generation — complete DR procedures from system context
  • AI DR document review — gap analysis against ISO 27001 and DR best practices
  • In-browser content editing with autosave
  • Evidence file upload to Azure Blob Storage
  • DR issues and gaps register — log, track, and resolve DR weaknesses
  • DR readiness score and RTO compliance tracking per system
Facilities Register

Site & Facility Lifecycle Management

ISO 22301 §8.3.4 · ISO 27001 A.7 · ISO/TS 22317 Step 4
Facility Attributes Captured
  • Building type, floor area, capacity, occupancy, construction year
  • Fire suppression type, sprinkler coverage, fire alarm system
  • Backup power: generator capacity/fuel type, UPS, battery runtime
  • Physical security: access control, CCTV coverage, guards, biometric entry
  • Environmental: HVAC redundancy, cooling capacity, humidity/temp monitoring
  • Assembly points with GPS coordinates, capacity, accessibility flags
Platform Capabilities
  • Google Maps geocoding and interactive map display
  • Import/export via CSV template with bulk import
  • Image upload and gallery management per facility
  • BCP integration — Viewer filters to BIA-identified facilities only
  • KPI Dashboard with AI analysis — site risk trends, coverage gaps, backup power readiness
Suppliers Register

Full Vendor & Supply Chain Lifecycle — Contracts, SLAs & Performance

ISO/TS 22318 · ISO 27001 A.5.19-22 · ISO 28000 · OSFI B-10 · GDPR
Core Supplier Data
  • Criticality: CRITICAL / HIGH / MEDIUM / LOW
  • Single-source-of-supply flag and alternative supplier tracking
  • BIA dependency linkage from Step 4 mapping
  • Import/export, KPI Dashboard, AI analysis
Contacts Tab
  • Multiple contacts per supplier with role designation
  • Account Manager, Technical Lead, Emergency Contact types
  • Primary, secondary, and emergency contact designation
Contracts & SLA Tab
  • Upload contract documents — PDF/DOCX to Azure Blob Storage
  • Contract effective/expiry dates with auto-renewal alerts
  • Secure download via authenticated route
  • SLA records: metric, target %, current performance, review frequency
MEETING / AT_RISK / BREACHING
Performance & Documents
  • Performance review records with overall rating and category scores
  • Review history timeline and corrective action triggers
  • Attach BCMS documents — NDA, DPA, supplier-specific docs
  • Version-controlled documents with download access
Equipment Register

Critical Equipment & Asset Management

ISO 22301 §8.3.4 · ISO/TS 22317 Step 5
  • Full CRUD — generators, UPS, servers, specialized tools, vehicles
  • Google Maps geocode for equipment location
  • Criticality scoring and RTO/RPO requirements per item
  • Image upload and gallery management
  • Maintenance schedule and certification tracking
  • Import/export via CSV template
  • KPI Dashboard with AI analysis — criticality gaps, maintenance schedule
  • Dependency linkage to business processes via BIA Step 4

9 Response Team Types

Pre-configured response team structures aligned with ISO 22313 Table 5 — covering every operational function required to respond to and recover from a disruption. Team leads linked to Contacts Register.

  • Crisis Management Team (Strategic): Declare incidents, activate BCMS, executive decisions, external communications
  • IT Recovery Team (Technical): ICT restoration, data recovery, cyber response, DR plan execution
  • Business Recovery Team (Operational): Business function resumption, workaround implementation, customer continuity
  • Communications Team (Communications): Internal/external comms, media liaison, staff briefings, stakeholder updates
  • HR & Welfare Team (People): Staff accountability, welfare support, family liaison, BC-trained personnel tracking
  • Facilities Team (Logistical): Alternate workspace setup, facilities access, equipment deployment
  • Supply Chain Team (Third-Party): Supplier activation, alternative sourcing, logistics continuity
  • Finance Team (Financial): Emergency payments, insurance claims, financial continuity, cost tracking
  • External Relations Team (Regulatory): Regulator notification, customer communication, government liaison

Exercise Programme

6 exercise types from discussion through full-scale simulation. 9 built-in scenarios plus custom. Findings feed directly into the NCCI Register for corrective action tracking.

  • Discussion: Awareness building
  • Tabletop: Decision testing
  • Walk-Through: Plan validation
  • Drill: Single capabilities
  • Functional: Multi-team coordination
  • Full-Scale: Maximum stress test
9 Built-In Scenarios
🔥 Fire 🌊 Flood ⚡ Power 🔐 Cyber 🦠 Pandemic 🚚 Supplier 📡 Telecom 🌪 Weather + Custom

Incident Management

Real-time response lifecycle from REPORTED through CLOSED — structured timeline logging, plan activation, team mobilisation, and post-incident review feeding into continual improvement.

  • REPORTED: Preliminary assessment. 5-level severity classification (P1 CRITICAL–P5 INFORMATIONAL).
  • OPEN: Teams activated. Structured timeline log. BC plans invoked with timestamp.
  • CONTAINED: Situation stabilised. Recovery operations commenced at MBCO level.
  • RESOLVED: BC operations implemented. Business functions restored.
  • CLOSED: Post-incident review done. Lessons learned → NCCI Register §10.1.

Document Register

Full ISO 22301 §7.5 documented information lifecycle — creation through approval, publication, and periodic review.

  • Auto-generated document control numbers
  • File upload (PDF, Word, Excel) + in-browser editing
  • AI document generation — complete policy/procedure/plan content
  • AI document review — gap analysis against ISO 22301 requirements
  • AI summarise — executive summary generation
  • Full version history with per-version download
  • 5-stage approval workflow: Draft → Published
  • Seed mandatory ISO 22301 documents in one click
  • Document portal for read-only published document access
  • Expiry and review date tracking per document

NC & Improvement Register

Track nonconformities and improvements from any source — internal audit, external audit, exercise findings, incidents, or management review. Feed directly into §10.1 corrective actions.

  • ISO clause reference, severity classification, source tracking
  • OPEN → UNDER_REVIEW → CLOSED workflow
  • Actions sub-module with owners, due dates, status tracking
  • Import findings directly from exercise and audit modules
  • AI root cause assessment and corrective action plan generation
  • AI management report — ISO 22301 §9.3 board-ready section
KPI / KRI Dashboard
  • KRIs: Overdue, closure rate, major NCs, avg age
  • 12mo: Trend chart — Chart.js
  • By ISO: Clause and severity breakdown
  • AI: Board-ready §9.3 report

Audit, Management Review & Risk Assessment

Complete §9 coverage with internal audit programmes, external audit and certification tracking, ISO-aligned management reviews, and an ISO 31000 risk assessment module — all AI-assisted.

§9.2 Internal Audit

Audit Programme Management

  • Audit programmes with scope, dates, lead auditor
  • MAJOR NC / MINOR NC / OBSERVATION / OFI findings
  • AI checklist-based gap assessment
  • Findings feed to NCCI for corrective action
  • KPI dashboard and trend reporting
External Audit & Certification

BSI & Certification Body Tracking

  • Stage 1, Stage 2, Surveillance, Recertification
  • Findings per audit with severity classification
  • Certificates module: issue/expiry dates, certification body
  • Certificate renewal alerts before expiry
  • Export audit data for management reporting
§9.3 Management Review

ISO-Aligned Review Records

  • All §9.3 inputs and outputs captured
  • Actions per review with owner and due date
  • AI-generated structured review output
  • Approval workflow and KPI dashboard
ISO 31000 Risk Assessment

BC-Specific Risk Register

  • Multiple registers, likelihood × impact scoring
  • Treatment actions and controls per risk
  • 5×5 risk matrix heat map visualization
  • AI risk analysis and treatment recommendations
  • CSV export for management reporting

Training & Competence Management

Track BC training across the entire organization — programmes, sessions, completion records, and AI-generated training plans. BC training flags surface in team assignment to ensure only trained personnel are activated.

  • Training programmes — define BC training requirements by role and maturity
  • Training sessions — schedule in-person, virtual, or e-learning delivery
  • Training register — record completion per staff member with result and expiry
  • bc_training_completed flag per staff — surfaced in team activation workflow
  • Compliance view — training completion by department, division, team
  • AI Generate Plan — complete BC training programme by role and gap analysis
  • AI Save Programs — auto-populate training records from AI output

Org Chart, Divisions & Departments

Maintain an accurate organizational mirror that keeps BC plans and team assignments aligned with how your organization actually operates.

  • Divisions — CRUD, VP and BC Coordinator assignment, drag-and-drop reorder
  • Departments — CRUD, BC Coordinator, bulk leadership assignment, auto-codes
  • Org Chart — interactive hierarchy, BC structure view, reporting lines, location view
  • Print view and JSON export of org structure
  • Process categories, locations, and BC role configuration
  • Leadership assignments: CEO, CRO, BCM Lead, Deputy BCM Lead
  • Impact categories and time periods — fully configurable for BIA Step 2

HR Integration & Staff Management

Real-time synchronisation with enterprise HR systems ensures BC Plans always reflect the current organisation. Nine change event types automatically assessed for BC impact.

Supported HR Integrations
  • NetSuite: Real-time sync via SuiteApp API — bidirectional employee lifecycle
  • Workday HCM: SCIM-based integration for org structure and employee data
  • Active Directory / Azure AD: LDAP/AD synchronisation for accounts and organisational units
  • SAP SuccessFactors: OData API for employee lifecycle events and org structure
  • CSV Import: Scheduled or on-demand import for non-API environments
9 Staff Change Events → Auto BC Impact Assessment
NEW_HIRE
TERMINATION
DEPT_CHANGE
MANAGER_CHANGE
TITLE_CHANGE
LEAVE_START
LEAVE_END
CONTACT_UPDATE
FACILITY_CHANGE
BC Training Tracking
Staff BC training completion is tracked per employee and surfaced in team assignment — ensuring only trained personnel are assigned to active response roles during incidents.

AI-Powered BCMS Management

The Claude API is integrated across every BCMS module. AI assistance is always contextual, always optional, and never blocks primary workflows — wrapped in try/catch so AI failures never disrupt operations.

BIA

AI process summaries and recovery strategy recommendations per function. KPI analysis and actionable insights.

IT Systems DR

Generate complete DR procedure documents per system. Review existing DR docs for gaps against ISO 27001 and DR standards.

Document Register

Generate policies, procedures, and BC plans. Review against ISO 22301. Summarise complex documents for management.

NCCI & Management Report

Root cause assessment, corrective action plans, and full ISO 22301 §9.3 management review report — HIGH/MEDIUM/LOW risk rated.

Audit & Review

Internal audit checklist-based gap analysis. Management review structured output from BCMS performance data.

Training & Risk

Complete BC training programme generation by role and maturity. Risk context analysis and ISO 31000 treatment recommendations.

Suppliers & Facilities

SLA compliance trends, contract expiry analysis, criticality distribution. Site risk trends, backup power readiness, coverage gap analysis.

Specialty Plans

Generate content for Invocation & Decision-Making Plans, Communications Management Plans, and other company-wide specialty plans.

Ready to implement ISO 22301?

Access the GRATEIC BCMS Platform and build a defensible, audit-ready business continuity management system