ucstoolkitucstoolkitucstoolkit
0
SME manager reviewing ISO 22301 without a consultant documentation checklis

Can You Get ISO 22301 Certified Without Hiring a Consultant?

Many SMEs search for ISO 22301 without a consultant because the business need is real but the budget is not unlimited. A customer asks for certification before awarding a contract. A tender requires a recognised Business Continuity Management System. Leadership wants proof that the company can keep operating during disruption. Then the same question appears: do you really need to pay for a full consultant-led project, or can your internal team prepare using structured documents, templates, and practical guidance?

The honest answer is yes, many businesses can prepare for ISO 22301:2019 certification without hiring a full-time consultant. But success depends on understanding what auditors expect: clear scope, documented responsibilities, realistic business impact analysis, tested continuity plans, internal audit evidence, and management review records. A toolkit can save weeks of writing, but your team still has to customise and implement the system.

Quick Answer

Yes, you can get ISO 22301 certified without hiring a consultant. ISO 22301:2019 certification does not legally require a consultant; it requires your organization to implement a working Business Continuity Management System, keep appropriate documented information, and pass an independent certification body audit.

For many SMEs, the most cost-effective route is not starting from a blank page. An ISO 22301 documentation toolkit can provide editable policies, procedures, forms, records, and implementation structure so your internal team can focus on customisation, evidence, testing, and audit readiness.

In This Guide

Can You Get ISO 22301 Without a Consultant?

You can pursue ISO 22301 certification without a consultant because the certification body is not auditing whether you hired external help. It is auditing whether your Business Continuity Management System, or BCMS, meets ISO 22301:2019 requirements and works in practice.

A consultant can guide the project, interpret requirements, run workshops, and prepare documentation. That can be useful, especially for complex organizations. But the consultant cannot operate the BCMS for you. Your business must still decide the scope, understand its critical activities, set recovery priorities, test continuity arrangements, train relevant people, and keep evidence.

What does ISO 22301 certification actually require from your team?

Your team needs to show that business continuity is not just a document folder. Auditors will expect to see how the BCMS is planned, implemented, checked, and improved. That means documented information under Clause 4 to Clause 10, including the BCMS scope, leadership commitment, risks and opportunities, business impact analysis, continuity plans, performance evaluation, internal audit, management review, and corrective action.

The practical question is not “Can we avoid a consultant?” The better question is “Do we have someone internally who can coordinate the project, collect evidence, and keep people accountable?” If the answer is yes, a structured documentation approach can work well.

For a broader introduction to the standard before you start implementation, read what ISO 22301 is and why your business needs it.

Quick check: If one person in your business can own the BCMS project for 6–8 weeks, coordinate inputs from operations, IT, HR, facilities, and senior management, and maintain version-controlled records, you may not need full consultant-led implementation.

ISO 22301 Documentation Requirements Before Certification

The biggest obstacle in ISO 22301 certification without consultant support is usually documentation. Not because every document is difficult, but because there are many moving parts and they must match how the business actually operates.

ISO 22301 uses the term documented information. In practical terms, this includes policies, procedures, plans, registers, completed forms, meeting records, exercise reports, audit evidence, and corrective action records.

What ISO 22301 documents do you need before certification?

Before your certification audit, you should be ready with a controlled set of BCMS documents and records. At minimum, most SMEs should prepare the following:

  • BCMS scope: Defines the products, services, sites, departments, and boundaries covered by certification.
  • Business continuity policy: Shows leadership commitment and sets the direction for the BCMS.
  • Business continuity objectives: Practical objectives linked to continuity performance, such as test completion or recovery capability.
  • Business impact analysis: Identifies critical activities, dependencies, maximum tolerable periods of disruption, and recovery priorities.
  • Risk assessment: Assesses threats that could disrupt critical activities, services, sites, systems, people, or suppliers.
  • Business continuity strategies and solutions: Describes how the organization will maintain or recover critical activities.
  • Business continuity plans: Provides actionable steps for disruption scenarios, recovery teams, escalation, resources, and responsibilities.
  • Incident response procedures: Explains how incidents are assessed, escalated, managed, and closed.
  • Communication plan: Defines internal, customer, supplier, regulator, and media communication responsibilities.
  • Testing and exercise records: Evidence that plans have been tested, reviewed, and improved.
  • Training and awareness records: Evidence that relevant people understand their continuity roles.
  • Internal audit records: Evidence that the BCMS was checked before the certification audit.
  • Management review records: Evidence that top management reviewed BCMS performance, risks, audit results, and improvement actions.
  • Corrective action records: Evidence that issues, audit findings, and exercise gaps were investigated and resolved.

Why must ISO 22301 templates match your real business?

Templates are useful only when they are customised. A generic business continuity plan that says “restore operations within 24 hours” will not help if your business impact analysis shows that one critical service must resume in 4 hours while another can wait 3 days.

Auditors look for consistency. Your scope should match your policy. Your business impact analysis should drive your continuity strategies. Your continuity plans should reflect your actual people, systems, suppliers, locations, and recovery priorities. Your exercise records should test the plans you claim to rely on.

If you want ready-made business continuity management system documentation instead of building everything manually, browse the full ISO documentation toolkit collection.

Pro tip: Before writing continuity plans, finish the business impact analysis first. If plans are written before critical activities, recovery time objectives, dependencies, and priorities are agreed, the plans usually become generic and weak under audit questioning.

When Do You Actually Need an ISO 22301 Consultant?

A consultant is not mandatory, but there are situations where external support is genuinely useful. The decision should be based on risk, complexity, time pressure, and internal capability — not fear of the audit.

When is a consultant useful for ISO 22301 certification?

Consider consultant support if your business has multiple sites, operates in a highly regulated sector, has no internal project owner, or must achieve certification under a tight deadline. A consultant may also help if your organization has failed a certification audit before, has complex supply chains, delivers critical services, or needs to align ISO 22301 with existing ISO 27001, ISO 9001, or risk management systems.

Consultants are also valuable when senior management needs facilitation. For example, setting maximum tolerable periods of disruption, approving continuity investment, and deciding recovery priorities can involve difficult business trade-offs.

Can small businesses manage ISO 22301 internally?

Yes, many small and mid-sized businesses can manage the project internally if they keep the scope realistic. A 30-person service company with one main office, a small number of critical services, and existing IT backup arrangements may be able to implement ISO 22301 with a toolkit and internal coordination.

A 500-person organization with 6 sites, regulated clients, outsourced operations, and 24/7 service commitments will usually need more planning, workshops, and technical input. That does not always mean full consultant-led implementation, but it may justify limited expert review.

If your company is comparing ISO 22301 with other management system standards, the guide to ISO 27001, ISO 22301, and ISO 42001 implementation can help you decide how business continuity fits into your wider compliance roadmap.

ISO 22301 Certification Cost With and Without a Consultant

ISO 22301 certification cost depends on company size, number of sites, headcount, audit duration, certification body, internal workload, and whether you use external support. The certification body audit fee is separate from implementation cost. Hiring a consultant increases implementation cost but may reduce internal effort and rework.

For many SMEs, the lowest-risk budget decision is the middle ground: use an ISO 22301 documentation toolkit, assign an internal project owner, and only buy limited consultant support if you need review or coaching.

Option Best For Cost Level Pros Cons
Do it yourself from scratch Teams with ISO experience and enough time to write all documents internally Lowest direct spend, highest internal time cost Full control over every document and process Slow, easy to miss requirements, high risk of inconsistent documentation
Use an ISO 22301 documentation toolkit SMEs with an internal project owner who want ready-made templates Low to medium Saves writing time, provides structure, supports audit preparation Still requires customisation, implementation, testing, and evidence
Toolkit plus limited consultant support Businesses that want document structure plus expert review Medium Good balance of cost control and external assurance Requires coordination between internal team and consultant
Full consultant-led implementation Complex, regulated, multi-site, or urgent projects Highest Strong guidance, faster decision-making, reduced uncertainty Can become expensive and may create dependence if internal ownership is weak

Quick check: When comparing costs, include internal time. A “free” DIY approach can become expensive if your operations manager spends 60–100 hours writing documents that a structured toolkit already provides.

ISO 22301 Implementation Checklist and 8-Week Timeline

ISO 22301 implementation without a consultant is manageable when the work is sequenced properly. Most SME delays happen because teams jump straight into writing continuity plans before defining scope, responsibilities, business impact, and recovery priorities.

How long does ISO 22301 implementation take without a consultant?

A focused SME can often prepare for certification in about 8 weeks, assuming management support, a clear scope, and availability from key process owners. Larger or more complex organizations may need 3–6 months, especially where multiple sites, outsourced suppliers, or critical customer services are involved.

  1. Week 1 — Define scope and responsibilities: Confirm which sites, services, departments, and activities are included in the BCMS. Assign a project owner, process owners, response roles, and management approval responsibilities.
  2. Week 2 — Prepare core BCMS documents: Draft the business continuity policy, BCMS procedure, objectives, interested parties, document control approach, and core registers.
  3. Week 3 — Complete business impact analysis: Identify critical activities, dependencies, maximum tolerable periods of disruption, recovery time objectives, minimum resources, and priority services.
  4. Week 4 — Complete risk assessment and continuity plans: Assess disruption risks, define continuity strategies, and build practical plans for incident response, recovery, communications, and resource management.
  5. Week 5 — Train staff and test plans: Brief relevant employees, confirm roles, run a tabletop exercise or scenario test, and record lessons learned.
  6. Week 6 — Run internal audit: Audit the BCMS against ISO 22301:2019 requirements and your own procedures. Record findings clearly and assign corrective actions.
  7. Week 7 — Complete management review and corrective actions: Hold a formal management review covering audit results, exercise outcomes, objectives, risks, resources, and improvement actions.
  8. Week 8 — Prepare for certification audit: Check document control, evidence folders, staff awareness, open actions, scope statement, audit agenda, and readiness for Stage 1 and Stage 2 certification audits.

What evidence do auditors expect for ISO 22301 certification?

Auditors will not only read your documents. They will ask for records proving that the BCMS is active. This includes completed business impact analysis forms, risk assessment records, approved continuity plans, exercise reports, attendance records, internal audit findings, management review minutes, corrective actions, and evidence that people understand their roles.

If your organization operates in the Gulf region or has regional continuity requirements, the post on ISO 22301 business continuity lessons in Qatar after FIFA gives useful context for resilience planning.

ISO 22301 Certification Mistakes That Make Audits Harder

ISO 22301 certification becomes harder when the BCMS looks polished on paper but weak in operation. Certification bodies such as BSI, Bureau Veritas, DNV, SGS, and LRQA are used to seeing template-based systems. Templates are not the problem. Uncustomised templates are.

What mistakes should you avoid when preparing ISO 22301 documentation?

  • Downloading generic templates and not customising them: Names, roles, recovery times, suppliers, systems, and escalation routes must reflect your business.
  • Missing the business impact analysis: Without BIA evidence, continuity priorities are usually unsupported.
  • Writing plans that do not match real operations: Plans should reflect actual locations, teams, tools, systems, and dependencies.
  • No evidence of testing or exercises: Clause 8.5 expects exercising and evaluation, not just written plans.
  • No internal audit before certification: Clause 9.2 requires internal audit evidence before the certification body audit.
  • No management review records: Clause 9.3 requires top management review of BCMS performance and improvement needs.
  • Staff do not understand continuity roles: If people named in plans cannot explain their responsibilities, auditors will question implementation.
  • Documents are written but not implemented: A folder of policies is not a functioning BCMS.

Pro tip: Before the certification audit, interview 3–5 people named in your continuity plans. Ask them what happens first during a disruption, who they contact, what system or site they depend on, and where the latest plan is stored. Weak answers reveal training gaps before the auditor finds them.

Can an ISO 22301 Documentation Toolkit Replace a Consultant?

An ISO 22301 documentation toolkit can replace much of the document-writing workload, but it does not certify your company and it does not replace the certification body audit. Think of it as a structured starting point: policies, procedures, forms, registers, plans, and records that your team adapts to your organization.

A toolkit is most useful when the business has someone internally managing the project, wants editable documents, needs a clear implementation structure, and is prepared to customise templates properly. It is not a magic certificate. It is a way to avoid starting from a blank page.

How do ISO 22301 templates reduce consultant costs?

ISO 22301 templates reduce consultant costs by giving you the first draft of the system. Instead of paying someone to write a business continuity policy, BIA form, risk register, continuity plan, exercise record, internal audit checklist, and management review template from scratch, your team starts with a structured package and spends time making it accurate.

This can also make limited consultant support more efficient. If you decide to hire a consultant for review only, they can assess your customised toolkit documents, identify gaps, and coach your team instead of billing hours to create basic forms.

What should you customise in an ISO 22301 documentation toolkit?

At a minimum, customise your scope, organizational context, interested parties, critical activities, recovery time objectives, supplier dependencies, communication contacts, response team roles, escalation routes, exercise scenarios, and corrective action records. Replace example text with your real business information. Remove anything that does not apply.

Auditors can usually tell when a document has not been adapted. References to irrelevant departments, unrealistic recovery times, generic job titles, and copied risk examples all create avoidable questions.

What Should You Do Next for ISO 22301 Certification Without Consultant Support?

If you want ISO 22301 certification without consultant involvement, start with a practical action plan. Do not begin by writing every document at once. Build the system in the same order an auditor will expect to understand it: scope, leadership, planning, operation, performance evaluation, and improvement.

  1. Confirm why your business needs ISO 22301: Identify whether the driver is a tender, client requirement, regulatory expectation, internal resilience goal, or supply chain requirement.
  2. Define the BCMS scope: Decide which locations, departments, services, and activities are included.
  3. Identify required documents: Create a document list covering policies, procedures, plans, forms, records, and registers.
  4. Complete business impact analysis: Identify critical activities, disruption impacts, recovery times, dependencies, and minimum resources.
  5. Prepare business continuity plans: Build practical plans for incident response, communications, recovery, and continuity of critical activities.
  6. Test the plans: Run at least one exercise, record results, capture lessons learned, and update plans.
  7. Complete internal audit and management review: Check the system formally before the certification body audit.
  8. Book the certification audit: Choose an accredited certification body and prepare for Stage 1 and Stage 2 assessment.

Need ready-made ISO 22301 documents? The ISO 22301:2019 BCMS Documentation Toolkit from ucstoolkit.store includes editable policies, procedures, forms, and records to help you prepare faster without writing everything from scratch.

Frequently Asked Questions

Can you get ISO 22301 certified without a consultant?

Yes, you can get ISO 22301 certified without a consultant. Certification depends on whether your organization has implemented a Business Continuity Management System that meets ISO 22301:2019 requirements and passes an independent certification body audit. A consultant can help, but your organization is still responsible for scope, business impact analysis, continuity plans, testing, internal audit, management review, and corrective actions.

What documents are required for ISO 22301 certification?

ISO 22301 certification normally requires documented information such as the BCMS scope, business continuity policy, objectives, business impact analysis, risk assessment, continuity strategies, business continuity plans, incident response procedures, communication plan, exercise records, training records, internal audit records, management review minutes, and corrective action records. The exact documents depend on your scope, activities, sites, risks, and certification body expectations.

How long does ISO 22301 implementation take?

ISO 22301 implementation can take around 6–8 weeks for a focused SME with a clear scope, management support, and an internal project owner. Larger organizations, multi-site businesses, regulated companies, or companies with complex supply chains may need 3–6 months. The timeline depends on existing documentation, business continuity maturity, staff availability, and how quickly testing, internal audit, and management review can be completed.

How much does ISO 22301 certification cost?

ISO 22301 certification cost includes implementation time, documentation preparation, training, internal audit, management review, and the certification body audit fee. Consultant-led implementation is usually the most expensive option, while doing everything from scratch has the lowest direct spend but the highest internal time cost. Many SMEs reduce total cost by using an ISO 22301 documentation toolkit and only buying limited consultant support if needed.

Can an ISO 22301 toolkit help with certification?

Yes, an ISO 22301 toolkit can help with certification by providing editable policies, procedures, forms, registers, plans, and records aligned with the standard. A toolkit does not guarantee certification and does not replace implementation, testing, or the certification body audit. It is most useful when your team wants to save writing time, follow a structured approach, and customise documents to match real business operations.

What is the difference between ISO 22301 and a business continuity plan?

ISO 22301 is a full Business Continuity Management System standard, while a business continuity plan is one part of that system. A plan explains how the organization responds to disruption and recovers critical activities. ISO 22301 also covers leadership, scope, risk assessment, business impact analysis, objectives, support, competence, exercising, performance evaluation, internal audit, management review, and continual improvement.

Do small businesses need ISO 22301 certification?

Small businesses may need ISO 22301 certification if customers, tenders, regulators, insurers, or enterprise supply chains require formal proof of business continuity capability. Certification can also help SMEs show that they have planned for disruptions affecting people, premises, suppliers, systems, and critical services. Not every small business needs certification, but many benefit from using ISO 22301 as a structured resilience framework.

Next Steps

You can pursue ISO 22301 without a consultant if your business has internal ownership, management support, realistic scope, and the discipline to create evidence — not just documents. The work is manageable when you follow the right order: define scope, complete the business impact analysis, assess risks, build continuity plans, test them, run internal audit, hold management review, and close corrective actions before the certification audit.

Ready to reduce the writing workload? The ISO 22301:2019 BCMS Documentation Toolkit gives you editable policies, procedures, forms, plans, and records so your team can prepare faster and avoid starting from a blank page.

ISO 22301 Documentation Requirements: 2026 ChecklistBack to blogISO 27701:2025 Without ISO 27001: Separate Certification?

Related Articles

How Long Does ISO Certification Take From Scratch? 2026

Can ChatGPT Write ISO Documentation for Certification? 2026

Client Asked for ISO Certification? What to Do Next in 2026

Can a One-Person Company Get ISO Certified? 2026 Guide

Which ISO Certification Do I Need for My Business? 2026 Guide

Sunday,Monday,Tuesday,Wednesday,Thursday,Friday,Saturday
January,February,March,April,May,June,July,August,September,October,November,December
Not enough items available. Only [max] left.
Shopping cart

Your cart is empty.

Return To Shop

Enable cookies to use the shopping cart
Add Order NoteEdit Order Note
Add A Coupon
Subtotal:
$0.00

View cart

Add A Coupon

Coupon code will work on checkout page

Shop
Sidebar
0Cart
Filter
Search
Menu