Selection of strategies and solutions

ISO 22301 Clause 8.3.3 requires you to choose business continuity strategies and solutions through a documented, formal evaluation that uses your BIA and risk assessment outputs and weighs cost versus risk, including the impact of doing nothing. You also need clear top management approval for what you select and why. 1

Key takeaways:

  • Document a repeatable evaluation method tied to BIA/risk outputs, not preferences or past practice. 1
  • Show cost-risk reasoning, including the consequences of not implementing a strategy. 1
  • Get explicit top management approval and retain evidence that connects decisions to requirements and tolerances. 1

“Selection of strategies and solutions” is the point where business continuity planning becomes an accountable business decision. Upstream work like the BIA and risk assessment produces priorities and risk scenarios, but Clause 8.3.3 expects you to convert those inputs into choices: which continuity strategies you will adopt (and which you will not), what solutions enable them, and why those choices are appropriate for your organization. 1

For a Compliance Officer, CCO, or GRC lead, the fastest path to operationalizing this clause is to treat it as a controlled decision workflow: define evaluation criteria, compare feasible options, document cost-risk tradeoffs (including “do nothing”), and route the final recommendation for top management approval. Then, preserve the record as auditable evidence and as a living reference for change management, budgeting, third-party contracting, and testing. 1

This page gives you requirement-level implementation guidance you can assign, track, and defend in an audit.

Regulatory text

ISO 22301:2019 Clause 8.3.3 (excerpt): “The organization shall select appropriate strategies based on formal evaluation, BIA/risk assessment output, and cost-risk considerations.” 1

What the operator must do: maintain a documented method for evaluating continuity strategy options, use BIA and risk assessment outputs as decision inputs, evaluate cost versus risk (including the consequences of not acting), and retain evidence of selection and approval by top management. 1

Plain-English interpretation (what auditors expect you to mean)

  • You cannot pick continuity strategies because “that’s what we’ve always done.” You need a formal evaluation that is repeatable and reviewable. 1
  • Your evaluation must trace back to BIA and risk assessment outputs (for example, prioritized activities, dependencies, disruption impacts, and plausible scenarios). 1
  • “Cost-risk considerations” means you weigh cost, feasibility, and residual risk for each option, and you explicitly consider the consequences of not implementing a strategy where gaps remain. 1
  • You need top management approval of the selected set of strategies and solutions, not just informal agreement in a meeting. 1

Who it applies to (entity and operational context)

This clause applies to any organization operating a business continuity management system (BCMS) aligned to ISO 22301. 1

Operationally, you will involve:

  • BCM/Resilience lead to run the evaluation and assemble evidence.
  • Business owners for prioritized activities and acceptable disruption impacts from the BIA.
  • IT/Security/Facilities/Operations for solution feasibility (technology, sites, workforce, supply chain).
  • Procurement and third-party risk when strategies require external services (for example, alternate sites, cloud recovery, outsourced operations).
  • Finance for cost modeling and constraint validation.
  • Top management as the approving authority for decisions and residual risk. 1

What you actually need to do (step-by-step)

Step 1: Define the “formal evaluation” method (make it auditable)

Create a short procedure or work instruction that answers:

  • What triggers the evaluation (new BIA, major change, recurring review cycle, major incident learnings).
  • Who participates and who owns the final recommendation.
  • What evaluation criteria you will score or compare (examples below).
  • What artifacts are required before approval. 1

Practical evaluation criteria (use what fits your environment):

  • Alignment to BIA outputs (priority activities, dependencies, tolerable disruption).
  • Scenario coverage from risk assessment outputs.
  • Recovery feasibility (skills, staffing, site access, technology).
  • Time to activate; complexity; operational burden.
  • Third-party reliance and concentration risk.
  • Residual risk after the strategy is implemented.
  • Cost categories (build, run, test, contractual minimums).
  • Compliance constraints (data residency, privacy, regulated operations). 1

Step 2: Compile the decision inputs from BIA and risk assessment

Build a one-page “decision input pack” per critical activity/service that includes:

  • BIA priority and impact narrative.
  • Key dependencies (people, process, technology, facilities, third parties).
  • Risk assessment scenarios that drive continuity requirements.
  • Constraints (budgetary, contractual, technical, regulatory). 1

This prevents teams from evaluating strategies in a vacuum.

Step 3: Identify strategy options and associated solutions

For each prioritized activity, list a small set of feasible strategies and the concrete solutions that enable them. Keep it grounded:

  • Workforce strategies: cross-training, role-based coverage, remote work enablement.
  • Technology strategies: redundancy, backups, recovery environments, alternate connectivity.
  • Site strategies: alternate workspace, split operations, work area recovery.
  • Supply chain/third-party strategies: alternate suppliers, contractual continuity commitments, inventory buffers.
  • Process strategies: manual workarounds, deferred processing, customer comms playbooks. 1

Tie each option to what must be built, bought, contracted, or trained.

Step 4: Evaluate options using a documented decision matrix

Use a simple matrix that a reviewer can follow. Example structure:

Option | BIA alignment | Risk scenario coverage | Feasibility | Residual risk | Cost view | “Do nothing” consequence | Recommendation

Cost-risk considerations are not limited to price. Capture:

  • What risks remain after implementation (residual risk).
  • What failure modes still exist (single points of failure, third-party outages, staffing constraints).
  • What happens if you do not act (service downtime, safety impacts, contractual breaches, regulatory exposure, reputational damage). 1

Step 5: Select the strategy set and document rationale

Your output should read like a decision record:

  • Selected strategies and solutions by activity/service.
  • Why they are “appropriate” given BIA/risk outputs.
  • Assumptions and dependencies (including third parties).
  • Accepted residual risks and who accepts them.
  • Implementation actions and owners.
  • Testing/validation approach so the strategy can be proven. 1

Step 6: Obtain top management approval and integrate with governance

Top management approval should cover:

  • The selected strategies/solutions.
  • Funding or resourcing intent (even if budget approval occurs elsewhere).
  • Explicit acceptance of residual risk and known gaps. 1

Then connect the decision to:

  • Change management (reassess when dependencies change).
  • Third-party onboarding/contracting (add continuity requirements to contracts and due diligence).
  • Training and exercising plans (prove the strategy works). 1

Required evidence and artifacts to retain

Auditors usually struggle when strategy decisions are tribal knowledge. Retain:

  • Strategy selection procedure defining the formal evaluation method. 1
  • BIA and risk assessment outputs referenced by the evaluation. 1
  • Options analysis / decision matrix with scoring or documented comparisons. 1
  • Cost-risk narrative (what you considered, why costs are justified or not, and the consequences of not acting). 1
  • Top management approval evidence (signed minutes, approval memo, governance ticket, or formal sign-off). 1
  • Implementation roadmap and ownership tied to strategy decisions (projects, backlog items, contracts).
  • Assumptions/dependency register, especially third-party dependencies that are required for the strategy to work.

If you run Daydream for third-party due diligence and risk workflows, store third-party continuity commitments, test attestations, and contract obligations next to the strategy decision record so you can show end-to-end traceability from “we chose this strategy” to “this third party supports it.”

Common exam/audit questions and hangups

Expect questions like:

  • “Show me where the BIA results directly influenced strategy selection.” 1
  • “What alternatives did you evaluate, and why were they rejected?” 1
  • “How did you evaluate cost versus risk, and how did you account for doing nothing?” 1
  • “Where is top management approval recorded?” 1
  • “What residual risks remain, and who accepted them?” 1
  • “How do you ensure strategies remain appropriate after changes to systems or third parties?”

Hangups that derail audits:

  • No defined “formal evaluation,” only a slide deck.
  • Strategies documented at a high level without the enabling solutions, dependencies, or feasibility checks.
  • No traceability from decisions to BIA/risk outputs.
  • Approval exists for the plan, but not for the strategy selection and residual risk acceptance. 1

Frequent implementation mistakes and how to avoid them

  1. Mistake: Treating the strategy as a template choice.
    Fix: Require each critical activity to have an option analysis tied to BIA/risk outputs. 1

  2. Mistake: Collapsing “strategy” and “plan” into one document.
    Fix: Keep a separate decision record for strategy selection, then reference it from plans and playbooks.

  3. Mistake: Ignoring third-party feasibility.
    Fix: If a strategy depends on a third party (cloud recovery, alternate facilities, outsourced operations), include contract and due diligence checks as entry criteria for approval.

  4. Mistake: No explicit “do nothing” consideration.
    Fix: Add a required row in the matrix for consequences of inaction. If you accept the gap, document the risk acceptance and approver. 1

  5. Mistake: No governance hook after approval.
    Fix: Map each strategy to owners, enabling projects, and validation tests, then track completion and changes.

Enforcement context and risk implications

No public enforcement cases are provided for ISO 22301 Clause 8.3.3 in the source catalog, but the operational risk is straightforward: weak strategy selection creates a BCMS that looks complete on paper and fails under real conditions. The most common failure mode is untested feasibility, especially around staffing assumptions, technology dependencies, and third-party service availability. 1

A practical 30/60/90-day execution plan

First 30 days (stabilize the decision workflow)

  • Publish a short procedure for formal evaluation and approval routing. 1
  • Gather current BIA and risk assessment outputs and identify gaps that block strategy selection. 1
  • Stand up a standard decision matrix template and require it for new or revised strategies.
  • Identify the set of critical activities/services that need documented strategy selection first (start where audit and operational exposure is highest).

By 60 days (complete initial selections and approvals)

  • Run workshops with business owners and SMEs to generate options and evaluate them against the matrix.
  • Document cost-risk considerations and consequences of not acting for each critical activity. 1
  • Prepare a top management approval packet that includes residual risk and known constraints. 1
  • Create action items for enabling solutions (projects, procurement actions, third-party contract changes).

By 90 days (operationalize and make it durable)

  • Connect strategy decisions to implementation tracking and change management so updates happen when systems, sites, or third parties change.
  • Add strategy selection evidence to your audit-ready repository (decision records, matrices, approvals, dependency lists).
  • Start validation planning: how you will test that the chosen strategies and solutions actually meet the needs defined by BIA/risk outputs. 1

Frequently Asked Questions

Do we need a quantitative scoring model to meet “formal evaluation”?

No specific scoring approach is mandated, but the evaluation must be documented, repeatable, and traceable to BIA/risk outputs and cost-risk considerations. A qualitative matrix can pass if it is consistent and shows clear rationale. 1

What counts as “top management approval” in practice?

Use whatever mechanism your governance recognizes as authoritative: signed minutes, a formal memo, or an approval workflow record. The evidence should show what was approved and that residual risk and gaps were visible to the approver. 1

How do we document “cost-risk considerations” without hard numbers?

You can document cost qualitatively by category and relative magnitude, then pair it with a clear narrative on risk reduction and residual risk. The key is to show you weighed tradeoffs and considered the consequences of not acting. 1

Our BIA is dated. Can we still select strategies?

You can proceed if you document assumptions and limitations, but expect audit friction if the BIA cannot credibly support the strategy choice. A practical path is to refresh the BIA for the most critical activities first, then complete strategy selection for those. 1

How should third-party dependencies show up in strategy selection?

Treat third-party services as enabling components of the solution and document feasibility evidence, contract expectations, and failure modes. If a third party is critical to the strategy working, capture that dependency and route it through your third-party due diligence workflow. 1

What artifact is the “single source of truth” for auditors?

A strategy selection decision record that references the BIA/risk outputs, contains the options analysis, documents cost-risk and “do nothing” consequences, and includes top management approval. Supporting artifacts can live in other systems if they are linked and controlled. 1

Footnotes

  1. ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements

