In This Guide
- ISO 22301 certification follows a two-stage audit process identical to other ISO management system standards.
- Stage 1 reviews BCMS documentation, BIA, risk assessment, and management review evidence.
- Stage 2 verifies implementation through interviews, exercise records, and process observation.
- Surveillance audits occur annually covering approximately 30-40% of the initial audit scope.
- The certification cycle is 3 years, after which a full recertification audit is required.
ISO 22301 Certification Overview
ISO 22301 certification demonstrates that your organization has implemented a Business Continuity Management System (BCMS) that meets international standards. The certification process follows a two-stage audit approach, followed by ongoing surveillance to maintain certification.
The certification cycle spans three years:
- Year 1: Initial certification (Stage 1 + Stage 2 audits)
- Year 2: Surveillance Audit 1
- Year 3: Surveillance Audit 2
- Year 4: Recertification audit (new cycle begins)
Before the certification audit, your BCMS must have been operational for at least 3 months. You must have completed at least one full internal audit cycle and one management review. Additionally, business continuity exercises must have been conducted.
Selecting a Certification Body
Your choice of certification body (CB) significantly impacts your audit experience and certificate credibility.
Accreditation Requirements
Verify the CB holds accreditation from a recognized national accreditation body:
- IAS (United States of America)
- ANAB (United States of America)
- UKAS (United Kingdom)
- DAkkS (Germany)
- JAS-ANZ (Australia/New Zealand)
Accreditation ensures auditor competence, process consistency, and international recognition of your certificate through the IAF Multilateral Recognition Arrangement (MLA).
Selection Criteria
- BC Expertise: Does the CB have experienced ISO 22301 auditors?
- Industry Experience: Has the CB audited organizations in your sector?
- Geographic Coverage: Can they audit all locations in your scope?
- Timeline Flexibility: Can they accommodate your certification timeline?
- Integration Capability: If you have other certifications, can they perform integrated audits?
Stage 1 Audit: Documentation Review
The Stage 1 audit assesses whether your organization is ready for the full certification audit. It focuses on documentation completeness and preliminary BCMS implementation.
Stage 1 Objectives
- Review BCMS documentation against ISO 22301 requirements
- Evaluate the scope and context of your BCMS
- Assess understanding of the standard
- Verify internal audit and management review completion
- Review business impact analysis and risk assessment
- Confirm business continuity plans and exercise evidence exist
- Plan Stage 2 audit activities
Key Documents Reviewed in Stage 1
- BCMS Scope Statement: Clear definition of boundaries and critical activities
- Business Continuity Policy: Top management commitment and direction
- Business Impact Analysis (BIA): Critical activities, RTOs, RPOs, dependencies
- Risk Assessment: Threats to critical activities and treatments
- Business Continuity Strategy: Approach to maintaining critical activities
- Business Continuity Plans: Response and recovery procedures
- Exercise Programme: Testing approach and schedule
- Exercise Records: Evidence of exercises conducted
- Internal Audit Records: BCMS audit planning and results
- Management Review Minutes: Leadership oversight evidence
Stage 1 Duration
Stage 1 typically takes 1-2 days depending on organization size and scope complexity. It can be conducted on-site, remotely, or in a hybrid format.
Stage 1 Outcomes
- Proceed to Stage 2: Organization is ready for the implementation audit
- Proceed with Observations: Minor issues to address; Stage 2 can proceed
- Delay Stage 2: Significant gaps require remediation before proceeding
Stage 2 Audit: Implementation Verification
Stage 2 is the main certification audit, verifying that your BCMS is implemented and operating effectively.
Stage 2 Objectives
- Confirm BCMS conforms to all ISO 22301 requirements
- Verify policies and procedures are implemented and followed
- Assess effectiveness of business impact analysis and risk assessment
- Evaluate business continuity plans and procedures
- Review exercise programme effectiveness
- Verify internal audit and management review effectiveness
- Confirm awareness and competence of personnel
- Assess continual improvement mechanisms
Stage 2 Audit Methods
- Interviews: Discussions with BC coordinators, team members, management, and operational staff
- Document Review: Examination of plans, procedures, records, and logs
- Observation: Reviewing BC arrangements, alternate sites, communication systems
- Exercise Review: Examining exercise design, execution, and lessons learned
- Sampling: Selecting incidents, changes, and exercise records to verify consistent application
What Auditors Focus On
| Area | Auditor Focus |
|---|---|
| BIA Quality | Are RTOs/RPOs realistic? Are dependencies identified? Is prioritization clear? |
| BC Plans | Are plans actionable? Do they cover identified scenarios? Are contact details current? |
| Exercise Programme | Are exercises varied and challenging? Are lessons learned captured and actioned? |
| Awareness | Do staff know their BC roles? Can they locate and use plans? |
| Incident Management | Is there a clear escalation process? Has it been tested? |
Stage 2 Duration
Audit duration is calculated based on IAF guidelines:
| Organization Size | Stage 2 Days | Total Initial Audit |
|---|---|---|
| 1-10 employees | 2 days | 3 days |
| 11-45 employees | 3 days | 4 days |
| 46-125 employees | 4-5 days | 5-6 days |
| 126-425 employees | 5-7 days | 7-9 days |
| 426-625 employees | 7-8 days | 9-10 days |
Managing Audit Findings
Types of Findings
- Major Nonconformity: Absence or complete breakdown of a required element. Must be resolved before certification.
- Minor Nonconformity: Single instance of non-compliance. Certificate can be issued with accepted corrective action plan.
- Observation/Opportunity for Improvement (OFI): Area that could be improved but is not a conformity issue.
Common ISO 22301 Findings
- BIA not reviewed annually or after significant changes
- BC plans lack sufficient detail for activation
- Contact lists not maintained or tested
- Exercise programme not varied (always tabletop, never operational)
- Lessons learned from exercises not formally captured
- Dependencies on suppliers not addressed in BC plans
- Alternate site arrangements not tested
Corrective Action Process
- Acknowledge: Understand and accept the finding
- Root Cause Analysis: Determine why the nonconformity occurred
- Correction: Immediate action to fix the specific instance
- Corrective Action: Systematic changes to prevent recurrence
- Evidence: Document actions and results
- Verification: CB verifies closure
Timeframes
- Major Nonconformity: Must be closed within 90 days, verified before certification
- Minor Nonconformity: Corrective action plan accepted; verified at surveillance audit
Surveillance Audits
Annual surveillance audits verify continued BCMS conformity.
Surveillance Scope
- Internal audits and management review
- Actions on previous nonconformities
- BIA and risk assessment currency
- Exercise programme progress and results
- BC plan maintenance
- Handling of incidents (if any occurred)
- Changes to the organization and BCMS
- Continual improvement activities
Surveillance Duration
Typically 30-40% of the initial audit duration per visit. Over the 3-year cycle, all clauses and critical activities are sampled.
Recertification Audit
Before certificate expiry, a recertification audit confirms continued BCMS suitability.
Recertification Scope
- Complete BCMS review (all clauses)
- BCMS performance over the certification cycle
- Exercise programme effectiveness
- Changes to scope, organization, or threats
- Previous audit findings and actions
- Real incident handling (if applicable)
Timing
Plan recertification 3-4 months before certificate expiry. If the certificate expires before recertification completes, certification lapses.
Complete Certification Timeline
| Phase | Duration | Key Activities |
|---|---|---|
| CB Selection | 2-4 weeks | RFP, proposal review, contract signing |
| Pre-Audit Preparation | 2-4 weeks | Documentation finalization, internal audit, management review, exercise |
| Stage 1 Audit | 1-2 days | Documentation review, readiness assessment |
| Gap Closure | 2-6 weeks | Address Stage 1 findings, finalize implementation |
| Stage 2 Audit | 2-8 days | Implementation verification |
| Corrective Actions | 2-12 weeks | Resolve nonconformities, verify effectiveness |
| Certificate Issuance | 1-2 weeks | CB technical review and approval |
Total Time from Stage 1 to Certificate: Typically 6-14 weeks depending on findings and responsiveness.
Frequently Asked Questions
What happens in a Stage 1 ISO 22301 audit?
Stage 1 is a documentation review covering BCMS scope, business continuity policy, business impact analysis (BIA), risk assessment, BC strategies, exercise records, internal audit results, and management review evidence. The auditor assesses whether the organisation is ready to proceed to the Stage 2 implementation audit.
How long is the ISO 22301 Stage 2 audit?
The Stage 2 audit typically takes 2-5 days depending on organisation size and scope complexity. Smaller organisations (1-10 employees) may require 2 days, while larger organisations (126-425 employees) may need 5-7 days. Duration is calculated based on IAF guidelines.
What do auditors look for in ISO 22301?
Auditors focus on BIA completion and quality, tested business continuity plans, exercise records and lessons learned, incident management procedures, management review outputs, staff awareness of BC roles, and evidence of continual improvement. They verify both documentation and actual implementation through interviews, observation, and sampling.
Can ISO 22301 be combined with ISO 27001 audits?
Yes, integrated audits are common and efficient since both ISO 22301 and ISO 27001 share the Annex SL high-level structure. A single audit team can assess both management systems simultaneously, reducing total audit days and cost. Glocert International regularly conducts integrated BCMS and ISMS audits.
How often are surveillance audits?
Surveillance audits occur annually, covering rotating portions of the BCMS over the 3-year certification cycle. Each surveillance audit covers approximately 30-40% of the initial audit scope, ensuring all clauses and critical activities are sampled across the cycle.