In brief: An ISO 22301 business continuity audit verifies that your organisation has a real plan to keep operating when something goes wrong — and that the plan is tested and improved. It reviews the business impact analysis, risk assessment, continuity strategies and plans, testing exercises, and continual improvement. There are two major stages: the internal audit you carry out first, and the certification audit executed by an ENAC-accredited body in two phases. Certification follows a three-year cycle with annual surveillance. Here I explain what each part looks at and how to arrive prepared.

What ISO 22301 is and what a BCMS is

ISO 22301 is the international standard for business continuity management systems. In plain terms: it sets out how to prepare your organisation so that, if a serious incident occurs — a fire, a cyberattack, the failure of a critical supplier, a flood — your company can continue delivering its essential services or restore them within a reasonable time.

A BCMS (Business Continuity Management System) is the set of policies, procedures, responsibilities, and resources that underpin that readiness. It is not a document kept in a drawer. It is a living thing that is maintained, tested, and updated. The standard follows the high-level structure common to other ISO management standards, so if you already work with ISO 9001 or ISO 27001 many elements will be familiar: organisational context, leadership, planning, support, operation, performance evaluation, and improvement.

What matters for understanding the audit is this: ISO 22301 does not tell you which risks to cover or how long you can afford to be offline. That is for you to decide based on your business. What it requires is that you have analysed it rigorously, that you have a plan coherent with that analysis, and that you can demonstrate it works. The audit verifies exactly that.

What an ISO 22301 audit checks

When I audit a continuity system, or prepare a client for an external certification audit, I always review the same blocks. These are the core of the standard and of any serious audit.

Business Impact Analysis (BIA)

The BIA is the starting point. Here you identify your activities, prioritise them, and define how long you can allow each one to be down before the damage becomes unacceptable (the standard calls this the maximum tolerable period of disruption, MTPD). From this come two parameters the auditor will ask for: the Recovery Time Objective (RTO), the target time to restore the activity, which must sit within the MTPD, and the Recovery Point Objective (RPO), the amount of data loss, measured in time, that you can tolerate. The auditor does not want to see a polished BIA — they want to see that it is realistic and that someone has thought it through properly, with data rather than guesswork.

Risk assessment

Once you know which activities are critical, you assess which threats could disrupt them and with what probability and impact. The auditor checks that the methodology is consistent, that it covers the threats relevant to your sector and location, and that it connects with the decisions you make afterwards. If you have a site in a flood-prone area and it does not appear in the analysis, that stands out immediately.

Continuity strategies and plans (BCP)

With the BIA and risks on the table, you define your strategies: system redundancy, alternative sites, agreements with backup suppliers, remote working, backups. And you turn them into operational Business Continuity Plans (BCPs). The auditor checks that plans exist, that they are current, that people know they exist, and that they cover what the analysis identified as critical. A plan that does not match the BIA is a classic incoherence: a backup taken once a day cannot deliver an RPO of one hour, and a recovery procedure that needs a supplier with a 48-hour response cannot deliver an RTO of 12 hours.

Tests and exercises

This is where many organisations fall short. A plan that has never been tested is worth little. The standard requires periodic exercises: drills, system recovery tests, tabletop exercises with the crisis committee. The auditor will ask for records of those exercises, including the recovery time actually achieved against the RTO, what failed, what was learned, and what changed afterwards. Without evidence of real tests, certification is unlikely.
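The coherence the auditor looks for across the BIA, the plans and the exercise records can be checked mechanically before the internal audit. The script below is an added example written for this article, not a tool from the standard or from any certification body: it cross-checks a constructed BIA register (MTPD, RTO, RPO per activity) against the documented plans (review date, backup interval) and the latest exercise result (achieved recovery time, lessons closed), and reports the classic incoherences described above. The data model, the activity names, the figures and the one-year review and exercise thresholds are assumptions for illustration; use your own BIA and your own review periods.

```python
"""Cross-check a BIA register against continuity plans and exercise evidence.

Added example for this article; the data model, thresholds and sample
figures below are constructed for illustration, not taken from ISO 22301
or from any real organisation.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Activity:
    name: str
    mtpd_hours: float  # maximum tolerable period of disruption (from the BIA)
    rto_hours: float   # recovery time objective, must be <= MTPD
    rpo_hours: float   # recovery point objective (tolerable data loss, in time)


@dataclass
class Plan:
    activity: str
    last_reviewed: date
    backup_interval_hours: Optional[float]  # None = no backup arrangement documented


@dataclass
class Exercise:
    activity: str
    held_on: date
    achieved_rto_hours: float  # recovery time measured during the exercise
    lessons_closed: bool       # improvement actions from the exercise closed


def check_bcms(activities, plans, exercises, today,
               max_plan_age_days=365, max_exercise_age_days=365):
    """Return a list of (activity, finding) pairs; an empty list means coherent."""
    findings = []
    plans_by = {p.activity: p for p in plans}
    exercises_by = {}
    for e in exercises:
        exercises_by.setdefault(e.activity, []).append(e)

    for a in activities:
        # BIA internal consistency: RTO cannot exceed the tolerable outage.
        if a.rto_hours > a.mtpd_hours:
            findings.append((a.name, "RTO exceeds MTPD"))

        plan = plans_by.get(a.name)
        if plan is None:
            findings.append((a.name, "no continuity plan"))
            continue
        if (today - plan.last_reviewed).days > max_plan_age_days:
            findings.append((a.name, "plan review overdue"))
        # Backup frequency is what actually delivers the RPO.
        if plan.backup_interval_hours is None:
            findings.append((a.name, "no backup arrangement"))
        elif plan.backup_interval_hours > a.rpo_hours:
            findings.append((a.name, "backup interval exceeds RPO"))

        history = exercises_by.get(a.name, [])
        if not history:
            findings.append((a.name, "never exercised"))
            continue
        latest = max(history, key=lambda e: e.held_on)
        if (today - latest.held_on).days > max_exercise_age_days:
            findings.append((a.name, "exercise overdue"))
        if latest.achieved_rto_hours > a.rto_hours:
            findings.append((a.name, "RTO not met in last exercise"))
        if not latest.lessons_closed:
            findings.append((a.name, "exercise lessons not closed"))
    return findings


def run_sample_check():
    """Constructed sample data: one coherent activity and three with gaps."""
    today = date(2025, 6, 1)
    activities = [
        Activity("Payments", mtpd_hours=8, rto_hours=4, rpo_hours=1),
        Activity("Order management", mtpd_hours=24, rto_hours=12, rpo_hours=4),
        Activity("Payroll", mtpd_hours=72, rto_hours=48, rpo_hours=24),
        Activity("Customer support", mtpd_hours=24, rto_hours=36, rpo_hours=8),
    ]
    plans = [
        Plan("Payments", date(2025, 1, 10), backup_interval_hours=0.25),
        Plan("Order management", date(2023, 6, 1), backup_interval_hours=24),
        Plan("Customer support", date(2025, 2, 1), backup_interval_hours=4),
        # Payroll deliberately has no plan although the BIA marks it critical.
    ]
    exercises = [
        Exercise("Payments", date(2025, 3, 1), achieved_rto_hours=3, lessons_closed=True),
        Exercise("Order management", date(2024, 2, 15), achieved_rto_hours=18, lessons_closed=False),
        Exercise("Customer support", date(2025, 4, 10), achieved_rto_hours=20, lessons_closed=True),
    ]
    return check_bcms(activities, plans, exercises, today)


if __name__ == "__main__":
    for activity, finding in run_sample_check():
        print(f"{activity}: {finding}")
```

Run it against a real register exported from your BIA and plan inventory and the output is a ready-made list of non-conformity candidates to close before the certification body sees them. The threshold values are policy decisions, not requirements of the standard: set the plan review and exercise periods to whatever your own BCMS procedure commits to, because that commitment is what the auditor will measure you against.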

Continual improvement

The system must evolve. After every real incident, every exercise, and every audit, improvement actions arise. The auditor checks that previous non-conformities have been closed, that corrective actions worked, and that management reviews the system regularly. A stagnant BCMS is a system that no longer genuinely protects.

Block audited | What the auditor asks for | Typical evidence
--- | --- | ---
Context and leadership | Defined scope and real management commitment | Continuity policy, BCMS scope, assigned roles
Business Impact Analysis (BIA) | Critical activities with justified RTO and RPO | BIA report, prioritisation criteria
Risk assessment | Consistent methodology and relevant threats | Risk matrix, acceptance criteria
Continuity plans (BCP) | Operational plans coherent with the BIA | BCP, recovery plans, crisis contacts
Tests and exercises | Evidence of drills and lessons learned | Exercise records, post-test reports
Continual improvement | Closed non-conformities and management review | Action register, review minutes

Internal audit vs certification audit

It is worth keeping two things separate that look similar but are not the same.

The internal ISO audit is organised by your own company, with in-house personnel or an external consultant who did not participate in building the system. It is mandatory under the standard and serves to detect failures before the certification body does. I always present it as a dress rehearsal: if you find the problems yourself, you fix them at your own pace; if the certification auditor finds them, you fix them under pressure and with a non-conformity on record.

The certification audit is carried out by an independent body and is split into two phases. Phase 1 is a documentary review: the auditor checks that you have the BCMS documentation, that the scope is clear, and that you are ready for the next phase. It typically flags significant gaps before going further. Phase 2 is the on-site audit: the auditor interviews staff, reviews records, and verifies that what is written on paper actually happens. If Phase 1 warns you that you are not ready, it is better to stop and correct before facing Phase 2.

The role of an ENAC-accredited certification body

For your certificate to carry weight with clients, public tenders, and partners, it must be issued by an independent certification body — and not just any one: you need a certification body accredited by ENAC, the Entidad Nacional de Acreditación (National Accreditation Body of Spain). Accreditation is what guarantees that the certification body operates with recognised competence and impartiality.

The difference is practical. A certificate issued by an ENAC-accredited body is generally accepted as-is in public tenders and supplier approval processes, as are certificates from bodies accredited by other national accreditation bodies recognised under the IAF multilateral arrangements. One issued by a body without recognised accreditation may be of limited use. Before signing, check on the ENAC website that the certification body is specifically accredited for ISO 22301, because accreditation is scope-specific, not blanket.

Non-conformities and how to prepare

An audit can produce two types of non-conformity. Major non-conformities are serious failures: a standard requirement you do not meet, or a systemic failure that affects the real continuity capability. Minor non-conformities are isolated deviations that do not compromise the entire system. A major non-conformity can hold up certification until you correct it and demonstrate the fix; minor ones are resolved with an agreed action plan within a set timeframe.

To arrive well prepared, here is what I recommend to my clients. Carry out the internal audit with time to spare — weeks before, not the night before. Close the non-conformities you find there with documented evidence. Make sure people know their responsibilities in the event of an incident, because the auditor will ask teams directly, not just the quality department. Have the exercise evidence ready, as that is what is most often forgotten. And prepare the management review, which demonstrates that senior leadership is genuinely involved rather than just signing off.

If your organisation has been through other certifications, much of this process will already be familiar. And if you are wondering about cost, it depends heavily on the size of the company, the number of sites, and the complexity of your processes. This article on how much certification costs for a comparable management standard can serve as a reference, because the audit fee logic is similar.

The three-year certification cycle

ISO 22301 certification is not a one-time exercise. It works in three-year cycles. In the first year you go through the full initial audit with Phase 1 and Phase 2, and if all goes well you receive the certificate. In the following two years the certification body carries out lighter surveillance audits to confirm you are keeping the system alive and continuing to improve. At the end of three years you face recertification — a full audit that renews the certificate for another cycle.

This has a consequence worth accepting from the outset: business continuity is not a project you finish; it is a capability you maintain. The certificate only reflects that at each visit the system was still working. That is why companies that treat it as an annual formality struggle at surveillance audits, while those that embed it into daily operations pass almost without breaking a sweat.

Conclusion

Auditing business continuity under ISO 22301 means demonstrating, with evidence, that your company can absorb a serious blow and keep operating. The audit reviews the impact analysis, risks, plans, tests, and continual improvement — first in an internal audit and then in a two-phase certification audit before an ENAC-accredited body, all within a three-year cycle. Done properly, it is not a bureaucratic burden: it is proof that you have thought through what you would do on the worst day.

In my regulatory compliance consultancy I support companies in Valladolid, Las Palmas, and across Spain in building and maintaining their continuity systems, preparing for audit, and choosing a certification body. If you would like to review where you stand, write to me and we will look at it together.