
An ISO 22301 certification audit is structurally similar to an ISO 27001 audit: a stage 1 documentation review, a stage 2 evidence walk-through, and surveillance audits between recertification cycles. The substance is different.

ISO 27001 auditors are mostly asking whether the management system describes what you actually do. ISO 22301 auditors are mostly asking whether the management system would survive what would actually happen. The difference matters because business continuity programmes can look complete on paper and still fail their first real test. Auditors know this, and the questions they ask reflect it.

This piece walks through the questions an ISO 22301 auditor is likely to ask, the evidence they need to see, and the cross-cutting themes that determine whether a programme reads as healthy or theoretical.

Key takeaways

  • ISO 22301 audits test whether the BCMS would actually work, not just whether it is documented.
  • The BIA is the single document an auditor will spend the most time on. If the BIA is weak, everything downstream will be questioned.
  • Exercises that have been conducted, learned from, and acted on are the strongest evidence in the audit.
  • Management review and internal audit outputs are the simplest way to demonstrate the BCMS is alive.
  • The pattern that makes audits go well is traceability: business priorities to BIA to strategies to plans to exercises to improvements.

How auditors think about the BCMS

Most ISO 22301 auditors approach the audit with two questions running in the background. First, can you trace a claim through to evidence? Second, does the evidence support the claim, or does it just exist?

The strongest BCMS reads as a closed loop. Business priorities feed the BIA. The BIA shapes the strategies. The strategies shape the plans. The plans get exercised. The exercises produce findings. The findings drive improvements. Each step references the one before it and is verifiable from documented evidence.

The weakest BCMS reads as a collection of artefacts produced once and never connected. Each individual document may look fine. The connection between them is missing.

Most of the questions below are auditor probes to test that connection.

Context and scope (Clause 4)

Typical questions:

  • What is in scope of your BCMS? What is out of scope? Why?
  • Who are your interested parties for business continuity? Customers, suppliers, regulators, staff, board.
  • Has your context changed materially since the last audit? How is that reflected in the documentation?

What auditors look for: a credible scope that matches the rest of the organisation’s operations. Scope statements that conveniently exclude difficult parts (a particular site, a particular product line, a recently acquired business) are a red flag. Interested parties analysis that does not reflect the regulatory environment the organisation actually operates in raises the same kind of concern.

Leadership commitment (Clause 5)

Typical questions:

  • Who is the business continuity sponsor at executive level?
  • How does business continuity feature in board-level discussions?
  • Show me the business continuity policy. Who signed it off and when?
  • What resources are committed to business continuity? How is that documented?

What auditors look for: visible top-management commitment, not just signatures on a policy nobody reads. A policy that has not been reviewed since the last certification and a sponsor who cannot answer questions about the programme are both warning signs.

The BIA (Clause 8.2)

The Business Impact Analysis is the single most important artefact in an ISO 22301 audit. Expect substantial time here.

Typical questions:

  • Can you walk me through your BIA?
  • How recent is it? When was it last refreshed and why?
  • Who participated in the BIA workshops?
  • What activities are in scope? How were they prioritised?
  • What is the maximum tolerable period of disruption (MTPD) for each critical activity? Who signed it off?
  • What are the dependencies, internal and external? Have you traced them?
  • How does the BIA inform your continuity strategies?

What auditors look for: evidence that the BIA reflects actual business reality. A common probe is to interview a line manager about their critical activities and compare what the manager describes to what the BIA records. Mismatches indicate the BIA was produced by a central team without genuine business engagement.

The BIA also drives credibility for everything downstream. If the BIA is current, business-owned, and traceable to strategies and plans, the rest of the audit becomes a matter of confirming details. If the BIA is stale or generic, every subsequent section will be questioned more sharply.

Risk assessment (Clause 8.2)

Typical questions:

  • What risks are in scope for business continuity?
  • How does this risk assessment differ from your information security risk assessment?
  • What treatment have you applied to high-priority risks?

What auditors look for: a risk assessment focused on continuity-relevant threats such as loss of premises, key staff unavailability, supplier failure, IT disruption, and regional events. A generic security risk register reused for BC purposes without that continuity lens will be flagged.

Continuity strategies (Clause 8.3)

Typical questions:

  • For each critical activity, what is your recovery strategy?
  • What are the assumptions behind the strategy? Are they realistic?
  • What if the assumption fails? For example, your primary supplier is also affected.
  • How were strategies costed and approved by management?

What auditors look for: strategies that match the BIA, with documented assumptions and dependencies. “Move staff to another office” without a named alternative is a problem. “Use a backup supplier” without an actual contract in place is a problem. Strategies that exist on paper but have never been validated are the most common source of major nonconformities.

Business continuity plans (Clause 8.4)

Typical questions:

  • Can I see your business continuity plan? Who owns each section?
  • How would the plan be activated out of hours? Who has authority to decide?
  • How do you maintain plan currency?
  • Are critical contact details validated regularly?

What auditors look for: usable, current, owned. Long shelf documents that nobody updates score badly. A plan with phone numbers for people who left two years ago tells the auditor the plan is not actively maintained.

Exercise programme (Clause 8.5)

After the BIA, the exercise programme is the second-most important area in an ISO 22301 audit.

Typical questions:

  • Show me your exercise schedule.
  • What was your last exercise? What scenarios were used?
  • What were the findings? What changed as a result?
  • Have you exercised invocation, communications, and recovery as separate activities?
  • When did you last fully test the plan, not just run a tabletop?

What auditors look for: a programme, not a one-off. A schedule that runs across the year, varying scenarios and scopes. Findings that have been recorded, tracked, and verifiably closed. Tabletops are acceptable as part of the mix but not as the entire programme at maturity. A tabletop exercise is the floor, not the ceiling.

Evaluation of capabilities (Clause 8.6)

Typical questions:

  • Beyond exercises, how do you know your business continuity capability would actually work?
  • Have you reviewed plans following any real incidents in the last year, even minor ones?
  • How do you assure that your RTO and RPO targets are achievable?

What auditors look for: ongoing, critical assessment of capability, not just box-ticking reviews. Real-world incidents (a brief power outage, a supplier going dark for an afternoon, a sick leave cluster) are valuable evidence when they have been treated as input to the BCMS rather than ignored.

Performance evaluation (Clause 9)

Typical questions:

  • Show me your internal audit programme for business continuity.
  • When was your last management review? What was discussed in relation to BC?
  • What metrics do you track for BC performance?
  • How are exercise outcomes reported to leadership?

What auditors look for: management review and internal audit outputs that reference real business continuity issues. A management review that lists “BC programme on track” with no detail is not credible.

Improvement (Clause 10)

Typical questions:

  • How are nonconformities tracked?
  • How is corrective action verified for effectiveness?
  • How are exercise findings closed out?

What auditors look for: closed loops on findings, with verification rather than assertion. A finding marked “closed” with no evidence of what changed and how it was checked will be reopened.

Cross-cutting themes auditors flag

Across audit findings on ISO 22301 programmes, the same themes recur:

  • Realism versus aspiration. Strategies and plans that would work in theory but rely on optimistic assumptions about people, suppliers, technology, or time.
  • Traceability. Whether an auditor can walk from a top-level business priority through the BIA, the strategies, the plans, the exercises, the findings, and the actions taken in response.
  • Currency. Whether the documents in the BCMS have been reviewed within the last 12 months and updated to reflect what has changed.
  • Ownership. Whether named individuals own plans, exercises, and decisions rather than the documents existing in an ownerless central repository.
  • Integration. Whether the BCMS integrates with information security, incident response, IT disaster recovery, and supplier management, or sits in a silo.
  • Evidence of life. Whether the programme is producing exercises, findings, and changes month to month, or only in the run-up to the audit.

A pre-audit self-check

If you are preparing for an ISO 22301 certification, surveillance, or recertification audit, the questions to ask yourself are:

  • Can you trace from a top-level business priority through to a closed corrective action?
  • Has the BIA been refreshed in the last 12 months, with business engagement?
  • Has the BCP been exercised in the last 12 months at more than tabletop level?
  • Are critical contact details, supplier details, and recovery instructions validated?
  • Do the management review minutes reference business continuity inputs substantively?
  • Are exercise findings tracked through to verified closure?
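Most of these self-check questions reduce to walking the traceability chain over a structured inventory and flagging where a link is missing or stale. The script below is an added example, not tooling from this page or from any client engagement: it assumes a simple record layout (activities with MTPD and RTO, strategies with an exercise that validated their assumptions, plans with a contact-validation date, exercises with findings) and a 12-month currency window, all of which are assumptions you would adapt to whatever register or GRC export you actually hold. The inventory it runs over is constructed for illustration.

```python
"""Pre-audit traceability self-check over a structured BCMS inventory.

Added example, not the page's own tooling. Record layout and the 12-month
currency window are assumptions mirroring the self-check questions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

CURRENCY_WINDOW = timedelta(days=365)  # "within the last 12 months" (assumption)


@dataclass
class Activity:
    name: str
    owner: str
    mtpd_hours: int        # maximum tolerable period of disruption, signed off
    rto_hours: int         # recovery time objective the strategy commits to
    bia_reviewed: date     # last business-owned refresh of this BIA entry


@dataclass
class Strategy:
    activity: str
    description: str
    assumptions: list[str]
    validated_by: str | None = None   # exercise id that tested the assumptions


@dataclass
class Plan:
    activity: str
    owner: str
    contacts_validated: date


@dataclass
class Finding:
    id: str
    status: str            # "open" | "closed"
    verification: str = "" # what changed and how closure was checked


@dataclass
class Exercise:
    id: str
    run_on: date
    kind: str              # "tabletop" | "recovery" | "full"
    activities: list[str]
    findings: list[Finding] = field(default_factory=list)


def self_check(activities, strategies, plans, exercises, today):
    """Walk BIA -> strategy -> plan -> exercise -> finding -> verified closure.
    Returns (item, issue) pairs; an empty list means every link is present."""
    issues = []
    strat_for = {s.activity: s for s in strategies}
    plan_for = {p.activity: p for p in plans}
    exercise_ids = {e.id for e in exercises}

    def stale(d: date) -> bool:
        return today - d > CURRENCY_WINDOW

    for a in activities:
        if a.rto_hours > a.mtpd_hours:   # a strategy that recovers too late by design
            issues.append((a.name, f"RTO {a.rto_hours}h exceeds MTPD {a.mtpd_hours}h"))
        if stale(a.bia_reviewed):
            issues.append((a.name, "BIA entry not refreshed in 12 months"))
        s = strat_for.get(a.name)
        if s is None:
            issues.append((a.name, "no continuity strategy traces to this activity"))
        elif s.validated_by not in exercise_ids:
            issues.append((a.name, "strategy assumptions never validated by an exercise"))
        p = plan_for.get(a.name)
        if p is None:
            issues.append((a.name, "no plan traces to this activity"))
        elif stale(p.contacts_validated):
            issues.append((a.name, "plan contact details not validated in 12 months"))
        recent = [e for e in exercises if a.name in e.activities and not stale(e.run_on)]
        if not recent:
            issues.append((a.name, "not exercised in 12 months"))
        elif all(e.kind == "tabletop" for e in recent):
            issues.append((a.name, "exercised only at tabletop level in 12 months"))

    for e in exercises:
        for f in e.findings:
            if f.status != "closed":
                issues.append((f.id, "exercise finding still open"))
            elif not f.verification:   # "closed" by assertion, not by evidence
                issues.append((f.id, "closed without verification evidence"))
    return issues


def sample_inventory():
    """Constructed inventory for illustration; not real client data."""
    today = date(2025, 6, 30)
    activities = [
        Activity("payments", "ops-lead", mtpd_hours=8, rto_hours=4, bia_reviewed=date(2025, 1, 15)),
        Activity("payroll", "hr-lead", mtpd_hours=72, rto_hours=96, bia_reviewed=date(2023, 11, 1)),
    ]
    strategies = [
        Strategy("payments", "fail over to secondary site", ["secondary site unaffected"], "EX-2"),
        Strategy("payroll", "use backup bureau", ["contract in place"], None),
    ]
    plans = [
        Plan("payments", "ops-lead", contacts_validated=date(2025, 3, 1)),
        Plan("payroll", "hr-lead", contacts_validated=date(2023, 5, 1)),
    ]
    exercises = [
        Exercise("EX-1", date(2025, 2, 10), "tabletop", ["payments", "payroll"],
                 [Finding("F-1", "closed", "call tree re-issued; checked 2025-03-01")]),
        Exercise("EX-2", date(2025, 5, 20), "recovery", ["payments"],
                 [Finding("F-2", "closed", "")]),
    ]
    return activities, strategies, plans, exercises, today


if __name__ == "__main__":
    for item, issue in self_check(*sample_inventory()):
        print(f"{item}: {issue}")
```

On the constructed data "payments" traces cleanly end to end, while "payroll" trips every check in the chain and finding F-2 is flagged because it was marked closed with no record of what changed. The point of running it is not the tool but the shape of the output: each line is an auditor probe you can answer before they ask it.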

If most of these answers are clear, the audit will go well. If several are not, the time to address them is now, not the week before the audit visit.

How this relates to our other services

Audit preparation for ISO 22301 often sits alongside other engagements. Our ISO 22301 service covers implementation and ongoing programme support. The broader audit preparation service applies the same readiness review approach to multiple standards. For organisations operating multiple management systems, an integrated internal audit programme makes the cross-standard evidence base more efficient to maintain.

If you are working through any of these questions ahead of a certification or surveillance audit, get in touch for an independent view.

Common questions

How is an ISO 22301 audit different from an ISO 27001 audit?
ISO 27001 auditors are mostly asking whether the management system describes what you actually do. ISO 22301 auditors are mostly asking whether the management system would survive what would actually happen. Both rely on the same Annex SL clause structure, but ISO 22301 places much more emphasis on the realism of strategies, the quality of exercises, and the link between the BIA and downstream plans.
How often do we need to exercise the BCP for the audit?
Clause 8.5 requires the exercise programme to be planned and conducted at planned intervals. There is no specific number, but in practice most certified organisations run at least one substantive exercise per year, with smaller exercises (tabletops, communications tests, recovery tests) more frequently. A single tabletop in the week before the audit will not be credible.
Can we rely on tabletop exercises alone?
At an early stage of certification, often yes. As the BCMS matures, auditors expect to see a variety of exercise types: tabletops, communications tests, partial activations, technical recovery tests, and at least occasional full-scale exercises. Tabletops are the floor, not the ceiling.
What is the most common finding in ISO 22301 audits?
Across recent client engagements, the most common findings cluster around exercise programmes that lack follow-through, BIAs that have not been refreshed, and recovery strategies whose assumptions have not been tested. The technical work of writing plans is usually done. The discipline of keeping the programme alive is where most organisations slip.
How long should the BIA be?
Long enough to cover every critical activity in scope, with documented dependencies, MTPDs, RTOs, and ownership. Short enough that it is actually maintained. For most mid-sized organisations, the BIA is a structured document or spreadsheet covering 20 to 80 activities. Auditors prefer a tight, current BIA over an exhaustive one that has not been reviewed for two years.
