ISO 22301 Stage 1: what happens on the day, and what to have ready
Business continuity certification audits are structurally similar to information security audits but test a very different set of artefacts. The Business Impact Analysis carries most of the weight, the exercise programme catches many organisations off guard, and confusion between business continuity and IT disaster recovery is the classic Stage 1 finding.
Stage 1 of an ISO 22301 audit tests whether the Business Continuity Management System (BCMS) is ready to be evaluated in Stage 2. The event is structurally similar to ISO 27001 Stage 1 but the content is very different, and the pieces that most organisations under-prepare for are the pieces the auditor spends most of the audit on.
This piece walks through what an ISO 22301 Stage 1 auditor is actually looking for, what documentation matters most, and where organisations who transferred their 27001 discipline directly into 22301 tend to trip. It is the fourth piece in the Audit Day series.
Key takeaways
- Stage 1 for ISO 22301 is a readiness evaluation of the BCMS. The auditor tests whether the system is designed, documented, and coherent enough for a Stage 2 assessment of effectiveness.
- The pivotal artefact is the Business Impact Analysis. Auditors spend disproportionate time here because most other 22301 findings ultimately trace back to a weak or generic BIA.
- The exercise programme catches organisations off guard. A programme designed and scheduled will satisfy Stage 1; a programme that consists of “we plan to exercise after certification” will not.
- Confusion between business continuity and IT disaster recovery is the classic Stage 1 finding. Auditors probe the distinction, particularly whether non-IT critical activities are properly analysed.
- Common Stage 1 finding: the BIA has been produced by a central team with limited business input. Interviews with business function heads expose the gap.
What the Stage 1 auditor is actually doing
ISO 22301:2019 certification follows the same two-stage process as other management-system standards under ISO/IEC 17021-1. Stage 1’s formal objectives:
- Review the documented information required by 22301, including the BCMS scope, the business continuity policy, the BIA methodology and outputs, the risk assessment, continuity strategies and solutions, business continuity plans, and the exercise programme.
- Evaluate the organisation’s understanding of the standard’s requirements and the operational context of the BCMS.
- Confirm that internal audit and management review processes are established.
- Identify Areas of Concern that would prevent Stage 2 from proceeding, and agree an action plan.
- Establish the Stage 2 audit plan, including sampling of critical activities and any specific areas of focus.
The auditor is not testing plan invocation effectiveness at Stage 1. That is Stage 2’s job. Stage 1 tests whether the BCMS design is coherent enough that Stage 2 testing is worth doing.
What is specifically different from ISO 27001 Stage 1
Organisations that come to 22301 with a mature 27001 ISMS often assume the disciplines transfer directly. They don’t.
The BIA replaces the risk register as the pivotal artefact. Where 27001 lives around the risk register and Statement of Applicability, 22301 lives around the BIA. Recovery strategies flow from BIA outputs. Plans flow from strategies. Exercises test plans. If the BIA is weak, everything downstream inherits the weakness.
Risk assessment focuses on continuity threats. Loss of premises, unavailability of key staff, supplier failure, IT disruption, regional events (power, connectivity, weather). A generic security risk register recycled for 22301 will be flagged. The auditor wants to see risk assessment specifically framed for continuity.
Continuity strategies must match RTOs. For each critical activity, the strategy has to be capable of recovering the activity within the Maximum Tolerable Period of Disruption and to the required capacity. “Move staff to another office” without a named alternative is a problem. “Use a backup supplier” without a contract is a problem.
Exercise programme is a first-class concern. 22301 Clause 8.5 explicitly requires exercises. Stage 1 auditors want the programme designed with variety (tabletops, communications tests, technical recovery tests, full exercises) and cadence, even if the actual exercises will happen after certification for a first-time BCMS.
Invocation and communication procedures. Who has authority to invoke a BCP, out of hours, with what escalation. How staff, customers, suppliers, and regulators are contacted. Where 27001 has incident response, 22301 has invocation procedures with named authority.
Documentation to have ready
Stage 1 auditors ask for the following, roughly in this order:
- BCMS scope statement (Clause 4.3). Names the activities, sites, and operations in scope, with justification. Scope statements that conveniently exclude difficult parts (a recently acquired business, a difficult site) are a red flag.
- Business continuity policy (Clause 5.2). Approved by top management, communicated, reviewed.
- BCMS roles and responsibilities (Clause 5.3). Including BC Manager, BC coordinators for each business area, and named invocation authority.
- BIA methodology and completed BIA (Clause 8.2). The methodology explains how critical activities were identified and how MTPDs, RTOs, and RPOs were set. The BIA is the output.
- Risk assessment (Clause 8.2). Framed for continuity, with treatment linked to the BIA outputs.
- Continuity strategies and solutions (Clause 8.3). For each critical activity, how it will be sustained during disruption. Assumptions and dependencies documented.
- Business continuity plans (Clause 8.4). The operational documents that get invoked. Named owners, current contact details, defined activation criteria.
- Warning and communication procedures (Clause 8.4.3). Internal and external communications during disruption.
- Exercise programme and any completed exercise records (Clause 8.5). Programme with variety and cadence; any completed exercises with findings and closure evidence.
- Evaluation of BCMS capability (Clause 8.6). Beyond exercises, how the organisation assures itself that recovery would work.
- Internal audit programme and reports (Clause 9.2). See our Clause 9.2 note for what an auditor looks for.
- Management review inputs and outputs (Clause 9.3).
- Nonconformity and corrective action records (Clause 10.2).
Missing BIA outputs or an undesigned exercise programme at Stage 1 will almost always trigger Areas of Concern. Both are load-bearing pieces of the BCMS.
The BIA: the pivotal artefact
More Stage 1 findings under 22301 trace back to weak BIAs than to any other single cause.
A defensible BIA covers, for each critical activity:
- The activity itself, clearly named and scoped
- The business function that owns it, with a named owner
- The impacts of disruption over time (financial, operational, reputational, regulatory)
- The Maximum Tolerable Period of Disruption, signed off by the business owner
- The Recovery Time Objective (how quickly the activity must be resumed) and Recovery Point Objective (how much data or state loss is acceptable)
- The dependencies: internal (people, technology, premises), external (suppliers, regulators, customers), and other (data, records, information)
- The minimum resources required to sustain the activity at recovery
Auditors probe the BIA in two ways. First, by reading it: is it specific, is it current, does it cover the critical activities the organisation obviously has? Second, by interviewing business function heads and comparing what they say about their critical activities to what the BIA records. Mismatches indicate the BIA was written centrally without genuine business input, which is the most common Stage 1 finding.
The BC vs IT DR trap
The classic 22301 Stage 1 finding is a BCMS that is essentially an IT disaster recovery programme with 22301 branding.
The tell-tale signs: critical activities defined as “IT services” rather than business activities. Recovery strategies framed around infrastructure recovery. Exercises that only test technical failover. No consideration of critical activities that require people, premises, or supplier cooperation. No plan for scenarios where IT works but the office cannot be occupied, or the key operations manager is unreachable, or a critical supplier goes dark.
The fix is not to abandon the IT DR work. It is to place it inside a wider BCMS that also addresses non-IT dimensions. A BIA that includes activities like “invoice processing,” “customer support,” and “regulatory reporting” (which need people, systems, and supplier inputs) sits at a level above IT DR. That is what 22301 audits.
A practical pre-Stage 1 checklist
Two weeks before Stage 1:
- Every mandatory documented information item above exists, is current, and is accessible.
- The BIA has been produced with genuine input from business function heads, not just central risk or BC teams.
- Each critical activity in the BIA has a named business owner who has signed off the MTPD, RTO, and RPO values.
- Continuity strategies exist for every critical activity and are demonstrably capable of meeting the stated RTOs.
- The exercise programme is designed with cadence and variety, even if actual exercises are scheduled post-certification.
- Warning and communication procedures name specific channels, specific responsible people, and specific out-of-hours arrangements.
- At least one internal audit cycle has been completed across the BCMS scope.
- At least one management review has taken place with BCMS performance as a substantive input.
- A named person owns the BCMS as a whole with authority proportionate to the invocation decisions the BCMS commits them to.
If any of the above is not true, address it before Stage 1. Some (methodology writing, ownership) is fast. Some (running a BIA with real business engagement across every function) takes weeks.
The Axlio Method at 22301 Stage 1
Stage 1 sits inside the Assure step of the Axlio Method. By this point, Understand (what the business does and depends on), Assess (against what could disrupt it), Prioritise (which activities matter most), and Implement (the BCMS itself) should already have happened. Stage 1 is the first independent test of that work.
Where Stage 1 raises significant issues, the response is usually to loop back to Understand or Assess. A weak BIA almost always signals that Understand was done from a central perspective rather than a business-function perspective. Rebuilding the BIA with business input is uncomfortable but usually faster than remediating everything downstream.
Closing
ISO 22301 Stage 1 is the audit event where the BCMS gets its first honest external evaluation. Organisations that treated 22301 as an extension of their IT DR discover the gap between the two. Organisations that built the BCMS around a real BIA with real business engagement pass Stage 1 cleanly and move to Stage 2 on schedule.
For support preparing for an ISO 22301 audit, or for a wider ISO 22301 or audit preparation engagement, get in touch. Our ISO 22301 audit preparation questions piece covers the questions Stage 2 auditors most commonly ask; this piece covers what Stage 1 will look for before you get there.
