Skip to main content

Stage 1 of an ISO 22301 audit tests whether the Business Continuity Management System (BCMS) is ready to be evaluated in Stage 2. The event is structurally similar to ISO 27001 Stage 1 but the content is very different, and the pieces that most organisations under-prepare for are the pieces the auditor spends most of the audit on.

This piece walks through what an ISO 22301 Stage 1 auditor is actually looking for, what documentation matters most, and where organisations who transferred their 27001 discipline directly into 22301 tend to trip. It is the fourth piece in the Audit Day series.

Key takeaways

  • Stage 1 for ISO 22301 is a readiness evaluation of the BCMS. The auditor tests whether the system is designed, documented, and coherent enough for a Stage 2 assessment of effectiveness.
  • The pivotal artefact is the Business Impact Analysis. Auditors spend disproportionate time here because most other 22301 findings ultimately trace back to a weak or generic BIA.
  • The exercise programme catches organisations off guard. A programme designed and scheduled will satisfy Stage 1; a programme that consists of “we plan to exercise after certification” will not.
  • Confusion between business continuity and IT disaster recovery is the classic Stage 1 finding. Auditors probe the distinction, particularly whether non-IT critical activities are properly analysed.
  • Common Stage 1 finding: the BIA has been produced by a central team with limited business input. Interviews with business function heads expose the gap.

What the Stage 1 auditor is actually doing

ISO 22301:2019 certification follows the same two-stage process as other management-system standards under ISO/IEC 17021-1. Stage 1’s formal objectives:

  • Review the documented information required by 22301, including the BCMS scope, the business continuity policy, the BIA methodology and outputs, the risk assessment, continuity strategies and solutions, business continuity plans, and the exercise programme.
  • Evaluate the organisation’s understanding of the standard’s requirements and the operational context of the BCMS.
  • Confirm that internal audit and management review processes are established.
  • Identify Areas of Concern that would prevent Stage 2 from proceeding, and agree an action plan.
  • Establish the Stage 2 audit plan, including sampling of critical activities and any specific areas of focus.

The auditor is not testing plan invocation effectiveness at Stage 1. That is Stage 2’s job. Stage 1 tests whether the BCMS design is coherent enough that Stage 2 testing is worth doing.

What is specifically different from ISO 27001 Stage 1

Organisations that come to 22301 with a mature 27001 ISMS often assume the disciplines transfer directly. They don’t.

The BIA replaces the risk register as the pivotal artefact. Where 27001 lives around the risk register and Statement of Applicability, 22301 lives around the BIA. Recovery strategies flow from BIA outputs. Plans flow from strategies. Exercises test plans. If the BIA is weak, everything downstream inherits the weakness.

Risk assessment focuses on continuity threats. Loss of premises, unavailability of key staff, supplier failure, IT disruption, regional events (power, connectivity, weather). A generic security risk register recycled for 22301 will be flagged. The auditor wants to see risk assessment specifically framed for continuity.

Continuity strategies must match RTOs. For each critical activity, the strategy has to be capable of recovering the activity within the Maximum Tolerable Period of Disruption and to the required capacity. “Move staff to another office” without a named alternative is a problem. “Use a backup supplier” without a contract is a problem.

Exercise programme is a first-class concern. 22301 Clause 8.5 explicitly requires exercises. Stage 1 auditors want the programme designed with variety (tabletops, communications tests, technical recovery tests, full exercises) and cadence, even if the actual exercises will happen after certification for a first-time BCMS.

Invocation and communication procedures. Who has authority to invoke a BCP, out of hours, with what escalation. How staff, customers, suppliers, and regulators are contacted. Where 27001 has incident response, 22301 has invocation procedures with named authority.

Documentation to have ready

Stage 1 auditors ask for the following, roughly in this order:

  • BCMS scope statement (Clause 4.3). Names the activities, sites, and operations in scope, with justification. Scope statements that conveniently exclude difficult parts (a recently acquired business, a difficult site) are a red flag.
  • Business continuity policy (Clause 5.2). Approved by top management, communicated, reviewed.
  • BCMS roles and responsibilities (Clause 5.3). Including BC Manager, BC coordinators for each business area, and named invocation authority.
  • BIA methodology and completed BIA (Clause 8.2). The methodology explains how critical activities were identified and how MTPDs, RTOs, and RPOs were set. The BIA is the output.
  • Risk assessment (Clause 8.2). Framed for continuity, with treatment linked to the BIA outputs.
  • Continuity strategies and solutions (Clause 8.3). For each critical activity, how it will be sustained during disruption. Assumptions and dependencies documented.
  • Business continuity plans (Clause 8.4). The operational documents that get invoked. Named owners, current contact details, defined activation criteria.
  • Warning and communication procedures (Clause 8.4.3). Internal and external communications during disruption.
  • Exercise programme and any completed exercise records (Clause 8.5). Programme with variety and cadence; any completed exercises with findings and closure evidence.
  • Evaluation of BCMS capability (Clause 8.6). Beyond exercises, how the organisation assures itself that recovery would work.
  • Internal audit programme and reports (Clause 9.2). See our Clause 9.2 note for what an auditor looks for.
  • Management review inputs and outputs (Clause 9.3).
  • Nonconformity and corrective action records (Clause 10.2).

Missing BIA outputs or an undesigned exercise programme at Stage 1 will almost always trigger Areas of Concern. Both are load-bearing pieces of the BCMS.

The BIA: the pivotal artefact

More Stage 1 findings under 22301 trace back to weak BIAs than to any other single cause.

A defensible BIA covers, for each critical activity:

  • The activity itself, clearly named and scoped
  • The business function that owns it, with a named owner
  • The impacts of disruption over time (financial, operational, reputational, regulatory)
  • The Maximum Tolerable Period of Disruption, signed off by the business owner
  • The Recovery Time Objective (how quickly the activity must be resumed) and Recovery Point Objective (how much data or state loss is acceptable)
  • The dependencies: internal (people, technology, premises), external (suppliers, regulators, customers), and other (data, records, information)
  • The minimum resources required to sustain the activity at recovery

Auditors probe the BIA in two ways. First, by reading it: is it specific, is it current, does it cover the critical activities the organisation obviously has? Second, by interviewing business function heads and comparing what they say about their critical activities to what the BIA records. Mismatches indicate the BIA was written centrally without genuine business input, which is the most common Stage 1 finding.

The BC vs IT DR trap

The classic 22301 Stage 1 finding is a BCMS that is essentially an IT disaster recovery programme with 22301 branding.

The tell-tale signs: critical activities defined as “IT services” rather than business activities. Recovery strategies framed around infrastructure recovery. Exercises that only test technical failover. No consideration of critical activities that require people, premises, or supplier cooperation. No plan for scenarios where IT works but the office cannot be occupied, or the key operations manager is unreachable, or a critical supplier goes dark.

The fix is not to abandon the IT DR work. It is to place it inside a wider BCMS that also addresses non-IT dimensions. A BIA that includes activities like “invoice processing,” “customer support,” and “regulatory reporting” (which need people, systems, and supplier inputs) sits at a level above IT DR. That is what 22301 audits.

A practical pre-Stage 1 checklist

Two weeks before Stage 1:

  • Every mandatory documented information item above exists, is current, and is accessible.
  • The BIA has been produced with genuine input from business function heads, not just central risk or BC teams.
  • Each critical activity in the BIA has a named business owner who has signed off the MTPD, RTO, and RPO values.
  • Continuity strategies exist for every critical activity and are demonstrably capable of meeting the stated RTOs.
  • The exercise programme is designed with cadence and variety, even if actual exercises are scheduled post-certification.
  • Warning and communication procedures name specific channels, specific responsible people, and specific out-of-hours arrangements.
  • At least one internal audit cycle has been completed across the BCMS scope.
  • At least one management review has taken place with BCMS performance as a substantive input.
  • A named person owns the BCMS as a whole with authority proportionate to the invocation decisions the BCMS commits them to.

If any of the above is not true, address it before Stage 1. Some (methodology writing, ownership) is fast. Some (running a BIA with real business engagement across every function) takes weeks.

The Axlio Method at 22301 Stage 1

Stage 1 sits inside the Assure step of the Axlio Method. By this point, Understand (what the business does and depends on), Assess (against what could disrupt it), Prioritise (which activities matter most), and Implement (the BCMS itself) should already have happened. Stage 1 is the first independent test of that work.

Where Stage 1 raises significant issues, the response is usually to loop back to Understand or Assess. A weak BIA almost always signals that Understand was done from a central perspective rather than a business-function perspective. Rebuilding the BIA with business input is uncomfortable but usually faster than remediating everything downstream.

Closing

ISO 22301 Stage 1 is the audit event where the BCMS gets its first honest external evaluation. Organisations that treated 22301 as an extension of their IT DR discover the gap between the two. Organisations that built the BCMS around a real BIA with real business engagement pass Stage 1 cleanly and move to Stage 2 on schedule.

For support preparing for an ISO 22301 audit, or for a wider ISO 22301 or audit preparation engagement, get in touch. Our ISO 22301 audit preparation questions piece covers the questions Stage 2 auditors most commonly ask; this piece covers what Stage 1 will look for before you get there.

Common questions

Is a Business Impact Analysis really that important?
Yes. The BIA is to a BCMS what the AI system inventory is to a 42001 AIMS or the Statement of Applicability is to a 27001 ISMS: the artefact everything else depends on. If the BIA is generic, everything downstream (recovery strategies, plans, exercises, metrics) is questioned. If the BIA is current and business-owned, the rest of the audit is largely a matter of confirming details. Auditors know this and spend disproportionate time there.
Do we need to have exercised the plan before Stage 1?
Not necessarily fully, but you need the exercise programme designed with realistic scenarios, cadence, and expected outputs. At Stage 1, the auditor is testing readiness for evaluation. An exercise programme that exists on paper and has been scheduled will usually satisfy Stage 1. An exercise programme where the first exercise is 'planned for after certification' will be flagged.
What is the difference between business continuity and IT disaster recovery?
IT disaster recovery is a subset of business continuity. IT DR addresses the technical recovery of systems and data. Business continuity addresses the continuation of critical activities including but not only IT: people, premises, suppliers, communications, decision-making authority. Organisations that treat 22301 as an IT DR exercise miss most of the standard. Stage 1 auditors specifically probe the distinction, particularly whether non-IT critical activities are properly analysed and addressed.
How does 22301 differ from 27001 in scope?
27001 addresses information security. 22301 addresses continuity of business operations during disruption. They overlap where a security incident disrupts operations, but the risks assessed, the mitigations planned, and the tests conducted are different. Where organisations run both, integration is possible but requires attention to which standard-specific requirements need standard-specific evidence. Our note on [integrated management systems](/insights/integrated-management-systems-what-actually-integrates/) covers what genuinely integrates.
Who should sign off the BIA?
Named business owners for each critical activity, plus top management for the overall BIA. A BIA signed only by the BC manager or the risk team is a red flag: it usually means the BIA reflects an outside-in view of the business rather than input from the people who actually run the critical activities. Auditors will often interview a business function head and compare their description of the critical activity to what the BIA records. Mismatches trigger findings.

Ready to discuss your requirements?

Let's have a conversation about how we can help your organisation.

Let's talk