What do ISO 22301 auditors really look for?
To prepare for an ISO 22301 audit, organisations need to demonstrate that business continuity is embedded across the organisation, not just documented.
That means being able to evidence:
✅ A clear understanding of your organisation
✅ Leadership that’s genuinely engaged
✅ A joined-up approach to risk and planning
✅ People who know what to do
✅ Plans that work in the real world
✅ Ongoing review
✅ Continuous improvement in practice
A clear understanding of your organisation
Auditors want to see that you understand your organisation’s operating environment – its risks, dependencies, stakeholders and regulatory obligations.
This includes having a clearly defined BCMS scope that reflects what truly matters to the business. If the scope is vague, overly broad or not aligned to critical services, it quickly raises concerns about how effective the BCMS can be in practice.
Leadership that’s genuinely engaged
Business continuity can’t sit in a silo. Strong leadership involvement is critical.
Auditors will look for evidence that senior management are actively driving and supporting the BCMS, not just signing off policies. This includes owning the business continuity policy, setting direction, allocating resources and participating in management reviews.
Without visible leadership commitment, it’s difficult to demonstrate that resilience is embedded across the organisation.
A joined-up approach to risk and planning
Your risk assessment (RA), business impact analysis (BIA) and business continuity objectives should all connect.
Auditors will expect to see a clear process for identifying risks and opportunities, and evidence of how these translate into defined business continuity objectives. They will also look for alignment between your risk register, BC policy and continuity plans.
A well-structured approach shows that your organisation is not only managing risk but continually improving its resilience.
People who know what to do
In a disruption, clarity matters.
Auditors will assess whether people understand their roles and responsibilities during an incident, know how they will be contacted and can access the information they need.
This is supported by role-specific training, clear communication processes and organisation-wide awareness. Embedding business continuity into onboarding and regular training programmes helps to ensure that preparedness is visible across the business.
Plans that work in the real world
Your BIA and RA form the backbone of your BCMS. They identify your critical activities and define how quickly they need to be recovered.
Auditors will examine how these are developed, whether recovery objectives are justified, and whether they are regularly reviewed – at least annually or following significant business change.
From there, your business continuity and incident management plans must bring this to life. They should be:
- Practical and easy to follow under pressure
- Accessible during an incident
Auditors will also assess whether your exercising programme is effective. Regular testing is expected, but more importantly, organisations must demonstrate that lessons are identified, actions are taken, and improvements are made over time.
Ongoing review
A BCMS isn’t static – it needs to evolve with the organisation.
Auditors will expect evidence of internal audits, management reviews and performance monitoring to ensure the BCMS remains effective.
They may also review how your organisation has responded to real incidents: whether plans were effective, whether recovery objectives were met, and what lessons were learned. This feedback loop is key to maintaining resilience.
Continuous improvement in practice
No BCMS is perfect, and auditors don’t expect it to be.
What they do expect is a clear approach to managing nonconformities and corrective actions. This includes identifying issues, addressing root causes and evidencing improvements.
Strong organisations can demonstrate how lessons from exercises and real incidents feed directly into updates to plans, processes and strategy, ensuring the BCMS continues to mature over time.
One rule above all
There’s a simple truth that applies to any audit:
If you can’t evidence it, it didn’t happen.
It’s not enough to say you test plans or review risks – you need clear, consistent records to support it.