ISO 22301 Internal Audit Checklist: How to Prepare for Your BCMS Audit

April 5, 2026 Rebecca Leung

The internal audit isn’t the one that gives you the certificate. It’s the one that determines whether the external audit goes smoothly — or surfaces the same gaps your certifying body would have found.

Most BCMS internal audits underdeliver. They check whether documents exist rather than whether the program would function under a real disruption. They interview the BC team, not the business lines. They treat “no changes since last year” as a conclusion rather than a hypothesis to test.

By the time a certification body auditor is on-site and asking a frontline employee to describe their recovery responsibilities, internal audit should have already found that gap.

This is the checklist that should have been used months ago — and the one to run before your next external surveillance audit.


TL;DR

  • ISO 22301:2019 Clause 9.2 requires documented internal audits at planned intervals — annual is the industry norm and the minimum before certification
  • Auditors must be independent of audited activities and must retain documented evidence of the audit programme, results, and corrective action closure
  • The 10 most common nonconformities are predictable and preventable — BIA currency, plan operational detail, contact list accuracy, and lessons-learned follow-through dominate the finding list
  • Internal audits fail when they check documentation existence rather than operational effectiveness — ask whether the BCMS would actually work, not just whether it’s written down

What ISO 22301:2019 Clause 9.2 Actually Requires

ISO 22301:2019 splits the internal audit requirement across two sub-clauses:

Clause 9.2.1 — General: The organization shall conduct internal audits at planned intervals to determine whether the BCMS:

  • Conforms to the organization’s own requirements for the BCMS
  • Conforms to the requirements of ISO 22301
  • Is effectively implemented and maintained

Clause 9.2.2 — Audit Programme: The organization shall plan, establish, implement, and maintain one or more audit programmes. The programme must consider the importance of the processes concerned, changes affecting the organization, and results of previous audits.

Documented information you must retain:

You cannot claim an internal audit happened without documentation. ISO 22301 requires evidence of:

  • The audit programme (scope, criteria, frequency, auditor selection process, procedures)
  • Audit plan for each individual audit
  • Audit results (findings, nonconformities, opportunities for improvement)
  • Corrective action tracking and closure evidence

These are not optional. Certification body auditors will ask to see all of it.

Competency and Independence Requirements

Two requirements that often get treated as formalities:

Independence: Auditors cannot audit activities in which they have responsibility. The BC manager cannot audit the business continuity function. An IT lead cannot audit IT recovery procedures they authored. For small organizations where a dedicated internal audit team isn’t available, this may require cross-functional auditor assignments, hiring a consultant, or using a peer review approach with clear scope boundaries.

Competency: Auditors must have relevant qualifications, knowledge, and experience. BSI’s ISO 22301 Internal Auditor training (4 hours eLearning plus 2-day VILT with exam) is the standard qualification path recognized by most certification bodies. ISO 19011:2018 — the international guideline for auditing management systems — is the reference standard for audit methodology.


Before You Start: Setting Up the Audit Programme

The audit programme is not the audit plan. The programme is the standing framework governing how all internal audits are conducted over a defined period. For most organizations, the audit programme covers a 12-month cycle.

Audit programme components:

  • Scope: Which clauses, processes, and organizational units are in scope
  • Criteria: What standards and internal requirements will be audited against (ISO 22301, internal BCMS policies, documented procedures)
  • Frequency: Planned schedule for each audit within the cycle
  • Audit team: Named auditors, their qualifications, and assigned scope (respecting independence requirements)
  • Methodology: Interview, document review, observation — what approach for each area
  • Reporting and escalation: How findings are reported, to whom, and in what timeframe
  • Corrective action process: How nonconformities flow to the corrective action programme (Clause 10)

For initial certification, you must complete at least one full audit programme cycle and one management review before the Stage 1 external audit. Certification bodies will ask for the audit programme, audit reports, and evidence of management review.


Clause-by-Clause Internal Audit Checklist

Work through each clause systematically. For each area, audit questions are followed by the evidence you should expect to collect.


Clause 4 — Context of the Organization

Audit questions:

  • How were internal and external issues relevant to the BCMS identified? When was this last reviewed and updated?
  • Who are the interested parties (customers, regulators, suppliers, employees)? What are their relevant requirements? Where is this documented?
  • How was the scope of the BCMS defined? What was excluded and what justified those exclusions?
  • What legal and regulatory requirements apply to the BC program? Where are they captured and tracked?

Evidence to collect:

  • Context analysis document with review dates
  • Interested parties register with their requirements mapped
  • BCMS scope statement (including explicit exclusions)
  • Legal and regulatory requirements register

Common gap: Context analysis done once for initial certification and never revisited. An organization that has entered new markets, added significant vendors, or changed its regulatory profile since the last context review has an outdated Clause 4 assessment.


Clause 5 — Leadership

Audit questions:

  • How does top management demonstrate active commitment to the BCMS — not just that a policy was approved?
  • Has a BC policy been formally approved, communicated, and made accessible to all relevant personnel?
  • Are BCMS roles, responsibilities, and authorities clearly assigned and communicated?
  • What resources have been allocated to the BCMS? Is there documented evidence of resource allocation decisions?

Evidence to collect:

  • BC policy with approval signatures and version date
  • Organizational chart showing BCMS responsibilities
  • Evidence of leadership participation in management reviews and exercise sign-offs
  • Resource allocation records (budget, staffing)

Common gap: A policy that leadership signed but has never referenced since. External auditors specifically interview top management — if the executive can’t speak to the BCMS program, that’s a Clause 5 finding.


Clause 6 — Planning

Audit questions:

  • Are BC objectives documented? Are they specific, measurable, and communicated across relevant functions?
  • How is progress against BC objectives tracked and reported?
  • Were organizational risks and opportunities considered when setting BC objectives?

Evidence to collect:

  • Documented BC objectives with measurable targets
  • Progress tracking evidence (dashboard, scorecard, management report)
  • Planning records linking objectives to actions and owners

Common gap: BC objectives stated as vague aspirations (“maintain resilience”) rather than measurable targets (“achieve RTO of ≤4 hours for Tier 1 processes in 100% of exercises”).


Clause 7 — Support

Audit questions:

  • Is there a documented competency matrix for BCMS roles?
  • Are training records current for all personnel with BC responsibilities?
  • Can you demonstrate that relevant employees are aware of their BC roles and the consequences of not fulfilling them?
  • How are BCMS documents created, controlled, revised, and distributed? What version control process is in place?

Evidence to collect:

  • Competency matrix with qualifications required per role
  • Training records for BC team and key function staff
  • Awareness program materials and evidence of delivery (attendance records, quiz results)
  • Document control procedure and version history for key BCMS documents

Interview test: Pull aside an employee from outside the BC team — operations, IT, finance. Ask: “What is your role if a business continuity event is declared right now?” Their answer is your Clause 7 evidence. An external certification auditor will do exactly this.

Common gap: Formal training records exist for the BC team but not for function-level recovery team members who appear in the BC plans.


Clause 8 — Operations

This is where most audit effort should be concentrated. Clause 8 is the operational heart of the BCMS — where the BIA, risk assessment, strategies, plans, and exercise program live.

Clause 8.2 — Business Impact Analysis and Risk Assessment

Audit questions:

  • When was the BIA last conducted and reviewed? What triggered that review?
  • Are MTPD (Maximum Tolerable Period of Disruption), RTO, and RPO values defined for all critical processes?
  • How were MTPD/RTO/RPO values determined and validated?
  • Does the BIA cover all processes within the BCMS scope?
  • What threat scenarios does the risk assessment cover? When was the risk assessment last updated?
  • Are BIA findings directly reflected in recovery strategies and BC plan content?

Evidence to collect:

  • BIA document with dated review log
  • RTO/RPO values with documented rationale
  • Risk assessment covering BC-relevant threat scenarios
  • Evidence linking BIA outputs to strategy selection (Clause 8.3)

Interview test: Ask a process owner: “What’s the RTO for your function? How was that determined?” If they don’t know, or if their answer doesn’t match the BIA, that’s a gap.

Common gap (top finding): BIA completed for certification, never reviewed following a major system migration, M&A, or significant vendor change.


Clause 8.3 — Business Continuity Strategies and Solutions

Audit questions:

  • Can recovery strategies be traced directly to BIA outputs? (Strategy selection should be driven by MTPD/RTO requirements.)
  • Do strategies cover all required resource categories: people, data, activities, facilities, ICT, suppliers?
  • Has the organization verified that proposed recovery solutions are actually achievable within the RTO?
  • Are alternate resource options documented and available, not just theoretical?

Evidence to collect:

  • Strategy documentation with BIA linkage
  • Alternate facility / resource agreements, contracts, or testing evidence
  • Supplier BC requirements documented in vendor agreements

Common gap: Alternate recovery sites identified in the strategy but never tested. Listing “we can work from the Southfield office” as a strategy without having validated capacity, connectivity, and access creates a paper solution that won’t survive an actual event.


Clause 8.4 — Business Continuity Plans and Procedures

Audit questions:

  • Do BC plans contain operational-level detail — not just “activate the recovery team” but who, in what order, based on what activation criteria?
  • Are contact lists current? When were they last verified?
  • What is the activation process? Who makes the activation decision, at what threshold, using what criteria?
  • Are communication procedures defined for each stakeholder group (employees, customers, regulators, bank partners)?
  • Are plans stored where they can be accessed during an incident that takes down your primary systems?

Evidence to collect:

  • BC plans with named roles, current contacts, and activation criteria
  • Contact verification records (date and method)
  • Off-site or offline copies of plans
  • Communication templates and notification procedures

Interview test: Ask a recovery team lead: “It’s 3am, your primary data center just went down. What are your first five steps?” Their answer against the plan is your Clause 8.4 evidence. Plans written for management review rather than for operational use fail this test consistently.

Common gap: Plans drafted at high abstraction level that tell the recovery team what to do but not how. “Activate IT recovery procedures” is not a procedure.


Clause 8.5 — Exercise Programme

Audit questions:

  • Is there a documented exercise programme with a schedule and defined objectives?
  • Does the exercise programme cover multiple scenarios and test different aspects of the BCMS?
  • Are exercise results formally documented?
  • For each exercise finding, can you show the corrective action taken and how it was verified as effective?
  • When did you last test activation of alternate recovery capabilities (alternate site, backup systems)?

Evidence to collect:

  • Annual exercise schedule and completion records
  • Exercise reports for each conducted exercise (scenario, participants, findings)
  • Corrective action records linked to each exercise finding
  • Evidence that findings drove BIA or plan updates

Common gap: Organizations run the same tabletop scenario annually. External auditors look for scenario variety (cyberattack, facility loss, pandemic-style absence, key supplier failure, cloud outage) and evidence of a maturing programme. An after-action report with findings and no subsequent plan updates is a Clause 8.5 nonconformity.


Clause 8.6 — Evaluation and Exercise of Business Continuity Procedures

Audit questions:

  • Does the organization conduct periodic reviews to confirm BC procedures remain valid?
  • Are exercise outcomes reviewed against documented objectives?
  • Is there evidence that BC capabilities are periodically evaluated against recovery requirements?

Evidence to collect:

  • Post-exercise evaluation records
  • Procedure review log with dates and outcomes

Clause 9 — Performance Evaluation

Audit questions:

  • What metrics is the organization using to monitor BCMS effectiveness? Where are they tracked?
  • Has management review been conducted at planned intervals?
  • Do management review records show that all required inputs were addressed: audit results, exercise outcomes, status of corrective actions, stakeholder feedback, risk assessment updates, opportunities for improvement?
  • What decisions and actions came out of management review? Are they documented and being tracked?

Evidence to collect:

  • Monitoring and measurement data (exercise results, training completion, BIA currency)
  • Management review minutes showing required inputs and outputs
  • Action items from management review with owners and due dates

Common gap (frequently cited): Management review meetings happened, but minutes don’t show that all nine required inputs were reviewed. Or management review produces discussion but no documented decisions or assigned actions.


Clause 10 — Improvement

Audit questions:

  • Is there a formal nonconformity log? Does it include all findings from audits, exercises, and incidents?
  • For each nonconformity, is there a documented root cause analysis?
  • Are corrective actions assigned, tracked to closure, and verified as effective?
  • Can you demonstrate that the BCMS has improved over time — not just fixed problems, but gotten meaningfully better?

Evidence to collect:

  • Nonconformity register with root cause analysis for each finding
  • Corrective action plans with status and closure evidence
  • Evidence of year-over-year improvement (better exercise outcomes, faster RTOs achieved, BIA coverage expansion)

Common gap: Corrective actions are assigned and documented as “closed” without verification that the root cause was resolved — not just the symptom. An external auditor will re-test closed items.


The 10 Most Common ISO 22301 Nonconformities

Based on findings across certification body audits (BSI, NQA, Glocert, BCI) and practitioner guidance:

Rank | Finding | Clause
1 | BIA not reviewed after significant organizational changes | 8.2
2 | BC plans lacking operational-level detail (who, how, in what order) | 8.4
3 | Contact lists not maintained or tested for currency | 8.4
4 | Exercise programme using same scenario repeatedly; no variety or progression | 8.5
5 | Exercise findings not formally actioned; no corrective action evidence | 8.5 / 10
6 | Critical supplier/vendor dependencies absent from BIA scope | 8.2
7 | Alternate recovery site listed but never tested for activation | 8.3
8 | Frontline staff cannot describe their BC roles | 7.3
9 | Management review inputs incomplete or outputs undocumented | 9.3
10 | RTO/MTPD defined in BIA but not validated by BC plan procedures | 8.2 / 8.4

Internal Audit vs. External Certification Audit: What’s Different

Understanding how external auditors approach the BCMS — and where internal audits habitually fall short — lets you calibrate your internal programme to find what the external auditor would find.

Factor | Internal Audit | External Certification Audit
Conducted by | Trained organizational personnel | Accredited certification body lead auditor
Primary purpose | Find gaps, drive improvement | Verify conformance, issue/maintain certificate
Typical frequency | Annually (or risk-based) | Stage 1 + Stage 2 initial; annual surveillance; recertification every 3 years
Surveillance scope | All clauses | 30–40% of scope per surveillance visit; full cycle over 3 years
Independence | Required (can’t audit own work) | Fully external third party
Consequence of major NC | Internal corrective action | Certificate not issued until resolved
Consequence of minor NC | Internal corrective action | Accepted CAP; certification proceeds

Where internal audits systematically underdeliver:

Interview depth. Internal auditors know their colleagues and often go easy on probing questions. External auditors interview people outside the BC team — operations staff, IT leads, frontline managers — and ask: “What do you do if an incident is declared right now?” An internal audit that only interviews the BC team has only audited the BC team.

Scope boundary questioning. Internal auditors accept the defined BCMS scope. External auditors push on whether the scope is appropriately defined — or artificially narrow to exclude complex areas. If your BCMS scope excludes a major business function “because we’re still building the plan,” that exclusion is a finding.

Evidence quality vs. existence. Internal audits check whether documents exist. External auditors test whether documents are accurate, current, and operational. A BC plan that exists is not the same as a BC plan that would work.

Management review rigor. Internal audits often treat a completed management review meeting as evidence. External auditors verify that all required inputs under Clause 9.3 were genuinely reviewed — not just mentioned — and that management made substantive, documented decisions as outputs.

Familiarity bias. Internal auditors know the organization’s history and may unconsciously overlook longstanding issues. Running the same internal audit programme year after year with the same auditors produces diminishing returns. Rotate auditors across areas and periodically bring in a qualified external resource for a fresh perspective.


Pre-Audit Preparation Checklist

Run this before scheduling your internal audit cycle:

Documentation readiness:

  • BIA and risk assessment current (reviewed within 12 months or after material change)
  • BC plans version-controlled with dated review history
  • Contact lists verified within the last 90 days
  • Exercise programme and schedule documented for the current audit cycle
  • Training records current for all named recovery team members
  • Management review minutes with all required inputs documented

Process readiness:

  • Nonconformity log current with open items tracked to resolution
  • Corrective actions from previous cycle verified as effective (not just closed)
  • Document control procedure active — no uncontrolled versions of key plans circulating
  • Interested parties requirements review completed
  • Context analysis current relative to any organizational changes

Audit programme readiness:

  • Audit programme documented with scope, criteria, schedule, and auditor assignments
  • Independence confirmed — no auditor assigned to areas where they have responsibility
  • Audit plan drafted for each scheduled audit
  • Corrective action management process defined and understood by the audit team

So What? Using the Internal Audit to Actually Improve the BCMS

The internal audit isn’t a pre-certification checkbox. Organizations that run effective internal audits consistently outperform on external certification metrics because they find and fix gaps before the certification auditor does.

Practical approach:

  1. Audit for operational effectiveness, not document existence. For every key requirement, ask: “Would this actually work if we needed it?” If the answer relies on tribal knowledge or heroic effort from a single individual, that’s a finding.

  2. Include cross-functional interviews. Every internal audit should include at least three interviews outside the BC team — a function-level recovery owner, an IT lead, and a frontline operational employee. Their answers are your best proxy for external auditor experience.

  3. Sample corrective action effectiveness. Don’t close the audit when corrective actions are assigned. Follow up on a sample of prior-cycle findings to verify they were resolved — not just documented as resolved.

  4. Compare against external audit scope rotation. Certification bodies rotate which areas they sample in each surveillance audit. If you know a particular clause hasn’t been deeply reviewed in your last two external audits, weight your internal audit toward it this cycle.

  5. Treat every exercise finding as a potential audit finding. Lessons learned that don’t make it into the BIA or BC plans are Clause 8.5 nonconformities. Build a direct workflow from exercise after-action reports to the corrective action programme.

Looking for a BCP/DR template built to support structured audits and FFIEC examination requirements? The Business Continuity & Disaster Recovery Kit includes BCP and BIA templates with version control structure, exercise tracking, and a format designed to hold up under both ISO 22301 internal audit and regulatory examination.



Frequently Asked Questions

What does ISO 22301 require for internal audits? Clause 9.2 requires internal audits at planned intervals to verify BCMS conformance with both organizational requirements and the ISO 22301 standard. The audit programme, scope, criteria, results, and corrective action evidence must all be retained as documented information.

How often should an ISO 22301 internal audit be conducted? The standard requires “planned intervals” — no specific frequency is set. Annual is the industry norm and the minimum before certification. Higher-risk organizations often audit twice per year. At minimum, one complete audit cycle must be completed before your Stage 1 external audit.

Who can conduct an ISO 22301 internal audit? Auditors must be independent of the activities they audit and must be competent. BSI’s 2-day ISO 22301 Internal Auditor course with exam is the recognized qualification. Using ISO 19011:2018 as the methodology standard is common practice.

What documentation is required? The audit programme, individual audit plans, audit reports, and corrective action tracking through closure are all required documented information under Clause 9.2.

What are the most common ISO 22301 nonconformities? BIA not reviewed after organizational changes, BC plans lacking operational detail, outdated contact lists, repetitive exercise scenarios without progression, and lessons learned not formally actioned are the most frequently cited. Management review with incomplete inputs is also common.

What is the difference between a major and minor nonconformity? A major nonconformity is the absence or complete breakdown of a required element — the certificate cannot be issued until it is resolved. A minor nonconformity is an isolated lapse — certification can proceed with an accepted corrective action plan.

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.