
ISO 22301 Stage 1 vs Stage 2 Audit: What Each Auditor Actually Does

Stage 1 is documentation. Stage 2 is operational. Knowing the difference — and what each auditor will ask for — is the difference between a clean certification and an avoidable major finding.

The BCM Desk, BCMStack Editorial · Riyadh
18 February 2026 · 5 min read

The ISO 22301 certification process is a two-stage audit performed by an accredited certification body. Stage 1 and Stage 2 are sometimes treated as a single event in internal discussion, but they are very different exercises with different success criteria. This article walks through what each one actually involves — based on what we have seen go well and badly across audits we have supported.

The parent topic is our ISO 22301 implementation pillar.

Stage 1: documentation review

Stage 1 is the certification body's check that your BCMS exists on paper. They are not yet looking at whether it works operationally — that comes in Stage 2. They are looking at the structural completeness of the documented system.

What they ask for:

  • BCM policy (signed and dated)
  • BCMS scope statement
  • BCM committee charter and recent minutes
  • BIA methodology document
  • BIA records for in-scope services
  • Risk assessment methodology and the risk register
  • BCP register and a sample of plans
  • Exercise programme document and recent AARs
  • Internal audit programme and the most recent internal audit report
  • Management-review minutes
  • Improvement-action register

What they look for:

  • Coverage. Are all clauses of the standard addressed somewhere in the documentation?
  • Coherence. Do the documents reference each other consistently? Does the scope statement match the BIA scope?
  • Currency. Are documents recent? A policy signed three years ago and never reviewed is a flag.
  • Approval. Have documents been approved at the right level (top management for policy, BCM committee for procedures)?

The likely Stage 1 finding pattern:

Stage 1 rarely fails outright. More commonly, the auditor identifies "areas of concern" or "minor non-conformities" that must be addressed before Stage 2. The most common Stage 1 findings:

  • Scope statement is too vague — doesn't clearly delimit in-scope services, locations or subsidiaries.
  • BIA methodology is documented but BIA records are missing for some critical services.
  • Plans exist but the §8.4.4 fields are inconsistent across plans (see our §8.4.4 deep dive).
  • Internal audit programme exists but the most recent audit didn't cover the full standard.

Between Stage 1 and Stage 2 you typically have one to three months to close out findings. Use the time well — Stage 2 will not lower the bar to compensate.

Stage 2: operational verification

Stage 2 is the audit most teams fear. The certification body sends one or more auditors on-site (or remote, increasingly) for two to five days, depending on organisation size. They sample critical processes end-to-end.

What they sample:

For each sampled process, they will trace it through every artefact:

  • The BIA record. Are the impact ratings, RTO, RPO and dependencies current?
  • The strategy decision. Is the choice between mitigate, recover, transfer or accept evidenced?
  • The BCP. Are the §8.4.4 fields specific? Are activation criteria threshold-based? Is the procedure executable under stress?
  • The exercise record. Has this plan been exercised within the past twelve months? Where is the AAR?
  • The improvement actions. Are the AAR findings tracked? Closed? Reflected in the current plan version?
  • The §8.5 log. Has the plan been activated for real? What was the outcome?
  • The management review. Did leadership see the result of the exercises? What decisions were taken?

That trace is end-to-end. Any missing link is a finding. The pattern that fails most often is a plan that exists, has been authored, has §8.4.4 fields — but has not been exercised, has no activation log, and does not appear in any management-review record. The plan is dead.

The likely Stage 2 finding pattern:

  • Plans authored but not exercised within twelve months.
  • BIAs older than the agreed refresh cycle.
  • AAR improvement actions open past their due date with no documented re-prioritisation.
  • §8.5 activation log gaps — exercises performed but not logged formally.
  • Management-review minutes that record attendance but not decisions.

Major non-conformities will block the certificate; the organisation has a fixed window (typically 90 days) to resolve them, often with a follow-up audit. Minor non-conformities allow the certificate to be issued with a remediation plan.

What to do in the 90 days before Stage 2

The activities that move the needle most in the run-up to Stage 2:

  1. Run a tabletop on the highest-criticality plan. Capture an AAR. Close at least one improvement action visibly.
  2. Refresh the §8.5 log. Every exercise and every real-world activation from the past twelve months, with timestamps and outcomes. Gaps are flags.
  3. Verify BIA currency. Re-attest every BIA for an in-scope service. Catch the stale ones now.
  4. Walk the end-to-end trace yourself. Pick three critical processes. Trace them through BIA → strategy → BCP → exercise → AAR → improvement → management review. Find the breaks. Fix them.
  5. Brief the people who will be interviewed. Process owners, IT operations, the comms lead. They do not need to memorise the standard, but they need to be able to articulate what they own, where the relevant artefacts live, and how they would respond in a real activation.
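Step 4 can be done mechanically once the artefacts are in one place. The following is an added example, not BCMStack's code or data model: it walks the BIA → strategy → BCP → exercise → AAR → improvement → management-review chain for each sampled process and reports every broken link using the Stage 2 finding patterns listed above. The record fields, the 365-day refresh cycle and the three sample processes are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical record of one process's artefact chain (not BCMStack's model).
@dataclass
class ProcessTrace:
    name: str
    bia_attested: date              # date the BIA record was last re-attested
    strategy_evidenced: bool        # mitigate/recover/transfer/accept recorded
    last_exercised: Optional[date]  # most recent exercise, None if never
    exercises_run: int              # exercises actually performed in the period
    activations_logged: int         # §8.5 log entries (exercises + real activations)
    actions_open_past_due: int      # AAR actions past due with no re-prioritisation
    in_review_minutes: bool         # exercise result appears in management review
    review_records_decisions: bool  # minutes record decisions, not only attendance

def trace_findings(p, today, refresh_days=365):
    """Walk BIA -> strategy -> BCP -> exercise -> AAR -> improvement -> review; return breaks."""
    f = []
    if (today - p.bia_attested).days > refresh_days:
        f.append("BIA older than agreed refresh cycle")
    if not p.strategy_evidenced:
        f.append("strategy decision not evidenced")
    if p.last_exercised is None or (today - p.last_exercised).days > 365:
        f.append("plan not exercised within twelve months")
    if p.activations_logged < p.exercises_run:
        f.append("§8.5 log gap: exercises performed but not logged")
    if p.actions_open_past_due:
        f.append(f"{p.actions_open_past_due} AAR action(s) open past due date")
    if not p.in_review_minutes:
        f.append("not reflected in any management-review record")
    elif not p.review_records_decisions:
        f.append("management-review minutes record attendance but no decisions")
    return f

# Constructed sample: three critical processes as of the article's date.
TODAY = date(2026, 2, 18)
SAMPLE = [
    ProcessTrace("Payments", date(2025, 9, 1), True, date(2025, 11, 12), 2, 2, 0, True, True),
    ProcessTrace("Payroll", date(2024, 6, 30), True, None, 0, 0, 0, False, False),
    ProcessTrace("Customer portal", date(2025, 12, 5), False, date(2025, 3, 20), 1, 0, 2, True, False),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.name}: {trace_findings(p, TODAY) or ['clean trace']}")
```

A process with an empty result has a complete trace; "Payroll" shows the dead-plan pattern described above, where the plan exists but every downstream link is missing.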

Surveillance audits afterwards

Certification is not a one-time event. After Stage 2, surveillance audits run annually — shorter than Stage 2, but covering a sample of the standard each cycle. The full standard is re-covered over the three-year certificate validity. Treat the surveillance cycle as the operational rhythm of the BCMS rather than as an annual stress event.

The ISO 22301 implementation pillar covers the full certification path. For the platform surface that makes the end-to-end trace queryable, the BCMStack reporting module is built around exactly this audit pattern.
