How to Maintain ISO 22301 Certification Year After Year

Team CertBetter

Why ISO 22301 Maintenance Is Harder Than Getting Certified

Getting your ISO 22301 certification is a significant achievement. You have built a Business Continuity Management System, passed the Stage 1 and Stage 2 audits, closed out your nonconformities, and received that certificate. It feels like the finish line.

But here is the honest truth: the certification is only valid for three years, and your certification body will be back every twelve months for a surveillance audit. If your system has been sitting untouched since your initial certification, those surveillance audits will expose it quickly. Auditors are not looking for a polished presentation. They are looking for evidence that your BCMS is alive, tested, and improving.

This guide walks you through exactly what it takes to maintain ISO 22301 certification year after year, what auditors actually check, and how to avoid the common mistakes that cause businesses to lose their certification or receive major nonconformities during surveillance.

Understanding the Three-Year Certification Cycle

ISO 22301 certification follows a three-year cycle managed by your certification body. Here is how it typically works:

  • Year 1: Initial certification audit (Stage 1 and Stage 2). Certificate issued.
  • Year 2: First surveillance audit. Focused review of key clauses and any outstanding corrective actions.
  • Year 3: Second surveillance audit. Broader review, often with more scrutiny.
  • Year 3 end: Recertification audit. Full reassessment before a new certificate is issued.

Surveillance audits are typically shorter than the initial certification audit, but do not let that fool you into thinking they are easy. Auditors will focus on the areas that matter most under ISO 22301, including your Business Continuity Plans, exercise program, management review outputs, and corrective action register. If those areas show no activity since the last audit, you have a problem.


The Core Activities You Must Keep Running

1. Business Continuity Plan Reviews and Updates

Your Business Continuity Plans are the centrepiece of ISO 22301. Clause 8.4 requires that your plans are maintained, and that means reviewing them regularly, not just when something goes wrong.

At minimum, you should be reviewing your BCPs annually. But in practice, any significant change to your business should trigger a review. That includes changes to key personnel, new systems or technology, changes to your supply chain, new office locations, or significant shifts in your products and services.

A common failure point here is that businesses create excellent plans during the certification process, then file them away. When the auditor asks for evidence of the last review, the document metadata shows it was last modified two years ago. That is a red flag. Set a calendar reminder, assign a responsible person, and document every review even if no changes were made.

2. Business Impact Analysis and Risk Assessment

Your Business Impact Analysis and risk assessment are not one-time documents. Clause 8.2, which covers both the BIA and the risk assessment, requires that they are reviewed at planned intervals and whenever the organisation or its context changes significantly. Your BIA identifies your critical activities and their recovery time objectives. If your business has changed, those figures may no longer be accurate.

Ask yourself: have you launched new products or services? Have you taken on new major clients with tighter service expectations? Have you outsourced functions that were previously in-house? Any of these changes can affect your critical activities and your recovery priorities.

Review your BIA at least annually, and update it whenever a material change occurs. The same applies to your risk assessment. New risks emerge constantly, whether from cyber threats, extreme weather, supplier instability, or geopolitical factors. Your risk register should reflect the current environment, not the one you were operating in when you first got certified.

3. The Exercise and Testing Program

This is where many organisations fall short. ISO 22301 Clause 8.5 requires that your organisation exercises and tests its business continuity procedures. Exercises are not optional. They are a core requirement, and auditors will ask for records of every exercise you have conducted.

There are several types of exercises you can run, and a mature BCMS will use a mix of them:

  • Tabletop exercises: Scenario-based discussions where key personnel talk through how they would respond to a disruption. These are low cost and easy to run, but they should not be your only method.
  • Structured walkthroughs: Teams step through the actual procedures in the BCP without activating them.
  • Simulation exercises: More realistic scenarios where teams actually perform recovery actions, such as switching to backup systems or activating an alternate work location.
  • Full activation tests: The most demanding option, involving actual activation of recovery procedures.

Plan your exercise program at the start of each year. Document the objectives, the scenario, who participated, what worked, what did not, and what actions were taken as a result. That last part is critical. An exercise that produces no improvement actions is an exercise that did not teach you anything, and auditors will notice.

4. Internal Audits

You must conduct internal audits of your BCMS at planned intervals. This is a requirement under Clause 9.2, and it is one of the first things your certification body auditor will ask about.

Your internal audit program needs to cover all clauses of ISO 22301 over time, not just the easy ones. Many organisations audit the same handful of clauses every year and avoid the difficult areas like Clause 8 or Clause 6. That is not a compliant program.

For practical guidance on running internal audits that actually find real issues rather than just confirming everything looks fine, take a look at our article on how to run ISO internal audits that actually find problems. The principles apply directly to ISO 22301.

Make sure your internal auditors are competent and, where possible, independent from the areas they are auditing. Document everything: the audit plan, the audit report, and the nonconformities or observations raised. Then make sure those items are tracked through to closure.

5. Management Review

Clause 9.3 requires that top management reviews the BCMS at planned intervals. This is not a box-ticking meeting. It is supposed to be a genuine leadership discussion about whether your BCMS is fit for purpose and what needs to change.

Your management review agenda must cover specific inputs, including the results of internal audits, the outcomes of exercises, the status of corrective actions, changes to the organisation and its context, and performance against your business continuity objectives.

The outputs of the management review must include decisions about continual improvement, resource needs, and any changes required to the BCMS. Document the meeting properly. An auditor will want to see the agenda, the minutes, the decisions made, and evidence that those decisions were acted upon.

Corrective Action Management: Closing the Loop

Every nonconformity, whether from an internal audit, an exercise, or a surveillance audit, requires a corrective action. ISO 22301 Clause 10.1 requires that you identify the root cause, implement corrective actions, and verify their effectiveness.

The corrective action register is one of the most scrutinised documents during a surveillance audit. Auditors want to see that nonconformities are not just recorded but actually resolved. They will look at the dates, the root cause analysis, the actions taken, and the verification evidence.

A common mistake is closing corrective actions too quickly without verifying that the fix actually worked, so the register shows a closure date but no verification evidence. Another is letting the register grow with items that have been open for months past their due date with no progress and, often, no owner. Neither of these is acceptable. Assign owners, set realistic deadlines, record verification separately from closure, and review the register at every management review meeting.

Keeping Your Documentation Current

ISO 22301 requires a significant amount of documented information. The standard uses the terms “documented information to be maintained” and “documented information to be retained” throughout. Understanding which is which matters.

Documents you need to maintain include your BCMS policy, scope, objectives, risk assessment, BIA, BCPs, and procedures. Records you need to retain include exercise reports, audit reports, management review minutes, corrective action records, and evidence of competence.

Your document control process must ensure that current versions are available to the people who need them, and that obsolete versions are not accidentally used. This sounds basic, but it is a surprisingly common finding during audits. Someone activates a BCP that was superseded six months ago because the old version was still sitting in a shared folder.

Review your document control process at least annually. Check that version numbers are correct, that review dates are current, and that the right people have access to the right documents. For a broader understanding of how to manage controlled documents effectively, our guide on what controlled documents are and how to implement them covers the fundamentals well.
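The two register reviews described above, of the corrective action register and of the document register, are mechanical enough to script. The following is an added example, not code from CertBetter or from any ISO 22301 toolset: it reads two constructed CSV registers (the column layout, the annual review interval and the sample records are assumptions, chosen to show each failure the article describes) and returns the findings an internal auditor would otherwise hunt for by hand: current documents not reviewed within the interval, a document ID with more than one "current" version in circulation, corrective actions with no owner, actions open past their due date, and actions closed with no verification date.

```python
"""Stale-record checks over a BCMS document register and corrective action
register. Added example: the CSV layouts, thresholds and sample rows below are
assumptions, not something the article or ISO 22301 prescribes."""
import csv
import io
from datetime import date

# Constructed sample data in the shape of a spreadsheet export.
DOC_REGISTER_CSV = """doc_id,title,version,status,last_reviewed
BCP-001,Head office BCP,3.0,current,2025-02-10
BCP-001,Head office BCP,2.1,superseded,2023-11-02
BCP-002,IT recovery procedure,1.0,current,2023-06-30
BCP-002,IT recovery procedure,1.1,current,2025-07-01
BIA-001,Business impact analysis,4.2,current,2025-09-15
"""

CA_REGISTER_CSV = """ca_id,source,owner,raised,due,closed,verified
CA-07,internal audit,ops manager,2025-01-20,2025-03-31,2025-03-15,2025-04-02
CA-09,exercise,IT lead,2025-04-02,2025-05-30,2025-05-20,
CA-11,surveillance audit,,2025-03-10,2025-04-30,,
CA-12,internal audit,risk manager,2025-10-01,2025-12-01,,
"""

REVIEW_INTERVAL_DAYS = 365  # assumed annual review cycle for controlled documents


def _parse(cell):
    """ISO date cell -> date, blank cell -> None."""
    return date.fromisoformat(cell) if cell else None


def check_documents(csv_text, today):
    """Flag current documents overdue for review and doc_ids that have more
    than one version marked 'current' (the superseded-copy-still-in-use case)."""
    findings = []
    current_versions = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"] != "current":
            continue  # superseded versions may stay in the register as history
        current_versions.setdefault(row["doc_id"], []).append(row["version"])
        age_days = (today - _parse(row["last_reviewed"])).days
        if age_days > REVIEW_INTERVAL_DAYS:
            findings.append(("review_overdue", row["doc_id"], row["version"]))
    for doc_id, versions in current_versions.items():
        if len(versions) > 1:
            findings.append(("multiple_current_versions", doc_id, ",".join(sorted(versions))))
    return findings


def check_corrective_actions(csv_text, today):
    """Flag unowned items, items open past due, closures with no verification
    evidence, and verification dates that precede the closure date."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        due, closed, verified = _parse(row["due"]), _parse(row["closed"]), _parse(row["verified"])
        if not row["owner"]:
            findings.append(("no_owner", row["ca_id"]))
        if closed is None and due < today:
            findings.append(("open_past_due", row["ca_id"], (today - due).days))
        if closed is not None and verified is None:
            findings.append(("closed_without_verification", row["ca_id"]))
        if closed is not None and verified is not None and verified < closed:
            findings.append(("verified_before_closure", row["ca_id"]))
    return findings


def run_checks(today=None):
    """Run both checks; `today` is injectable so results are reproducible."""
    today = today or date.today()
    return {
        "documents": check_documents(DOC_REGISTER_CSV, today),
        "corrective_actions": check_corrective_actions(CA_REGISTER_CSV, today),
    }


if __name__ == "__main__":
    for register, items in run_checks(date(2025, 11, 1)).items():
        print(register)
        for finding in items:
            print("  ", *finding)
```

Run it against a real export by swapping the two CSV strings for file contents; the date of the check is passed in explicitly so the same register gives the same findings on the day of the internal audit and again at the surveillance audit. Every finding it raises maps to one of the register problems above, which makes it a cheap pre-audit sweep, not a substitute for the review itself.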

Managing Changes That Affect Your BCMS

Businesses change constantly. New staff, new systems, new locations, new clients, new threats. Every significant change has the potential to affect your BCMS, and ISO 22301 expects you to manage those changes in a controlled way.

When a key person leaves, their role in the BCP needs to be reassigned and the plan updated. When you move to a new cloud provider, your IT recovery procedures need to reflect that. When you take on a major new client, their requirements may affect your recovery time objectives.

Build a habit of asking: does this change affect our BCMS? Make it part of your change management process. If the answer is yes, trigger a review of the relevant plans and documents. This does not need to be bureaucratic. A simple checklist and a short review meeting can be enough for most changes.

Supplier and Third-Party Management

Many organisations rely heavily on third parties for critical functions. Cloud providers, logistics partners, IT support firms, and key suppliers can all be the source of a business disruption. ISO 22301 expects you to understand and manage these dependencies.

Clause 8.4 requires documented procedures for responding to disruptions, and those procedures must cover critical activities that depend on third parties just as much as the ones you deliver yourself. Your BCPs should address what happens when a key supplier fails. Do you have alternatives? Have you tested those alternatives?

Review your critical supplier list annually. Check that your contracts include appropriate provisions for business continuity. Engage key suppliers about their own continuity arrangements. This does not need to be a formal audit of every supplier, but you should have a reasonable level of assurance that your critical third parties can support your recovery objectives.

Preparing for Surveillance Audits

A surveillance audit is not something you prepare for in the week before it happens. It is the result of twelve months of consistent activity. That said, there are practical steps you can take in the weeks leading up to the audit to make sure you are presenting your BCMS in the best possible light.

  • Review your corrective action register and close out any items that are complete, making sure each closure has verification evidence behind it.
  • Confirm that your last internal audit covered the required clauses and that the report is finalised.
  • Check that your management review has been conducted and properly documented.
  • Confirm that at least one exercise has been conducted and the report is complete.
  • Review your BIA and risk assessment to confirm they reflect current operations.
  • Make sure your BCPs are current and accessible.

If you are unsure how your system will hold up, consider running a pre-audit review with your consultant or a qualified internal auditor. This is especially useful before your recertification audit at the end of the three-year cycle.

It is also worth understanding what your certification body will focus on. Different bodies have slightly different approaches. If you are not sure whether your current certification body is still the right fit, our article on why Australian businesses are leaving their ISO certification body in 2026 covers some of the common reasons organisations make a change.

Building a Culture of Resilience

The businesses that maintain ISO 22301 most effectively are not the ones with the thickest binder of procedures. They are the ones where business continuity thinking is embedded in how people work.

That means staff understand why the BCMS exists and what their role is in it. It means managers consider continuity implications when making decisions. It means exercises are taken seriously rather than treated as an inconvenience.

Competence and awareness are formal requirements under Clauses 7.2 and 7.3. But beyond compliance, genuine awareness is what makes your BCMS work when it actually matters. Invest time in communicating with your team about what the BCMS is for, what their responsibilities are, and what they should do if a disruption occurs.

For a practical look at how to track and manage staff competence and training requirements across your management system, our guide on how to build an ISO training matrix for your team is a useful starting point.

When to Bring in External Support

Not every organisation has the internal resources to run a BCMS without some external assistance. That is perfectly normal. ISO 22301 is a demanding standard, and for smaller organisations in particular, maintaining it alongside day-to-day operations can be challenging.

External support is worth considering when you are approaching a recertification audit and want an independent review, when you have had a major nonconformity and need help with root cause analysis, when your internal auditor has left and you need someone to fill the gap, or when your BCMS has drifted and you need help getting it back on track.

The key is finding a consultant who genuinely understands business continuity, not just ISO management systems in general. Industry expertise matters enormously for ISO consultants, and ISO 22301 is a specialist area. Ask potential consultants about their specific experience with business continuity management and whether they have worked with organisations in your sector.

If you are looking for verified ISO 22301 consultants or certification bodies in Australia, CertBetter makes it straightforward. Submit one form, receive up to three competing quotes from vetted providers, and compare your options without the usual back-and-forth. The service is completely free for businesses seeking certification support.

Frequently Asked Questions

How long does ISO 22301 certification last?

ISO 22301 follows a three-year certification cycle. Your certification body will conduct a surveillance audit approximately every twelve months, with a full recertification audit at the end of the three-year cycle. The surveillance audits are shorter than the initial certification audit but still require evidence of active BCMS management, including internal audits, exercises, management reviews, and corrective actions.

What happens if you miss a surveillance audit?

If you miss a scheduled surveillance audit without agreeing to a rescheduled date with your certification body, your certification may be suspended. If the audit is not completed within the allowed timeframe, your certificate can be withdrawn. Most certification bodies will work with you to reschedule if you communicate early, but leaving it too late creates real risk of losing your certification entirely.

How many exercises do you need to run each year?

The standard does not specify a minimum number of exercises, but it does require that your exercise program is planned, that exercises are conducted at planned intervals, and that the results are used to drive improvement. In practice, most auditors expect to see at least one documented exercise per year, and a mature BCMS will typically run several exercises of varying types across the year to test different aspects of the BCPs.

Can a small organisation maintain ISO 22301 without a dedicated business continuity manager?

Yes, but it requires clear ownership and commitment from leadership. Many smaller organisations assign BCMS responsibilities to an existing role such as an operations manager, risk manager, or quality manager. What matters is that the person has the authority, time, and competence to keep the system running. If internal resources are stretched, a part-time external consultant can help fill the gap, particularly around internal audits and exercise facilitation.

What are the most common reasons organisations fail a surveillance audit?

The most common failures are a lack of documented exercises or exercises with no follow-up improvement actions, an internal audit program that has not been completed or does not cover all required clauses, a corrective action register with items that have been open for an unreasonable period, BCPs that have not been reviewed since the initial certification, and a management review that was either not conducted or not properly documented. All of these point to the same underlying issue: the BCMS was built for certification and then left to gather dust.

How do you know if your BCMS works in practice and not just on paper?

A BCMS that works on paper but not in practice is one of the most common problems in business continuity management. The clearest test is whether your staff can actually execute your BCPs under pressure. Run a realistic simulation exercise and observe what happens. If people are confused about their roles, if contact lists are out of date, if systems cannot be recovered within the stated timeframes, or if no one knows where the plans are stored, your BCMS needs work regardless of what your last audit report says. For a broader look at checking whether your management system is genuinely effective, our article on how to check if your ISO management system is actually working covers the key indicators to look for.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
