How to Run a Business Continuity Exercise Under ISO 22301

CertBetter

Team CertBetter


Why Running a Business Continuity Exercise Actually Matters

Most businesses that hold ISO 22301 certification have a business continuity plan sitting in a shared drive somewhere. It was written during the implementation project, reviewed once, and has not been touched since. Then a real disruption hits and the team discovers the plan references a server that no longer exists, a supplier that closed down two years ago, and a recovery time objective that nobody actually tested.

A business continuity exercise under ISO 22301 is how you find those gaps before a crisis does. The standard explicitly requires organisations to test their business continuity plans through exercises and to evaluate the results. This is not optional. Clause 8.5 of ISO 22301:2019 requires that organisations exercise and test their plans at planned intervals, and that those exercises are designed to validate the plans, not just confirm that people can read them aloud.

This article walks you through exactly how to plan, run, and debrief a business continuity exercise in a way that satisfies your auditor and, more importantly, actually prepares your business for a real disruption.

What ISO 22301 Actually Requires From Exercises

Before you start planning an exercise, it helps to understand what the standard is actually asking for. ISO 22301:2019 Clause 8.5 requires that your organisation exercises and tests its business continuity plans and procedures. The standard does not prescribe a single exercise format, which gives you flexibility, but it does set some clear expectations.

Your exercises must be consistent with the scope of your Business Continuity Management System (BCMS). They need to be based on appropriate scenarios that are relevant to your organisation. Results must be documented, and any identified weaknesses or gaps must feed back into your improvement process. You also need to demonstrate that exercises are conducted at planned intervals, which typically means at least annually for most organisations seeking certification.

Auditors will look for evidence that exercises are genuine tests of your plans, not scripted walkthroughs where everyone already knows the answers. They will also check that findings from exercises have been acted on. An exercise report that identifies ten gaps, followed by no corrective actions, is a red flag that will attract a nonconformity.

For a broader understanding of how management systems handle compliance obligations like this, the guide to implementing ISO 37301 provides useful context on building compliance into your operations rather than treating it as a tick-box exercise.


The Four Main Types of Business Continuity Exercises

Not every exercise needs to involve your entire organisation shutting down operations for a day. ISO 22301 recognises that different exercise types serve different purposes, and a mature BCMS will use a mix of them over time.

Tabletop Exercise (Discussion-Based)

This is the most common starting point for organisations new to ISO 22301 or those testing a plan for the first time. A facilitator presents a scenario, and key stakeholders talk through how they would respond. No systems are actually activated, no one relocates, and operations continue normally.

Tabletop exercises are excellent for identifying gaps in decision-making, clarifying roles and responsibilities, and testing whether your escalation procedures make sense. They are low cost, low disruption, and can be completed in a few hours. The limitation is that they do not test whether your actual recovery procedures work in practice.

Walkthrough or Structured Walkthrough

A step above the tabletop, a structured walkthrough involves participants actually following their documented procedures step by step, checking whether each action is achievable. Someone might physically locate the backup communication list, attempt to access the offsite document repository, or verify that the contact numbers in the plan are current.

This type of exercise is particularly good at finding documentation errors, outdated information, and procedural gaps that a discussion-based exercise would miss entirely.

Functional Exercise

A functional exercise activates specific parts of your response without a full operational shutdown. For example, you might activate your crisis management team, test your emergency communication system, or simulate the recovery of a specific IT system in a test environment. Real actions are taken, but the scope is limited to avoid disrupting live operations.

These exercises are more resource-intensive but provide much stronger evidence that your plans actually work. They are particularly useful for testing technical recovery capabilities like data restoration, failover systems, or alternate site activation.

Full-Scale Exercise

A full-scale exercise simulates a real disruption as closely as possible. Staff may be asked to work from an alternate location, IT systems may be failed over to backup infrastructure, and the crisis management team operates as if the event is real. These exercises are the most demanding and disruptive, but they provide the highest level of confidence in your plans.

Most organisations run a full-scale exercise every two to three years, supplemented by tabletop and functional exercises in between. For your ISO 22301 audit, being able to show a programme of varied exercise types over time is far more convincing than running one large exercise every few years.

How to Plan a Business Continuity Exercise Step by Step

Good exercises do not happen by accident. The planning phase is where most of the value is created, and shortcuts here will undermine the entire effort.

Step 1: Define the Objectives

Start by being specific about what you want to test. Vague objectives like “test the business continuity plan” lead to vague results. Good objectives sound more like: verify that the crisis management team can be assembled within 30 minutes of a declared incident; confirm that the IT team can restore the core finance system from backup within the agreed recovery time objective; or identify gaps in the communication chain between the operations manager and department heads during an unplanned site closure.

Write down two to five specific objectives before you do anything else. Every other planning decision flows from these.

Step 2: Select a Realistic Scenario

Your scenario needs to be plausible for your organisation and relevant to the risks identified in your Business Impact Analysis (BIA). Common scenarios include a prolonged power outage, a cyberattack rendering key systems unavailable, a fire or flood affecting your primary site, a critical supplier failure, or the sudden unavailability of key personnel.

The best scenarios are ones that genuinely challenge your plans. If your team can comfortably answer every question within the first ten minutes, the scenario is not stretching them enough. At the same time, avoid scenarios so extreme or implausible that participants disengage.

Step 3: Identify Participants and Assign Roles

Decide who needs to be involved based on your objectives. At minimum, you want the people who would actually respond to the type of incident you are simulating. For a crisis management tabletop, that means your crisis management team. For a functional IT recovery exercise, that means your IT team and the business owners of the systems being recovered.

Assign a lead facilitator, an observer or evaluator, and a note-taker. The facilitator drives the scenario. The observer watches what happens and records it without intervening. The note-taker captures decisions, actions, and gaps in real time.

Step 4: Develop the Scenario Script and Injects

An inject is a piece of information or an event introduced during the exercise to advance the scenario or create a new decision point. For example, in a cyberattack scenario, an inject might be: “The IT team has confirmed that the ransomware has also encrypted the backup files stored on the network-attached storage device. The offsite cloud backup is intact but will take six hours to restore.”

Good injects are timed, specific, and designed to test particular aspects of your plan. Prepare at least five to eight injects for a two-hour tabletop exercise. Not all of them need to be used. The facilitator can choose injects based on how the exercise is progressing.

Step 5: Brief Participants in Advance

Participants should know the exercise date, the format, and the general topic area. They should be asked to bring their relevant plans and procedures. What they should not know is the specific scenario details or the injects. The exercise needs to be a genuine test, not a rehearsal.

Send a short briefing note one week before the exercise. Confirm logistics, remind people to review their relevant procedures, and set expectations about the format and duration.

Running the Exercise on the Day

The facilitator opens by explaining the ground rules. Remind participants that the exercise is a safe environment to identify gaps, not a performance assessment. Reinforce that finding a problem during an exercise is a success, not a failure.

Present the scenario clearly and allow participants time to orient themselves. Then begin introducing injects at planned intervals. Let the discussion develop naturally. The facilitator should probe with questions like: who makes that decision in your current plan, what does your procedure say to do at this point, and how long would that actually take given your current resources.

The observer should be watching for specific things: decisions that contradict the documented plan, actions that cannot be completed because of missing resources or outdated information, gaps in communication between teams, and assumptions that have never been validated. These observations are the raw material for your exercise report.

Do not rescue participants when they get stuck. The discomfort of not knowing what to do next is exactly the kind of gap the exercise is designed to surface. A facilitator who jumps in with the answer every time a team struggles will produce a polished exercise and a useless report.

Documenting and Debriefing After the Exercise

The debrief is one of the most important parts of the entire process. Run it immediately after the exercise while observations are fresh. Give every participant a chance to speak. Ask what worked well, what did not work as expected, and what specific changes need to be made to the plans or procedures.

Within two weeks, produce a formal exercise report. This document is what your ISO 22301 auditor will want to see. It should include the exercise objectives, the scenario and injects used, a summary of key observations, a list of identified gaps and weaknesses, and a corrective action plan with owners and due dates.

The corrective action section is critical. If your exercise identified that your recovery time objective for the accounts payable system is not achievable with current resources, that needs to become a corrective action with a named owner, a specific remediation plan, and a target completion date. Exercises that produce reports with no corrective actions, or corrective actions that are never completed, will create problems at your next certification audit.

This connects directly to the broader principle of internal audit and continuous improvement. If you want to understand how to make your management system reviews genuinely effective, the article on how to run ISO internal audits that actually find problems covers the same mindset applied to the audit process.

Common Mistakes That Undermine Business Continuity Exercises

After years of working with organisations on ISO 22301 implementation and auditing, the same mistakes come up repeatedly. Here are the ones that matter most.

Testing the Plan Instead of Testing Reality

Many exercises test whether people know what the plan says, not whether the plan is actually achievable. The question to ask is not “what does the plan say you should do” but “can you actually do that right now with what you have.” These are very different questions.

Only Involving Senior Management

Business continuity exercises that only involve the executive team miss the people who will actually be doing the recovery work. Involve team leaders, technical staff, and frontline workers in exercises relevant to their roles. The gap between what senior management thinks will happen and what the operations team knows will happen is often significant.

Not Updating Plans After Exercises

An exercise that identifies gaps but does not result in plan updates is worse than no exercise at all, because it creates false confidence. Every gap identified must be tracked to closure. Build this into your BCMS review cycle.

Running the Same Exercise Every Year

If you run the same tabletop exercise with the same scenario every year, your team will start memorising the answers rather than testing their thinking. Vary the scenarios, the exercise type, and the participants over time. ISO 22301:2019 itself encourages a programme of exercises rather than a single annual event.

Treating It as a Compliance Activity

The moment an exercise becomes something you do to satisfy an auditor rather than to actually improve your resilience, it stops being useful. The best exercises are the ones where something genuinely unexpected is discovered. Celebrate those discoveries. They are the whole point.

Integrating Exercises Into Your BCMS Calendar

A mature BCMS has a rolling programme of exercises built into the annual management calendar. A practical structure for most organisations looks like this: one tabletop or structured walkthrough per quarter focused on different business units or risk scenarios, one functional exercise annually testing a specific technical or operational recovery capability, and one full-scale exercise every two to three years covering the full scope of the BCMS.

Document this programme in your BCMS as a planned exercise schedule. When your auditor asks about your exercise programme, you should be able to show a forward schedule, past exercise reports, and evidence that findings have been addressed. This is the kind of systematic approach that distinguishes organisations that genuinely use ISO 22301 from those that just hold the certificate.

For organisations also managing risk across other standards, the principles here align closely with the risk-based thinking described in ISO 31000 risk management, which provides a useful framework for thinking about how exercise findings feed back into your broader risk register.

Getting Help With Your ISO 22301 Exercise Programme

If you are building your business continuity exercise programme from scratch, or if your existing programme has stalled, working with an experienced ISO 22301 consultant can save significant time and reduce the risk of getting it wrong before your certification audit.

The challenge is finding a consultant who has genuine hands-on experience with ISO 22301 exercises, not just someone who has read the standard. Finding a trustworthy ISO consultant is harder than it should be, which is why CertBetter exists. The platform connects businesses seeking ISO 22301 support with verified consultants who have demonstrated experience with business continuity management systems. You submit one form, receive up to three competing quotes from vetted providers, and can compare them side by side. It costs nothing to use and removes much of the guesswork from finding the right support.

Frequently Asked Questions

How often do you need to run a business continuity exercise under ISO 22301?

ISO 22301:2019 Clause 8.5 requires that exercises are conducted at planned intervals but does not specify a minimum frequency. In practice, most certification bodies expect at least one documented exercise per year, with many organisations running multiple exercises of different types throughout the year. Your exercise programme should be documented and approved as part of your BCMS, and the frequency should be proportionate to the complexity and risk profile of your organisation.

Can a tabletop exercise on its own satisfy the ISO 22301 requirement?

Yes, a tabletop exercise can satisfy the requirement, particularly for organisations in the early stages of their BCMS or for specific scenarios where a functional exercise would be impractical. However, auditors will expect to see a variety of exercise types over time, and a programme that only ever uses tabletop exercises may be questioned. The key is that the exercise genuinely tests your plans and produces documented findings and corrective actions.

What records do you need to keep from a business continuity exercise?

You need to retain the exercise plan or design document, a record of who participated, the scenario and injects used, the exercise report including observations and identified gaps, and the corrective action register showing how findings were addressed. This documented evidence is what your ISO 22301 auditor will request during surveillance and recertification audits, so keeping records organised and accessible is important.

What is the difference between an exercise and a test under ISO 22301?

ISO 22301 uses the terms exercise and test together in Clause 8.5, and in practice they are often used interchangeably. However, a test typically refers to the technical validation of a specific capability, such as restoring data from a backup or failing over to an alternate system, while an exercise refers to a broader simulation of your response and recovery procedures. Both are required, and a comprehensive BCMS programme will include both types of activity.

What happens if an exercise shows that a recovery time objective cannot be met?

This is actually a successful outcome for the exercise. The finding should be documented in your exercise report and raised as a corrective action. You then need to either improve your recovery capability to meet the existing objective, or formally revise the recovery time objective based on realistic constraints and update your Business Impact Analysis accordingly. An auditor will not penalise you for discovering a gap through an exercise. They will penalise you for discovering a gap and doing nothing about it.

Do you need to notify your certification body before running an exercise?

In most cases, no. You are not required to notify your certification body before conducting an internal exercise. However, some organisations invite their certification body or an external observer to attend exercises as part of a surveillance visit, which can provide valuable independent feedback. Check your certification agreement for any specific requirements, and if in doubt, contact your certification body directly to clarify expectations.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
