Why Verifying ISO 22301 Certification Matters
ISO 22301 is the international standard for Business Continuity Management Systems. It tells you that an organisation has identified its critical functions, planned for disruptions, tested those plans, and had all of that independently audited by an accredited certification body. That is a serious commitment, and the certificate that comes out of that process carries real weight.
The problem is that not every company claiming ISO 22301 certification actually holds a valid, current, accredited certificate. Some certificates have lapsed. Some were issued by bodies that are not accredited. Some are outright fabrications. And some companies genuinely held certification once but failed their surveillance audit and never told anyone.
If you are a procurement manager, a supply chain lead, a risk officer, or simply a business owner vetting a potential partner, knowing how to verify ISO 22301 certification properly is not a nice-to-have. It is a basic due diligence step. This guide walks you through exactly how to do it, what to look for, and what the red flags are.
What ISO 22301 Certification Actually Means
Before you can verify something, it helps to understand what you are actually looking for. ISO 22301 certification means an independent, accredited certification body has audited a company's Business Continuity Management System and confirmed it meets the requirements of the standard. The current version is ISO 22301:2019.
Certification is not self-declared. A company cannot simply say it follows ISO 22301. It must go through a formal two-stage audit process conducted by a certification body that is itself accredited by a recognised national accreditation body. In Australia, that accreditation body is JAS-ANZ. In the UK it is UKAS. In the US it is ANAB. These bodies sit above the certification bodies and provide the oversight that gives ISO certificates their credibility.
Once certified, a company must undergo annual surveillance audits and a full recertification audit every three years to maintain its certificate. This means a certificate can expire or be suspended even after it has been legitimately issued. Verification is not a one-time event. It should happen every time you are relying on that certification status for a significant decision.
It also helps to understand what ISO 22301 covers and how it differs from a basic disaster recovery plan: a disaster recovery plan typically addresses restoring IT systems after an incident, whereas a business continuity management system covers the organisation's critical functions as a whole. That context will help you ask better questions when you are checking a supplier's claims.
Step One: Ask for the Certificate Directly
The first and most obvious step is to ask the company to provide a copy of their ISO 22301 certificate. Any legitimately certified organisation should be able to produce this immediately. If there is hesitation, vague promises, or a certificate that takes days to materialise, treat that as a warning sign.
When you receive the certificate, check the following details carefully.
Certificate Holder Name
The name on the certificate must match the legal name of the company you are dealing with. Group certificates and subsidiary arrangements exist, but they need to be explicitly documented. If the name is slightly different, ask for a written explanation and verify it independently.
Certification Scope
This is one of the most important things people overlook. ISO 22301 certification always has a defined scope, meaning it only applies to specific activities, locations, or services. A company might be certified for its data centre operations but not its logistics arm. If you are relying on their certification for a particular function, check that the scope actually covers it. A certificate that excludes the exact service you are procuring is functionally useless for your purposes.
Certificate Validity Dates
Check the issue date and the expiry date. A three-year certificate cycle is standard. If the certificate expired six months ago and the company has not mentioned it, that tells you something important about how seriously they take their compliance obligations.
Issuing Certification Body
The name of the certification body that issued the certificate should be clearly printed on the document. Write it down. You will need it for the next step.
Step Two: Verify the Certification Body Is Accredited
This step is where most people stop short, and it is the step that matters most. A certificate is only as credible as the body that issued it. There are certification bodies operating in Australia and globally that are not accredited by any recognised accreditation body. Their certificates look identical to legitimate ones. The paper quality is the same. The logos are similar. But they carry no independent oversight and are not accepted by most sophisticated procurement teams or government agencies.
To check whether a certification body is accredited, go directly to the accreditation body's website and search their directory.
- Australia and New Zealand: Search the JAS-ANZ directory at jas-anz.org
- United Kingdom: Search the UKAS directory at ukas.com
- United States: Search ANAB at anab.org
- Global check: The IAF MLA Signatories list shows which national accreditation bodies are recognised internationally, and from there you can trace whether a certification body is properly accredited
If the certification body does not appear in any of these directories, the certificate it issued is not accredited. That does not necessarily mean the company has done no work, but it does mean the certificate cannot be relied upon for procurement, tendering, or compliance purposes. The distinction between certification (a certification body auditing a company against the standard) and accreditation (a national accreditation body overseeing that certification body) is worth understanding before you make any decisions based on a certificate.
Step Three: Search the Certification Body's Online Registry
Most accredited certification bodies maintain a publicly searchable online register of current certificate holders. This is the most reliable way to confirm that a certificate is genuine and currently active, because it is maintained by the issuing body rather than provided by the company you are vetting.
Go to the certification body's website and look for a section labelled something like “certificate search,” “certified clients directory,” or “public register.” Search for the company by name. The result should show you the certificate number, the standard, the scope, and the current status.
If the company does not appear, or if the status shows as suspended or withdrawn, contact the certification body directly. Do not rely solely on the document the company provided. Certificates can be revoked after they are issued, and the company is not always obligated to proactively inform you of that fact.
Our guide on how to verify ISO certificates online covers the specific registries and search tools for the most common certification bodies operating in Australia, which will save you time if you are doing this regularly.
Step Four: Cross-Check the Certificate Number
Every legitimate ISO certificate has a unique certificate number. When you search the certification body's registry, the number on the physical certificate should match exactly what appears in the database. Even a single-digit difference is a problem worth investigating.
If the registry search does not return any result for that certificate number, call the certification body. Give them the number directly and ask them to confirm whether it is valid. This takes five minutes and removes any ambiguity.
Fake certificates sometimes use real certification body names with fabricated certificate numbers. The only way to catch this is to check the number against the actual registry or call the body directly. Do not assume that because the certification body name looks legitimate, the number is real.
Step Five: Check the Scope Matches Your Requirements
We touched on this earlier, but it deserves its own section because it is a common source of misunderstanding in procurement situations. ISO 22301 certification is always scoped. The scope statement on the certificate defines exactly what the certification covers.
Common scope limitations include specific geographic locations, particular product lines or services, named business units, or specific processes. A company with 500 staff and offices in three cities might only have their Sydney head office in scope. The Melbourne team, the subcontractors, and the offshore delivery partners may be entirely outside the certified system.
Ask for the full scope statement, not just the certificate. Some certificates print an abbreviated scope. The full scope document from the certification body will give you the complete picture. If the scope does not clearly include the activities or locations relevant to your relationship with this company, ask them to clarify in writing how their continuity management covers what you actually need.
Step Six: Ask for Evidence of Recent Surveillance Audits
A certificate issued three years ago is only valid today if the company has maintained annual surveillance audits in the intervening period. Asking for evidence of recent audit activity is a reasonable due diligence request, particularly for high-value or high-risk supplier relationships.
You do not need to see the full audit report. A surveillance audit completion letter or a copy of the audit summary showing the date, the auditor's firm, and the outcome is sufficient. If the company cannot produce evidence that a surveillance audit has occurred within the last 12 months, their certificate may technically still be within its validity window, but their management system may have drifted significantly from what was originally certified.
Understanding what maintaining ISO 22301 certification year after year actually involves (annual surveillance audits, a full recertification audit every three years, and keeping the management system current in between) will help you ask better questions and interpret the answers you receive.
Red Flags That Should Stop You in Your Tracks
After reviewing hundreds of certification claims over the years, certain patterns consistently signal that something is wrong. Here are the ones worth paying close attention to.
The Certification Body Cannot Be Found
If you search for the certification body and cannot find any trace of it in the JAS-ANZ, UKAS, or IAF directories, the certificate is almost certainly not accredited. Some bodies operate under names that sound official but carry no recognised accreditation. This is unfortunately common in certain markets.
The Certificate Has No Expiry Date
Every legitimate ISO certificate has an expiry date. Certificates without one are either fabricated or issued by non-accredited bodies that do not follow standard practice.
The Scope Is Vague or Absent
A scope statement that simply says “all operations” without any specifics is a red flag. Legitimate certification bodies require a defined, auditable scope. Vague scope language often means the certificate was not issued through a rigorous audit process.
The Company Resists Providing the Certificate
If a company claims certification but is reluctant to share the actual certificate, asks you to simply trust their word, or provides a logo on their website without documentation, do not proceed until you have seen the document and verified it independently.
The Certificate Number Does Not Match the Registry
As discussed above, this is a clear indicator of a fabricated document. Contact the certification body immediately if you find a discrepancy.
Our article on how to spot fake ISO certificates goes into more detail on the specific visual and documentary signs that a certificate may not be genuine.
Why This Matters Beyond Procurement
Verifying ISO 22301 certification is not just about protecting your business from a bad supplier. It is also about understanding the actual resilience of your supply chain and your own operational dependencies. If a key supplier claims to have a certified business continuity management system and that claim turns out to be false, your own continuity plans may have a gap you did not know existed.
For regulated industries, the stakes are even higher. Financial services firms, healthcare organisations, and critical infrastructure operators often have regulatory obligations to ensure their suppliers maintain adequate business continuity arrangements. Relying on an unverified or fake certificate to satisfy that obligation creates a compliance exposure that can be significant.
Even if you are not in a regulated sector, the reputational and financial consequences of a supplier failure that you could have foreseen through proper due diligence are hard to justify. Verification is cheap. Recovery is not.
Making Verification Part of Your Supplier Onboarding Process
If you regularly work with suppliers who hold or claim ISO 22301 certification, build verification into your standard onboarding checklist. The steps outlined in this article take less than an hour for each supplier and can be delegated to a procurement coordinator once the process is documented.
Set a calendar reminder to re-verify annually. Certification status changes. Companies lose their certificates, switch certification bodies, or let their surveillance audits lapse. A certificate that was valid when you onboarded a supplier may not be valid today.
If you are on the other side of this equation and your business is looking to obtain ISO 22301 certification so that your clients can verify your status with confidence, CertBetter can connect you with accredited certification bodies and experienced ISO consultants who specialise in business continuity management. You submit one form and receive up to three competing quotes from vetted providers, at no cost to your business. It is a straightforward way to start the process without spending hours researching providers on your own.