Internal audit

ISO 22301 Clause 9.2 requires you to conduct internal audits of your Business Continuity Management System (BCMS) at planned intervals and to use those audits to confirm that the BCMS conforms to your own requirements and to ISO 22301, and that it is effectively implemented and maintained. Operationalize this by setting an audit program, executing audits, tracking nonconformities, and retaining evidence.

Key takeaways:

  • Plan and document an internal audit program for the BCMS, then execute audits on that schedule.
  • Audit to two targets: conformity (to ISO 22301 and your own BCMS requirements) and effectiveness (implemented and maintained).
  • Keep tight audit evidence: plan, scope, checklists, workpapers, findings, corrective actions, and closure proof.

“Internal audit” in ISO 22301 is not a generic quality activity or a once-a-year checkbox. Clause 9.2 expects a controlled, repeatable audit process that tests whether your BCMS matches what you said you would do (your policies, procedures, objectives, and controls) and whether it aligns to ISO 22301 requirements, then proves it is actually operating in the real world. The phrase “planned intervals” is doing a lot of work here: auditors will look for a rational, risk-informed schedule, clear scope boundaries, competent and independent auditors, and follow-through on findings.

For a Compliance Officer, CCO, or GRC lead, the fastest path to compliance is to treat internal audit as a closed-loop system: plan audits, perform them with documented criteria, record nonconformities and opportunities for improvement, assign corrective actions with owners, and verify closure. If you already run internal audits under ISO 9001, ISO 27001, or an internal enterprise audit methodology, you can reuse that machinery, but you must align the criteria and evidence to the BCMS lifecycle (BIA, risk assessment, continuity strategies, plans, exercises, incident learnings, and management review).

Regulatory text

Requirement excerpt: “The organization shall conduct internal audits at planned intervals.” 1

Operator interpretation (what you must do):

  • Establish an internal audit program for the BCMS with defined timing, scope, methods, responsibilities, and criteria.
  • Conduct audits according to the plan.
  • Use audits to determine whether the BCMS:
    • Conforms to your organization’s own BCMS requirements (your documented policies, procedures, and commitments).
    • Conforms to ISO 22301 requirements.
    • Is effectively implemented and maintained. 1

Plain-English interpretation

You need a documented, repeatable way to “check your own work” on business continuity. That means you (1) schedule audits, (2) audit against specific criteria, (3) record what you found, and (4) fix what’s broken with documented corrective actions. A solid BCMS internal audit function prevents the classic failure mode where the organization has plans on paper but cannot demonstrate real operational readiness.

Who it applies to

Entity types: Organizations implementing or certifying a BCMS; business continuity practitioners operating a BCMS program. 1

Operational contexts where this shows up in practice:

  • ISO 22301 certification or surveillance audits: Internal audit evidence is a common prerequisite artifact.
  • Regulated organizations with resilience expectations: Even where ISO 22301 is voluntary, internal audit provides defensible governance and assurance.
  • Outsourced/third-party continuity dependencies: If critical services are delivered by third parties, your BCMS internal audits should include how you set continuity requirements for those third parties and how you validate performance.

What you actually need to do (step-by-step)

1) Define your BCMS audit program

Create an “Internal Audit Program” document (or equivalent) that includes:

  • Audit objectives: Conformity to ISO 22301 and your BCMS requirements; effectiveness of implementation and maintenance. 1
  • Audit scope: Business units, locations, products/services, and BCMS processes included (and exclusions with rationale).
  • Audit criteria: ISO 22301 requirements plus internal policies, standards, and procedure requirements that you expect teams to follow.
  • Methods: Interviews, document review, sampling of records, observation of exercises/tests, walk-throughs.
  • Roles and independence: Identify auditors and how you avoid auditing your own work (peer audits, cross-functional rotation, internal audit team support).

Practical control point: Tie scope and schedule to real BCMS risk. If some sites or services are higher criticality, audit depth should reflect that.

2) Build an audit plan that can be executed

For each audit, produce a short “Audit Plan” that states:

  • Audit period and activities to be tested (for example: BIA maintenance, plan updates, exercising, incident learnings, management review inputs/outputs).
  • Stakeholders to interview (BC owner, IT DR lead, facilities, third-party manager, crisis management lead).
  • Evidence you will sample (exercise records, plan sign-offs, training logs, corrective action closures).

3) Prepare audit tools that drive consistent evidence collection

Use a checklist or audit work program mapped to:

  • ISO 22301 BCMS clauses relevant to your scope. 1
  • Your internal BCMS requirements (policy statements, defined RTO/RPO requirements if you set them, plan maintenance rules, exercise expectations).

Operator tip: A checklist is not the audit. It is the guardrail that makes your conclusions defensible.

4) Execute the audit and document work performed

During fieldwork:

  • Validate design (what the process says it does) and operation (evidence it happened).
  • Capture evidence references: record IDs, plan versions, exercise dates, ticket numbers, minutes, approvals.
  • Document exceptions precisely: condition, criteria, cause (if known), risk/impact, and recommended corrective action approach.

5) Classify findings and open corrective actions

Create a consistent taxonomy for outcomes, such as:

  • Conformity
  • Nonconformity
  • Opportunity for improvement
  • Observation

For each nonconformity:

  • Assign an owner, due date, and remediation approach (corrective action, not just a patch).
  • Require root-cause thinking appropriate to the severity. Avoid “retrained staff” as the default corrective action unless you can prove training was the root cause.

6) Verify closure (don’t stop at “action assigned”)

Closure should include:

  • Evidence the fix was implemented (updated procedure, updated plan, implemented control).
  • Evidence it works in operation (a record created under the new process, a successful exercise, or a review result).
  • A closure sign-off by the audit function or BCMS governance owner.

7) Report results into BCMS governance and management review

Aggregate audit results into a short report for leadership:

  • Coverage (what was audited), key themes, material nonconformities, repeat issues, and overdue actions.
  • Trend insights: which BCMS processes are stable vs. where execution drifts.

This connects directly to “maintained” in the requirement: you are demonstrating continuous oversight and correction, not sporadic checking. 1
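The closed loop described in steps 5 through 7 (classify the finding, open a corrective action with an owner and due date, refuse closure until implementation evidence, operating evidence and a sign-off exist, then aggregate open, overdue and repeat issues for management review) is easiest to enforce in a system of record that encodes those rules. The register below is an added example, not code from this page or from any audit product; the enum values, field names and the sample findings in sample_register() are constructed for illustration and are not real audit records.

```python
"""Corrective-action register for BCMS internal audit findings (added example).

Models the step-5 finding taxonomy, enforces the step-6 closure rule (no closure
without implementation evidence, operating evidence and a sign-off) and produces
the step-7 leadership summary. All names and sample records are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional


class Outcome(Enum):
    CONFORMITY = "conformity"
    NONCONFORMITY = "nonconformity"
    OPPORTUNITY = "opportunity_for_improvement"
    OBSERVATION = "observation"


class EvidenceKind(Enum):
    IMPLEMENTED = "implemented"  # updated procedure, plan or control
    OPERATING = "operating"      # a record produced under the new process
    SIGN_OFF = "sign_off"        # closure approved by audit function or governance owner


@dataclass
class Evidence:
    kind: EvidenceKind
    reference: str  # document id, ticket number, exercise date, etc.


@dataclass
class Finding:
    finding_id: str
    criteria: str      # clause or internal requirement the condition was tested against
    condition: str     # what was observed
    outcome: Outcome
    owner: Optional[str] = None
    due: Optional[date] = None
    root_cause: Optional[str] = None
    evidence: List[Evidence] = field(default_factory=list)
    closed_on: Optional[date] = None

    def needs_corrective_action(self) -> bool:
        # Only a nonconformity (a breach of stated criteria) must enter corrective action.
        return self.outcome is Outcome.NONCONFORMITY

    def missing_for_closure(self) -> List[str]:
        """Closure prerequisites still absent; an empty list means the finding may close."""
        if not self.needs_corrective_action():
            return []
        gaps = []
        if not self.owner:
            gaps.append("owner")
        if self.due is None:
            gaps.append("due date")
        if not self.root_cause:
            gaps.append("root cause")
        present = {e.kind for e in self.evidence}
        gaps.extend(f"{k.value} evidence" for k in EvidenceKind if k not in present)
        return gaps

    def close(self, on: date) -> None:
        """Refuse to mark the finding closed while any prerequisite is missing."""
        gaps = self.missing_for_closure()
        if gaps:
            raise ValueError(f"{self.finding_id} cannot be closed; missing: {', '.join(gaps)}")
        self.closed_on = on

    def is_overdue(self, today: date) -> bool:
        return (self.needs_corrective_action() and self.closed_on is None
                and self.due is not None and today > self.due)


def summarize(findings: List[Finding], today: date) -> Dict[str, object]:
    """Leadership view: open and overdue nonconformities plus criteria cited more than once."""
    ncs = [f for f in findings if f.needs_corrective_action()]
    open_ncs = [f for f in ncs if f.closed_on is None]
    by_criteria: Dict[str, List[str]] = {}
    for f in ncs:
        by_criteria.setdefault(f.criteria, []).append(f.finding_id)
    return {
        "open_nonconformities": len(open_ncs),
        "overdue": [f.finding_id for f in open_ncs if f.is_overdue(today)],
        "repeat_criteria": {c: ids for c, ids in by_criteria.items() if len(ids) > 1},
    }


def sample_register() -> List[Finding]:
    """Constructed sample findings, not real audit data."""
    nc1 = Finding("NC-01", "BCMS-PLAN-MAINT", "Two plans exceeded their annual review date",
                  Outcome.NONCONFORMITY, owner="bc.owner", due=date(2024, 3, 31),
                  root_cause="No review trigger in the plan repository",
                  evidence=[Evidence(EvidenceKind.IMPLEMENTED, "PROC-017 v3"),
                            Evidence(EvidenceKind.OPERATING, "Review record REV-2024-04"),
                            Evidence(EvidenceKind.SIGN_OFF, "Audit lead, 2024-04-10")])
    nc2 = Finding("NC-02", "BCMS-PLAN-MAINT", "Supplier contact list outdated",
                  Outcome.NONCONFORMITY, owner="vendor.mgr", due=date(2024, 2, 15),
                  evidence=[Evidence(EvidenceKind.IMPLEMENTED, "Contact list v9")])
    obs = Finding("OBS-01", "BCMS-EXERCISE", "Exercise debrief lacked timing data",
                  Outcome.OBSERVATION)
    return [nc1, nc2, obs]
```

In the sample, NC-01 can be closed because all three evidence kinds and a root cause are recorded, NC-02 is blocked (no root cause, no operating evidence, no sign-off) and shows up as overdue, and both nonconformities cite the same plan-maintenance criterion, so the summary reports it as a repeat issue. Observations are tracked but never block on closure evidence, matching the distinction between nonconformities and observations in the FAQ.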

Required evidence and artifacts to retain

Auditors and certifiers typically expect a clean evidence pack. Keep:

  • Internal Audit Program (scope, criteria, responsibilities, schedule)
  • Audit Plan for each audit
  • Auditor competency/assignment records (training, experience, independence notes)
  • Audit checklists/workpapers (completed)
  • Evidence references (documents reviewed, records sampled, interview notes)
  • Audit report with findings and conclusions
  • Nonconformity records and corrective action tickets
  • Corrective action verification/closure evidence
  • Communications to BCMS governance and management review inputs

Retention practice: Store these in a controlled repository with version control and consistent naming. Daydream is a practical place to centralize BCMS audit plans, workpapers, and corrective action workflows so closure evidence stays attached to the original finding.

Common exam/audit questions and hangups

Expect questions like:

  • “Show me your internal audit schedule and the rationale for the intervals.” 1
  • “Which ISO 22301 requirements did you test, and what evidence supports conformity?” 1
  • “How do you ensure auditor independence?”
  • “Show a nonconformity from an internal audit and prove corrective action closure.”
  • “How do internal audit results feed management review and BCMS improvement?”

Hangups that cause findings:

  • Planned intervals exist on paper, but audits slip with no re-plan.
  • Findings are recorded, but corrective actions lack verification.
  • Audits focus only on documentation, not operational evidence (exercises, incident learnings, plan maintenance records).

Frequent implementation mistakes (and how to avoid them)

  1. Mistake: Auditing “business continuity” generally instead of the BCMS requirements.
    Fix: Audit against ISO 22301 clauses and your own policy/procedure requirements so conclusions are tied to criteria. 1

  2. Mistake: No independence.
    Fix: Use cross-functional auditors, rotate assignments, or involve internal audit. Document how conflicts are avoided.

  3. Mistake: Treating internal audit as a document review only.
    Fix: Require evidence of operation: exercise records, maintenance logs, corrective action closures, third-party continuity requirements reviews.

  4. Mistake: Weak corrective action discipline.
    Fix: Enforce owner assignment, due dates, root-cause thinking proportional to risk, and closure verification by the audit function.

  5. Mistake: Poor evidence hygiene.
    Fix: Standardize templates and a single repository. If evidence is scattered, you will lose time during certification and surveillance cycles.

Enforcement context and risk implications

No public enforcement cases were provided for ISO 22301 Clause 9.2 in the supplied source catalog. Practically, the risk is commercial and operational: certification delays, surveillance nonconformities, and reduced assurance that BCMS capabilities will perform during disruption. Internal audit is also your best early-warning signal for chronic issues like outdated BIAs, untested plans, and unowned third-party continuity dependencies.

A practical 30/60/90-day execution plan

First 30 days (stand up the mechanism)

  • Confirm BCMS scope, key processes, and “must meet” internal requirements.
  • Draft the Internal Audit Program: scope, criteria, roles, and a schedule concept tied to BCMS risk and criticality. 1
  • Select auditors and document independence approach.
  • Create templates: audit plan, checklist/workpapers, finding log, corrective action record.

Days 31–60 (run the first audits)

  • Execute at least one pilot internal audit on a high-impact BCMS process (for example, plan maintenance and exercising).
  • Produce an audit report with clear evidence references.
  • Open corrective actions for nonconformities and assign ownership.
  • Socialize results with BCMS governance so remediation is resourced.

Days 61–90 (close the loop and operationalize)

  • Verify closure for initial corrective actions, or document status with proof of progress and revised timelines.
  • Expand audit coverage to additional BCMS processes and key sites/teams.
  • Build a recurring reporting rhythm to management review inputs (themes, repeat findings, overdue actions).
  • Operationalize a single system of record for audits and corrective actions. If you use Daydream, configure an audit workflow with required fields (criteria, evidence links, owner, closure verification) so nothing is “closed” without proof.

Frequently Asked Questions

What does “planned intervals” mean for the internal audit requirement?

ISO 22301 requires audits at planned intervals but does not define a fixed frequency. You need a documented schedule and rationale that fits your BCMS scope and risk, then evidence that audits occurred as planned. 1

Do we need an independent internal audit department to meet Clause 9.2?

No specific organizational structure is mandated, but you do need auditor independence in practice. Many teams use cross-functional auditors or rotate auditors across areas to avoid self-audit.

What’s the minimum evidence a certification auditor will expect?

Expect to show an audit program, completed audit plans/workpapers, reports, and proof that nonconformities trigger corrective actions and verified closure. The evidence must map to ISO 22301 requirements and your internal BCMS requirements. 1

Can we combine ISO 22301 internal audits with ISO 27001 or ISO 9001 internal audits?

Yes, combined audits can work if the audit criteria explicitly cover ISO 22301 BCMS requirements and you keep BCMS-specific evidence and conclusions. Don’t let the BCMS become a small add-on that never tests operational continuity performance.

How do we audit third-party continuity dependencies under a BCMS internal audit?

Audit how you define continuity requirements for third parties, how you assess their ability to meet them, and what evidence you keep (attestations, test participation, service reviews). Focus on whether your BCMS controls for third-party reliance operate as designed.

What’s the difference between an “observation” and a “nonconformity” in BCMS internal audits?

A nonconformity is a failure to meet stated criteria (ISO 22301 or your own requirements) and must trigger corrective action management. An observation or opportunity for improvement highlights risk or maturity gaps without a clear breach of criteria.

Footnotes

  1. ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements

ISO 22301 Internal audit: Implementation Guide | Daydream