Internal audit — General

ISO 22301 Clause 9.2.1 requires you to run internal audits that determine whether your Business Continuity Management System (BCMS) conforms to both ISO 22301 and your own BCMS requirements, and whether it is effectively implemented in day-to-day operations [1]. Operationalize it by defining audit criteria and scope, executing evidence-based audits, documenting results, and driving corrective actions to closure.

Key takeaways:

  • Audit both conformity (meets requirements) and effectiveness (works in practice) [1].
  • Evidence must link BCMS requirements to audited controls, testing, incidents, and corrective actions.
  • Your biggest risk is a “paper BCMS”: good documents, weak execution, and no proof of follow-through.

“Internal audit — General” is the ISO 22301 checkpoint that forces you to prove your BCMS works beyond policy statements. The clause is short, but the audit expectation is not: you must be able to demonstrate, with auditable evidence, that your BCMS conforms to defined requirements and is effectively implemented [1].

For a Compliance Officer, CCO, or GRC lead, the fastest path is to treat this as a repeatable program: define what “conformity” means in your environment (ISO 22301 clauses plus your own BCMS policies, procedures, and commitments), then test implementation through interviews, sampling, and records review. Your outputs must be decision-grade: clear findings, severity/impact, root cause, corrective actions, owners, and closure evidence.

This page gives requirement-level implementation guidance you can apply immediately: who needs to do what, how to structure the audit so it survives certification audits and internal scrutiny, what artifacts to retain, and where teams commonly fail (especially around effectiveness testing, independence, and corrective action closure).

Regulatory text

Requirement (excerpt): “The organization shall determine whether the BCMS conforms to requirements and is effectively implemented.” [1]

What the operator must do:
You must operate an internal audit function for the BCMS that produces a defensible determination on two questions:

  1. Conformity: Does your BCMS meet ISO 22301 requirements and your internal BCMS requirements (policies, standards, procedures, objectives, and commitments)? [1]
  2. Effectiveness: Is the BCMS actually implemented and working as intended across relevant parts of the organization, not just documented? [1]

Auditors will look for disciplined audit methods, traceability from requirements to evidence, and proof that findings lead to corrective action and system improvement.

Plain-English interpretation (what this really means)

You need a repeatable way to check whether business continuity controls exist, are followed, and produce outcomes. “Conforms to requirements” means you can map BCMS obligations (ISO clauses and your internal commitments) to implemented processes and controls. “Effectively implemented” means staff follow the process, records exist, testing happens, issues are found, and fixes stick.

A common misread is treating internal audit as a document review. Document review is necessary, but effectiveness requires testing reality: sampling exercise results, validating corrective actions, checking training completion, and confirming that business continuity arrangements match actual operations (including dependencies on third parties).

Who it applies to

Applies to: Any organization operating a BCMS aligned to ISO 22301, including those pursuing certification or maintaining an existing certificate [1].

Operational context where this bites hardest:

  • Rapidly changing operations (new systems, reorganizations, new locations, acquisitions)
  • High dependency environments (critical suppliers, cloud services, outsourced operations)
  • Federated models where business units “own” continuity but central teams report compliance
  • Organizations with frequent incidents/exercises that generate findings but weak closure discipline

What you actually need to do (step-by-step)

1) Define audit criteria (what “requirements” you will test)

Build a single auditable criteria set that includes:

  • ISO 22301 requirements that your BCMS claims to meet [1]
  • Internal BCMS requirements: policy statements, mandatory procedures, RTO/RPO commitments where defined, exercise requirements, minimum documentation, and governance rules

Artifact: BCMS Audit Criteria Register (a matrix is fine).

2) Define audit scope and boundaries

Write down what parts of the organization, locations, products/services, and processes are in-scope for the BCMS audit. Include critical dependencies, especially third parties that support recovery strategies.

Operator tip: Scope should reflect business criticality, change, incident history, and previous findings. If you cannot audit everything each cycle, document a risk-based rationale for what you did audit.

Artifacts: Audit scope statement; BCMS boundary description.

3) Build an audit program that tests both conformity and effectiveness

Create an internal audit plan that includes:

  • Audits of BCMS governance (roles, responsibilities, competence, documented information)
  • Audits of operational readiness (plans, exercises, results, corrective actions)
  • Audits of key sites/processes (sampling actual teams’ readiness and records)
  • Follow-up audits for closure verification of past findings

Artifacts: Audit program; audit schedule; risk-based prioritization notes.

4) Establish auditor competence and independence

Assign auditors who can evaluate business continuity practices and who are sufficiently independent from the area being audited. If your BC team audits itself, you need documented safeguards (peer review, cross-audits, second-line oversight) so results are credible.

Artifacts: Auditor qualification records; conflict-of-interest declarations; audit assignment rationale.

5) Prepare an audit checklist that forces evidence collection

For each audit area, your checklist should require:

  • Requirement reference (ISO clause and/or internal requirement)
  • Evidence type required (record, interview, observation, system output)
  • Sampling approach (what you sampled and why)
  • Pass/fail criteria

Practical example evidence prompts:

  • Show the last exercise report and trace its findings to corrective action closure.
  • Pick a critical process owner and walk through their recovery plan: confirm it matches current systems and contacts.
  • Validate that third-party continuity commitments (e.g., SLAs, recovery support) align with your recovery strategy documentation.

Artifacts: Audit checklist(s); sampling plan.

6) Execute the audit (fieldwork)

Perform a mixed-method audit:

  • Interviews (process owners, BC coordinators, IT recovery, facilities, vendor management)
  • Records review (training, exercises, incident logs, plan approvals, BIA/RA outputs where applicable)
  • Observation (tabletop/exercise observation, call tree tests, plan walkthroughs)

Key test for “effective implementation”: Evidence of use and maintenance. Plans that were never exercised, never reviewed, or cannot be executed by the current team are not effective, even if they exist.

Artifacts: Working papers; interview notes; evidence index; copies/screenshots where permitted.

7) Write findings that are fixable

Each finding should include:

  • The requirement not met (ISO/internal)
  • Condition (what you observed)
  • Cause (why it happened)
  • Effect/risk (what could go wrong for continuity outcomes)
  • Corrective action recommendation (or required action)
  • Owner and due date (your internal governance decides timing)

Artifacts: Audit report; finding log.

8) Drive corrective actions to verified closure

Your obligation under this clause is determination of conformity and effective implementation [1]. In practice, certification auditors will expect you to manage findings to closure as part of maintaining an effective system.

Minimum closure discipline:

  • Corrective action plan approved by accountable owner
  • Evidence of implementation
  • Verification that the fix works (not just “updated the document”)

Artifacts: Corrective action tracker; closure evidence; verification notes; management reporting.

9) Report results into governance

Feed audit results into your BCMS governance forums so leadership can make decisions about risk, resourcing, and priorities.

Artifacts: Steering committee minutes; management review inputs (where used); risk register updates.

Required evidence and artifacts to retain (audit-ready list)

Keep these in a controlled repository with retention rules:

  • BCMS Internal Audit Policy/Procedure (how audits are run, independence, reporting)
  • Audit criteria register (ISO + internal requirements mapping)
  • Annual/rolling audit program and schedule with rationale
  • Auditor competence/independence records
  • Audit plans, checklists, and sampling documentation
  • Working papers: evidence index, interview notes, referenced records
  • Audit reports and signed approvals/distribution
  • Findings log with severity, owners, corrective actions, and status
  • Corrective action evidence and closure verification records
  • Governance reporting (dashboards, committee minutes reflecting review)

If you use Daydream to manage BCMS evidence, set up a BCMS audit “binder” structure that mirrors the list above so you can answer auditor requests in minutes rather than days.

Common exam/audit questions and hangups

Expect questions like:

  • “Show me how you determined the BCMS conforms to ISO 22301 requirements.” (They want your criteria mapping and audit coverage.)
  • “How do you test effectiveness, not just documentation?” (They want sampling, exercises, incident lessons learned, and proof of operational use.)
  • “How do you ensure auditors are independent of the audited area?” (They want conflict handling and role separation.)
  • “How do you ensure findings are corrected and stay corrected?” (They want root cause, verification, and recurrence controls.)
  • “How did you decide what business units/sites to audit?” (They want risk-based rationale and coverage.)

Hangup to avoid: producing an audit report that lists observations but does not tie each one to a requirement.

Frequent implementation mistakes (and how to avoid them)

  1. Auditing only documents.
    Fix: Require at least one operational test per audit area (exercise evidence, incident evidence, or plan walk-through with live artifacts).

  2. No single source of “requirements.”
    Fix: Maintain an audit criteria register that includes ISO clauses and your internal BCMS commitments.

  3. Auditors auditing their own work.
    Fix: Use cross-functional auditors, rotate assignments, or require second-line review and sign-off.

  4. Findings without root cause or closure proof.
    Fix: Make closure contingent on verification evidence (re-test or validate operation).

  5. Third-party dependency blind spots.
    Fix: Include third-party continuity commitments in audit scope where they support recovery strategies.

Enforcement context and risk implications

No public enforcement cases were provided for this requirement in the source catalog. Practically, the risk is certification nonconformity, operational disruption exposure, and board-level accountability gaps if continuity weaknesses are identified after an incident but internal audits failed to detect them earlier. The internal audit function is your defensible mechanism to show you looked, tested, and corrected.

Practical 30/60/90-day execution plan

First 30 days (stand up the mechanism)

  • Confirm BCMS scope/boundaries and collect internal BCMS requirements in one place.
  • Build the audit criteria register (ISO + internal).
  • Draft or update the BCMS internal audit procedure (methods, independence, reporting, evidence handling).
  • Identify auditors, document competence, and set independence rules.
  • Build checklists for governance, exercises, and plan maintenance.

Next 60 days (run the first audits and produce determinations)

  • Publish an audit schedule based on business criticality and change.
  • Execute initial audits on highest-risk areas (critical processes, key sites, recent changes).
  • Produce reports with requirement traceability and clear corrective actions.
  • Start a corrective action tracker with accountable owners and verification steps.

Next 90 days (close the loop and institutionalize)

  • Verify closure for early findings; re-test for effectiveness where needed.
  • Report results and trends to BCMS governance.
  • Refine the audit program based on what failed (update checklists and sampling).
  • Create an “audit-ready” evidence binder structure (Daydream or your GRC system) aligned to the artifact list.

Frequently Asked Questions

What counts as “requirements” for conformity testing?

ISO 22301 requirements plus your own BCMS policies, procedures, objectives, and mandatory commitments are “requirements” you must audit against [1]. Auditors will expect you to show how you compiled and maintained that criteria set.

How do I prove “effective implementation” instead of just compliance on paper?

Test operational reality: sample exercises, incident learnings, plan reviews, training records, and walkthroughs with process owners. Effectiveness shows up in records of use, maintenance, and corrective action closure [1].

Can the business continuity team perform the internal audit?

You can, but you must manage independence. Use cross-audits, rotate auditors, or require independent review and approval of results so the audit is credible to certification auditors.

How should we handle third-party dependencies in BCMS internal audits?

If third parties are part of your recovery strategy, include them in audit scope through contract review, SLA/continuity commitment checks, and evidence that dependencies were considered in exercises and plans. Keep the focus on whether your BCMS requirements for those dependencies are met in practice.

What artifacts do certification auditors ask for first?

They typically start with the audit program/schedule, audit criteria, recent audit reports, and evidence that findings were corrected and verified. If you can’t produce working papers or an evidence index, expect deeper sampling.

How do we keep audits from becoming a checkbox exercise each year?

Tie scope and sampling to change, incidents, and prior findings, and require at least one effectiveness test per audited area. Track recurring findings as a signal that corrective actions are superficial.

Footnotes

  1. ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements
