A couple of weeks ago I was in Sweden with a technology company taking part in a Stage 2 audit for ISO22301 certification.
It’s a beautiful country and I thoroughly enjoyed my time there. More importantly I learnt a great deal from the audit and the journey we took to ISO22301.
1. The more I see organisations going for ISO22301, the further I am convinced that if you are serious about business continuity then you should go for the standard. Once you have gone round the business continuity life cycle once, the challenge is trying to maintain the momentum of the project. It is far too easy to let business continuity slip. Forget to maintain the Business Continuity Management System (BCMS), and eventually the investment is wasted. If an external auditor comes into the organisation it provides extra discipline to make sure that the plans are updated, awareness training is conducted, and exercises are carried out.
2. I think a good auditor will provide additional value in that they often notice bits you have missed, identify weaknesses or make suggestions for improvement. It is difficult to find someone within the organisation to provide a similar review. Internal audit departments are often very busy and only have time to audit you every 5 years. They also lack the business continuity expertise a ISO22301 auditor has.
3. One of the key lessons I learned on the last audit would be to challenge the audit company on the number of days they were going to spend auditing. We had four days allocated for the stage 2 audit for two smallish offices. In future I think I would push for the audit to be done in 3 days.
4. This reminded me of my time in the forces. When I was in the army you knew that a senior officer was going to do an armoury serial number check to all the unit’s weapons. You, as the officer responsible, always did your own check prior to them arriving to ensure that all the weapons were there and you weren’t caught out. It is obvious but you should do exactly the same thing prior to the audit. I have a spreadsheet which lists every clause of the standard and I laboriously go through each line to make sure that I have not missed any part of the standard.
5. Be nice to your auditor! They want you to pass, you want to pass – and so you have the same end in mind. They can also catch you out if they want to. There is always something they can pick you up on if they want to. Remember they are human and a little kindness goes a long way!