PlanB Consulting

Lessons learned from ISO22301 Audit

A couple of weeks ago I was in Sweden with a technology company taking part in a Stage 2 audit for ISO22301 certification.

It’s a beautiful country and I thoroughly enjoyed my time there. More importantly I learnt a great deal from the audit and the journey we took to ISO22301.

1.  The more I see organisations going for ISO22301, the further I am convinced that if you are serious about business continuity then you should go for the standard. Once you have gone round the business continuity life cycle once, the challenge is trying to maintain the momentum of the project. It is far too easy to let business continuity slip. Forget to maintain the Business Continuity Management System (BCMS), and eventually the investment is wasted. If an external auditor comes into the organisation it provides extra discipline to make sure that the plans are updated, awareness training is conducted, and exercises are carried out.

2.  I think a good auditor will provide additional value in that they often notice bits you have missed, identify weaknesses or make suggestions for improvement. It is difficult to find someone within the organisation to provide a similar review. Internal audit departments are often very busy and only have time to audit you every 5 years. They also lack the business continuity expertise an ISO22301 auditor has.

3.  One of the key lessons I learned on the last audit would be to challenge the audit company on the number of days they were going to spend auditing. We had four days allocated for the stage 2 audit for two smallish offices. In future I think I would push for the audit to be done in 3 days.

4.  This reminded me of my time in the forces. When I was in the army you knew that a senior officer was going to do an armoury serial number check of all the unit’s weapons. You, as the officer responsible, always did your own check prior to them arriving to ensure that all the weapons were there and you weren’t caught out. It is obvious but you should do exactly the same thing prior to the audit. I have a spreadsheet which lists every clause of the standard and I laboriously go through each line to make sure that I have not missed any part of the standard.

5.  Be nice to your auditor! They want you to pass, you want to pass – and so you have the same end in mind. They can also catch you out if they want to. There is always something they can pick you up on if they want to. Remember they are human and a little kindness goes a long way!

About Charlie Maclean-Bristol

Charlie Maclean-Bristol is one of the Founders and Directors of PlanB Consulting. He is also the Training Director of Business Continuity Training Ltd., a UK-based training provider accredited by the Business Continuity Institute. Charlie is a former Business Continuity Institute board member and one of the very few Fellows of both the Emergency Planning Society and the Business Continuity Institute.

A former Infantry Captain in the British Army, Charlie held several emergency planning, business continuity and crisis management positions within the energy and utility industry before founding PlanB Consulting in 2007. Over the past twelve years, Charlie has delivered business continuity consultancy in 6 of the world’s 7 continents, frequently providing full business continuity roll-outs to organisations of all sizes and in all sectors.
