ISO 22301 Audit Methodology – BCMS

Read the testimonials from companies that have used our ISO 22301 audits and experienced tangible benefits in business continuity management. The methodology is fully compliant with ISO 22301:2019, supplemented by best practices from DORA, NIS2, ENISA, BCI, FFIEC and EBA ICT/BCM, enabling its application in regulated and critical sectors.

General principles

The ISO 22301 audit conducted by JDA Advisory assesses the compliance, maturity and effectiveness of the Business Continuity Management System (BCMS), covering:

• compliance with ISO 22301:2019
• the suitability of BCM processes to operational risks
• the effectiveness of BIAs, TRAs, continuity and recovery plans
• the organisation’s preparedness for real-world disruptions
• the integration of the BCMS with cybersecurity, suppliers and IT

The methodology combines evidence-based auditing, risk analysis, effectiveness testing and process maturity assessment.

Stage 1 — Preparation and audit plan

Objective: to gain a full understanding of the organisation, its critical processes and its operational context.

Scope of activities:

• analysis of preliminary documents (BIA, TRA, plans, policies, incident logs, IT architecture)
• identification of critical processes and dependencies (people, IT, suppliers, locations)
• definition of the audit scope (processes, units, systems, locations)
• preparation of the Audit Plan:
  • objectives and criteria
  • timetable
  • list of required evidence
  • list of process owners

Products:

• Meeting schedule
• ISO 22301 Audit Plan
• Evidence Request List

Stage 2 — Review of documentation (Stage 1)

Objective: to assess the completeness and adequacy of the BCMS documentation.

Scope:

• business continuity policy
• BIA and TRA methodology
• BIA results (RTO, RPO, MTPD, dependencies)
• TRA results (threats, vulnerabilities, scenarios)
• business continuity plans (BCP)
• IT disaster recovery plans (DRP)
• crisis and communication procedures
• incident and test logs
• roles and responsibilities

Techniques:

• gap analysis
• assessment of consistency between documents
• assessment of alignment with risks and business requirements

Products:

• Updated list of evidence for the operational audit
• Stage 1 Report
• List of documentation gaps and non-conformities

Stage 3 — Operational audit (Stage 2)

Objective: to assess the actual functioning of the BCMS and the effectiveness of its processes.

Scope:

• interviews with process owners
• review of operational evidence
• control tests and performance tests
• analysis of incidents and disruptions
• process evaluation:
  • BIA and TRA
  • incident and crisis management
  • crisis communication
  • critical asset management
  • IT disaster recovery (DR)
  • tests and exercises
  • supplier management
  • supply chain business continuity
  • links to cybersecurity

Techniques:

• compliance testing
• operational effectiveness testing
• scenario analysis
• process maturity assessment (CMMI-like)

Products:

• BCMS Maturity Assessment
• NC/OBS/REC List
• Control Test Results

Stage 4 — Assessment of BIA, TRA and business continuity plans

Objective: to assess whether the organisation correctly identifies critical processes, risks and recovery strategies.

BIA

• accuracy of critical process identification
• appropriateness of RTO, RPO and MTPD
• interdependencies (IT, people, suppliers, locations)
• alignment of the BIA with operational realities

TRA

• Identifying threats and vulnerabilities
• Assessing disruption risk
• Linking TRA with business continuity plans

Continuity and recovery plans

• completeness
• feasibility
• up-to-date status
• link to BIA and TRA
• readiness for use

Products:

• Assessment of the adequacy of the business continuity strategy
• BIA/TRA assessment report
• List of strategic recommendations

Stage 5 — Tests and exercises

Objective: to assess the effectiveness of the tests and the organisation’s readiness.

Scope:

• review of test plans
• analysis of test and exercise results
• assessment of the effectiveness of crisis communication
• assessment of team readiness
• analysis of test incidents

Products:

• List of vulnerabilities and recommendations
• Test evaluation report

Stage 6 — Final report and closing session

Objective: to present the audit findings and the roadmap for improving the BCMS.

Scope:

• presentation of findings to management
• discussion of non-compliance issues and areas of risk
• prioritisation of actions
• strategic and operational recommendations
• 3–12-month roadmap

Products:

• Compliance Roadmap
• ISO 22301 Audit Report
• NC/OBS/REC Matrix
• Compliance Dashboard

3. Audit techniques used by JDA Advisory

• compliance analysis with DORA, NIS2, EBA and KNF
• documentation review
• interviews and workshops
• control tests
• incident and disruption analysis
• BIA and TRA analysis
• process maturity assessment
• scenario analysis
• plan effectiveness testing

Key deliverables provided to the client

• Compliance Roadmap
• Audit Plan
• List of Evidence
• Stage 1 Report
• Stage 2 Report
• List of NC/OBS/REC
• BIA/TRA Assessment
• Assessment of Continuity and Recovery Plans
• Compliance Dashboard

Key features of the JDA Advisory methodology

• executive-ready communication
• evidence-based and granular
• sector-specific approach (banking, fintech, insurance, ICT, manufacturing)
• mapping to DORA, NIS2, EBA, KNF
• BCMS maturity assessment
• dashboards and KPIs/KRIs for management boards
• practical recommendations, not theoretical advice
• minimising the client’s workload