Common ISO 22301 Audit Findings

Understanding common audit findings before the audit is the most cost-effective preparation. The same findings recur across organisations and jurisdictions because the same implementation errors recur. An organisation that addresses the highest-leverage findings in the readiness period typically passes Stage 1 and Stage 2 with minimal observations: it ensures that the business impact analysis (BIA) produces credible evidence of the maximum acceptable outage (MAO), that recovery time objective (RTO) targets are supported by that BIA analysis, that business continuity plans (BCPs) have clear activation criteria, that exercises are documented comprehensively, and that process owners know their plans. An organisation that does not address these areas systematically will encounter findings that are entirely predictable.

This article documents the most common findings encountered in ISO 22301 certification audits. The findings are presented in order of consequence: major nonconformities that stop the certification programme; minor nonconformities that must be addressed within a specified timeframe; and observations, which are suggestions for improvement. The root cause and the prevention approach are specified for each finding, so that organisations can conduct targeted remediation before the audit.

The most consequential cluster of findings is BIA-related: methodologies that do not produce MAO evidence, RTO targets that are not supported by BIA analysis, and decisions to set RTO based on assumption rather than analytical foundation. These findings cascade through the BCMS because the BIA is the foundation for strategy and BCP targets. A BIA deficiency discovered at Stage 1 typically requires months of remediation before Stage 2 can proceed.


The Most Common Major Nonconformities

Major nonconformities are findings that fundamentally question the design or operation of the BCMS and must be resolved before the certification programme can proceed. They cluster around BIA methodology, RTO targets, BCP structure, exercise evidence, and management engagement. An organisation with a major nonconformity at Stage 1 must resolve it before Stage 2 can be scheduled; an organisation with a major nonconformity at Stage 2 will not be recommended for certification until the certification body has verified that the corrective action has closed the nonconformity, usually within a fixed period after the audit.

Table 1 presents the most common major nonconformities, the ISO clause they relate to, the root cause, and the prevention approach. These findings are not inevitable. Organisations that have a disciplined approach to BIA execution, that link RTO targets explicitly to BIA outputs, that validate BCPs with process owners, and that conduct realistic exercises with documented findings typically avoid major nonconformities.

Table 1. Most common major nonconformities

| Finding | Clause | Root cause | Prevention |
|---|---|---|---|
| BIA does not produce MAO evidence | 8.2 | BIA template captures RTO but not MAO; MAO not understood | Use a BIA methodology that explicitly determines MAO before RTO; train the BIA team on the MAO definition |
| RTO targets not supported by BIA analysis | 8.2 | RTOs set by IT or management assumption; BIA conducted after RTOs were fixed | Conduct the BIA first; set RTO from the BIA output; never set an RTO without an MAO anchor |
| BCPs lack activation criteria | 8.4 | BCPs written as general procedures without specifying the trigger | Require an activation threshold in every BCP template; validate it in a tabletop exercise |
| BCPs unknown to activation team | 7.3 | Plans written by the BCM team without process owner engagement; awareness not tested | Conduct BCP validation workshops; test staff awareness in exercises; brief teams before the audit |
| No exercise records | 8.5 | Exercises conducted but not documented | Require an exercise record template; the BCM team completes the record during the exercise and files it immediately |
| Exercise findings not addressed | 10.1 | Corrective action register not maintained; improvement tracking not assigned | Assign an owner to every finding; track to closure; verify at the next exercise |
| Management review not conducted | 9.3 | Management review not in the executive calendar; BCM not on the board agenda | Schedule the management review as a recurring board or risk committee agenda item, at least annually |
| Internal audit not completed before certification | 9.2 | Internal audit deferred; audit scope too narrow | Complete the internal audit at least 8 weeks before Stage 1; scope covers all of Clauses 4 to 10 |
| Supplier BCM not assessed | 8.4 | Critical suppliers not identified in the BIA; contractual BCM requirements not established | Complete the supplier BCM section of the BIA; send a BCM questionnaire to all critical suppliers |
| BC Policy stale | 5.2 | Policy approved at implementation and not reviewed since | Set an annual policy review in the document management system; link it to the management review agenda |

Note on clause numbers: the BIA requirements sit in Clause 8.2 of ISO 22301 (business impact analysis and risk assessment), not in Clause 6.2, which covers business continuity objectives and planning to achieve them.


Minor Nonconformities and Observations — the Most Common

Minor nonconformities are gaps in documentation or implementation detail that must be addressed but do not stop the certification programme. They include incomplete document content, outdated contact information, missing version control, and gaps in competence records. Observations are suggestions for improvement that are not requirements violations. Many organisations with well-developed BCM capabilities encounter minor nonconformities and observations at Stage 2 because the bar for certification is high: every document must be current, every process owner must be aware, every BCP must have current contact information, and every finding from an exercise must be tracked.

Table 2 presents the most common minor nonconformities and observations, the clause they relate to, and the remediation approach. These findings are often the easiest to address because the root causes are typically process-based (no quarterly contact directory review process) rather than conceptual (a BIA methodology that does not produce MAO evidence). An organisation that implements a quarterly contact directory review, an annual BC Policy review, and continuous tracking of exercise findings to closure will systematically eliminate this entire class of findings.

Table 2. Most common minor nonconformities and observations

| Finding | Clause | Remediation |
|---|---|---|
| Contact directory not updated within review cycle | 8.4 | Update the contact directory; implement a quarterly verification process; assign ownership |
| BCP version control not followed | 7.5 | Retrain document controllers; implement a version control checklist; audit the document management system |
| Competence records missing for BCM roles | 7.2 | Create a competence framework; collect training certificates and CVs; document the experience assessment |
| RTO achievement not measured in exercises | 8.5 / 9.1 | Add an RTO clock to the exercise design; record start and achievement times; include them in the exercise report |
| BIA not reviewed following organisational change | 8.2 | Implement a change management trigger for BIA review; add it to the change management procedure |
| Supplier BCM assessments out of date | 8.4 | Implement an annual supplier BCM assessment cycle; add it to the BCMS calendar |
| Exercise improvement actions not tracked | 10.1 | Create an improvement action log; assign owners; set review dates; present at the management review |
| Stand-down procedures missing from BCPs | 8.4 | Add a stand-down section to the BCP template; validate it in an exercise |


Patterns Specific to Indonesian Organisations

Indonesian organisations implementing ISO 22301 encounter common findings that are specific to the regulatory and operational context. Financial institutions often struggle with the scope question: does the ISO 22301 scope include only IT recovery, or the full business continuity of the regulated function? ISO 22301 lets the organisation define its own scope (Clause 4.3), but exclusions have to be justified, and Bank Indonesia and OJK guidance suggests that business continuity should cover the full function, including operational and facilities recovery, not just ICT. Organisations that narrowly scope ISO 22301 to ICT recovery often encounter a Stage 1 finding that the scope is inappropriate.

The supplier BCM assessment finding is also common among Indonesian organisations, particularly in financial services. Many Indonesian organisations rely on outsourced service providers — ICT vendors, BPO providers, facilities management companies — but have not conducted BCM assessments of these suppliers or established contractual BCM requirements. The auditor will question whether the BCMS depends on supplier recovery capability that has not been assessed. This finding is easily preventable by conducting a supplier BCM assessment as part of the pre-certification exercise.

A third pattern specific to Indonesian organisations is the management engagement finding. Some organisations complete the BCMS implementation with BCM specialists and IT teams but do not actively engage business line leadership or the board. Clause 9.3 requires top management to review the BCMS, which in most organisations means the board or a board committee; many organisations conduct this review for the first time during the certification readiness period, rather than establishing it as an ongoing governance function. Organisations that position ISO 22301 as a business risk management function with board engagement tend to pass Stage 1 and Stage 2 more smoothly than organisations that position it as a technical compliance requirement.

IMPORTANT: The same finding that is a minor nonconformity at first certification can become a major nonconformity at recertification if it has not been corrected. A surveillance auditor who finds a contact directory that is still out of date two years after a first-certification finding on the same issue is confronted with evidence that the corrective action was superficial: the symptom was addressed but the root cause (no review process) was not. Recertification audit findings are assessed in the context of the full certification history.

BITLION INSIGHT: The finding that Indonesian BCM practitioners most consistently tell us they wish they had known about in advance is the BIA-to-RTO linkage audit. In virtually every first-certification audit, the auditor asks: ‘For this critical activity, which has a 4-hour RTO, can you show me the BIA analysis that supports that target?’ If the BIA does not contain a time-phased impact analysis that identifies MAO at a specific point, demonstrating that the 4-hour RTO provides margin below the MAO, the auditor will raise a finding. Building this linkage explicitly into the BIA report format, and reviewing it before Stage 1, eliminates what is consistently the most consequential first-certification finding.
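The linkage check described above, and the first two rows of Table 1, can be run mechanically over a BIA register before Stage 1. The following is an added example, not code from the article or from any certification body. It assumes, as the article does not specify, that the BIA records a time-phased impact rating per critical activity on a 1 (negligible) to 5 (intolerable) scale at fixed elapsed hours, that the MAO is the earliest point at which the rating reaches the intolerable threshold (INTOLERABLE), and that the RTO should sit below the MAO by at least MIN_MARGIN; the register entries are constructed sample data.

```python
"""Added example (not from the article): automating the BIA-to-RTO linkage check.

Assumptions, none of which are stated on the page: the BIA records a
time-phased impact rating per critical activity on a 1 (negligible) to
5 (intolerable) scale at fixed elapsed hours; the MAO is the earliest
point at which the rating reaches the intolerable threshold; and the
RTO must sit below the MAO by a margin of at least MIN_MARGIN.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

INTOLERABLE = 4      # assumed threshold: a rating of 4 or 5 means the outage is no longer tolerable
MIN_MARGIN = 0.25    # assumed: the RTO should be at least 25% below the MAO to leave recovery some slack


@dataclass(frozen=True)
class CriticalActivity:
    name: str
    rto_hours: Optional[float]          # target written into the BCP, None if never set
    impact_by_hour: dict[float, int]    # time-phased BIA ratings: hours elapsed -> impact 1..5


def derive_mao(impact_by_hour: dict[float, int], threshold: int = INTOLERABLE) -> Optional[float]:
    """Earliest elapsed time at which impact reaches the threshold.

    Returns None when the analysed horizon never reaches intolerable impact,
    which is exactly the 'BIA does not produce MAO evidence' situation.
    """
    for hours in sorted(impact_by_hour):
        if impact_by_hour[hours] >= threshold:
            return hours
    return None


def check_linkage(activity: CriticalActivity) -> tuple[str, str]:
    """Classify one activity the way the auditor would: 'major', 'observation' or 'pass'."""
    mao = derive_mao(activity.impact_by_hour)
    if mao is None:
        return "major", f"{activity.name}: BIA never reaches intolerable impact, so there is no MAO to anchor the RTO"
    if activity.rto_hours is None:
        return "major", f"{activity.name}: MAO is {mao:g}h but no RTO has been set"
    if activity.rto_hours >= mao:
        return "major", f"{activity.name}: RTO {activity.rto_hours:g}h is not below MAO {mao:g}h"
    margin = (mao - activity.rto_hours) / mao
    if margin < MIN_MARGIN:
        # Thin margin is treated as an observation here; that severity is an assumption, not the article's.
        return "observation", f"{activity.name}: RTO {activity.rto_hours:g}h leaves only {margin:.0%} margin below MAO {mao:g}h"
    return "pass", f"{activity.name}: RTO {activity.rto_hours:g}h sits {margin:.0%} below MAO {mao:g}h"


def audit_register(register: list[CriticalActivity]) -> dict[str, list[str]]:
    """Group findings by severity so the readiness review sees the majors first."""
    report: dict[str, list[str]] = {"major": [], "observation": [], "pass": []}
    for activity in register:
        severity, message = check_linkage(activity)
        report[severity].append(message)
    return report


# Constructed sample register; the activities, ratings and targets are illustrative only.
SAMPLE_REGISTER = [
    CriticalActivity("Payment switch", 4.0, {1: 1, 2: 2, 4: 3, 8: 4, 24: 5}),       # MAO 8h, RTO 4h: linkage holds
    CriticalActivity("Card dispute handling", 24.0, {4: 2, 8: 3, 12: 4, 24: 5}),    # MAO 12h, RTO 24h: RTO set by assumption
    CriticalActivity("Customer onboarding", 8.0, {4: 1, 8: 2, 24: 3, 72: 3}),       # never intolerable: no MAO evidence
    CriticalActivity("Treasury settlement", 3.5, {1: 2, 2: 3, 4: 4}),               # MAO 4h, RTO 3.5h: thin margin
]

if __name__ == "__main__":
    for severity, messages in audit_register(SAMPLE_REGISTER).items():
        for message in messages:
            print(f"[{severity.upper()}] {message}")
```

Running the block prints two majors (the onboarding activity has no MAO evidence; the dispute-handling RTO exceeds its MAO), one observation and one pass. The useful property is that the same register that produces the BIA report answers the auditor's question directly: for each RTO, the MAO it is anchored to and the margin between them are derived from the recorded time-phased ratings rather than asserted.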