Selecting a Certification Body for ISO 22301

Certification body selection is a procurement decision with multi-year consequences. The CB you select at the beginning of the certification journey remains your auditor for the full three-year cycle, including Stage 2, two surveillance audits, and recertification. The relationship requires frequent interaction, trust, and compatibility in approach to auditing. Selecting a CB purely on price, without assessing competence or considering the longer-term relationship, typically results in conflict or inefficiency downstream.

The right certification body is accredited to conduct ISO 22301 audits by a recognised accreditation body; employs auditors with genuine BCM expertise, not just ISO 27001 or ISO 9001 generalists applying a standard template to BCM; and aligns with the organisation’s audit objectives and operational context. For Indonesian organisations, KAN accreditation is the primary criterion; for international organisations seeking recognition across multiple jurisdictions, IAF multilateral recognition adds value. This article addresses the evaluation criteria for CB selection, the questions to ask during procurement, and the commercial and technical considerations that should inform the decision.

 

Accreditation: The Non-Negotiable Criterion

An ISO 22301 certificate issued by a certification body accredited by KAN (Komite Akreditasi Nasional, Indonesia’s national accreditation body) has standing with Indonesian regulators, clients, and procurement processes. A certificate issued by a non-accredited CB has no standing. The distinction is critical: OJK, Bank Indonesia, and major multinational clients who require ISO 22301 certification as part of vendor requirements specify accreditation by KAN or another accreditation body that is a signatory to the IAF Multilateral Agreement (MLA). Non-accredited certificates do not satisfy these requirements.

KAN accreditation covers specific standards within the CB’s scope. A CB may be accredited for ISO 27001 but not for ISO 22301. A CB may also hold ISO 22301 within its accreditation scope but be under review for that scope and therefore not actively issuing new certificates. Before selecting a CB, verify that the CB holds current KAN accreditation with an explicit scope that includes ISO 22301 at the time you need the audit. This information is publicly available on the KAN website and should be confirmed directly with the CB as part of procurement.

For international organisations, IAF multilateral recognition is equally important. The IAF Multilateral Agreement requires that accreditation bodies in signatory countries mutually recognise certificates issued by CBs accredited by their peers. A certificate issued by a KAN-accredited CB is recognised internationally because KAN is an IAF MLA signatory. Conversely, a certificate issued by a CB accredited by a body that is not in the IAF MLA is not internationally recognised and may not be accepted by global clients or regulatory bodies outside the issuing country. IAF MLA membership should be confirmed for any CB you are considering, and the CB’s accreditation body (not the CB itself) should be verified as an IAF MLA signatory.

 

Evaluating CB Competence for ISO 22301

Accreditation is a necessary condition for CB selection but is not sufficient. A CB can be accredited for ISO 22301 and still employ auditors who lack BCM expertise. BCM auditing is fundamentally different from information security or quality management auditing. A BCM auditor must understand: the business impact analysis methodology and how to assess whether BIA outputs credibly support RTO/RPO targets; the relationship between risk assessment, BIA, and strategy in the BCMS; the design and conduct of business continuity exercises; and the operational implementation of recovery plans. An auditor whose background is exclusively ISO 9001 or ISO 27001 will lack this context.

BCM competence is assessed through the auditor’s experience, training, and demonstrated knowledge. Relevant experience includes previous ISO 22301 certification audits: how many certifications has the proposed auditor conducted? What sectors? What was the outcome of those audits? BCM-specific training includes formal BCM courses or certifications (BCI, DRI, or equivalent). Demonstrated knowledge is evident in the auditor’s understanding of BIA methodology, understanding of the recovery planning process, and ability to question the coherence of a BCMS design.

When evaluating a CB, request the CV and audit history of the proposed lead auditor and any supporting auditors. Ask specifically: how many ISO 22301 certifications has this auditor conducted? What sectors? In what countries? Does this auditor hold a BCM certification (BCI Practitioner, DRI, or equivalent)? What is their ISO 27001 experience if any? Has this auditor conducted combined ISO 27001 and ISO 22301 audits? Responses to these questions will quickly separate CBs with genuine BCM competence from those with generalist auditors applying a standard template.

 

Key CB Selection Criteria

CB selection is a structured procurement decision that should be documented and based on explicit criteria. Table 1 presents the key selection criteria, the information to request from each CB, and the red flags that should disqualify a CB or require clarification.

Table 1: Key CB selection criteria

| Selection Criterion | What to Ask the CB | Red Flag |
| --- | --- | --- |
| KAN accreditation (for Indonesian use) | Request accreditation certificate and scope — must include ISO 22301 | No KAN accreditation; accreditation does not cover ISO 22301 |
| IAF MLA membership | Confirm CB’s national accreditation body is an IAF MLA signatory | CB is accredited by a body not in IAF MLA — certificate not internationally recognised |
| Auditor BCM competence | Request auditor CV and ISO 22301 audit experience — how many ISO 22301 certifications has the proposed auditor conducted? | Proposed auditor has ISO 9001 or ISO 27001 experience but no ISO 22301 audit experience |
| Industry sector experience | Does the CB have auditors with experience in your sector (financial services, healthcare, technology)? | CB has no sector experience; auditor cannot contextualise regulatory BCM requirements |
| Multi-standard capability | Can the CB audit ISO 22301 and ISO 27001 in the same engagement? Are auditors dual-qualified? | CB offers combined audit but proposes two separate audit teams with no integration |
| Commercial terms and scheduling | What are the man-day requirements for Stage 1 and Stage 2? What are the surveillance audit schedules and costs? | Unclear man-day estimates; surveillance not included in contract; pricing not transparent |
| References from comparable organisations | Can the CB provide references from ISO 22301 certifications in comparable Indonesian organisations? | No references available; references are all international or from different sectors |

 

Multi-Standard CB Selection

Many organisations implementing ISO 22301 are already certified to ISO 27001 or are implementing both standards in parallel. Combining ISO 27001 and ISO 22301 audits with the same CB creates significant efficiencies. The two standards share common clauses (Clauses 4, 5, 7, 9, 10) that govern the BCMS as a management system; these clauses can be audited once against both standards simultaneously. Only the standard-specific operational content (ISO 27001 Annex A controls and ISO 22301 Clause 8 BCPs and exercises) requires separate audit time.

This efficiency typically reduces the combined audit duration by 25–35% compared to two separate audits. A CB that offers combined auditing must employ dual-qualified auditors who hold competence in both ISO 27001 and ISO 22301. Not all CBs have dual-qualified auditors available; some offer combined auditing in theory but assign two separate audit teams with minimal coordination, eliminating the efficiency benefit. When evaluating CBs, explicitly request details on how combined auditing would be structured and confirm that a single, dual-qualified lead auditor would coordinate the audit.

Multi-standard CB selection also enables surveillance cycle alignment. If ISO 27001 and ISO 22301 are certified by the same CB with Stage 2 audits conducted within 6 months of each other, the surveillance audits can be combined in Year 1, Year 2, and at recertification, further reducing annual audit costs. This alignment is a significant benefit and should be factored into the CB selection decision.

KEY IDEA: An ISO 22301 certificate issued by an unaccredited certification body has no standing with regulators, clients, or procurement processes. OJK, Bank Indonesia, and enterprise clients who specify ISO 22301 certification as a requirement expect a certificate from a CB accredited by KAN or another IAF MLA signatory. Before investing in the certification process, verify that the CB you are considering holds KAN accreditation with an explicit scope that includes ISO 22301, or holds accreditation from an IAF MLA body that Indonesian regulators accept.

 

The Man-Day Calculation

Certification audit cost is primarily driven by man-day effort — the number of auditor days required for Stage 1 and Stage 2. A CB will provide a man-day estimate based on the organisation’s scope, size, complexity, and number of sites. Understanding the factors that drive man-days allows the organisation to evaluate whether quoted estimates are reasonable and to understand the cost implications of scope decisions.

Standard BCMS scope — a single site with 5–10 critical activities — typically requires 5–7 man-days for Stage 1 (document review, limited interviews) and 8–12 man-days for Stage 2 (process owner interviews, BCP walkthroughs, exercise evidence review, ICT recovery testing). Multi-site scope, complex ICT environments, and high numbers of critical activities increase the audit duration proportionally. Prior certifications held (ISO 27001, ISO 9001) may reduce audit duration because the CB can assume management system maturity; conversely, significant prior audit findings may require extended audit scope to verify closure.

 

Man-Day Factors and Budget Implications

| Factor | Impact on Audit Duration | Implication for Budget |
| --- | --- | --- |
| Number of sites | Each additional site adds audit days | Multi-site BCMS requires proportionally larger audit programme |
| Number of critical activities in BCMS scope | More activities = more BCPs to audit = more days | Scope BCP coverage appropriately to avoid excessive audit duration |
| Combined ISO 27001 + ISO 22301 | Shared clauses audited once; operational content audited separately — efficiency vs two separate audits | Combined audit is typically 25–35% shorter than two separate audits |
| Complexity of ICT environment | Complex, bespoke, or legacy IT requires more technical audit time | Ensure ICT auditor on the team has relevant technical competence |
| Prior certifications held | ISO 27001 or similar demonstrates management system maturity; may reduce context-setting audit time | Experienced CB will account for existing management system in audit scoping |
| Previous audit findings | CB may increase audit scope if prior nonconformities were significant | Closing prior findings thoroughly reduces risk of extended audit |

IMPORTANT: The certification body relationship lasts three years — the full certification cycle including Stage 1, Stage 2, two surveillance audits, and recertification. Choose a CB whose auditors you can work with productively, whose surveillance schedule fits your operational calendar, and whose commercial terms are sustainable across the full cycle. The lowest-price CB is not always the best value if the auditors lack BCM competence, the surveillance schedule is inflexible, or the commercial terms escalate significantly after Stage 2.

BITLION INSIGHT: For Indonesian financial institutions, CB selection has an additional dimension: OJK and Bank Indonesia examiners are familiar with the major CBs operating in the Indonesian market and may have views about which CB’s certifications they consider most rigorous. Before finalising CB selection, it is worth consulting with peers in the industry association about which CBs’ ISO 22301 certificates are most readily accepted in OJK examination contexts. This is not a formal requirement — OJK accepts any KAN-accredited certification — but practical market intelligence can inform a more strategic CB selection decision.