Stage 2 is a fundamentally different audit from Stage 1. Stage 1 is a documentation review; Stage 2 is an operational audit. The Stage 2 auditor visits the organisation, interviews the people responsible for business continuity activities, and tests whether the documented BCMS actually produces the capability that the documentation claims. The auditor will conduct BCP walkthroughs with process owners, review exercise records in detail, potentially visit the alternate recovery site, and interview IT teams about technical recovery testing. The auditor is assessing operational capability, not documentary completeness.
Stage 2 BCM auditing differs fundamentally from ISO 27001 Stage 2 auditing. An ISO 27001 Stage 2 auditor samples controls from Annex A and tests whether those controls are implemented and effective. A BCM Stage 2 auditor cannot simply sample a few BCPs; the auditor must understand whether the entire BCMS, as an operational system, can respond to a disruption. The auditor will focus on the coherence of the BCMS, the competence of the people responsible for executing it, and evidence that the BCMS has been tested and that findings are being acted on. A BCMS that passes Stage 1 (documentation is complete) may still encounter major findings at Stage 2 (documentation does not translate into capability).
The preparation for Stage 2 therefore requires attention to operational readiness. It is not sufficient that the plans exist; the people responsible for executing them must know what the plans are and what their role is. It is not sufficient that exercises have been documented; the exercise records must demonstrate that the exercises were genuinely conducted and that findings are being addressed. It is not sufficient that recovery targets are documented; there must be evidence that ICT teams have tested recovery procedures and achieved the documented targets.
Stage 2 Objectives and Format
Stage 2 audits typically span 8–15 days (depending on BCMS scope, number of sites, and number of critical activities) and are conducted at the organisation’s primary site and any alternate recovery sites. The auditor arrives with the Stage 1 report and conducts a follow-up assessment of Stage 1 findings, then systematically audits the implementation of the BCMS against Clauses 4–10 of ISO 22301. The audit includes interviews with leadership, process owners, IT teams, HR teams, and facilities teams; a detailed review of business continuity plans; an examination of exercise records; and potentially a visit to the alternate recovery site.
The Stage 2 audit concludes with a closing meeting where the auditor summarises findings and discusses remediation timelines. If no major nonconformities are identified, the auditor recommends certification to the CB; after the CB's independent certification decision, the certificate is typically issued within 1–2 weeks. Minor nonconformities require a corrective action plan, and the organisation has 3 months to provide closure evidence; observations are suggestions for improvement and require no formal closure. Major nonconformities block certification: under ISO/IEC 17021-1 the CB cannot certify while a major nonconformity is open, so the auditor must verify corrective action, through a follow-up visit or a review of submitted evidence, before recommending certification. If closure cannot be verified within the CB's deadline (commonly six months from the last day of Stage 2), the Stage 2 audit is repeated.
Stage 2 findings are classified the same way as Stage 1 findings: major nonconformities (fundamental defects that prevent certification); minor nonconformities (defects that must be addressed within 3 months); and observations (suggestions for improvement). A major nonconformity at Stage 2, for example evidence that no exercises have been conducted despite documentation suggesting they have, defers the certification decision until the corrective action has been implemented and verified. A CB may describe this as certification "subject to" closure of the finding, but no certificate is issued until the major nonconformity is closed.
How BCM Auditing Differs from ISMS Auditing
ISO 22301 and ISO 27001 share the same high-level structure (Clauses 4–10), and Clauses 4, 5, 7, 9 and 10 govern management system design in essentially the same way in both; Clauses 6 and 8 are where the content diverges, because ISO 22301 places the BIA, risk assessment, BC strategy, plans and exercising there. The audit approach to BCM is therefore operationally focused in ways that ISMS auditing is not. An ISO 27001 auditor samples controls, verifies implementation, and tests effectiveness. An ISO 22301 auditor tests operational activation: do the people know how to activate the BCMS? Can they describe their role? Have the procedures been tested under realistic conditions?
This operational focus manifests in several specific audit activities unique to BCM. The BCP walkthrough is a BCM-specific activity where the auditor walks through a BCP with the process owner, following the BCP as written, identifying gaps and asking operational questions. An ISMS auditor does not typically conduct a control walkthrough with a control owner in the same way. The exercise evidence review focuses on whether the exercise was genuinely conducted (participants, scenario, injects, findings) rather than just whether the exercise programme exists. The ICT continuity review includes review of technical recovery test records, a level of technical detail that may exceed ISMS continuity testing.
Key Stage 2 Audit Activities: BCM vs ISMS Approach
| Audit Activity | ISO 27001 Equivalent | BCM-Specific Difference |
|---|---|---|
| Policy and leadership review | Security policy review | BC Policy must show genuine board commitment; auditor probes whether leadership is actively engaged or just a signatory |
| Risk assessment review | IS risk assessment review | BCM auditor assesses BIA quality and MAO/RTO rationale — not just the risk register |
| Control effectiveness testing | Sample controls from Annex A | BCM auditor reviews BCP procedures for operational completeness and usability under pressure |
| Staff interviews | Security awareness interview | BCM auditor interviews process owners on their BCP — can they describe activation criteria, their role, and where they go? |
| Exercise evidence review | No direct equivalent | BCM auditor reviews exercise records in detail — scenario, injects, findings, improvement action closure |
| ICT continuity review | IS continuity controls (ISO 27001:2022 Annex A 5.29 and 5.30) | BCM auditor reviews technical recovery test records and RTO achievement evidence |
| Site inspection | Occasional | BCM auditor may visit alternate site to verify it exists, is equipped, and is accessible as documented |
| Supplier BCM review | Third-party security review | BCM auditor reviews supplier BCM assessment records and contractual BCM requirements |
The BCP Walkthrough — the Most Consequential Stage 2 Activity
The BCP walkthrough is the core activity of a Stage 2 BCM audit. The auditor, armed with a BCP, walks through the plan step-by-step with the person responsible for executing it — typically the process owner or department head. The auditor asks: What is the activation criterion? How will you know when to activate the plan? Who do you contact first? Where will your team work if the office is inaccessible? What are the recovery procedures? Are these documented procedures current?
A process owner who is unable to answer these questions is a finding, regardless of what the BCP document says. A common Stage 2 finding is that process owners are interviewed about their BCP and cannot articulate the activation criteria, do not know what activities are covered by their plan, or have never read the plan despite signing an acknowledgment form. This finding is typically raised against Clause 7.3 (awareness), or against Clause 7.2 (competence) where the person also lacks the skills to perform the role: the people responsible for executing the BCMS are not aware of the system.
BCP walkthroughs also identify gaps between the documented BCP and operational reality. A documented BCP may state that the team will work from an alternate location, but the auditor may find that the alternate location does not have the equipment documented in the BCP, or that access to the location has become problematic since the plan was written. A documented BCP may reference a supplier, but the auditor may find that the supplier relationship has changed and the documented recovery procedures no longer apply. These operational gaps are Stage 2 findings that must be addressed through BCP updates or operational changes.
| KEY IDEA | Stage 2 BCM auditors interview the people named in the BCPs, not just the BCM team. A process owner who says ‘I know there is a plan but I have not read it’ is a finding, and a major one where the same pattern proves systemic across process owners. An operations director who cannot describe the activation threshold for the crisis management team is a finding. The Stage 2 interview programme typically covers 8–12 individuals across business units, IT, HR, and facilities, all of whom need to be BCM-aware and able to articulate their role before the audit. |
Exercise Evidence: What Auditors Want to See
The Stage 2 auditor will review all exercise records produced during the BCMS implementation, up to and including the pre-certification exercise and anything run since. The auditor is assessing: whether the exercises were genuinely conducted (participants, dates, locations documented); whether the exercises tested the BCMS against realistic scenarios with measurable outcomes; whether findings were documented and tracked; and whether findings from exercises are being addressed through corrective actions.
A well-documented exercise record contains: the exercise scenario (what disruption was simulated, how did it develop); the date, duration, and location; a list of participants by role; the exercise objectives; a timeline or sequence of events and injects (prompts that drive the exercise forward); observations recorded during the exercise; findings documented with clarity on root cause; and a corrective action register showing ownership and target closure dates for each finding. An auditor who reviews an exercise record with this detail can assess whether the exercise was genuine, what capability gaps it revealed, and whether the organisation is learning and improving from the exercise.
Conversely, a weak exercise record is sparse: ‘Exercise held 15 May, 20 people participated, all BCPs were reviewed.’ This record does not demonstrate whether the exercise was conducted against a realistic scenario, whether it identified gaps, or whether findings are being addressed. An auditor will flag this as insufficient exercise evidence and may require a more detailed re-run of the exercise before Stage 2 can be concluded.
ICT Continuity Audit Activities
The Stage 2 audit includes a focused review of ICT continuity capability. The auditor will review technical recovery test records to determine whether ICT teams have actually tested the recovery procedures documented in the ICT continuity plan. The auditor will assess whether recovery tests have achieved the documented RTO and RPO targets, whether failures or delays were documented and addressed, and whether the recovery procedures are current and reflect the current ICT environment.
Technical recovery test records should contain: the test date and scope (which systems were tested); the test procedure (how was recovery initiated, what was the sequence of recovery steps); the test results (were systems recovered successfully, what was the actual recovery time); any failures or issues encountered; the root cause analysis; and corrective actions taken. An auditor reviewing this record can assess the credibility of the documented RTO targets and can identify whether the ICT team has the capability to execute the recovery procedures under actual disruption conditions.
A common finding at Stage 2 is that the documented ICT recovery procedures have never been tested, or have been tested but not under conditions realistic to an actual disruption. For example, a procedure that states ‘restore from backup tape’ may have been tested by the ICT team using tapes already on-site, but the production backup tapes are stored off-site and would take hours to retrieve in a real disruption. The measured recovery time therefore understates the real one, and the test result is not credible evidence that the RTO target can be achieved. Testing must be conducted realistically, or the skipped steps must be explicitly timed and added to the measured result, to provide evidence that recovery targets are achievable.
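The check below is an added example, not code from the original page or from any certification body: it reads a recovery test register and applies the auditor's reasoning from this section to each documented target. It adds any delay the test skipped (the off-site tape retrieval above) to the measured recovery time before comparing it with the RTO, checks the restored data age against the RPO, flags systems with no test record at all, and flags tests that predate the current procedure version or are older than a year. The register layout, field names and the sample records are assumptions constructed for illustration.

```python
"""Credibility check over ICT recovery test evidence against documented RTO/RPO.

Added example (not from the original page or any named project). The register
layout and the records in TARGETS/TESTS are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class RecoveryTarget:
    system: str
    rto_minutes: int                 # documented recovery time objective
    rpo_minutes: int                 # documented recovery point objective
    current_procedure_version: str   # version of the ICT recovery procedure now in force


@dataclass
class RecoveryTest:
    system: str
    test_date: date
    actual_recovery_minutes: int     # elapsed time measured during the test
    actual_data_loss_minutes: int    # age of restored data relative to the simulated disruption
    procedure_version_tested: str
    # Steps a real disruption would impose that the test skipped or short-cut
    # (e.g. retrieving tapes from off-site storage): description -> minutes.
    untested_delays_minutes: Dict[str, int] = field(default_factory=dict)


def credible_recovery_minutes(test: RecoveryTest) -> int:
    """Measured recovery time plus every delay the test did not exercise.

    This, not the raw measurement, is the figure to compare with the RTO."""
    return test.actual_recovery_minutes + sum(test.untested_delays_minutes.values())


def assess_recovery_evidence(targets: List[RecoveryTarget], tests: List[RecoveryTest],
                             as_of: date, max_test_age_days: int = 365) -> Dict[str, List[Tuple[str, str]]]:
    """Return {system: [(finding_code, detail), ...]} for every documented target."""
    by_system: Dict[str, List[RecoveryTest]] = {}
    for t in tests:
        by_system.setdefault(t.system, []).append(t)

    findings: Dict[str, List[Tuple[str, str]]] = {}
    for target in targets:
        runs = sorted(by_system.get(target.system, []), key=lambda r: r.test_date, reverse=True)
        if not runs:
            findings[target.system] = [("UNTESTED", "no recovery test record exists for this system")]
            continue
        latest = runs[0]  # only the most recent test is evidence of current capability
        out: List[Tuple[str, str]] = []
        credible = credible_recovery_minutes(latest)
        if credible > target.rto_minutes:
            skipped = ", ".join(f"{k} +{v} min" for k, v in latest.untested_delays_minutes.items()) or "none"
            out.append(("RTO_NOT_CREDIBLE",
                        f"measured {latest.actual_recovery_minutes} min, skipped delays: {skipped}; "
                        f"credible {credible} min exceeds RTO {target.rto_minutes} min"))
        if latest.actual_data_loss_minutes > target.rpo_minutes:
            out.append(("RPO_MISSED",
                        f"restored data was {latest.actual_data_loss_minutes} min old, RPO is {target.rpo_minutes} min"))
        if latest.procedure_version_tested != target.current_procedure_version:
            out.append(("PROCEDURE_CHANGED_SINCE_TEST",
                        f"tested v{latest.procedure_version_tested}, current v{target.current_procedure_version}"))
        if (as_of - latest.test_date).days > max_test_age_days:
            out.append(("STALE_TEST",
                        f"last test {latest.test_date.isoformat()} is older than {max_test_age_days} days"))
        findings[target.system] = out or [("OK", f"credible recovery {credible} min within RTO {target.rto_minutes} min")]
    return findings


# Constructed sample register (assumed data, not from any real organisation).
AS_OF = date(2024, 6, 1)
TARGETS = [
    RecoveryTarget("ERP", rto_minutes=240, rpo_minutes=60, current_procedure_version="3.1"),
    RecoveryTarget("CRM", rto_minutes=120, rpo_minutes=15, current_procedure_version="2.0"),
    RecoveryTarget("Payroll", rto_minutes=480, rpo_minutes=1440, current_procedure_version="1.4"),
    RecoveryTarget("Email", rto_minutes=480, rpo_minutes=240, current_procedure_version="2.2"),
]
TESTS = [
    # Restore measured at 150 min, but the tapes used were on-site; real retrieval adds 3 h.
    RecoveryTest("ERP", date(2024, 3, 12), 150, 45, "3.1", {"off-site tape retrieval": 180}),
    # Within target, but tested 16 months ago against a superseded procedure.
    RecoveryTest("CRM", date(2023, 2, 1), 90, 10, "1.8"),
    RecoveryTest("Email", date(2024, 5, 20), 200, 30, "2.2"),
]

if __name__ == "__main__":
    for system, items in assess_recovery_evidence(TARGETS, TESTS, AS_OF).items():
        for code, detail in items:
            print(f"{system:8} {code:28} {detail}")
```

Run it before Stage 2 over the real register: every `RTO_NOT_CREDIBLE`, `UNTESTED` or `STALE_TEST` line is a finding the auditor will reach by the same arithmetic, and the `untested_delays_minutes` field forces the team to write down, and time, each step a test short-cut rather than leaving it implicit.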
Stage 2 Audit Evidence and Preparation Actions
| Stage 2 Activity | Evidence Required | Preparation Action |
|---|---|---|
| Leadership interviews | Meeting minutes showing BCM discussion; management review records; BC Policy sign-off | Brief executive team on BCMS; confirm management review minutes are accessible |
| Process owner interviews | BCP acknowledgment records; awareness training records; exercise participation records | Conduct BCP awareness sessions; document attendance; ensure process owners can describe their role |
| BCP walkthrough | BCPs with activation criteria, procedures, contact lists; version control; review dates | Validate all BCPs with process owners; update contact directories; confirm review dates are current |
| Exercise record review | Exercise plan; scenario documentation; attendance; findings register; improvement action closure | Ensure all exercise findings are closed or have documented action plans with owners |
| ICT recovery test review | Recovery test plan; test records; RTO achievement; discrepancies and resolution | Complete recovery tests before Stage 2; document results including failures and remediation |
| Alternate site visit | Alternate site agreement; equipment inventory; access procedures | Verify site agreement is current; conduct physical inventory check; confirm staff know access procedures |
| Supplier BCM review | Critical supplier list from BIA; supplier BCM assessment records; contractual BCM clauses | Complete supplier BCM assessments; document contractual BCM requirements for all critical suppliers |
| Corrective action review | Corrective action register; closure evidence for internal audit findings and exercise findings | Close all open corrective actions before Stage 2; ensure closure evidence is documented |
| IMPORTANT | The Stage 2 audit can be suspended if a major nonconformity is found that is sufficiently serious to question the fundamental validity of the BCMS. This is rare but does occur — typically where the BIA is found to be superficial during interview, where BCPs are found to be unknown to the people responsible for activating them, or where no exercises have been conducted despite the documentation suggesting they have. Honest internal audit and a realistic readiness assessment before Stage 2 are the most effective ways to prevent this outcome. |
| BITLION INSIGHT | The most common Stage 2 moment that surprises Indonesian organisations is the process owner interview. The BCM team knows the BCMS thoroughly. Process owners, the department heads and operational managers who own the BCPs, are often less prepared, having signed acknowledgment forms without fully engaging with plan content. A Stage 2 auditor who interviews the Head of Operations, the IT Director, and the Head of Customer Service in sequence and finds that none of them can describe their BCP activation criteria has found a systemic Clause 7.3 (awareness) finding. Structured BCP briefings for all key process owners in the month before Stage 2 are the most reliable mitigation. |