Surveillance Audits and Recertification

Certification is not a point-in-time achievement; it is the beginning of an ongoing governance cycle. The certification body relationship spans three years, including Stage 2 (initial certification), Surveillance Audit 1 (Year 1), Surveillance Audit 2 (Year 2), and Recertification (Year 3). During this period, the BCMS must operate continuously as a functioning management system. Exercises must be conducted regularly, BCPs must be reviewed and updated, management reviews must be held, and corrective actions must be managed. Surveillance audits verify that these activities are occurring and that the BCMS is improving, not stagnating.

Understanding the 3-year cycle helps organisations plan the ongoing investment in BCMS operation. Many organisations approach ISO 22301 as a certification project with a defined end date (initial certification), then find themselves unprepared for surveillance audits that verify the BCMS is operating. The most cost-effective approach is to view the BCMS as a permanent management system with governance, budgets, and resourcing that continues across the 3-year cycle and beyond.

The 3-Year Certification Cycle

The certification cycle begins with Stage 2 (initial certification), typically 4–6 months after Stage 1. At Stage 2, the auditor conducts the full implementation audit as described in Article 4.4. If Stage 2 is successful, the certificate is issued and is valid for 3 years from the Stage 2 audit date. During the 3-year validity period, the CB conducts surveillance audits and, at the end of Year 3, a recertification audit.

Surveillance audits are shorter than Stage 2 (typically 4–5 man-days) and focus on the operational clauses (Clauses 8, 9 and 10) and on findings from the prior audit, to verify closure. Surveillance Audit 1 (12 months after Stage 2) focuses on whether the BCMS has actually been operated during Year 1: have exercises been conducted, has the management review been held, have corrective actions been managed? Surveillance Audit 2 (24 months after Stage 2) covers the remaining clauses not fully examined in Surveillance Audit 1 and again verifies corrective action closure and ongoing BCMS operation.

Recertification (36 months after Stage 2) is equivalent to Stage 2 in scope — the auditor conducts a full assessment of the BCMS against all Clauses 4–10 — but the auditor may place less emphasis on areas that have been repeatedly verified in surveillance audits. If the BCMS has been well-maintained through the 3-year cycle, recertification is typically straightforward. If the BCMS has stagnated or if surveillance audit findings have not been properly addressed, recertification may identify significant gaps requiring remediation.

| Audit Type | Timing | Scope | Key Evidence Required |
| --- | --- | --- | --- |
| Stage 2 (initial certification) | Year 0 | Full BCMS — all Clauses 4–10 | See Article 4.4 |
| Surveillance Audit 1 | Year 1 (12 months after Stage 2) | Subset of clauses — focus on operational clauses (8, 9, 10); findings from Stage 2 | Exercise records from Year 1; corrective action closure from Stage 2 findings; management review Year 1; BCP currency |
| Surveillance Audit 2 | Year 2 (24 months after Stage 2) | Broader subset — remaining clauses not covered in SA1; new risks/changes | Exercise records from Year 2; any BIA updates; BCP updates following organisational changes; SA1 finding closure |
| Recertification | Year 3 (36 months after Stage 2) | Full BCMS — equivalent to Stage 2 | 3 years of exercise records; 3 years of management review minutes; full BCP suite current; internal audit completed |

What Surveillance Audits Focus On

Surveillance audits are not lighter versions of Stage 2; they are focused audits that verify the BCMS is operating. Exercise evidence is always audited: have exercises been conducted? Are the records complete and demonstrating genuine testing? Clause 10 (improvement) is always audited: are corrective actions from previous audits being tracked to closure? Are improvement actions from exercises being implemented? Approximately 40–60% of surveillance audit time is dedicated to these two areas.

The remaining surveillance audit time is allocated to other clauses using a rotating approach: Surveillance Audit 1 focuses on Clauses 8 and 9 (operations, performance evaluation, management review); Surveillance Audit 2 covers Clauses 4, 5, 6, and 7 (context, leadership, planning, support) that were not deeply examined in SA1. This rotation ensures that all clauses are re-audited during the 3-year cycle, but in a distributed manner that spreads the audit effort across multiple audits rather than concentrating it all at recertification.

Surveillance audits also examine changes: has the organisation undergone significant changes that affect the BCMS scope? Have the critical activities changed? Are the risk assessment and BIA still current and relevant? Have supplier relationships changed? Have recovery procedures been tested since the prior audit and do they still work? This assessment of change and continued relevance is a surveillance auditor’s primary focus: verifying that the BCMS remains current and operational.

KEY IDEA: Surveillance audits are not lighter versions of Stage 2. A surveillance auditor who finds that no exercises have been conducted in the past 12 months, that the management review was not held, or that Stage 2 corrective actions were never closed will recommend suspension of the certificate. Surveillance audits are the mechanism by which the certification body verifies that the BCMS is operating continuously — not just performing for the certification audit.

Maintaining the BCMS Between Audits — the Annual BCMS Calendar

BCMS operation between audits requires a structured annual calendar. Organisations should define: an annual exercise schedule (typically one major exercise per year, with tabletop or desk-based exercises as needed); an annual management review meeting (typically scheduled at a board or risk committee meeting); an internal audit programme (typically one annual audit covering a subset of clauses, or a multi-year rotating programme); a BCP review schedule (typically each BCP is reviewed annually by its process owner); and a corrective action management process (findings from exercises, internal audits, and surveillance audits are tracked with owners and target dates).

This calendar should be integrated into the organisation’s operational planning. The exercise should be scheduled in advance and communicated to all participants. The management review should be scheduled as a standing agenda item at a governance meeting (board, risk committee, or senior management meeting). The internal audit should be scheduled as a calendar item with sufficient time to complete the audit and address findings before the next surveillance audit. BCP reviews should be assigned to process owners with a deadline before the exercise.

The BCMS calendar is the single most effective tool for ensuring BCMS operation does not lapse. Organisations without a formal calendar often skip an exercise in a given year due to operational pressures, and then find themselves unprepared when the surveillance auditor asks for exercise evidence. Organisations with a formal calendar, assigned owners, and tracking typically demonstrate continuous BCMS operation and pass surveillance audits without major findings.

What Triggers Additional Audits

Beyond the routine surveillance audit schedule, certain events can trigger special audits or scope changes. A major organisational change — merger, acquisition, significant restructuring, or opening of new facilities — may require a special audit or scope extension audit to assess whether the BCMS remains adequate for the changed organisation. A significant business continuity activation (actual disruption) may prompt an optional post-event audit to assess how the BCMS performed and whether lessons learned are being implemented. A formal scope extension (adding new sites or business units to the BCMS scope) requires an audit of the new scope elements before the extension is formally approved.

More rarely, a major audit finding or pattern of findings may trigger a special audit or threaten certificate suspension. If a surveillance auditor encounters a major nonconformity — for example, a critical activity that is no longer covered by any BCP, or exercise evidence that is clearly fabricated — the CB may schedule a special audit within 30 days to verify corrective action, or may move immediately to a corrective action request with a threat of suspension if closure is not demonstrated within 30 days.

| Trigger | Audit Type | Scope |
| --- | --- | --- |
| Major organisational change (merger, acquisition, significant restructuring) | Special audit or scope extension | Assess BCMS coverage of new/changed organisational units; BIA update required |
| Significant BCM activation (major disruption event) | Optional — CB may request post-event review | Assess BCMS performance during actual event; review lessons learned implementation |
| Scope extension (adding new sites, activities, or business units) | Scope extension audit | Assess new scope elements against Clauses 4–10 requirements; BIA update for new scope |
| Certificate suspension risk (surveillance finding indicating systemic failure) | Corrective action review | Verify corrective action implementation; assess systemic cause |
| Voluntary scope reduction | Scope change notification | Confirm scope statement update; assess whether core BCMS requirements are still met |
| CB change | Transfer audit | New CB reviews certification history; may conduct partial audit to assess BCMS status |

The Recertification Process

Recertification is equivalent to a Stage 2 audit in scope: the auditor conducts a full assessment of the BCMS against Clauses 4–10. The auditor reviews all clauses and verifies that findings from the surveillance audits have been addressed. For a well-maintained BCMS that has operated continuously through the 3-year cycle, recertification is typically straightforward: the auditor reviews the accumulated exercise records, management review minutes, and corrective action registers from Years 1–3; confirms that the BCMS has been operating; and recommends certification for another 3-year term.

For a poorly maintained BCMS, recertification can be difficult. If exercises have been infrequent or poorly documented, if management reviews have not been held or have not addressed BCMS governance, or if corrective actions from surveillance audits have not been closed, the recertification auditor will encounter significant gaps. A BCMS that was only marginally adequate at Stage 2 and has not improved during surveillance will typically encounter recertification findings that delay the renewal of certification.

IMPORTANT: The organisations that find recertification straightforward are those that have operated the BCMS as a genuine management system throughout the cycle — conducting annual exercises, updating BCPs when the organisation changes, running management reviews with genuine governance content, and closing corrective actions systematically. The organisations that find recertification difficult are those that treated the initial certification as a destination rather than the beginning of an ongoing programme.

BITLION INSIGHT: Indonesian organisations on their second or third certification cycle consistently report that the ongoing cost of maintaining the BCMS decreases relative to the first certification, because the infrastructure is in place — document management, exercise scheduling, internal audit programme, management review calendar. The marginal cost of the annual exercise, the BCP update, and the surveillance audit is substantially lower than the initial implementation and certification investment. The ROI of ISO 22301 certification improves with each successive cycle.