ISO 22301:2019 · Certification Process
The ISO 22301 Certification Guide
How ISO 22301 certification actually works — from the first gap assessment, through building and exercising the BCMS, to the certification body’s Stage 1 and Stage 2 audits and the three-year certificate cycle. Written for teams facing a bank, regulator, or contract deadline in the Gulf, Australia, or beyond.
Guided by the consultants who prepared ADIB (Abu Dhabi Islamic Bank), Mashreq Bank, and AMEX for ISO 22301 in the Middle East — TCSA prepares you; an independent accredited certification body issues the certificate.
ISO 22301:2019 · Stage 1 & Stage 2 by accredited bodies · Last reviewed June 2026
The Path
Seven Steps From Gap to Certificate
The sequence is fixed by the standard and the accreditation rules — you cannot book Stage 2 without an internal audit, and you cannot pass it without exercise evidence. Here is the order that works.
Readiness & gap assessment
Assess current continuity arrangements against every ISO 22301:2019 requirement, define the BCMS scope and the products and services it protects, and turn the gaps into a sequenced remediation plan with your regulator or contract deadline as the anchor.
Build the BCMS
Run the business impact analysis and set RTO/RPO/MTPD, assess disruption risks, select and resource continuity strategies, then document the policy, response structure, business continuity plans, and recovery procedures.
Exercise the plans
Launch the exercise programme — tabletop walkthroughs first, scenario-based exercises after — so that real exercise reports and closed corrective actions exist before any external auditor arrives. Stage 2 cannot pass without them.
Internal audit & management review
An impartial internal audit covers every clause, top management reviews the BCMS with the required inputs and records decisions, and the findings are closed. These two records are explicit preconditions for Stage 1.
Stage 1 — documentation review
The certification body reviews your documented BCMS: scope, policy, BIA, strategies, plans, and the internal audit and management review records. It confirms readiness for Stage 2 and lists any areas of concern to fix first.
Stage 2 — certification audit
Auditors test implementation through interviews and record sampling — including exercise results. Nonconformities are classified major or minor; once they are addressed, the auditor recommends certification.
Certificate & the 3-year cycle
After an independent technical review, the body issues a certificate listing your scope and sites, valid for three years — with annual surveillance audits in years one and two and a full recertification audit in year three.
The detailed requirements behind each step are covered in our clause-by-clause requirements guide; the week-by-week build is in the implementation roadmap.
The Timeline
An Indicative 14-Week Schedule
For a single-scope organisation starting from limited maturity. Multi-site groups run longer; an existing ISO 27001 ISMS shortens the governance phases. Phases overlap deliberately.
| Phase | Indicative timing | What happens | Key output |
|---|---|---|---|
| Phase 1 — Readiness & gap assessment | Weeks 1–2 | Current state assessed against all of Clauses 4–10; BCMS scope, interested parties, and regulatory deadlines defined; remediation plan agreed. | Gap report & project plan |
| Phase 2 — BIA & risk assessment | Weeks 2–5 | Business impact analysis ranks products and services and sets RTO, RPO, and MTPD; disruption risks to prioritised activities assessed. | Signed-off BIA & risk assessment |
| Phase 3 — Strategies, plans & documentation | Weeks 5–9 | Continuity strategies selected and resourced; policy, response structure, business continuity plans, and recovery procedures drafted and controlled. | Controlled BCMS document set |
| Phase 4 — Exercises & embedding | Weeks 8–11 | Exercise programme launched; tabletop and scenario exercises run with post-exercise reports; awareness rolled out across continuity roles. | Exercise reports & closed actions |
| Phase 5 — Internal audit & management review | Weeks 10–12 | Impartial internal audit across all clauses; management review held with required inputs; corrective actions closed before the external audit. | Audit report & review minutes |
| Phase 6 — Stage 1 audit | Week 12 (scheduled with the CB) | Certification body reviews documentation and readiness, confirms scope, and flags areas of concern to resolve before Stage 2. | Stage 1 report |
| Phase 7 — Stage 2 audit & certificate | Weeks 13–14 | Implementation evidence sampled — interviews, records, exercise results; findings closed; auditor recommends certification, and the certificate follows the body’s technical review. | ISO 22301 certificate |
Stage 1 and Stage 2 dates depend on the certification body’s scheduling — we book them early in the engagement so your regulator or contract deadline drives the plan, not the audit calendar.
Stage 2 Evidence
What Auditors Actually Sample
Stage 2 is an evidence audit, not a conversation. This is the sampling list we prepare every client against — if each item is on the table before the auditor asks, the audit is short.
Who Certifies You
Consultants Prepare. Accredited Bodies Certify.
The separation is not a TCSA policy — it is how the accreditation system is built, and it is what makes the certificate worth something to the bank reading it.
TCSA prepares — accredited bodies certify
Accreditation rules (ISO/IEC 17021-1) require the consultant who builds your BCMS and the body that audits it to be independent. TCSA runs the gap assessment, BIA, documentation, exercises, and internal audit; an accredited certification body conducts Stage 1 and Stage 2 and issues the certificate.
Choose an accredited body
Only certificates from bodies accredited for ISO 22301 by a recognised national accreditation body carry weight with regulators and bank vendor-assessment teams. TÜV, BSI, and DNV are examples of the accredited bodies we coordinate with — Gulf banks recognise all the major international names.
We manage the audit logistics
TCSA helps you shortlist bodies, obtain comparable audit-day quotes, schedule Stage 1 and Stage 2 against your regulator deadline, and sit beside you during both stages — walking auditors through evidence and closing findings fast.
After the Certificate
The Three-Year Certification Cycle
Certification is a cycle, not an event. The certificate stays valid only while surveillance audits keep finding a living system — exercises run, reviews held, actions closed.
Year 0 — certificate issued
After the Stage 2 recommendation passes the certification body’s independent technical review, the certificate is issued listing your scope, sites, and the standard — valid for three years.
Years 1 & 2 — surveillance audits
Annual surveillance audits sample the live system: internal audits, management reviews, corrective actions, and fresh exercise evidence, plus rotating clause coverage. The exercise programme must keep producing results between visits.
Year 3 — recertification
A full recertification audit re-examines the whole BCMS before the certificate expires, and the three-year cycle restarts. Organisations that exercised and improved throughout treat it as routine.
Many clients keep TCSA engaged after certification for exercise facilitation, internal audits, and surveillance preparation — see our operational resilience services.
“Stage 2 is won or lost months earlier — in the exercise programme. An auditor can forgive a thin procedure; they cannot forgive a plan that has never been tested. We never send a client into Stage 2 without exercise reports the auditor can pull apart.”
See verified client reviews and audit outcomes from 500+ engagements across India, USA, UK, Australia and UAE.
ISO 22301 Certification — Frequently Asked Questions
Straight answers about Stage 1, Stage 2, and the three-year cycle from the consultants who sit beside you in both audits.
What are the steps to ISO 22301 certification?
Seven, in a fixed order: a readiness and gap assessment against the standard; building the BCMS (BIA, risk assessment, strategies, plans); exercising the plans so real evidence exists; an impartial internal audit plus a management review; the certification body’s Stage 1 documentation review; the Stage 2 implementation audit; and finally the certificate, which runs on a three-year cycle with annual surveillance audits. A typical single-scope organisation is certification-ready in 8–14 weeks of preparation.
What is the difference between the Stage 1 and Stage 2 audits?
Stage 1 is a documentation and readiness review: the auditor checks your BCMS documents — scope, policy, BIA, strategies, plans — and confirms the internal audit and management review have happened, flagging areas of concern to fix before proceeding. Stage 2 tests implementation: interviews with leadership and continuity teams, sampling of records, and scrutiny of exercise results. Stage 1 asks “is the system designed and described?”; Stage 2 asks “does it actually operate?”.
Can you fail the ISO 22301 certification audit?
Yes — Stage 2 findings are classified as major or minor nonconformities. A major (for example, no exercise evidence, no internal audit, or a missing BIA) blocks certification until corrective action is taken and verified, sometimes requiring a follow-up visit. Minors require a corrective-action plan but do not block the certificate. Preparation is how you avoid both: TCSA’s internal audit applies the same lens the certification body will.
Who can issue an ISO 22301 certificate?
Only independent certification bodies accredited for ISO 22301 by a recognised national accreditation body — TÜV, BSI, and DNV are well-known examples we regularly coordinate with. Consultants cannot certify their own work; the accreditation rules deliberately separate the two roles. When a bank or regulator reviews your certificate, the issuing body’s accreditation is one of the first things its vendor-assessment team checks.
What happens during surveillance audits?
In each of the two years after certification, the certification body returns for a shorter surveillance audit. It always checks the heartbeat of the system — internal audits, management reviews, corrective actions, and recent exercise reports — plus a rotating sample of other clauses, changes to scope, and use of the certification mark. The practical implication: your exercise programme and review cadence must keep producing evidence year-round, not just before audits.
How much does ISO 22301 certification cost?
There are two components, and we deliberately quote neither as a flat figure. TCSA’s preparation work is custom-scoped to your headcount, sites, existing maturity, and deadline, and confirmed as a fixed, all-inclusive quote after a short scoping call — no hourly billing, no scope creep. The certification body’s Stage 1 and Stage 2 audit fee is quoted separately by that body, based on audit-day calculations driven by your size and scope. An existing ISO 27001 ISMS typically reduces the preparation effort, since the governance machinery is shared.
Keep Exploring
Related Reading
ISO 22301 Knowledge Hub
Every guide in the business-continuity cluster, in one place.
ISO 22301 Requirements
Clauses 4–10 explained, with what auditors actually look for.
Implementation Roadmap
The 7-phase build, week by week, with deliverables per phase.
Business Impact Analysis
RTO, RPO and MTPD — the analysis every continuity decision flows from.
Operational Resilience Consulting
One ISO 22301-grade BCMS that answers CBUAE, SAMA, CPS 230 and DORA.
Proof & Track Record
Every number we publish — explained, sourced and verifiable.