CQI and IRCA Certified BCMS ISO 22301:2019 Lead Auditor Training Course

Training Academy

CQI and IRCA Certified BCMS ISO 22301:2019


Lead Auditor Training Course

Copyright © 2021 BSI. All rights reserved. BCM04101ENIN v5.0(AD01) Oct 2021

(Reminder to delegates)

Delegates are expected to have the following prior knowledge:

Management systems
• The Plan, Do, Check, Act (PDCA) cycle
• The core elements of a management system and the interrelationship between top management
responsibility, policy, objectives, planning, implementation, measurement, review and continual
improvement

Business continuity management


• The concepts of managing business continuity through business impact analysis, risk assessment,
business continuity strategies and solutions, business continuity plans and procedures, and
compliance with legal requirements and other requirements
• The relationship between business continuity management and the provision of more secure and
resilient organizations, the considered treatment of risk, and the proactive improvement of
business continuity performance
• Common examples of relevant national and local business continuity legislation and requirements

ISO 22301
Knowledge of the requirements of ISO 22301 and the commonly used business continuity
management terms and definitions, as given in ISO 22301, which may be gained by completing our
ISO 22301 Requirements training course, or the equivalent.


Benefits to you


Global auditing qualification.

This CQI and IRCA (Chartered Quality Institute and International Register of Certified Auditors)
course is the accepted benchmark for management systems auditor training; recognized and valued
worldwide.

To have credibility, organizations need competent auditors. To be efficient and competitive,
organizations need competent auditors. This course starts you on this exciting journey.

Organizations around the world recognize the value of using management systems to control risk and
contribute value. They rely on skilled professionals to assess the performance of their management
practices to enhance efficiency and credibility. With increasing globalization and competitiveness, it is
more important than ever for organizations to use competent, certified auditors.

This course will help you:


• Identify the aims and benefits of an ISO 22301 audit
• Interpret ISO 22301 requirements for audit application
• Plan, conduct and follow-up auditing activities that add real value
• Grasp the application of risk-based thinking, leadership and process management
• Access the latest auditor techniques and identify appropriate use
• Build stakeholder confidence by leading audit activities in line with the latest requirements

By successfully completing this CQI and IRCA certified auditor training course you will have
demonstrated that you have the knowledge and basic skills to undertake and lead a management
systems audit; not only by attending the course, but by passing the relevant CQI and IRCA
examination and skills assessment.

You have the full support and training from a world-class BSI tutor at your disposal.

We hope you very much enjoy the course and take back valuable knowledge and skills to your
workplace.


Welcome


Please observe the following key points:

For your personal safety, please be aware of the emergency exits from your classroom and the
building.

The tutor will inform you of the nearest restrooms.

Please do not leave valuable items unattended in the classroom. Keep them with you or make other
arrangements for their safekeeping.

Please be considerate of other delegates, and avoid distractions from the beeping/flashing of your
mobile phone.

Please do not use recording devices since they may restrict free discussion.

The tutor will inform you of the lunch and break schedule. Please return to class on time.

The tutor will inform delegates of any area(s) known to be available for smoking.

If there are any special needs please confirm these now.


Delegate introductions

Introductions

10 minutes


Your tutor(s) will introduce themselves.

Your turn.

• Delegate name
• Organization and product, or service
• Job position or role
• Experience of business continuity management, and knowledge of ISO 22301
• Any specific question/problem to be answered/expectation from the course
• Something interesting about YOU


Course aim

To provide delegates with the knowledge and skills required to perform first, second and third-party
audits of business continuity management systems against ISO 22301, in accordance with ISO 19011 and
ISO/IEC 17021, as applicable.


You may be unfamiliar with some of the terms above; please do not worry, these will be explained as
the course progresses.


Learning objectives

Knowledge
• Explain the purpose of a business continuity management system, of business continuity
management system standards, of management system audit, of third-party certification, and the
business benefits of improved performance of the business continuity management system
• Explain the role and responsibilities of an auditor to plan, conduct, report and follow-up a business
continuity management system audit in accordance with ISO 19011 (and ISO 17021, where
appropriate)

Skills
Have the skills to:
• Plan
• Conduct
• Report
• Follow-up
an audit of a BCMS to establish conformity (or otherwise) with ISO 22301, and in accordance with
ISO 19011 (and ISO 17021 where appropriate)


Learning objectives describe in outline what delegates will know and be able to do by the end of the
course.

On completion, successful delegates will have the knowledge and skills to:

Knowledge
• Explain the purpose of a business continuity management system, of business continuity
management systems standards, of management system audit, of third-party certification and the
business benefits of improved performance of the business continuity management system
• Explain the role and responsibilities of an auditor to plan, conduct, report and follow up a business
continuity management system audit in accordance with ISO 19011 (and ISO 17021 where
appropriate)

Skills
• Plan, conduct, report and follow up an audit of a business continuity management system to
establish conformity (or otherwise) with ISO 22301 and in accordance with ISO 19011 (and ISO
17021 where appropriate)


Course structure
Materials:
• Delegate Workbook
• Loan copy of ISO 22301
• Loan copy of ISO 19011

Course format:
• Activities
• Classroom discussions
• Case Study
• Continuous assessment
• Exam


This course includes a detailed delegate workbook, tutorial sessions, practical activities, continual
evaluation and a two-hour written examination.

There is also a course notepad, which should be used as a ‘learning diary’, for recording self-marking
of model answers and during later reflection.

If any delegate has a question, which they feel might not be appropriate to ask at that particular
point in the course, a recording facility (flipchart page) has been provided. This will be periodically
reviewed by the tutor and questions dealt with at the appropriate time.

The contents of the Delegate Workbook include an agenda, slides and associated notes (like these),
activities, References and Case Study materials.

Model answers (in References section) are included in the folder for reference only after completing
the activity, and not for copying from during the activities (and the only person you will be cheating,
if you do look, is yourself); as exams are closed book it’s the learning during the course and activities
that will be important to you.

Delegates are expected and encouraged to participate, experiment, and question in a stress-free
environment.

Throughout this course, delegates will be assessed by the tutor against the criteria contained within a
personal continuous assessment record (PCAR), including:
• Participation in class and team activities, written assignments, attitude and personal attributes,
attendance and punctuality, communication skills and feedback

There is also an exam on the last day, lasting 2 hours (70% to pass). The examination is ‘closed book’,
with four sections to complete. You may, however, re-sit the exam within a 12-month period if you are
unsuccessful at the first attempt.


Delegates may use a ‘clean’ copy of the requirement standard (not annotated or marked) during the
exam – these are the only items normally permitted for reference.

Delegates whose first language is not the language the course is presented in may also use an
appropriate dictionary, and are entitled to an extra 24 minutes (20%) for the examination.

Dictionaries (for use in the exam) are also permitted for any delegate who has learning difficulties;
they are also entitled to an extra 36 minutes (30%) for the examination.

A specimen exam paper is provided, as part of the course materials, and you will have the
opportunity to work through this sample paper, before the actual exam.


Course methodology

• Delegate centred
• Interactive
• Activity based
• Collaborative
• Realistic case study


As auditing is a practical activity, and involves finding things out, this course is very interactive in
nature. Many activities have therefore been included where delegates will collaborate in pairs/teams
to create knowledge, rather than purely information provision/discussion sessions from the tutor. This
will greatly enhance your knowledge retention, and provide an opportunity to discuss topics from
other team members’ perspectives. The tutor will facilitate this learning, as appropriate. Team
members will also be swapped around, to ensure valuable existing knowledge and experience is
shared between delegates.

Do not concern yourself with the size of the Case Study, as your tutor will explain how auditors would
deal with this when auditing in a real-life environment.


Enabling objectives
Knowledge


In order for delegates to achieve the overall learning objectives, you will need to acquire and develop
specific knowledge and skills. These are specified as ‘enabling objectives’ and can be considered as
steps to the achievement of learning objectives.

We will start with the ‘knowledge’ elements.


First, second and third-party audits

First-party: Internal audit
Second-party: External provider audit, or other interested party audit
Third-party: Certification or statutory etc. and similar audit


First-party - Internal
A first-party audit is an audit conducted by an organization on itself, to determine whether their
systems and processes are consistently improving their ability to provide products and/or services to
customers and users, and as a means to evaluate conformance with their processes and the
standard. Internal audits are a requirement of ISO 22301 Clause 9.2.

Second-party – External provider audit, or other interested party audit


A second-party audit is that carried out on a current or potential external provider by a purchasing
organization; audit results may then be used as part of the purchasing equation. Purchasers must
consider how much assurance is needed for a particular product, service or project. By consideration
of a number of factors, a decision can be reached as to the relative importance of the external
provider having a fully conformant system. This could mean that even if an external provider had a
very attractive price and delivery, they would not be given a contract where risk was involved due to
weaknesses in their capacity to deliver goods or services in certain timeframes.

Third-party – Certification and/or accreditation, or statutory, regulatory and similar audit


The third-party ISO 22301 certification scheme was designed to reduce, and perhaps remove the
need for many second-party audits, by providing a list of organizations whose systems had been
assessed and shown to be in conformance with ISO 22301. The assurance thus provided to potential
customers would mean that they might not have to audit external providers themselves, providing
that the assurance given by the third-party satisfied their needs. It is becoming increasingly common
that a purchasing organization will not even consider a tender from an external provider unless they
are certified against an ISO management system standard.

An organization may also invite an independent body (e.g. a consultancy) to audit their management
systems for a purpose other than certification, e.g. an evaluation of statutory and regulatory
requirements, or to assess the effectiveness of a particular process etc. This could also be considered
a third-party audit, from the perspective of the consultancy and the organization itself.


Activity 1

Differences between first, second and third-party audits

10 minutes


[Please keep in mind, for all activities on this course: there may be more than one ‘correct’ answer.
Try to identify the strongest or most direct answer in each case, and be prepared to consider,
defend, or rebut alternative answers raised during class discussions.]

Activity 1: Differences between first, second and third-party audits

Purpose:
To explain the differences (approach, duration, formality, objective etc.) between first-party, second-
party and third-party certification audits of management systems.

Duration:
10 minutes in pairs
10 minutes classroom discussion/review model answers
5 minutes reflection/application to own workplace

Directions:
The tutor will label three flipcharts with: ‘First-party audits’, ‘Second-party audits’ and ‘Third-party
audits’.

In pairs, try to think of the differences between these audit types (approach, duration, formality,
objective etc.). Record as many as you both can think of on ‘sticky notes’, and affix them to the
appropriate flipchart.

The tutor will then review your feedback.


Accredited certification

Slide diagram (relationships as shown on the slide):
• International Accreditation Forum: multilateral recognition arrangements; “certified once, accepted
everywhere”; establishes mandatory documents
• Accreditation body (UKAS, or equivalent local national body): accredits the certification body
• Personal certification body (e.g. CQI and IRCA): certificates auditors; accredits the training course,
auditor tutor and training body
• Training body: trains auditors
• Certification body (BSI or esteemed competitor): uses certificated auditors; audits and certifies
(USA, “registers”) the organization
• Organization: audited and certified


One of the benefits of operating to a standard is that it provides a common reference point against
which to assess performance. However, there is a difficulty in trying to make an objective assessment
of that performance. This can best be achieved through an independent audit process.

Governments have authorized accreditation bodies to oversee the work and competence of various
certification bodies, such as the British Standards Institution (BSI).

Certification bodies are accredited to carry out independent audits of organizations to determine if
they conform to the requirements of a given standard.

If it conforms, the organization can claim to be certificated to the standard, which gives other bodies a
degree of assurance of the organization’s competence in the given area.

IAF Mandatory Documents on third-party audits

Accreditation reduces risk for organizations and its customers by assuring them that accredited
bodies are competent to carry out the work they undertake. Accreditation bodies that are members
of the International Accreditation Forum, Inc. (IAF) are required to operate at the highest standard
and to require the bodies they accredit to comply with appropriate International Standards and IAF
guidance to the application of those standards.

Accreditations granted by accreditation body members of the IAF Multilateral Recognition Arrangement
(MLA), based on regular surveillance to assure the equivalence of their accreditation programs, allow
companies with an accredited conformity assessment certificate in one part of the world to have that
certificate recognized everywhere else in the world.


Therefore certificates in the fields of management systems, products, services, personnel and other
similar programs of conformity assessment issued by bodies accredited by members of the IAF MLA
are relied upon in international trade.

IAF publishes guidance for the use of accreditation bodies when accrediting certification/ registration
bodies to assure that they also operate their programs in a consistent and equivalent manner. IAF
guidance documents are not intended to establish, interpret, subtract from or add to the
requirements of any ISO/IEC guide, but simply to assure consistent application of those guides.


Third-party accredited certification


Accredited body, independently assessed, ISO/IEC 17021 compliant:
ISO 22301 certification awarded by an accredited organization

Non-accredited body? Not independently assessed? Not ISO/IEC 17021 compliant?
ISO 22301 certification awarded by a non-accredited organization


Discussion: Your tutor will now ask you to discuss with the class your thoughts on the benefit of
being certified by an accredited certifying body and the overall business benefits that certification
may bring, including how your BCMS may improve over time as a result.

Certification is an independent assessment of both an organization’s implementation and the
effectiveness of a management system, in accordance with an internationally agreed standard of best
practice i.e. ISO 22301.

Certification may be awarded by an organization that is not accredited. In this case it is possible
that no-one is auditing the auditor/organization. This organization could audit in any way it chooses
– even bad practice, or to undercut others on time/cost. This is not to say it would do so, but
there is clearly a level of doubt and risk from a prospective customer’s perspective.

On the other hand, an accredited certification organization has been assessed and accredited by an
independent body, i.e. UKAS (United Kingdom Accreditation Service), to provide a certification service.
The accredited organization is then subject to compliance with ISO/IEC 17021 (conformity
assessment – requirements for bodies providing audit and certification of management systems), and
is thus audited against this requirement by the awarding accreditation body, i.e. UKAS.

Using an accredited certification organization provides a level of independent assurance for the
prospective customer and the organization itself.

(The audited organization’s processes meet the requirement of the particular management system,
and are continually improving in line with their policy commitments and objectives i.e. they can
probably provide needed services safely).

Other benefits
• Independent assurance to insurers, regulators and other stakeholders of an effective business
continuity management system
• Enhances reputation by demonstrating your organization’s commitment to good security and
resilience practices to shareholders, employees and customers, which in turn can help to
attract new investors

• Accredited certification can be a differentiator from competitors, helping you to retain your existing
customer base, and attract new business. More and more invitations to tender require accredited
certified business continuity management systems to be in place

Application of the principles of ISO 22301 and certification not only provides direct benefits, but also
makes an important contribution to managing local, regional, and international security and resilience
risks. Maximizing the return on effort, and focusing on risk, means in turn that benefit, cost and risk
management considerations are prioritized by the organization. This is reflected in the concerns of
customers and other interested parties.

Such business continuity considerations affect overall performance of the organization and may
impact:

• Repeat business and referral from regional, national and international customers
• Operational results such as revenue, market share, litigation, incidents etc.
• Cost through efficient and effective use of safe resources
• Increased capacity to attract inward investment
• Alignment of processes which will best achieve desired results (fewer incidents)
• Competitive advantages through improved organizational capabilities
• Understanding and motivation of people towards the organizational goals and objectives, as well
as participation in continual improvement and a resilient working environment
• Confidence of interested parties in the effectiveness and efficiency of the organization; as
demonstrated by the financial and social benefits from the organization’s business continuity
performance, and reputation
• Ability to create value for both the organization and its suppliers by the safe optimization of
resources as well as flexibility and speed of joint responses to changing activities
• By linking the business continuity management system (BCMS) to your organization’s objectives
you will have the confidence that the risks to your organization and their effects can be kept to a
minimum
• Having a common framework, with other management systems gives you confidence that in the
event of a disruption you are prepared
• Having resilient plans in place enables you when faced with disruptions to achieve your key
objectives
• Provides a rehearsed method of restoring your ability to supply products and services to an agreed
level and timeframe following a disruption so allows you to continue trading


Audit process
Similarities
• First, second and third-party audit

INPUTS: Audit criteria (requirements); Audit evidence (objective evidence)
AUDIT ACTIVITY: Evaluation
OUTPUTS: Audit findings


The audit process, generic to any management system audit, is shown above.

There are also three main dimensions to auditing:

Assessment of the documented management system (INTENT)
Assessment of the degree of implementation (IMPLEMENTATION)
Assessment of its effectiveness (EFFECTIVENESS)

Intent
Does top management intend to implement a BCMS? If so how is this intent communicated? For
example, are appropriate resources made available?
Conformance with documentation; as auditors, we need to know that the organization has planned to
meet the requirements.

Implementation
Does the implementation of the BCMS reflect the intent of top management?
Conformance here is all about checking if activities are as they are supposed to be, following
processes, procedures, policies, protocols etc. There is a strong emphasis on the collection of
observations of physical evidence as well as interviews and documentary reviews.

Effectiveness
Is the implementation effective (i.e. does it meet the parameters established by the intent?).
Conformance here is in the effectiveness of the management system – Is it on target to deliver the
organization's policy, objectives and maintain regulatory compliance?
Continual improvements - As auditors, we want to see that the system is healthy and self-healing; if
there are problems they are addressed, and that there is a continual focus on how the system could
be improved, for the purposes of enhanced business continuity performance.


Activity 2

Typical audit activities

10 minutes


Activity 2: Typical audit activities

Purpose:
To explain the audit process.

Duration:
10 minutes in groups
10 minutes classroom discussion/review model answers
5 minutes reflection/application to own workplace

Directions:
The tutor will provide each group with a pack of flashcards. Please try and arrange these into a
logical process to explain the sequence of activities that are involved in a generic management
system audit. Please resist viewing the forthcoming slides.

THESE CARDS WILL BE USED AGAIN FOR THE NEXT ACTIVITY – SO PLEASE KEEP THE CARDS ON
YOUR DESK IN THE FINAL ORDER CHOSEN.


Cards cover the below activities: (In no particular order)

Header cards:
Conducting audit activities
Completing audit
Initiating audit
Conducting audit follow-up
Preparing and distributing audit report
Preparing audit activities

Cards (within headers above):


Assigning roles and responsibilities of guides and observers
Risk-based approach to planning
Assigning work to audit team
Generating audit findings
Conducting opening meeting
Collecting and verifying information
Audit planning
Preparing audit report
Audit planning details
Preparing documented information for audit
Content of audit conclusions
Preparation for closing meeting
Conducting closing meeting
Establishing contact with auditee
Performing review of documented information
Determining feasibility of audit
Reviewing documented information while conducting audit
Distributing audit report
Determining audit conclusions
Communicating during audit
Audit information availability and access
General (Audit team leader responsibility)
General (sequence may be varied)


Audit activities
Similarities
• First, second and third-party audit


The tutor will now explain in further detail the activity steps just identified.

Please ask questions on any step as they arise, with the tutor.

Main areas of similarities include:

Preparation – before the audit
Communication – during the audit
Collection and verifying findings – during the audit
Conclusions – from audit findings
Reporting – preparation and distribution

A useful acronym is P.E.R.C:

Planning
Execute
Reporting
Close out/down findings


ISO 19011 ‘Conducting an audit’ activities


6.2 Initiating audit
6.2.1 General (audit Team Leader responsibility)
6.2.2 Establishing contact with auditee
6.2.3 Determining feasibility of audit

6.3 Preparing audit activities


6.3.1 Performing review of documented information
6.3.2 Audit planning
6.3.2.1 Risk-based approach to planning
6.3.2.2 Audit planning details
6.3.3 Assigning work to audit team
6.3.4 Preparing documented information for audit

6.4 Conducting audit activities


6.4.1 General (sequence may be varied)
6.4.2 Assigning roles and responsibilities of guides and observers
6.4.3 Conducting opening meeting
6.4.4 Communicating during audit
6.4.5 Audit information availability and access
6.4.6 Reviewing documented information while conducting audit
6.4.7 Collecting and verifying information
6.4.8 Generating audit findings
6.4.9 Determining audit conclusions
6.4.9.1 Preparation for closing meeting
6.4.9.2 Content of audit conclusions
6.4.10 Conducting closing meeting

6.5 Preparing and distributing audit report


6.5.1 Preparing audit report
6.5.2 Distributing audit report

6.6 Completing audit

6.7 Conducting audit follow-up

NOTE: Subclause numbering refers to the relevant subclauses of this International Standard.

The tutor will direct the class to ISO 19011 Clause 6, and also refer the class to the terms and
definitions for ‘3.1 Audit’.

For clarification:
The tutor will also refer the class to the definition of an ‘audit plan’: By reference to ISO 19011
Clause 3.6, and what an ‘audit programme’ is defined as: By reference to ISO 19011 Clause 3.4.
These will be covered in more depth later in the course, when you will be auditing a supplier’s audit
programme. Please note that particular attention always needs to be paid to the design, planning and
validation of an audit programme in the case of multiple locations/sites or where important functions
are outsourced.


Activity 3
First, second, third-party
Audit activity differences

First-party audits

10 minutes


Activity 3: Audit activity differences

Purpose:
To explain the differences in audit activities between first-party, second-party and third-party
certification audits.

Duration:
10 minutes in pairs
10 minutes classroom discussion
5 minutes reflection/application to own workplace

Directions:
In pairs, review the cards on your desk from the previous activity. Identify where differences may lie
between first/second/third-party audits. Record as many differences as you both can think of, onto
‘sticky notes’, and also affix to the flipcharts from Activity 1.
Please mark the ‘sticky notes’ as ‘activity differences’.


Audit objectives, scope and criteria

Three aspects need deciding:


The first is the objective of the audit. Is it to assess an organization for its degree of conformance
to the Business Continuity Management System standard? Is it to determine where the greatest
problems lie? Is it to determine the organization’s biggest risk to its resilience, or its degree of
control? Or is it to follow up on nonconformities reported at a previous audit? The audit objectives
define what is to be accomplished by the individual audit.

The second aspect is the scope, which relates to the ‘extent and boundaries’ of an audit. The audit
scope generally includes a description of the physical locations, organizational units, activities and
processes, as well as the time period covered. For a third-party audit this tends to cover the complete
scope of the organization’s management system. A second-party audit may also include this, but
more probably only the area of interest. A first-party audit tends to be just one item on the audit
programme which itself will cover the complete management system scope.

Suppose a company makes washing machines and refrigerators, and the business impact analysis (BIA)
shows that refrigerators are the higher-earning product, carrying the greater financial risk to the
business if that product were lost. That finding will be reflected in the audit scope and in the effort
required. Similarly, if the audit is required to look at all departments associated with that product
range, from order receipt through to delivery, that too will have a bearing on early decisions. For
second-party audits the scope is decided by the audit client. The audit scope should be consistent with
the audit programme and audit objectives.

The scope of a management system could be the same as the scope of a second/third-party audit,
except for the omission of a time period.

The audit criteria are used as a reference against which conformity is to be evaluated and
determined.


Each individual audit should be based on documented audit objectives, scope and criteria. These
should be defined by the person managing the audit programme and be consistent with the overall
audit programme objectives.

In summary:
Scope – What are the boundaries of the audit?
Criteria – What are you going to be assessing against?
Objectives – What are you auditing for/to achieve?

The significance for auditors (you) is that these are your terms of reference, the details of the work
from which everything else emanates. They will dictate your document review and work documents, and
will appear in your audit plan, opening meeting, closing meeting and audit report.


Activity 4
Determine objectives, scope and criteria

10 minutes

Activity 4: Determine objectives, scope and criteria

Purpose:
To determine possible audit objectives, scope and criteria for BCMS audits.

Duration:
10 minutes individually
10 minutes classroom discussion
5 minutes reflection/application to own workplace

Directions:
Working individually, try to think of some audit objectives, scope and criteria, and write them on
your notepads. Then explain these to your neighbour, and also listen to their answers to this activity.
Be ready to query their answers if you do not agree with their findings. Discuss any where you are not
sure with the tutor and class afterwards.

To help you, an audit scope can be defined using the following broad categories. Try and consider
these: Geographical; process; departmental; and temporal (time).


Resources: What resource will you need?

Audit team
Technical experts
People (auditees)
Logistics/infrastructure
Documented information

Resources for an audit could be split between:

Audit team – Availability of competent auditors for the sector/discipline – might include legal,
cultural or geographical considerations, interpreters, and technical experts (e.g. for the information
security aspects of business continuity, data loss, etc.).

Technical experts – Availability: If the language of the auditee, or the auditee’s social and cultural
characteristics are unknown to the auditor, or skills are lacking. If all the necessary competence is not
covered by the auditors in the audit team, technical experts with additional competence should be
included in the team. Technical experts should operate under the direction of an auditor, but should
not act as auditors. All communications should be through the auditor, and not through the expert.

People (auditees) – Availability of person(s) responsible/managing the activity being audited and
actually carrying it out, top management availability, key functions – procurement, HR etc.

Logistics/infrastructure – Availability of meeting rooms/team meeting facilities, internet access,
PPE, guides, car parking, security and health and safety for your team, movement within the site
(transport, distances etc.)

Documented information during the audit – Documents, processes, procedures, programmes,
archives etc.


Resourcing: Competency

CV


Resourcing the audit will include the importance of auditor and team competency, and the selection
of team members. This will be particularly important regarding personal characteristics, generic
knowledge and skills, the knowledge of the relevant management system discipline, industry sector,
regulations, and auditor training. See ISO 19011 Clause 7.

For example:
Personal characteristics (examples demonstrating an absence of competency)
• Ethical – Tell another department what a mess the last department you audited was – have a
laugh about people getting nonconformities. Lie, or twist the facts to get someone you don’t like
into trouble
• Diplomatic – If the auditee is worried about getting his/her department into trouble, but you find a
major problem. Be tactful in dealing with this person – not ‘it’s you I’m auditing, so I’m going to
mention your name in the report’ etc.
• Tenacious – The auditor asks to see a particular sample, but the auditee provides a different one.
The auditor accepts this and moves on
• Decisive – The auditee keeps arguing and giving different excuses and the questioning is going
round-and-round; even though there is sufficient objective evidence to close the finding
• Culturally sensitive – Shaking a woman’s hand when this would not be appropriate, or continuing
to audit when certain prayer times are normally adhered to. Offering food/drink to the auditee
when they are fasting, etc.

Generic knowledge and skills of management system auditors (examples demonstrating
an absence of competency)
• An auditor who is being handed samples to look through, but is not selecting samples themselves
• Not spending more time on processes of greater risk
• Auditing outside the scope because he/she knows more about that area, or is interested in it


Legal requirements that apply (examples demonstrating an absence of competency)
• Clear breach admitted by the auditee of a relevant legal requirement, e.g. a license or permitting
requirement, but the auditor is not comfortable with, or is unaware of how to raise this in a
nonconformity statement and says: “Well I’m not that informed on that area of regulation, so best we
leave that to your internal audits, don’t you think?”

Discipline specific (examples demonstrating an absence of competency)
• An environmental management system auditor who has been tasked with an ISO 22301
management system audit, but has no knowledge of business continuity

Generic knowledge and skills of audit team leaders (examples demonstrating an absence
of competency)
• Not making effective use of resources – One team member (auditor) has a very long lunch break;
perhaps waiting for an activity to start, the audit team leader not ensuring his/her team’s health
and safety, or not resolving conflicts within the team or with the auditee’s management

Clause 7 of ISO 19011 details very specific auditor knowledge and skills expectations. For
example: Understanding the types of risks and opportunities associated with auditing and the
principles of the risk-based approach to auditing; auditing a process from start to finish, including the
interrelations with other processes and different functions, where appropriate; relationships and
interactions between the management system(s) processes; the needs and expectations of relevant
interested parties that impact the MS; principles, methods and techniques relevant to the discipline
and sector, so the auditor can determine and evaluate opportunities associated with the audit
objectives; and discussing strategic issues with top management of the auditee to determine whether
they have considered these issues when evaluating their risks and opportunities. Continual
professional development activities should also take into account changes in sector or discipline.

(Please now refer to ‘Examples of discipline-specific knowledge and skills of auditors in
business continuity management’ in your References section, after Activity 4)


Roles and responsibilities

Audit roles and responsibilities (for whom?):
• Audit client
• Person(s) managing the audit programme
• Audit team leader
• Auditors and technical experts
• Auditee(s) (including management)
• Guide(s) and observer(s)

Clearly defined and understood roles and responsibilities, for all parties involved in the audit, need to
be established.

The main parties involved will be:

• Audit client
• Individual(s) managing the audit programme – establish its extent, audit objectives, scope and
criteria for individual audits, determine necessary resource, responsibilities, audit methods,
selecting the audit team, evaluating auditors, audit records, improve the programme and inform
top management of its contents. The individual(s) managing the audit programme should also
identify and present to the audit client the risks and opportunities considered when developing the
audit programme, and resource requirements, so that they can be addressed appropriately, and
review the audit programme to identify opportunities for its improvement
• Audit team leader
• Auditor(s) and technical experts
• Auditee(s), including management
• Guide(s) and observer(s)

Main roles include:

• Audit client – To commission/request an audit (for an internal audit – can also be the auditee or
the person managing the audit programme)
• Person(s) managing the audit programme – Establish its extent, audit objectives, scope and
criteria for individual audits, determine necessary resource, responsibilities, risk for the
programme, processes/procedures, audit methods, selecting the audit team, evaluating auditors,
audit records, improve the programme and inform top management of its contents
• Audit team leader – To audit and manage the process to achieve the defined audit objectives
• Auditor(s) – To audit under the direction of the audit team leader
• Auditee(s), including management – To assist the auditor during the collection of the objective
evidence
• Guide(s) – To assist the audit team and act on the request of the audit team leader


Activity 5
Roles and responsibilities

10 minutes

Activity 5: Roles and responsibilities

Purpose:
To describe the main responsibilities of the auditee(s) management, auditors, audit team leaders,
auditees, guides and observers.

Duration:
10 minutes in groups
10 minutes classroom discussion/review model answers
5 minutes reflection/application to own workplace

Directions:
The tutor will allocate a sheet of sticky labels to each group detailing the main responsibilities and the
functions concerned.

In your groups:

• Review the labels and discuss
• Peel each label from the sheet and place on a flipchart, matching the main responsibilities to the
functions concerned


Management responsibilities

Audit team leader
• Managing the audit and audit team

The audit team leader is effectively the team captain. Their specific management
responsibilities are discussed below.

Throughout the audit, the team leader needs to prepare for the next stage of the audit and manage
the audit, and the audit team. This will include:
• Following up on any ‘leads’ which have become apparent as the audit progresses, and deciding
changes to the audit plan (with the client)
• Deciding whether the audit is progressing to plan, and whether audit objectives can still be
achieved
• Coordinating review sessions with client management and audit team meetings
• Planning and management of the opening and closing meetings – specifically time management
and questions arising
• Assisting and managing the audit team if major concerns are found
• Deciding on the severity of nonconformances – major or minor findings (additionally where
appropriate, deciding the commensurate response required in line with certification body policy)
• Ensuring the ‘tone’ and ‘conduct’ of the audit is appropriate in their team: In line with looking for
conformance, not just searching for things that are wrong
• If acting for a certification body, ensuring that the team fulfils all the terms, conditions, protocols
and policy requirements of that body

The audit team leader is ultimately responsible for all phases of the audit. The audit team leader
should have management capabilities and experience and should be given authority to make
final decisions regarding the conduct of the audit and any audit observations and conclusions.

Please note: Assigning work to the audit team should include assigning, as appropriate, authority for
decision-making.


Auditor confidentiality

Confidentiality: Is there a need?
Confidentiality and regulators

Discussion: Your tutor will now ask you to discuss with the class your thoughts on the need for
auditor confidentiality and other professional behaviours (please also refer to the CQI and IRCA Code of
Conduct).

An audit is confidential between the two parties, as is any information raised before, during or
thereafter. This confidentiality binds management system auditors. CQI and IRCA registered
auditors/audit team leaders are also bound by a Code of Conduct stipulating this. A statement to this
effect should therefore be made by the audit team leader; normally in the opening/closing meetings
and audit report.

The format of notes and the medium on which to write them are matters for each auditor to decide.
Many use clipboards with loose sheets, which are then clipped together, others find a notebook more
practical. Whichever format they use, auditors must safeguard the confidentiality of the information
they gain during the audit.

The very fact that an audit has taken place is confidential between the two parties, and the information
must not be disclosed to another party (including enforcement bodies) without the permission of
both parties. There are of course two exceptions; firstly, during an audit which is determining the way
one company audits its suppliers, and secondly, if the audit is for the purpose of certification and the
auditee is successful (then they can give permission to advertise the fact).

Should a suspected legal noncompliance be discovered by an auditor, they should not draw legal
opinion, nor pass information directly to the authorities. The auditor will have discharged their entire
responsibility by drawing the attention of the auditee to the system nonconformity that gave rise to the
legal noncompliance. They should not exceed their brief in this respect by breaking confidentiality and
communicating with any third party.

A second-party audit is also a matter between the two parties and any breach of confidentiality is not
only a serious breach of trust but may also result in legal proceedings.


A first-party internal audit is, in effect, no different from the above, in that it is a matter between the
auditor/employee and the organization. Any unauthorized disclosure of sensitive information may
result in disciplinary proceedings.

In keeping with the ethics of auditing, if requested to do so, an auditor should have no hesitation in
signing a confidentiality agreement.


Activity 6
Audit methods

15 minutes

Activity 6: Audit methods

Purpose:
To outline different audit methods.

Duration:
15 minutes individually
10 minutes classroom discussion/review model answers

Directions:
Individually – Provide one advantage and disadvantage for each of the methods detailed in Table A.1
- Audit methods of ISO 19011 (Page 35).

An important consideration, for any of the methods detailed, is identifying an auditing line-of-sight
(from the organization’s purpose, intended outcomes, issues, requirements, risks and opportunities,
policy, objectives, plans, resource needs, operational control, and performance evaluation). This
should really be established during stage 1 (overleaf) and prior to a top management interview
(during stage 2), who will hopefully confirm the organization’s purpose, intended outcomes, issues,
requirements and main risks and opportunities relating to the BCMS.

An auditor should always recognize this, and consider any findings in relation to its impact on the
organization’s line-of-sight.

Please note: Audit methods also need to be determined based on where, when, and how to access
audit information. This is crucial to the outcome of a successful audit and is independent of where
the information is created and used. Audit methods may need to change as audit circumstances
change during the audit (in order to access audit information). See ISO 19011 A.1.


Stage 1 audit

Purposes of the stage 1 audit:
• Clarify scope and objective
• Assess organizational readiness for an audit
• Gain an understanding of the organization
• Plan the audit
• Establish the adequacy of documentation
• Understand the hazards and risks, and appreciate relevant legislation
• Identify layout of organization/plant and its BCM context
• Identify any special needs, skills, protective clothing
• Agree the process/procedures to be used during the audit
• Resolve any misunderstandings

Stage 1: Is defined by ISO/IEC 17021-1:2015 (Conformity assessment - Requirements for
bodies providing audit and certification of management systems):
Clause 9.3.1.2.2 The objectives of stage 1 are to:
a) Review the client’s management system documented information
b) Evaluate the client’s site-specific conditions and to undertake discussions with the client’s
personnel to determine the preparedness for stage 2
c) Review the client’s status and understanding regarding requirements of the standard, in particular
with respect to the identification of key performance or significant aspects, processes, objectives
and operation of the management system
d) Obtain necessary information regarding the scope of the management system, including: The
client’s site(s); processes and equipment used; levels of controls established (particularly in case
of multisite clients); applicable statutory and regulatory requirements
e) Review the allocation of resources for stage 2 and agree the details of stage 2 with the client
f) Provide a focus for planning stage 2 by gaining a sufficient understanding of the client’s
management system and site operations in the context of the management system standard or
other normative document
g) Evaluate if the internal audits and management reviews are being planned and performed, and
that the level of implementation of the management system substantiates that the client is ready
for stage 2

NOTE: If at least part of stage 1 is carried out at the client’s premises, this can help to achieve the
objectives stated above.

Accredited third-party audits for ISO 22301 must be a two-stage process. The stage 1 site visit is
stipulated by IAF accreditation bodies, and its costs are built into the initial proposal.


The visits can be of great value. They allow the team leader to meet various members of the
auditee's staff, and they are a good opportunity for the team leader to be given a ‘quick tour’ of the
site, and thus appreciate the scale, layout and plant/equipment involved; as well as the nature of the
potential business continuity risks. Should transport around the site, or special protective clothing be
necessary, it also gives the team leader time before the audit to ensure these will be available, thus
saving valuable audit time. The meeting obviously provides the auditee with an opportunity to ask the
team leader about the way the audit will be conducted.

In summary: The purpose of the stage 1 site visit is to:

• Clarify the scope, criteria and objective of the audit
• Establish the degree of readiness for stage 2 (with particular focus on planning)
• Agree the process/procedures to be adopted during the audit
• Resolve any misunderstandings

(Please now refer to ‘Additional notes: Major issues arising at stage 1’ in your References section,
after Activity 6)


Stage 1 audit process and outputs


The stage 1 audit process and outputs.

See diagram overleaf.


Inputs
• Audit objectives, scope, criteria
• Audit methods
• Audit team members (including team leader -
responsibilities)

Activities:
• Establish initial contact with the auditee
• Determine feasibility of the audit
• Request documentation relevant to the scope, objective and
criteria

Outputs/inputs:
Contact is established and audit is feasible
(or not as the case may be – inform audit client), relevant
documentation.

Activity:
Perform stage 1 audit

Outputs/inputs:
• Documentation meets criteria (or not)
• Areas of concern/risk identified

Activity:
Corrective actions by auditee

Output
Ready for stage 2


Stage 2 audit: Preparation activities

Consider:
• Past results (if available)
• Current problems/risks
• Management's concerns
• Management's priorities (where appropriate)

Identify the BIA of:
• Processes
• Products and services
• Activities

Determine scale of audit and resources required
Determine the setting and importance/risk (including legislation)
Contact auditee and confirm date(s)
Consider stage 1 report
Prepare and agree audit plan
Assign work to the audit team
Brief the audit team
Prepare work documents

Stage 2: As defined by ISO/IEC 17021-1:2015 (Conformity assessment. Requirements for
bodies providing audit and certification of management systems), has the purpose of
assessing the ‘implementation’ and ‘effectiveness’ of the management system.

Some preparation considerations for this stage of the audit include:

• Determine scale of audit and resources required
• Consider past results (if available)
• Consider current problems/risks
• Consider management's concerns
• Consider management's priorities (where appropriate)
• Contact auditee and agree date(s)
• Review report from stage 1 site visit
• Determine the setting and importance/risk (including legislation)
• Identify the BIA of processes, products and services, activities
• Prepare and agree audit plan
• Assigning work to the audit team
• Audit team briefing
• Prepare work documents

(Please now refer to ‘Additional Notes: For auditors at stage 2’ in your References section, after
Activity 6)


Initial certification audit – Stages 1 and 2
From ISO/IEC 17021

Document review
Audit go/no-go decision
Audit plan
Checklists
Stage 1
Stage 2
Opening meeting
Audit
Summary report
Nonconformity reports
Closing meeting
Corrective actions
Continuing assessment visits
3 yearly recertification

This slide establishes the context for document review and its outcomes. Use it as the course
progresses, and to show the broad architecture of the audit process.

There is an opening meeting, summary report, nonconformities (if applicable), closing meeting and
corrective action (if applicable) at both stages.


Activity 7
Audit plan (template)

20 minutes

Activity 7: Audit plan (template)

Purpose:
To prepare an audit plan structure (template).

Duration:
20 minutes in groups
10 minutes classroom discussion/review model answers
5 minutes reflection/application to own workplace

Directions:
Individually, read ISO 19011 Clause 6.3.2 (Audit planning). Then, in groups, try to create an audit
plan structure (template only) on a flipchart that could be populated later. Ensure it includes two
auditors (lead and auditor) with a duration of two days (use two sheets in landscape view).

The tutor will then invite other groups to critique your answers during feedback.

Please then refer to your References section (on this Activity) for ‘Audit plan (approaches)’, e.g.
upstream, downstream, risk, horizontal, or a combination etc. These will be used in a later Activity.


Work documents

Preparing


Audit team members should then collect and review the information relevant to their audit
assignments, and prepare work documents, as necessary, for reference and for recording audit
evidence. Such work documents may include the following:

• Checklists
• Audit sampling plans
• Forms for recording information (such as supporting evidence, audit findings and records of
meetings)

The use of checklists and forms should not restrict the extent of audit activities, which can change as
a result of information collected during the audit.

Work documents may also include: Nonconformity report forms, audit summary report forms,
corrective action schedules etc.

An aide memoire approach may be more beneficial for experienced auditors; who are then able to
follow audit trails and use their own experience to verify conformity. However, these could also have
disadvantages, such as auditor bias and skewing the sampling from the audit criteria.

The tutor will create an example format(s) for a checklist/aide memoire, on a flipchart,
for you. Record it in your learning diary.

Please note: Preparing documented information for audit can include digital checklists, and audio
visual information.


Audit sampling takes place when it is not practical, or cost effective, to examine all available
information during an audit, e.g. records are too numerous or too dispersed geographically to justify
the examination of every item in the population. Audit sampling typically involves the following
steps:

• Establishing the objectives of the sampling plan
• Selecting the extent and composition of the population to be sampled
• Selecting a sampling method
• Determining the sample size to be taken
• Conducting the sampling activity
• Compiling, evaluating, reporting and documenting results

Departments/records available?

How many would typically be sampled from the above?

What would you do if a nonconformity (NC) is found in one of them, or risk is higher, or lots of NCs
at the last audit?

Samples should test the effectiveness of the system and should be:
• Representative with an equal probability of being picked by you
• Structured
• Independently selected

Sample size should be based on:
• Risk
• Importance
• Status
• Findings from the previous/current audit

Please refer to ISO 19011 A.6 (Page 37).


Work documents

Advantages and disadvantages of using checklists

Advantages and disadvantages of using checklists:

Checklist benefits
• Sample relevant to audit objectives
• Formality, defines the audit process/procedures
• Requires research and thought
• Helps maintain the pace of an audit (and time management)
• Keeps audit objectives clear
• Historical reference as an audit record
• Reduces workload for the auditor during the audit
• Assures auditee of auditor professionalism
• Ensures auditors keep the hazards and risks in mind
• Can be used as audit criterion for other audits (benchmark)

Disadvantages
• Can become a tick list
• Can become full of yes/no questions
• If a point is not on the checklist, you may be so focused on the next question that important
audit trails are lost
• Stifles initiative and analysis of the processes
• If used time and time again, the set of questions becomes rigid and fixed, and can therefore lose
its value to the organization


Opening meeting
Main purpose?

The purpose of the opening meeting is to:
1. Confirm the agreement of all parties to the audit plan
2. Introduce the audit team
3. Ensure that all planned audit activities can be performed



Activity 8: Opening meeting

Purpose:
To identify agenda items for use in an opening meeting and their purpose.

Duration:
15 minutes whole class
5 minutes reflection/application to own workplace

Directions:
Whole class, please shout out the possible agenda items for an opening meeting. The tutor will
record these on a flipchart and ask the purpose/meaning behind them.


Opening meeting
Problems/issues encountered?

Problems encountered during an opening meeting might include:
• MD proposes an hour-long video of the organization
• Suggested two-hour lunch at a five-star restaurant
• Key documents (i.e. BCMS and risk documentation) being updated and current ones are not
available
• Samples have been pre-prepared by the auditee
• Best staff are available who have been audited many times
• Plant/equipment room is inaccessible/locked
• Recent visit from authorities, so there is no need for you to look
• Suggested extended site tour
• No guide available – but free to wander around
• Key members of staff off sick
• Documentation not on site, so have preselected ones for you to save time etc…

Can you think of any others?

These issues will be looked at again tomorrow and how to respond to them.



Activity 9: Audit evidence

Purpose:
To explain how audit evidence is collected and how this can become objective.

Duration:
10 minutes in groups
5 minutes classroom discussion/review model answers
5 minutes reflection/application to own workplace

Directions:
In groups, please draw a large triangle on a flipchart and try to label the sides with three different
methods for collecting audit evidence. Then, for each side, consider how to make this evidence
objective (data supporting the existence or verity of something, i.e. not your opinion). Record this
next to the evidence.


Effective communication
(Slide figure: eye contact, facial expression, gestures, posture, haptic/touch, personal space,
culture)

Perhaps the biggest challenge for the auditor is the fact that finding out information depends,
amongst other things, on communication skills. Within a very short time of meeting someone the
auditor needs to have developed a degree of rapport with that person to obtain the facts essential
to the investigation whilst remaining objective. If these facts are indicative of a lack of management
control in the area, then the auditor needs to be tactful in the way these findings are presented.

The main method of soliciting information is by asking questions in a series of interview situations.
Though not always appreciated, the best interviewers are those who say least and have an ability to
listen or hear what is being said. By combining this with the right kind of attitude and tone, the
auditors generate an atmosphere in which good communication can take place.

The interviewee (the auditee) must not feel threatened by the auditor. Many people are easily
intimidated by auditors. The auditor can avoid generating this by being polite, patient, slightly
informal and not afraid to smile. Showing interest in what people say is essential. Holding a degree
of eye contact, small verbal acknowledgements, “I see”, “ah”, “yes”, and so on will show that the
‘transmission is being received’, as will the right facial expression and head movement. There are
no standard expressions and head movements recommended to elicit information, each auditor will
develop their own style.

It often happens that the auditee (because the majority of them are human) misunderstands a
question or is determined to tell the auditor about some other matter. They may even say something
which the auditor knows not to be true. If the auditor interrupts abruptly, or directly contradicts the
auditee, easy communication will not continue.

At the end of the ‘interview’ the auditor should thank all auditees for their help and time, regardless
of whether it was beneficial or otherwise.


Opinion questions are often neglected. There is a danger in straying too far from fact, but this type of
question can be very useful for gaining someone's attention or for gaining new approaches to
problem solving. They indicate that the auditor regards the auditee's view as important, thus raising
the auditee's self image, and encourages auditees who regard themselves as the ‘local expert' to say
more. They can also encourage junior people in an organization to say more: “What do you think
would be the most effective...?”, “How would you go about...?”.

Please note: When conducting interviews, the careful selection of the types of question used is
therefore important (including appreciative inquiry).

Non-verbal questions may seem to be a contradiction in terms, but questions do exist in this form.
For example, the raising of the eyebrows whilst maintaining eye contact can indicate a wish for the
auditee to continue.

Please note: An awareness of limited non-verbal communication in virtual settings should be
remembered, with perhaps then more focus applied on the type of questions to use in finding
objective evidence.



Activity 10: Effective communications

Purpose:
To recognize examples of effective communications, during an audit.

OPTION 1: E-learning module on ‘Questioning techniques’

Duration:
5 minutes classroom e-learning
5 minutes to create learning test questions (with your neighbour) for the rest of the class
15 minutes classroom discussion
5 minutes reflection/application to own workplace

Directions:
The tutor will now run an e-learning module for the class; please listen and take notes. If the tutor is
going too fast for you: Please slow him/her down.

When this is finished, please reflect on what you have learnt, and discuss any learning points with
your neighbour. In your pairs, think of questions that you could ask to test the other groups'
learning, i.e. provide examples of different questions and then ask the other groups what type of
question each one is.


OPTION 2:
Duration:
10 minutes in pairs
15 minutes classroom discussion/review model answers
5 minutes reflection/application to own workplace

Directions:
In pairs, the tutor will select for you two types of questions from the below:
1st pair – Open and specific
2nd pair – Leading and closed
3rd pair – Hypothetical and reflective
4th pair – Probing and rhetorical

Please think of one statement to demonstrate the questions above for a real life audit situation. Get
ready to feed these back to the rest of the class.

5th pair – How could you funnel these questions to come up with an audit finding? Which ones would
you start with etc. and end with?


Audit findings

What could they be?

• Conformance and positive audit findings
• Opportunities for improvement (OFIs)
• Nonconformity (ISO 9000 – non-fulfilment of a requirement)

Conformance and positive audit findings – Such as those areas or processes which were found
to be meeting the audit criteria requirements and were perhaps very effective, or indeed good
practice found. Also, to thank the auditees for their cooperation and courtesy.

Opportunities for improvement or potential risks (OFIs) – While a particular process may be
effective, it might not be as efficient as it could be. It might be the case that the auditor has
specialist knowledge, or has explored best practice with the auditee. However, third-party auditors
should exercise caution, as identifying OFIs could be construed as giving advice/consultancy. There
may also be areas of concern for which there is insufficient objective evidence to raise either
conformity or nonconformity. For example, a particular process may meet the requirements today
but is likely not to in future, either (i) if the same state of affairs continues, e.g. deterioration,
or (ii) if the situation changes, e.g. an expected or unexpected demand is made of the process.
An OFI could therefore be described as a statement referring to a potential enhancement, weakness,
or potential deficiency in a management system. It can also provide a rationale for improvement,
and generic information about industrial best practice, without providing a specific solution. BSI
assessors may also use a finding called an ‘observation’, for specific schemes where accreditation
rules prohibit the certifying body from issuing an OFI.

Nonconformity (ISO 9000: Non-fulfilment of a requirement)

There will be an audit nonconformity if an audit criterion has not been fulfilled:
1. The process (documented or not) does not comply with the requirements of the criteria
2. The process (documented or not) has not been implemented
3. The process (documented or not) (what is actually being done) is not effective, i.e. the required
output is not produced

As soon as the objective evidence points to a nonconformity, the auditor should immediately voice
their thoughts to the auditee to seek clarification and verification. This is not a cause for rejoicing,
but total openness from auditors will hopefully encourage the same from the auditee. It is essential
that both parties fully understand what the problem is and how serious it is. Auditors will often
need a little help from the auditee to do that. Once the facts of the matter are established, they
should be written down by the auditor and agreed with the auditee.

When determining audit findings, the following should be considered: the accuracy, sufficiency and
appropriateness of the objective evidence supporting them, and the extent to which planned audit
activities are realized and planned results achieved. Therefore, when recording conformity, an
auditor should consider audit evidence to support effectiveness, if applicable. (See the process
audit preparation slide, introduced later in the course, on process effectiveness.)


Audit meetings

• End-of-day meetings
• Progress meetings
• Team meetings

Auditors should be focused on the intended result of the management system throughout the audit
process. While processes and what they achieve are important, the result of the management
system and its performance are what counts.

It may be helpful to the auditee, and management, to provide a summary of the day's auditing
progress; in particular progress against the audit plan, positives encountered, areas of
nonconformance encountered, and anything that is affecting, or could affect, the audit objective or
the plan for the next day.

Before the closing meeting, but immediately after the actual auditing process is completed, an
audit team meeting should be held so that the team leader can plan the closing meeting in detail,
and ensure the team knows what is going to be presented to the organization in the way of
conformance, nonconformities and conclusion. The team meeting could be up to an hour before the
closing meeting, less if some of the work has already been done the night before, for example.

Some auditors try to ‘squeeze in’ a bit more auditing at this point. The law of diminishing returns
operates, and very little will be gained by trying to rush through some more auditing.

The team leader chairs the audit team meeting and only the audit team is present. The team
completes any nonconformity reports and reviews all findings. The team leader prepares the final
conclusions.

There is no set rule about who presents the information. The team leader may present everything –
all nonconformities and conclusions – or the team members may be asked to present the
nonconformities they have found. The review of nonconformities is important, and members
should be rigorous in their review of one another's statements. Are all the facts there? Is it clear that
it is a nonconformity? Can it be read easily? Is it grammatically correct?


As a result of the ‘review team’ findings, the team leader prepares the audit conclusions. This
should reflect the degree to which the organization is complying with its own documented system
and the relevant audit criteria.

As a suggestion, a team leader could do worse than answer three questions asked about the system
in any audit:

1. Is there a system intending to address all the clauses of the relevant standard/criteria? To what
extent? (Audit of intent)

2. Has this system been put into practice? To what extent? (Audit of implementation)

3. Is the system achieving its intended outcomes/objectives? To what extent? (Audit of
effectiveness)

To answer these questions, the nonconformities raised will give some guide.

Further questions may be answered by the conclusion:
• Do the nonconformities raised indicate weakness in any particular area(s) of the organization?
• Do the nonconformities raised indicate weaknesses in any particular sections of the management
system?

Please note: The content of audit conclusions should also address issues such as the identification of
risks and the effectiveness of actions taken by the auditee to address risks and consider the level of
the integration of different management systems and their intended results. The absence of a
process or documentation can be important in a high risk, or complex organization, but not so
significant in other organizations.

The team leader also prepares an agenda for the closing meeting and arranges, either through a
team member or a guide, for copies of each nonconformity to be passed over to the organization’s
management at the appropriate time. It is ideal, but by no means possible on every audit, for the
team leader to organize the seating arrangements for the closing meeting. This is not for any
underhand reason; they should simply try to ensure that the arrangements suit the purpose, and
that no one is in an awkward position. Often, the closing meeting may be in the very room the
auditors are using for their team meeting.


Closing meeting

The closing meeting is the concluding meeting of the audit, and is the formal presentation by the
team of the findings and conclusions of the audit.

The way the meeting is carried out is by conventions which have been drawn up over the years in
which audits have been carried out. As long as the auditee management understands the findings
and agrees the facts surrounding them before the team leaves, the team leader and team have done
their job.

At the pre-agreed time the team should make themselves available for the meeting. The team leader
chairs the meeting. The team leader should take the initiative and work through the agenda as
prepared during the audit team meeting.

The following points need to be covered in some form.

List of attendees at the closing meeting
The team leader, or second auditor, could pass around a headed list with name and position to be
entered onto it by each attendee.

Please note: The closing meeting can be attended by, as applicable, other relevant interested parties
as determined by the audit client and/or auditee.

Thanks
The team leader should thank the organization on behalf of the team for their help and time etc. If
the audit was carried out in an open fashion by the organization, the team leader should say so and
thank them for it. If it was not, then silence is the preferred method. The team leader should also
thank the guides.

Objectives, scope and criteria
As a formality, and to ensure that the basis for the audit is in no doubt, the objectives, criteria, and
the scope should be restated. This is for a number of practical reasons. There is usually no real doubt
about this in the auditee organization, because it has been discussed and agreed before the audit
took place. However, some of the people attending the closing meeting may not have been present
at the opening meeting, or are not necessarily aware of everything that has happened in-between.

Audits cover a lot of ground, some of it (not too much in a well-planned audit) irrelevant. The
objectives can become hazy. Therefore this statement by the team leader resets the context of the
audit. It is also important to state whether the audit objective(s) has been accomplished (or not), as
the case may be. This is important when activities/processes, or responsible key personnel, were not
available during the audit (although planned to be). This may reduce the reliance on the conclusion
(through sampling), and hence in certain instances make the conclusion unreliable.

Report
The outline of how the audit will be formally reported and the results sent to the auditee should be
described. Ask who the report should be distributed to, within the auditee’s organization.

Limitations
It bears repetition that the audit was a sample of activities and is therefore subject to the risks
associated with sampling. Not every conforming or nonconforming area was seen, only a
representative selection. Therefore the possibility exists that there are nonconformities in areas not
covered by this audit.

It is recommended that the auditors develop a standard statement covering the essence of the above
in their own words, although many certification bodies include the appropriate wording in their report
documents.

As appropriate, an explanation of the fact that an audit is not necessarily fully representative of the
overall effectiveness of the auditee’s processes should also be covered.

Presentation of findings
It is recommended that positive findings (good practice etc.) are covered first, then nonconformities
(if any) are communicated, one after the other, until they have all been presented, although it might
be necessary to give a summary.

In some cases the auditee representatives will have copies of the nonconformities if some were
agreed earlier. There are different schools of thought about giving copies of the nonconformities to
the auditees at the time of the closing meeting. Generally there are few disadvantages, and it is
recommended here as good practice. There is then no need for auditees to try to make notes. It is
also recommended that the nonconformities are read out, rather than trying to describe them. This
limits the tendency to add unnecessary words and comments, which should not be necessary if the
nonconformity statement is complete in all respects.

Reading the statements also encourages perhaps less experienced auditors to present the
nonconformities in a clear, firm voice, not in an apologetic manner.

Any diverging opinions should be discussed, and if possible, resolved. If not resolved, this should be
recorded. If specified by the audit objectives, recommendations for improvements may be presented.
It should be emphasized that recommendations are not binding.


The degree of detail should take into account consideration of its context and risks and opportunities.

Summarize
The team leader is responsible for presenting the conclusion that the audit results have led the team
to reach. This is the ‘informed judgement' of the auditors and must consider the seriousness of any
nonconformity, and whether they indicate a departmental or organization-wide breakdown of
systems. They must be balanced with positive findings made during the audit.

Agreement
Each of the nonconformities presented was raised on the basis of the facts being agreed with a
departmental representative at the time. Although agreement was reached at the time, the wording
of the nonconformity is unlikely to have been at its most complete and concise.

Clarification
The auditee must have an opportunity to ask questions about the nonconformities or the conclusions,
and it would normally come at this point. The facts as stated should not be in dispute. Assuming all
the nonconformities or the audit report are accepted by the auditee, the auditor may be asked what
response is necessary by the auditee to the points raised. The auditors would expect the auditees to
propose some corrective action in a given time. The closing meeting is not the place to discuss any
actual corrective actions necessary. That should be given very careful consideration by the auditee.
The team leader should therefore state that a response in writing is necessary within a number of
days or weeks after receipt of the report, with a proposed plan of corrective action. However, if the
recommendation is for a full re-audit then it will not be necessary to submit a corrective action plan.

Departure
Having presented the findings and discussed them to the auditee's satisfaction, the audit team can
depart, once again thanking the auditee for their time etc.


Audit report
Contents

The audit report should provide a complete, accurate, concise and clear record of the
audit and should include or refer to the following:

• The audit objectives, scope and criteria
• Identification of the audit client
• Audit team and auditee’s participants
• Dates and locations where conducted
• Audit findings and objective evidence (see below example for BSI assessors)
• Audit conclusions
• Statement of the extent to which the criteria have been fulfilled

BSI assessors use the ‘Five steps to a finding’ approach:

Remembering this should help all assessors when structuring their evidence i.e.:
1. Objective evidence as bullet point/list
2. Planned activities have been fully realized/not fully realized/not realized
3. Methods for determining process results
4. Result
5. Planned results achieved/not achieved but actions being taken/not achieved and appropriate
actions not taken

Please note: Preparing the audit report should also include, or refer to the fact, that audits by nature
are a sampling exercise; as such there is a risk that the audit evidence examined is not
representative. Any unresolved diverging opinions between the audit team and the auditee should
also be referred to.


Audit report
Recognizing possible additional content

The report ‘may’ also include or refer to the following, as appropriate:
• Audit plan
• Summary of the audit process including obstacles
• Areas within scope not covered
• Good practices identified
• Agreed follow-up plans
• Statement of confidentiality
• Implications for the audit programme or subsequent audits
• Distribution list

Please note: Preparing the audit report can also include or refer to any issues of availability of
evidence, and resources or confidentiality, with related justifications.

(See ISO 19011 6.5.1 – page 27)

Additional notes
As the audit moves towards the concluding stages, the auditors could be gradually building up a
picture of areas or systems exhibiting best practice as well as the most failures. This is the composite
picture the auditors are required to present at the closing meeting and in their written report. The
team leader has the responsibility for generating this composite picture as their informed judgement
of the degree to which working systems comply with stated systems (and the standard). The
information to provide this comes from the audit findings, but it is necessary to ‘sort' these, so that a
reasonable conclusion can be thus sought (assuming noteworthy practices and/or nonconformities
have been found).

Based on this, a picture emerges of the types of failure found, relative frequency, where they were
found in the organization, and the management system requirement, (clause of the standard), which
is weakest.


If auditors find information which indicates a distinct lack of management support for the
management system, then they should say so in their report. Their task is to collate the evidence as
fairly and objectively as they can, and to highlight areas where the greatest risk and least control or
assurance lie.

If it is a second-party audit, the auditors will have to make recommendations to their own
organization about conducting business with the auditee. The audit report might then reflect what
effect the results of the audit will have on the future relationship between the two organizations.

Whether internal, second or third-party, the auditors are often limited in what they are allowed to say
to the auditee. For example, auditors cannot draw legal opinion, even if they have clear evidence that
exposure levels have been exceeded. They do not act in the place of the regulator, who is the only
person to be able to make the decision whether to take legal action. However, they must leave the
auditee management with a clear idea of the situation so that they can take appropriate action
themselves.

As with any record, audit reports should be retained on file for a prescribed time. All the other
records from the audit should also be retained, e.g. checklists, which are useful for re-audits, and the
auditor's own notes made during the audit investigation. As corrective action is taken the records of
this will be kept to satisfy the ‘close out’ requirements of each nonconformity.


Audit report
Audit report release: date, review, approval

The audit report should be issued within an agreed period of time. If it is delayed, the reasons
should be communicated to the auditee and the person managing the audit programme.

Auditors should preferably complete their report before leaving the site; in order to capture all the
evidence while it is still fresh and relevant in their minds. The report could then be provided during
the closing meeting.

The audit report should be dated, reviewed and approved, as appropriate, in accordance with audit
programme requirements.

The audit report should then be distributed to the recipients, as defined in the audit
process/procedures, audit plan or closing meeting.

Please note: When distributing the audit report, appropriate measures should be considered to
ensure confidentiality.

Completing audit: When completing the audit, lessons learned from the audit can identify risks and
opportunities for the audit programme and the auditee.



Activity 11: Audit follow-up

Purpose:
To recognize the purpose of audit follow-up, and the activities involved.

Duration:
10 minutes individually
10 minutes classroom discussion
5 minutes reflection/application to own workplace

Directions:
Individually, please refer to ISO 19011 Clause 6.7 and decide what the purpose of this phase is, and
what you would do/check, as the audit team leader.


Enabling objectives (continued)
Knowledge

In order for delegates to achieve the overall learning objectives, you will need to acquire and develop
specific knowledge and skills. These are specified as ‘enabling objectives’ and can be considered as
steps to the achievement of learning objectives.

We will now continue with the ‘knowledge’ elements.



Activity 12: Start of day 2 quiz

Purpose:
To review and refresh day 1 materials.

Duration:
5 minutes individually
20 minutes classroom quiz/discussion
5 minutes reflection/application to own workplace

Directions:
Individually, please review day 1 materials and construct two questions that you know the answers
to. Your questions will be answered by the other delegates. The tutor will coordinate the
questioning/answer session.

Get ready to feed back any differences found and your conclusions to the rest of the class.


Purpose?

• BC Management System
• ISO 22301


Discussion: Your tutor will now ask you to discuss with the class your thoughts on the purpose of a
business continuity management system and how management system standards, such as ISO
22301, can help in this process.

The purpose of a BC management system can be described as understanding the organization’s
needs and the necessity for establishing business continuity policies and objectives.

ISO 22301 states that by operating and maintaining processes, capabilities and response structures,
the organization will be better able to survive disruptions.

BC ‘reviews’ or ‘audits’ to assess an organization’s BC performance, on their own, may not be
sufficient to provide an assurance that its performance not only meets, but will continue to meet, its
legal and policy requirements. To be effective, they need to be conducted within a structured
management system that is integrated within the organization, i.e. ISO 22301 through its High Level
Structure (HLS).

This standard is intended to help an organization continually improve its BC performance.

It specifies the requirements that enable an organization to understand its context and the resulting
risks and opportunities, and to implement an aligned BC policy and objectives which take into account
its purpose and strategic direction, legal requirements and information about its BC risks. It can be
used for certification/registration and/or self-declaration of an organization’s BC management system,
and as a non-certifiable guideline intended to provide generic assistance to an organization.

The standard is intended to apply to all types and sizes of organizations and to accommodate diverse
geographical, cultural and social conditions. However, it does not establish absolute requirements for
BC performance beyond the commitments made in the BC policy. Thus, two organizations with
differing BC performance can both conform to its requirements.


Demonstration of successful implementation can be used by an organization to assure interested
parties that an appropriate management system is in place.

The standard enables an organization to integrate other aspects of business continuity, such as the
protection of data within information security.

Within various legal frameworks around the world, legislation/regulation is capturing the requirement
to have arrangements in place to cover business continuity. For example, in the UK the ‘Civil
Contingencies Act, 2004’ requires such arrangements.

The benefits of improving business continuity management system performance are numerous; some
are implied above, and others are listed below for reference:

a) From a business perspective:
• Supporting its strategic objectives
• Creating a competitive advantage
• Protecting and enhancing its reputation and credibility
• Contributing to organizational resilience

b) From a financial perspective:
• Making business partners confident in its success
• Reducing legal and financial exposure
• Reducing direct and indirect costs of disruptions

c) From the perspective of interested parties:
• Protecting life, property and environment
• Considering the expectations of interested parties

d) From an internal processes perspective:
• Improving its capability to remain effective during disruptions
• Demonstrating proactive control of risks effectively and efficiently
• Addressing operational vulnerabilities


What is business continuity (BC)? (Reminder)

Capability of an organization to continue delivery of products and services within acceptable time
frames at predefined capacity relating to a disruption

ISO 22301, Clause 3.3

Discussion: Your tutor will now ask you to discuss with the class your thoughts on what business
continuity means and how that is interpreted at this current moment in time in your organization, or
an organization that you are familiar with.

Business continuity aims to build resilience in an organization by putting strategies and solutions in
place, through risk-based thinking, in order to recover an organization’s processes and activities
following a disruption. The levels of recovery should be determined in advance.


Incidents, disruptions and impacts (reminder)

INCIDENT: Fire. Call the fire brigade.
DISRUPTION: Causes a disruption: cannot access the building.
IMPACT: Which has an impact: not being able to operate as a business.

The above should be self-explanatory. However, many people concentrate their efforts on the
‘incident’ when the real issue is around the ‘impact’.

The incident does need to be dealt with but the main effort needs to go into dealing with the impact
and how to recover from the impact.

Main impacts an organization may incur:
• Premises
• Staff
• Financial
• Image and reputation


Activity 13
Terminology

10 minutes

Activity 13: Terminology

Purpose:
To explain the terminology used in ISO 22301.

Duration:
10 minutes individually
5 minutes classroom discussion
5 minutes reflection/application to own workplace

Directions:
Individually, please match each ISO 22301 term with its correct definition (place the definition
letter next to the term it describes). Once you have done this, compare and discuss any differences
with your neighbour. Please feed back to the class any differences found.


TERM (definition letter):
1. Risk
2. Documented information
3. Business continuity
4. Disruption
5. Process
6. Nonconformity
7. Business continuity plan
8. Corrective action
9. Policy
10. Business impact analysis
11. Impact
12. Interested party
13. Management system
14. Incident

DEFINITIONS:
A. Incident, whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to an organization’s objectives
B. Process of analysing the impact over time of a disruption on the organization
C. Outcome of a disruption affecting objectives
D. Intentions and direction of an organization, as formally expressed by its top management
E. Effect of uncertainty on objectives
F. Person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity
G. Information required to be controlled and maintained by an organization and the medium on which it is contained
H. Set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives
I. Capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption
J. Set of interrelated or interacting activities which transforms inputs into outputs
K. Non-fulfilment of a requirement
L. Event that can be, or could lead to, a disruption, loss, emergency or crisis
M. Action to eliminate the cause(s) of a nonconformity or an incident and to prevent recurrence
N. Documented information that guides an organization to respond to a disruption and resume, recover and restore the delivery of products and services consistent with its business continuity objectives


PDCA continual framework

PLAN
• Context
• Leadership
• Planning
• Support

DO
• Operations

CHECK
• Performance evaluation

ACT
• Continual improvement


Discussion: Your tutor will now ask you to discuss with the class your thoughts on the PDCA model
and how it applies to business continuity management processes.

The PDCA model is an improvement model that works in cycles and is expressed through the clause
headings of the ISO 22301 requirements, Clauses 4 to 10. The word ‘continual’ implies that there is a
step change at the end of each cycle, meaning that the organization has improved and taken itself to
a new level.


Terminology

Organization and its context; BC policy; BC objective; Risk; BC management system; Operation and evaluation

The above shows how some of the key terms within ISO 22301 could be viewed as relating to one
another.

For example, within ISO 22301, an organization is defined as a person or group of people that has
its own functions with responsibilities, authorities and relationships to achieve its objectives.

Risk is defined as the effect of uncertainty on objectives. (An effect is a deviation from the expected
– positive or negative.)

• A BC management system is a management system or part of a management system used to
achieve the BC policy
• A BC policy is a policy to state the capability of an organization to continue delivery of products
and services within acceptable time frames at predefined capacity relating to a disruption
• A BC objective is an objective set by the organization to achieve specific results consistent with
the BC policy


PDCA and BCMS

Continual improvement of BCMS

Interested parties (requirements for BC) → Establish (PLAN) → Implement and operate (DO) →
Monitor and review (CHECK) → Maintain and improve (ACT) → Managed BC → Interested parties

Discussion: Your tutor will now ask you to discuss with the class your thoughts on the PDCA model
and how it applies to business continuity management processes.

PDCA model applied to BCMS processes.

The approach applied in ISO 22301 is founded on the concept of Plan-Do-Check-Act (PDCA).

PDCA can be applied to all processes and briefly described as follows.

Plan: Determine and assess BC risks, BC opportunities and other risks and other opportunities,
establish BC objectives and processes necessary to deliver results in accordance with the
organization’s BC policy

Do: Implement the processes as planned

Check: Monitor and measure activities and processes with regard to the BC policy and objectives,
and report the results

Act: Take actions to continually improve the BCMS performance to achieve the intended outcomes

Processes in ISO 22301 must include:
• Consideration of the impact on the business should a disruption occur, in relation to processes,
products and services, and activities
• Risk identification
• Actions needed to determine and address its risks and opportunities
• Determine and have access to up-to-date legal requirements and other requirements
• Those needed for internal and external communications
• Those needed to implement the actions determined in Clause 6
• Etc.


As an example, when applying PDCA to a process, if we think of competence:
• Plan – Determine the necessary competence of personnel that affects or can affect its BC
performance
• Do – Ensure that personnel are competent on the basis of appropriate education, training, or
experience. Where applicable, take actions to acquire and maintain the necessary competence
• Check – Evaluate the effectiveness of the actions taken
• Act – Continue to determine and provide/maintain the competence OR re-evaluate the methods of
education, training or experience to ensure it is now effective


High level structure process flow (reminder)

PLAN
4 Context of the organization: Understanding of the organization and its context; Needs and expectations of interested parties; Scope of management system; BCMS
5 Leadership: Leadership and commitment; BC policy; Roles, responsibilities and authorities
6 Planning: Actions to address risk and opportunities; BC objectives; Planning changes
7 Support: Resources; Competence; Awareness; Communication; Documented information

DO
8 Operation: Operational planning and control; BIA and risk assessment; BC strategies and solutions; BC plans and procedures; Exercise programme; Evaluation of business continuity documentation

CHECK
9 Performance evaluation: Monitoring, measurement, analysis and evaluation; Internal audit; Management review

ACT
10 Improvement: Nonconformity and corrective action; Continual improvement

You will find the high level structure of the standard very useful when trying to find your way around
ISO 22301. Also the standard advocates in Clause 4.4 that the BCMS should be described using
processes needed and their interactions.

This high level structure has been developed as the framework for all management system standards,
bringing commonality and standardized vocabulary to management system standards, regardless of
their discipline. Think about how this commonality might be useful, should an organization have
multiple management systems in place.


Activity 14

BCM processes

10 minutes

Activity 14: BCM processes

Purpose:
To outline the processes involved in establishing, implementing, operating,
monitoring, measuring, analysing, evaluating, reviewing, maintaining and
improving a business continuity management system, including the significance of these for BCMS
auditors.

Duration:
10 minutes in pairs
10 minutes classroom discussion
5 minutes reflection/application to own workplace

Directions:
In pairs: the first diagram overleaf lists the process steps in the wrong order. Please create a flow
chart from the items listed by populating the second diagram overleaf in the correct order.

What is the significance of these processes for BCMS auditors?

Activity 14: BCM processes (jumbled up)

Order | Process steps
1 | Start to monitor, analyse and evaluate performance, including management review
2 | Set BC objectives, making sure they align with the strategic objectives of the organization
3 | Determine resources, including competent persons
4 | Make changes and demonstrate continual improvement
5 | State the intentions for business continuity in the organization and establish a mandate to demonstrate commitment
6 | Plan the process for the BIA, risk assessment and risk treatment
7 | Implement, control and maintain operational processes needed for BC and establish an exercise programme and audit programme
8 | Report, investigate, take action and manage incidents, disruptions and nonconformities
9 | Assign and communicate responsibilities and authorities
10 | Establish a policy which includes a framework for setting objectives
11 | Define the scope of the management system, taking into account legal obligations and other commitments

Activity 14: BCM processes

Order | Process steps


Identifying legal and other requirements

Legal compliance vs. conformance with the standard

Discussion: Your tutor will now ask you to discuss with the class your thoughts on the role of the
business continuity management systems auditor in evaluating an organization’s ability to meet its
legal, regulatory and other requirements.

Linked to Clause 4.2.2 is the necessity for legal requirements and other requirements to be
determined, to be accessible, to be taken into account in its BCMS, and evaluated for compliance.

Clearly this information is required to be kept up to date and communicated to persons working
under the organization’s control, and to any other interested party.

Significance for auditors:

These activities need to be defined in the process(es) (‘set of interrelated or interacting activities that
use inputs to deliver an intended result’), and the auditor must assess whether these are established,
implemented, maintained and indeed effective. Clearly there are legal and other obligations relating
to the requirement for risk assessment, but many more relating to specific aspects of business
continuity that are ‘applicable’ to the organization’s activities. Applicability lies in the eye of the
beholder, so the auditor must assess how applicability has been determined and, once deemed
applicable, how it applies to the organization. Once this is known, the operational controls,
competence, monitoring/measurement, compliance evaluations etc. will need auditing. The most
obvious laws relating to BC are any relating to civil contingencies and societal security, but, in
addition, we are now living in a post-GDPR world, so any organization in a jurisdiction dealing with the
EU must think about the handling of personal data in a BC context.

A summary of certain other points relating to the law is fitting here.

When auditors open a dictionary and compare the definitions for the words ‘compliance’ and
‘conformance’, they find themselves coming to the conclusion that there is little to choose between
the two words, and that they are therefore interchangeable. Certainly auditees will be using the
terms that way.


However, making a distinction and being consistent in the application of such terminology is
worthwhile, though auditors will always need to be aware that the distinction they are making may
not be understood by the auditee, unless they draw their attention to it.

Conformance is generally used by auditors in reference to meeting a specification or set of
requirements.


Role of the BC auditor:

In evaluating the organization’s capability

To:
• Protect against...
• Reduce the likelihood of occurrence of...
• Prepare for...
• Respond to...
• Recover from...

incidents when they arise, and disruptions which may threaten the continuity of the business and
the ability to deliver products and services within acceptable time frames, which have been predefined.

And -
• Continually improve BC performance
• Fulfil legal requirements and other requirements
• Achieve BC objectives

Feedback loops provide an organization with clear and accurate information on BC performance.
Organizational success, in providing increased organizational resilience, displays a tendency over time
to favour those with better feedback loops, and it appears that the more one can monitor and
provide input for evaluation, the better the chance for BC performance improvement.

A management system, in general, and auditing in particular, can be seen as a way of improving (or
even establishing) these feedback loops in an organization. A BCMS specifically improves the
feedback about a constantly evolving area: Business continuity and other risk. Continuing resilience
and societal security expectations in an increasingly complex global environment is another feedback
loop. Obviously the more finely attuned an organization is to new BC developments, the better placed
it is to react, and plan to improve, ahead of any legal, contractual, social/ethical
considerations/requirements.

A BC audit can help to define circumstances of which others may not even be aware, and keep the
more sensitive organization continually at the head of good corporate governance and social
responsibility.


The role of the auditor may include, amongst other things: Determination of the extent of conformity
of the management system to be audited, or parts of it, with audit criteria; determination of the
extent of conformity of activities, processes and products with the requirements of processes and
procedures of the management system; evaluation of the capability of the management system to
ensure compliance with legal and contractual requirements and other requirements to which the
organization is committed; evaluation of the effectiveness of the management system in meeting its
specified objectives; and identification of areas for potential improvement of the management
system.


Documentation

Documented information is:
A process is:
A documented process is:

The term ‘documented information’ covers both documents and records, and is defined as:
‘Information required to be controlled and maintained by an organization and the medium on which it
is contained’. It can be in any format and on any medium, and from any source. This can refer to
the management system, including related processes, information created in order for the
organization to operate (documentation), or evidence of results achieved (records).

The phrase ‘retain documented information as evidence of’ means records, and ‘maintain
documented information’ means documentation, including procedures.

A process is a ‘set of interrelated or interacting activities which transforms inputs into outputs’
(which may be documented or not). (ISO 22301:2019)

A process is a ‘set of interrelated or interacting activities that use inputs to deliver an intended result’
(which may be documented or not). (ISO 19011:2018)

A procedure is a specified way to carry out an activity or a process (which may be documented or
not).

A documented process is documented information specifically required by ISO 22301, or
determined by the organization as necessary for the effectiveness of the BCMS, or
necessary to have confidence that the processes will be carried out as planned.

ISO 22301 is made up of:
• BCMS processes (which should be interactive)
• Documented processes
• Processes
• Procedures
• Documented procedures
• Documented information


Documentation requirements
ISO 22301 requirements for documented information


ISO 22301 requires the following documentation:

Documented information
4.2.2 a) Process to identify, have access to, and assess applicable legal and regulatory requirements
4.3.1 Scope
4.3.2 Exclusions and explanation
5.2 Policy
6.2 Objectives
7.2 d) Competence
7.5.1 a) and b) Required by ISO 22301 and determined by the organization as necessary for the
effectiveness of the BCMS
8.1 c) Keeping documented information to the extent necessary to have confidence that the
processes have been carried out as planned
8.4.2.4 b) Procedures to guide team actions in the response structure
8.4.3.1 Procedures for warning and communication
8.4.4.1 Business continuity plans and procedures
8.4.5 Processes to restore and return the business activities from the temporary measures adopted
during and after a disruption
8.5 e) Post-exercise reports
9.1 Evidence of results of monitoring, measurement, analysis and evaluation
9.2.2 e) Evidence of the implementation of the audit programme(s) and audit results
9.3.3.2 Evidence of the results of management reviews
10.1.3 a) and b) Evidence of the nature of the nonconformities and any subsequent actions taken
and the results of any corrective action


Processes
4.2.2 a) Process to identify, have access to, and assess applicable legal and regulatory
requirements
4.4 Processes needed for the BCMS
8.1 Processes to meet requirements and implement actions determined in Clause 6.1
8.2.1 a) Processes for analysing business impact and assessing risks of disruption
8.2.2 Process for analysing business impacts to determine business continuity priorities and
requirements
8.2.3 Risk assessment process
8.4.4.3 h) Process for standing down
8.4.5 Documented processes to restore and return the business activities from the temporary
measures adopted during and after a disruption
9.2.2 c) Audit process

Procedures
8.4.1 Plans and procedures to manage the organization during a disruption
8.4.2.4 b) Documented procedures to guide team actions in the response structure
8.4.3.1 Documented procedures for warning and communication
8.4.4.1 Documented business continuity plans and procedures
8.4.4.1 c) Procedures to enable the delivery of products and services of agreed capacity


Documented information (7.5) (reminder)

Documentation can be:
• Paper
• Electronic
• Any other medium

Documented information (7.5) includes documentation required by ISO 22301 AND documentation
required by the organization.

Documentation can be in paper, electronic, or any other medium.

This includes:
• Products, services etc.
• Scope and boundaries of the BCMS
• Policy
• Objectives
• Documented information
• Other documents necessary to the organization
• Procedures and processes required by ISO 22301

It is important to not get bogged down in lots of unnecessary paperwork, which can be
counterproductive. When developing documentation, the organization should do what’s right for
them.


Control of documents (7.5) (reminder)


Not only does the organization being audited need documents, but they also need a set way to
control them.

Organizations must ensure:
• Document reviews and updates
• Identifying revision statuses
• Making applicable documents available at points of use
• Ensuring documents stay legible and identifiable
• Identifying and distributing external documents that are necessary for the BCMS
• Obsolete documents (preventing their unintended use, properly identifying retained obsolete
documents)


Enabling objectives
Skills


To achieve the overall learning objectives, delegates will now need to acquire and develop specific
skills by practising and testing the knowledge gained in real or simulated audit situations. These are
also specified as ‘enabling objectives’ and can be considered as steps towards the achievement of
the learning objectives.

We will now look at the ‘skills’ elements.


Activity 15

Initiating the audit

15 minutes

Activity 15: Initiating the audit

Purpose:
To practise and test the skills for initiating an audit.

Duration:
15 minutes whole class
10 minutes classroom discussion/review model answers
5 minutes reflection/application to own workplace

Directions:
You are currently working as an audit team leader for Live Wild Logistics (LWL), a B2B wholesaler
and supplier of live plants to supermarkets and other businesses. You look at the audit schedule to
see which audit is due to be carried out next. (Please think of an area to audit.)

You have been asked to contact the head of the department where the audit is to be carried out.
Whole class, please ask the tutor questions to complete this stage to the point where you are
comfortable that you have enough information to proceed with the audit. This includes speaking with
your audit client (the head of the department), your programme manager (management
representative) and then the appropriate auditee’s management. Your tutor will role-play these
individuals.

Please note: Initial contact with the auditee should also include requesting access to information on
the risks and opportunities the organization has identified, and how these are addressed; also the
determination of any areas of risk to the auditee, in relation to the specific audit. Resolution of any
issues regarding the composition of the audit team, with the auditee or audit client, will also be
necessary.


Activity 16

Document review

60 minutes

Activity 16: Document review

Purpose:
To practise and test the skills for carrying out a document review, in preparation for an audit.

Duration:
60 minutes groups
10 minutes classroom discussion
5 minutes reflection/application to own workplace

Directions:
In groups, please now assume you have access to the BCMS documentation, so you are able to
perform a document review of LWL. Be prepared to feed back your findings to the other groups.

Please note: Delegates might wish to allocate sections of the documentation to each group
member, as long as an appropriate document review is carried out overall.

(Note: A stage 1 audit is usually performed to ensure there is evidence the organization has the full
and correct set of documentation in place, but for the sake of time, you will only be looking at
excerpts of LWL documentation during this exercise.)

This should all help when you construct your audit plan.

Please note: Performing a review of documented information should take into account the context of
the auditee’s organization, and its related risks and opportunities.


ISO 22301 Covered in the ‘LWL’ Case Study documentation

4.2.2 Legal and regulatory requirements – Documented process required
4.3.1 Scope – Documented information required
4.3.2 Exclusions from the scope – Document exclusions
4.4 BCMS – Processes required
5.2 Policy – Documented information required
6.2 Objectives – Documented information required
7.2 Competence – Documented information required
7.5.1 Documented information
8.1 Operational planning and control – Documented information on processes required
8.4.2 Response structure – Documented procedures required
8.4.3 Warning and communication – Documented procedures required
8.4.4 Business continuity plans – Documented plans and procedures required
8.4.5 Recovery – Documented processes required
8.5 Exercise programme – Documented information required
9.1.1 General – Documented information required
9.2 Internal audits – Documented information required
9.3.3 Management review outputs – Documented information required
10.1 Nonconformity and corrective action – Documented information required


Activity 17

Audit plan

45 minutes

Activity 17: Audit plan

Purpose:
To practise and test the skills for preparing an on-site audit plan that is appropriate to the defined
objectives, scope, criteria, and the organization’s context and processes.

Duration:
45 minutes groups
15 minutes classroom discussion/review model answers
5 minutes reflection/application to own workplace

Directions:
Working in groups, use the audit plan template to prepare an audit plan for an on-site visit to LWL,
using the Case Study documentation. Plan for more than one auditor, with one auditor being the
audit team leader. Plan the audit over a two-day period with the scope, objective and criteria as
follows:

Scope: LWL’s site at Haarlemweg

Objective: To make a recommendation for certification to ISO 22301, if major nonconformities are
not found

Criteria: ISO 22301, and applicable legal or contractual requirements and the organization’s own
BCMS

Please note: The audit team leader should take a risk-based approach to planning, based on the
audit programme and the documented information provided. The audit team leader should also
consider opportunities to improve the effectiveness and efficiency of the audit activities, and the risks
to achieving the audit objectives created by ineffective audit planning. Audit planning should also
address or reference: the processes to be audited; the locations (physical and virtual); the need to
familiarize themselves with the auditee’s facilities and processes; reviewing information and
communication technology; allocation of resources based on risks and opportunities; and follow-up
actions (e.g. lessons learned, project reviews).

Activity 18

Work documents

30 minutes

Activity 18: Work documents

Purpose:
To practise and test the skills for preparing the necessary audit work documents.

Duration:
30 minutes in groups
(This will be used for the audit of top management – in Activity 21)

Directions:
Working in teams, please now prepare checklist questions to ask the top management: (You may wish
to split the topic areas up for each team member to focus on).

Choose the auditee representative from the top management team.

ISO 22301 clauses that may be relevant include (4, 5, 9.3 etc.).

Reference specific documents from the Case Study in the organization’s BCMS that might be relevant (to
assist you in your first audit), in particular the Context and Leadership section.

PLEASE BE PREPARED TO INTERVIEW TOP MANAGEMENT SHORTLY


Activity 19

Opening meeting

30 minutes

Activity 19: Opening meeting

Purpose:
To practise and test the skills to conduct an opening meeting for a BCMS audit.

Duration:
20 minutes whole class workshop
30 minutes in groups plan and carry out an opening meeting

Directions:
1. Whole class: your tutor will now talk you through a second-party opening meeting from the point
of view of an auditor. Based on the scenarios given, what do you think is not correct, and if you
were the lead auditor, what would you consider and do differently?

2. Then, in groups, plan and carry out an opening meeting, in accordance with your audit plan for
Live Wild Logistics. The tutor will then select one group to carry out the actual opening meeting.
The other group is to observe, take notes, and comment as appropriate.


Activity 20

Observations

20 minutes

Activity 20: Observations

Purpose:
To practise and test the skills required for a site tour to collect evidence through observations.

Duration:
20 minutes in pairs
15 minutes classroom discussion/review model answers
5 minutes reflection/application to own workplace

Directions:
Working in pairs, please look at the photos in Section 3 of your References. Assume you are making
these observations as you walk round the organization’s site. Please record your observations, and
think about what questions you might ask in relation to the observations made.

When you are not asking questions please follow the audit and take notes of evidence provided.
These may provide further useful audit trails for yourself. Please summarize your findings and audit
trails to the tutor.


Auditing ‘top management’


Please review the script of an audit with top management in the ‘References’.

In your teams, read the script, answer the questions, and then hold classroom discussions with your
tutor on:

1. What clauses of the Standard are being audited?
2. The ability to manage meetings and audit interviews effectively with top management
3. The ability to follow audit trails with top management
4. The ability to collect and verify appropriate audit evidence, including appropriate sampling
5. The purpose and the intended outcomes of the management system, and the relevant external
and internal issues, as determined by the organization
6. The relevant interested parties and any relevant requirements that have been determined by the
organization
7. The scope of the management system in relation to its:
• External and internal issues
• Compliance obligations
• Boundaries and applicability of the management system
• Authority and ability to exercise control and influence
8. The management system policy and objectives have been established by top management and
that they:
• Are compatible with the organization’s strategic direction
• Have been communicated with the management system policy to relevant interested parties


Activity 21
Interviewing ‘top management’

45 minutes

Activity 21: Interviewing ‘top management’

Purpose:
To practise and test the skills required, as an auditor, in a review of top management at an
organization.

Time is normally very limited for this audit with top management – so focus on the important
questions and evidence expected. Assume all your samples are already contained in your Case Study
records.

Duration:
45 minutes for audit and with tutor feedback
10 minutes to review/reflect and summarize findings

Directions: (Part A)
In your allocated teams, interview the top management auditee representative who will be played by
the tutor. Each group will be allowed to ask questions in turn. When you are not asking questions
please follow the audit and take notes of evidence provided. These may provide further useful audit
trails for yourself.

You should note the information given to you and be prepared to discuss in class what this is and
how you might use this during the audit.

You and your team should also be prepared to discuss auditor/auditee body language issues and
tone and language used for top management.

Please note: Auditors should also aim to interview top management to confirm that they have an
adequate understanding of the discipline-specific issues relevant to their management system,
together with the context their organization operates within, so that they can ensure that the
management system achieves its intended results. Auditors should not only focus on leadership at the
top management level but should also audit leadership and commitment at other levels of
management, as appropriate.

Directions: (Part B)
After the audit, spend 10 minutes reflecting on your audit and summarize the main findings (good
and bad) in preparation for Activity 30 (Audit report).


Process audit preparation

(Slide diagram: a PROCESS box with the following questions arranged around it. Inputs? (What, from
whom); Outputs? (What, to whom); With what? (Resources); With who? (Responsibilities, authorities);
How done? (Criteria, methods/controls, documentation); What results? (Monitoring, measurements,
performance indicators).)

Auditors should apply professional judgement during the audit process and avoid concentrating on
the specific requirements of each clause of the standard at the expense of achieving the intended
outcome of the management system. Some ISO management system standard clauses do not readily
lend themselves to audit in terms of comparison between a set of criteria and the content of a
procedure or work instruction. In these situations, auditors should use their professional judgement
to determine whether the intent of the clause has been met. Please remember though: Auditors
should be focused on the intended result of the management system throughout the audit process.
While processes and what they achieve are important, the result of the management system
and its performance are what counts.

A process is essentially a set of interrelated or interacting activities that use inputs to deliver an
intended result.

Identifying the processes that drive an organization’s activities, products and services helps to
understand the risks/opportunities and the appropriate controls.

Whether you are attempting to audit existing processes or you are auditing new ones, an important
stage is the accurate identification of inputs, outputs, controls and resources. In order to capture the
information, it is useful to construct a diagram to identify all the elements of a process, as on the
slide. Creating the diagram will also help focus attention on the need for the process in the first place
– you may find that it has evolved rather than been designed.
During this sort of analysis, it is sometimes hard to know whether you are auditing a process or a
series of processes, where the output of one process is the input into the next process. Note, in some
processes, some inputs become outputs without any transformation e.g. a blueprint used in a
manufacturing process or a catalyst in a chemical process.

Note that a ‘procedure’ is a ‘specified way to carry out an activity or a process’, which may be a
documented set of instructions, or simply an established way of doing a specific task that itself forms
part of a larger process.


As mentioned previously, there are three main dimensions to auditing:


• Assessment of the documented management system (INTENT)
• Assessment of the degree of implementation (IMPLEMENTATION)
• Assessment of the BCMS effectiveness (EFFECTIVENESS)

It is therefore important not to forget about process effectiveness. The definition of effectiveness
from Annex SL is: ‘Extent to which planned activities are realized and planned results achieved’.

‘Planned activities’ are considered as the means, methods, and internal requirements by which the
organization intends to achieve planned results of a given process to meet requirements. Planned
activities include conformity to process requirements and processes.

Please note, ‘process effectiveness’ includes a consideration of both:


• Process realization - the extent to which planned activities are realized
• Process results - the extent to which planned results are achieved

(An EXAMPLE therefore, from an auditor’s findings, which has taken into consideration
process effectiveness)
Process: Supplier onboarding and SLA establishment (relating to BCMS requirements)
Reviewed documents/evidence:
• Management’s description of the process (management interview)
• Documented third-party management process ‘3PM’ 23rd Jul 2019
• Etc.
Planned activities: Have been fully realized.
Methods for determining process results are: Returned with BCMS requirements adequately
responded to - on-going target (98%), etc.
Results: Weekly review minutes (wk 34, 36 and 40) state on-going BCMS team’s concern with the
BCMS requirements completed in supplier responses (currently 78%), although no
investigation/action has yet been taken…etc.
Planned results: Not achieved and appropriate action is not taken.

There are therefore basically five steps to a finding here.

Remembering this should help all auditors when structuring their documented evidence, to include
process effectiveness i.e.:
1. Objective evidence as bullet point/list
2. Planned activities have been fully realized/not fully realized/not realized
3. Methods for determining process results are:
4. Result:
5. Planned results achieved/not achieved but actions being taken/not achieved and appropriate
actions not taken


BIA and risk assessment process (reminder)


You should consider the following when auditing the BIA and risk assessment process:

• The BIA should be in line with the context, risks and opportunities the organization may encounter
and is prepared to accept
• There should be top management support, with resources provided taking into account interested
parties
• There need to be methods showing how recovery timeframes are determined, including
unacceptable timeframes
• Risk assessment methodology and criteria need to be in place, taking into account the amount and
type of risk top management is willing to accept, pursue or retain (this was referred to as risk
appetite in previous standards, but the term is hotly debated and does not appear in the latest
publication)


Resumption of activities (reminder)

(Slide diagram: performance plotted against time. Normal activity runs until the Incident, performance
falls, and then rises again through the Minimum performance level back to Normal activity. Marked on
the time axis are the Objective to resume activity, the Time to resume activity, the Time to resume
normal levels of operation, and the Time after which irrevocable damage is done to the organization.)

The real issue for organizations is meeting minimum levels of service. If this is met before the
‘objective to resume activity’ then fine, and the irrevocable damage time is irrelevant. The problems
start when the organization does not meet the ‘objective to resume activity’.

Provided they reach the minimum level of service before they reach the irrevocable damage time, that
is acceptable.

What is disastrous is when they, in theory, meet neither the ‘objective to resume activity’ nor the
irrevocable damage time. This means the organization may not be recoverable, so to speak, and is no
longer a ‘going concern’ or in operation. ISO 22301 Clause 8.2.2 d) and e) specifically ask for both of
these times to be considered.

Note: While this diagram demonstrates a sudden disruption, it is also possible for gradual disruptions
to occur (e.g. an outbreak of flu that gradually reduces the workforce, slowly-increasing regional
flooding, or a reduction in the availability/price of fuel oils/gasoline). Also note that this is an
idealized graphical representation, and where on a timeline, and at what level, acceptable
production/service is positioned depends on the organization's own BIA.
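The three cases above written out as decision logic, as an added example that is not from the course materials or from BSI. The activity names, BIA figures and performance curves are constructed, and the code also covers the gradual disruption mentioned in the note by starting the clock when performance first falls below the minimum level.

```python
"""Evaluate an activity's observed (or exercised) recovery against its BIA time frames.

Added example, not part of the course materials. Activity names, BIA figures
and performance samples below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Verdicts, following the three cases discussed in the course notes.
WITHIN_OBJECTIVE = "within objective to resume activity"
OBJECTIVE_MISSED = "objective missed, but before irrevocable damage time"
DISASTROUS = "irrevocable damage time exceeded"
NOT_DISRUPTED = "never fell below minimum performance level"

# (hours since start of monitoring, performance as a fraction of normal), in time order
Sample = Tuple[float, float]


@dataclass(frozen=True)
class Activity:
    """BIA output for one prioritized activity (hypothetical)."""
    name: str
    min_level: float          # minimum acceptable performance, 0..1 of normal
    objective_hours: float    # objective to resume activity (ISO 22301 8.2.2 e)
    irrevocable_hours: float  # time after which damage is irrevocable (8.2.2 d)


def check_bia(activity: Activity) -> List[str]:
    """Consistency checks an auditor would raise on the BIA figures themselves."""
    issues = []
    if not 0.0 < activity.min_level <= 1.0:
        issues.append(f"{activity.name}: minimum level {activity.min_level} is not a fraction of normal")
    if activity.objective_hours <= 0 or activity.irrevocable_hours <= 0:
        issues.append(f"{activity.name}: time frames must be positive")
    elif activity.objective_hours > activity.irrevocable_hours:
        # 8.2.2 e) sets the resumption time frame within the time identified in d).
        issues.append(f"{activity.name}: objective to resume ({activity.objective_hours}h) "
                      f"lies beyond the irrevocable damage time ({activity.irrevocable_hours}h)")
    return issues


def disruption_start(samples: Sequence[Sample], min_level: float) -> Optional[float]:
    """Time of the first sample below the minimum level.

    For a sudden incident this is the drop itself; for a gradual disruption
    (the flu or flooding cases in the note) it is the point where the slow
    decline crosses the minimum level, which is when the clock should start.
    """
    for t, level in samples:
        if level < min_level:
            return t
    return None


def hours_to_resume(samples: Sequence[Sample], min_level: float, start: float) -> Optional[float]:
    """Hours after `start` until performance is first back at or above the minimum level."""
    for t, level in samples:
        if t > start and level >= min_level:
            return t - start
    return None


def evaluate(activity: Activity, samples: Sequence[Sample]) -> Tuple[str, Optional[float]]:
    """Classify one activity's recovery curve; returns (verdict, hours to reach minimum level)."""
    start = disruption_start(samples, activity.min_level)
    if start is None:
        return NOT_DISRUPTED, None
    elapsed = hours_to_resume(samples, activity.min_level, start)
    if elapsed is not None and elapsed <= activity.objective_hours:
        return WITHIN_OBJECTIVE, elapsed
    if elapsed is not None and elapsed <= activity.irrevocable_hours:
        return OBJECTIVE_MISSED, elapsed
    # Either never resumed within the samples, or resumed too late.
    return DISASTROUS, elapsed


# Constructed data: a sudden outage and a gradual decline in staff availability.
ORDER_DESPATCH = Activity("order despatch", min_level=0.5, objective_hours=12, irrevocable_hours=72)
SUDDEN_OUTAGE: List[Sample] = [(0, 1.0), (1, 0.0), (8, 0.3), (24, 0.6), (48, 1.0)]

CUSTOMER_SUPPORT = Activity("customer support", min_level=0.5, objective_hours=24, irrevocable_hours=36)
GRADUAL_DECLINE: List[Sample] = [(0, 1.0), (24, 0.9), (48, 0.7), (72, 0.4), (96, 0.3), (120, 0.55), (168, 1.0)]

if __name__ == "__main__":
    for activity, curve in ((ORDER_DESPATCH, SUDDEN_OUTAGE), (CUSTOMER_SUPPORT, GRADUAL_DECLINE)):
        for issue in check_bia(activity):
            print("BIA issue:", issue)
        verdict, hours = evaluate(activity, curve)
        print(f"{activity.name}: {verdict} (minimum level reached after {hours} h)")
```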


Activity 22
Auditing processes: Business impact
analysis and risk assessment

50 minutes

Activity 22: Auditing processes: Business impact analysis and risk assessment

Purpose:
To practise and test the skills required, as an auditor, to review the processes in interview with a
representative from LWL for carrying out the business impact analysis and risk assessment and
evaluate these against any documented information in the Case Study.

Duration:
50 minutes for audit and with tutor feedback
5 minutes to review/reflect and summarize findings

Directions: (Part A)
In your allocated teams, confirm (or otherwise) the statements made by the LWL representative,
checking that any documented information present in the Case Study confirms the practice carried out
by those responsible for BIA and risk assessment. Each group will be allowed to ask questions in turn
(if needed). When you are not asking questions please follow the audit and take notes of evidence
provided. These may provide further useful audit trails for yourself.

Audit criteria – Clauses 6.1, 8.1 and 8.2 and any others thought appropriate.

Audit scope and objective – LWL’s Haarlemweg site and readiness for certification respectively.
Auditee representative – As per the audit plan.

Specific documents in the organization’s BCMS that might be relevant include: the BIA and risk
assessment process, Planning and Operation sections, plus anything else you consider relevant.

Please note: Auditors should have relevant sector-specific knowledge and understanding of the
management tools that organizations can use in order to make a judgement regarding the
effectiveness of the processes used to determine context.


Directions: (Part B)
After the audit, spend 5 minutes reflecting on your audit and summarize the main findings (good and
bad) in preparation for Activity 30 (audit report).


BC strategies and solutions (reminder)

Strategies and solutions must be established


Once the BIA has been determined then the strategies and solutions for dealing with an impact have
to be established.

You should consider the following when auditing the BC strategies and solutions:

• The strategies need to deal with prioritizing activities, managing and responding to impacts
• There need to be clear solutions which consider any resources required and how and when they
would be used
• Depending on the amount of risk the organization is willing to accept, risk treatment will be in
place to reduce disruptions and limit their impacts


Activity 23
Auditing processes: Business continuity
strategies and solutions

25 minutes

Activity 23: Auditing processes: Business continuity strategies and solutions

Purpose:
To practise and test the skills required, as an auditor, to review the processes in interview with a
representative from LWL for implementing business continuity strategies and solutions and evaluate
these against any documented information in the Case Study.

Duration:
25 minutes work documents preparation
35 minutes for audit and with tutor feedback
5 minutes to review/reflect and summarize findings

Directions: (Part A)
In your allocated teams, create work documents for the BCMS processes allocated, then start
auditing. Each group will be allowed to ask questions in turn. When you are not asking questions
please follow the audit and take notes of evidence provided. These may provide further useful audit
trails for yourself.

Then, in your teams, confirm (or otherwise) the statements made by the LWL representative, checking
that any documented information present in the Case Study confirms the practice carried out by those
responsible for implementing and maintaining business continuity strategies and solutions. Each
group will be allowed to ask questions in turn (if needed). When you are not asking questions please
follow the audit and take notes of evidence provided. These may provide further useful audit trails for
yourself.

Audit criteria – Clauses 6.1, 8.1 and 8.3 and any others thought appropriate.

Audit scope and objective – LWL’s Haarlemweg site and readiness for certification respectively.
Auditee representative – As per the audit plan.


Specific documents in the organization’s BCMS that might be relevant include:


Business continuity strategies and solutions based on the outputs of the BIA and risk assessment,
Planning and Operation sections, plus anything else you consider relevant.

Please note: Auditors should have relevant sector-specific knowledge and understanding of the
management tools that organizations can use in order to make a judgement regarding the
effectiveness of the processes used to determine context.

Directions: (Part B)
After the audit, spend 5 minutes reflecting on your audit and summarize the main findings (good and
bad) in preparation for Activity 30 (audit report).


BC plans and procedures (reminder)

(Slide diagram: There is a process for activating a response; there is flexibility in responding to
incidents and impacts; the welfare of individuals is taken care of; there is a strategy for dealing with
the media; there is a process for standing down.)

What would you need to consider when auditing the BC plans and procedures?

The BC plans need to establish an incident response structure, methods of warning and
communications, and provide procedures for dealing with disruptive incidents to ensure:

• There is a process for activating a response


• There is flexibility in responding to incidents and impacts
• The welfare of individuals is taken care of
• There is a strategy for dealing with the media
• There is a process for standing down

There has to be a documented process to restore and return the business activities from the
temporary measures.


Activity 24

Auditing processes: Business continuity plans and procedures

30 minutes

Activity 24: Auditing processes: Business continuity plans and procedures

Purpose:
To practise and test the skills required, as an auditor, to review the processes in interview with a
representative from LWL for implementing business continuity plans and procedures and evaluate
these against any documented information in the Case Study.

Duration:
30 minutes work documents preparation
55 minutes for audit and with tutor feedback
10 minutes to review/reflect and summarize findings

Directions: (Part A)
In your allocated teams, confirm (or otherwise) the statements made by the LWL representative,
checking that any documented information present in the Case Study confirms the practice carried out
by those responsible for implementing and maintaining business continuity plans and procedures. Each
group will be allowed to ask questions in turn (if needed). When you are not asking questions please
follow the audit and take notes of evidence provided. These may provide further useful audit trails for
yourself.

Audit criteria – Clauses 6.1, 8.1 and 8.4 and any others thought appropriate.

Audit scope and objective – LWL’s Haarlemweg site and readiness for certification respectively.
Auditee representative – As per the audit plan.

Specific documents in the organization’s BCMS that might be relevant include:


Business continuity plans and procedures, Planning and Operation sections, plus anything else you
consider relevant.

Please note: Auditors should have relevant sector-specific knowledge and understanding of the
management tools that organizations can use in order to make a judgement regarding the
effectiveness of the processes used to determine context.

Directions: (Part B)
After the audit, spend 10 minutes reflecting on your audit and summarize the main findings (good
and bad) in preparation for Activity 30 (audit report).


Activity 25

Audit trails

30 minutes

Activity 25: Audit trails

Purpose:
To recognize and discuss the importance of audit trails.

Duration:
30 minutes in your allocated teams
20 minutes classroom discussion

Directions:
In your allocated teams, identify a selection of the different audit trails taken by your team members
during the last three audit activities.

Record these, showing the lines of questioning and evidence giving rise to the trail, on a flipchart.
Get ready to present these to the other teams, explaining also their significance to the audit
objective(s) and possible conclusion.


Exercise programme (reminder)

Any exercises and tests should:

Be planned

Involve interested parties

Be in line with the objectives

Cause minimal risk to existing operations

Be part of the organization's approach to continual improvement


What would you need to consider when auditing the exercise programme?

A programme for exercising and testing the effectiveness of business continuity strategies and
solutions is an important part of the BCMS.

Any exercises and tests should:


• Be planned
• Involve interested parties
• Be in line with the objectives
• Cause minimal risk to existing operations
• Be part of the organization's approach to continual improvement

Post-exercise reports should contain outcomes, recommendations and improvement actions.


Typical exercises and tests (reminder)


The main types of exercises/tests carried out are:

Desk check:
The leader of the exercise and plan owners go through their plans across a desk/table and a report is
written from that with actions.

Walk through:
The leader and plan owners take their plans and ‘walk’ them through the processes and procedures
laid down. By doing this it is possible to see where there are any anomalies in the plans and take the
necessary actions.

Simulation:
An incident is given that requires a theoretical response. All participants that would be involved in the
normal response should be involved.

Limited rehearsal:
A business unit or similar may be chosen for a response to an incident.

Full exercise:
The organization’s complete BC arrangements are put into place for a given scenario.


Activity 26
Auditing processes: Exercise programme

30 minutes

Activity 26: Auditing processes: Exercise programme

Purpose:
To practise and test the skills required, as an auditor, to review the processes in interview with a
representative from LWL for maintaining an exercise programme and evaluate these against any
documented information in the Case Study.

Duration:
30 minutes work documents preparation
45 minutes for audit and with tutor feedback
10 minutes to review/reflect and summarize findings

Directions: (Part A)
In your allocated teams, confirm (or otherwise) the statements made by the LWL representative,
checking that any documented information present in the Case Study confirms the practice carried out
by those responsible for implementing and maintaining an exercise programme. Each group will be
allowed to ask questions in turn (if needed). When you are not asking questions please follow the
audit and take notes of evidence provided. These may provide further useful audit trails for yourself.

Audit criteria – Clauses 6.1, 8.1 and 8.5 and any others thought appropriate.

Audit scope and objective – LWL’s Haarlemweg site and readiness for certification respectively.
Auditee representative – As per the audit plan.

Specific documents in the organization’s BCMS that might be relevant include:


Business continuity plans and procedures, Planning and Operation sections, plus anything else you
consider relevant.

Please note: Auditors should have relevant sector-specific knowledge and understanding of the
management tools that organizations can use in order to make a judgement regarding the
effectiveness of the processes used to determine context.


Directions: (Part B)
After the audit, spend 10 minutes reflecting on your audit and summarize the main findings (good
and bad) in preparation for Activity 30 (audit report).

(Please also refer to some additional notes on monitoring in your References section, for this Activity)


Monitor and measure, management review and continual improvement (reminder)

• How effective is the BCMS and what needs to be improved?
• What has been monitored and measured?
• How do the metrics fit with the policy and objectives?
• How are the results analysed?
• There will also need to be an evaluation of BCMS processes
• Post-incident reviews also need consideration

What would you need to consider when auditing Clause 9.1?

This area of ISO 22301 establishes how effective the BCMS is and where improvements can be made.
It has an important role to play in looking to the future for the organization.

The organization first needs to decide what is to be monitored and measured.


What metrics are required for measurement and how do these fit with the policy and objectives?

How will the organization deal with and analyse the results?

There will also need to be an evaluation of the business continuity procedures, together with post-incident reviews, amongst other things.

What would you need to consider when auditing Clause 9.3?

Management review pulls together the BCMS through considering all the inputs and reviewing these
against the policy and objectives.

The outputs should primarily identify improvements, changes to risks and resource requirements, and take into account any budgetary requirements.

The results should be communicated to relevant interested parties.

Continual improvement needs to address the whole of the BCMS, taking into account nonconformities
and the corrective actions taken to address these.


Activity 27
Auditing processes: Monitor, measure,
management review and continual improvement

25 minutes


Activity 27: Auditing processes: Monitor, measure, management review and continual improvement

Purpose:
To practise and test the skills required, as an auditor, to review in interview with a representative from LWL the processes for monitoring, measuring, reviewing and continually improving the BCMS, and to evaluate these against any documented information in the Case Study.

Duration:
25 minutes work documents preparation
45 minutes for audit and with tutor feedback
10 minutes to review/reflect and summarize findings

Directions: (Part A)
In your allocated teams, confirm (or otherwise) the statements made by the LWL representative, checking whether the documented information present in the Case Study supports the practice described by those responsible for monitoring, measuring, reviewing and continually improving the BCMS. Each group will be allowed to ask questions in turn (if needed). When you are not asking questions, please follow the audit and take notes of the evidence provided; these may provide further useful audit trails for yourself.

Audit criteria – Clauses 6.1, 8.1, 9.1, 9.3 and 10.2 and any others thought appropriate.

Audit scope and objective – LWL’s Haarlemweg site and readiness for certification respectively.
Auditee representative – As per the audit plan.

Specific documents in the organization’s BCMS that might be relevant include: data pertaining to the monitoring and measurement of the BCMS, any management review documentation and evidence of improvement actions, the Planning, Operation, Performance evaluation and Improvement sections, plus anything else you consider relevant.


Please note: Auditors should have relevant sector-specific knowledge and understanding of the management tools that organizations can use, in order to make a judgement regarding the effectiveness of the processes under review.

Directions: (Part B)
After the audit, spend 10 minutes reflecting on your audit and summarize the main findings (good
and bad) in preparation for Activity 30 (audit report).


Nonconformity (Knowledge)

Minor

Major


Nonconformities can be graded depending on the context of the organization and its risks. The grading can be quantitative (e.g. 1-5) or qualitative (e.g. minor, major).

Minor nonconformity: Nonconformity that does not affect the capability of the management
system to achieve the intended results (ISO/IEC 17021-1:2015 3.13).

Example: Nonconformity: The organization was behind on its audit schedule when the business continuity manager left and another qualified colleague was on maternity leave during the same period. During the audit, the general manager stated (admissible statement): ‘we were recruiting a new BC manager and had someone ready to start, so we decided to wait for the new starter before resuming the audit schedule, and besides we knew BSI were coming to do our surveillance audit this month.’ ISO 22301 Clause 7.1 states that the organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the BCMS.

Major nonconformity: Nonconformity that affects the capability of the management system to
achieve the intended results (ISO/IEC 17021-1:2015 3.12).
Nonconformities could be classified as major in the following circumstances:
If there is a significant doubt that effective process control is in place to either continually improve
BCMS performance, fulfil legal and other requirements, achieve BCMS objectives, provide a resilient
workplace or contribute to societal security.

A number of minor nonconformities associated with the same requirement or process could demonstrate a systemic failure, and thus constitute a major nonconformity, since the BCMS would not be achieving its intended results.

Example: Nonconformity: There was no audit programme established for the coming year, and no
plan to do so. ISO 22301 Clause 9.2.2 states that the organization shall plan, establish, implement
and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning
requirements, and reporting. The audit programme(s) shall take into consideration the importance of
the processes concerned and the results of previous audits.


Activity 28

Nonconformities

30 minutes


Activity 28: Nonconformities

Purpose:
To practise and test the skills required, as an auditor, to recognize nonconformity and write/grade
nonconformity reports correctly.

Duration:
Part 1
30 minutes individually
10 minutes classroom discussion

Directions:
1. Individually, review the scenarios contained in your References section (for this activity) and
answer the questions posed

After a classroom discussion:

Part 2
20 minutes in groups
5 minutes reflection/application to own workplace

Directions:
2. The tutor will select one or more nonconformities. In groups, please write a nonconformity statement on a flipchart for all groups to then review (groups will assess whether the statement is complete, concise and correct). Please use the format covered on the last slide (example).

(This format will also be used in Section 4 of the specimen exam paper)


Activity 29

Closing meeting

45 minutes


Activity 29: Closing meeting

Purpose:
To practise and test the skills to present audit conclusions and recommendations clearly in a closing
meeting.

Duration:
20 minutes whole class workshop
45 minutes whole class plan and carry out a closing meeting
5 minutes reflection/application to own workplace

Directions:
1. Whole class, your tutor will now talk you through a second-party closing meeting from the point of view of an auditor, and revisit your opening meeting workshop from Tuesday. Based on the scenarios given, what do you think is not correct, and if you were the lead auditor, what would you consider and do differently?

2. Then, whole class, plan and carry out a closing meeting, concluding on your recent audit activities of the case study this week. The tutor will select one delegate to act as the team leader; all other delegates are then to write out one (different) nonconformity statement (from your audit of Live Wild Logistics) and be ready to present it during the meeting, as prompted by your team leader.

Note: If there are more than 10 delegates your tutor may split the class into two, for the purpose of
ensuring the meeting runs effectively.


Activity 30

Audit report

60 minutes


Activity 30: Audit report

Purpose:
To practise and test the skills to present audit conclusions and recommendations clearly in an audit
report.

Duration:
60 minutes individually
5 minutes reflection/application to own workplace

Directions:
Working individually, prepare an audit summary report, to be given to the tutor for marking. Please use no more than 2-3 sides of A4 paper (or equivalent).

Please include:
• A unique reference number
• Auditors in your team, with yourself identified as the audit team leader
• Audit objective, scope and criteria
• Auditees interviewed
• Executive summary detailing:
• Total number of minor/major nonconformities/OFIs/observations
• The main positive encountered during the audit
• The main area of weakness in the system including relevant clause
• One nonconformity statement
• Assessment of intent – paragraph detailing the main area of weakness and the main area of
strength
• Assessment of implementation – paragraph detailing the main area of weakness and the main area
of strength
• Assessment of effectiveness – paragraph detailing the main area of weakness and the main area
of strength
• Your audit conclusion


Activity 31

Audit follow-up

30 minutes


Activity 31: Audit follow-up

Purpose: To practise and test the skills to evaluate proposals for corrective action, and differentiate
between correction and corrective action.

Duration:
30 minutes in pairs
10 minutes classroom discussion
5 minutes reflection/application to own workplace

Directions:
Following a recent audit your team conducted, some nonconformities have been raised.

As directed by your tutor, propose a corrective action for a nonconformity. The tutor will pass your answer to another team for review.

First, review the nonconformities raised with your neighbour, together with the proposed corrective actions sent to you by the auditee. Then either accept the actions proposed by the auditee or, if you do not, note down why they would not be acceptable and what might be acceptable proposals. This will then be discussed with the tutor.


Activity 32
Specimen exam paper

50 minutes


Activity 32: Specimen exam paper

Purpose:
To practise and test the skills required (for section 4 of the exam); to analyse audit situations,
evaluate audit evidence and apply knowledge of the audit criteria correctly.

Duration:
50 minutes individually
15 minutes classroom discussion/review answers
5 minutes reflection/application to own workplace

Directions:
Individually, complete section 4 of the specimen exam paper.


CQI and IRCA

• BCM Auditor certification scheme


• Code of Conduct
• Content
• Intent


CQI and IRCA (Chartered Quality Institute and The International Register of Certificated Auditors) are
internationally recognized as a certification body providing auditor registration.

See CQI and IRCA website (www.quality.org), for details of the BCM Auditor scheme requirements
and guidance.

Code of conduct - All CQI and IRCA certified auditors are required to agree to, and be bound by, the Code of Conduct found within the ‘CQI professional code of conduct’ document, available in your References section.


How to contact CQI and IRCA

CQI and IRCA
2nd Floor, Chancery Exchange
10 Furnival Street, London
EC4A 1AB, UK
+44 (0)20 7245 6722
Website: https://www.quality.org


Course review and final questions

Knowledge

Skills


COURSE REVIEW
The learning objectives describe in outline what delegates will know and be able to do by the end of this course.

On completion, successful delegates will have the knowledge and skills to:

Knowledge
• Explain the purpose of a business continuity management system, of business continuity
management systems standards, of management system audit, of third-party certification and the
business benefits of improved performance of the business continuity management system
• Explain the role and responsibilities of an auditor to plan, conduct, report and follow up a business
continuity management system audit in accordance with ISO 19011 (and ISO 17021 where
appropriate)

Skills
• Plan, conduct, report and follow up an audit of a business continuity management system to
establish conformity (or otherwise) with ISO 22301 and in accordance with ISO 19011 (and ISO
17021 where appropriate)


Contact information

Address: BSI Group India Pvt. Ltd., The Mira Corporate Suites, Plot No 1 & 2, Ishwar Nagar, New Delhi 110065
Telephone: +91 11 47629000
Email: India.training@bsigroup.com
Links: www.bsigroup.co.in
