Audit Preparation

Your ISO 22301 BIA Passed Certification. It Doesn’t Reflect Your Organisation Anymore.

By AEC International February 5, 2026 5 min read

Most business impact analyses are accurate exactly once: the month they’re written for the Stage 2 audit. By the first surveillance visit, the organisation has changed. The BIA hasn’t. This is the central failure of ISO 22301 BIA review in practice.

ISO 22301:2019 Clause 8.2.1 requires organisations to review the BIA “at planned intervals and when there are significant changes within the organization or the context in which it operates.” But the standard prescribes no frequency, defines no trigger threshold, and sets no staleness criterion. That silence creates the single most common pattern auditors find in BCMS surveillance: a BIA that was fit for purpose at certification and has been rubber-stamped annually since, while the operations it describes have quietly moved on.

What Clause 8.2.2 Actually Requires, and Where It Stops

Clause 8.2.2 sets out the BIA’s structural obligations. The organisation must identify activities supporting product and service delivery, assess disruption impacts over time, determine maximum tolerable periods of disruption and minimum business continuity objectives, establish prioritised activities with recovery timeframes, and map dependencies including partners and suppliers.

None of those outputs are static. Every one of them changes when the organisation restructures, launches a new service line, migrates IT infrastructure, or substitutes a supplier. The clause demands that these elements exist and are documented. It does not demand that they remain current; that obligation lives in Clause 8.2.1’s review requirement, which defers entirely to the organisation’s own definition of “planned intervals” and “significant changes.”

Glocert International, in CB guidance published January 2026, lists “BIA not reviewed annually or after significant changes” as one of the most common ISO 22301 audit findings. The finding exists because the review trigger mechanism is absent, not because organisations refuse to update their BIA.

[Figure: Timeline showing the ISO 22301 BIA review gap between certification and surveillance audit]

The 2019 Edition Changed the BIA Review Equation

The 2012 edition implied that BIA adequacy should be evaluated. The 2019 edition made it explicit. Clause 8.6 now requires the organisation to evaluate the suitability, adequacy, and effectiveness of its BIA and risk assessment. ISOQAR, a UKAS-accredited certification body, confirms in July 2025 guidance that this was “previously only an implicit requirement in the name of effectiveness.”

That distinction matters at surveillance. Under the 2012 edition, an auditor questioning a stale BIA was arguing from inference, because the standard didn’t directly require evaluation of BIA fitness. Under the 2019 edition, the auditor has Clause 8.6 as a direct mechanism. A BIA that exists, is version-controlled, and was formally “reviewed” but demonstrably misrepresents current operations (RTOs referencing decommissioned systems, dependencies mapped to terminated supplier contracts, prioritised activities owned by teams that were restructured out of existence) is now a legitimate finding against a named clause.

The question shifts from “was the BIA reviewed?” to “is the BIA fit for purpose?” The second question is harder to answer with an annual rubber stamp.

Where the Stale BIA Actually Breaks

The damage propagates downstream. Clause 8.2.3 requires the risk assessment to assess disruption risks to the prioritised activities identified by the BIA. If the BIA is stale, the risk assessment is built on invalidated foundations. Both documents arrive at surveillance with matching dates and matching approvals, and matching disconnection from current operations.

Clause 9.1 makes the gap wider. Performance evaluation requires the organisation to determine what to monitor and measure, and to retain documented evidence of results. Most organisations track exercise completion rates and incident response metrics. Almost none include BIA currency as a performance indicator. The BIA sits outside the measurement framework entirely: formally maintained, operationally unchecked.

Here is what that looks like in practice: the BCMS manager updates the BIA in the four to six weeks before the surveillance visit. IT infrastructure changed eight months ago. A key supplier was replaced six months ago. A business unit was restructured four months ago. The BCMS manager discovers these changes during pre-audit preparation, or the external auditor discovers them first.

Clause references for 8.2.3 and 9.1 reflect mapped standard requirements. Verify against current edition before audit use.

[Figure: Flowchart showing ISO 22301 Clause 8.2.1, 8.2.2, and 8.6 BIA review requirements]

Building a BIA Review Process That Stays Current

Moving from a static BIA to a maintained one takes infrastructure, not willpower.

First, age the existing BIA. Map every prioritised activity to its current operational owner. Verify that every dependency (supplier, system, location) is still active. Confirm every RTO against current recovery capabilities, not the capabilities that existed at certification. Document every discrepancy. The output is a gap register that quantifies drift.

Second, define the trigger mechanism. ISOQAR’s July 2025 CB guidance states that BC arrangements should be “reviewed and updated whenever there is a significant change in your operational environment, structure, locations, personnel, processes or technology, or when an exercise or incident highlights deficiencies.” That translates into a trigger register: organisational restructure, new or discontinued product/service lines, material supplier changes, IT infrastructure migration, site relocation, post-exercise findings of RTO infeasibility, and M&A activity. Assign cross-functional ownership: HR notifies on restructures, IT on infrastructure changes, Procurement on supplier substitutions.

Third, add BIA currency to the Clause 9.1 performance framework. Track date of last BIA review, date of last material operational change, number of open BIA discrepancies, and date of last dependency verification. Include BIA currency as a standing management review agenda item under Clause 9.3.

Fourth, expand internal audit scope. Audit BIA accuracy against current operations, not only document existence and version control. Interview operational line managers, not only the BCMS owner. A BIA that is formally approved and version-controlled but operationally inaccurate is still a conformance problem under Clause 8.6.
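The four steps above can be run as a script rather than a checklist. What follows is an added example, not AEC International’s tooling or any artefact the standard prescribes. It assumes a hypothetical data model (each prioritised activity carries an owner, an RTO and a list of dependencies; the organisation keeps inventories of current teams, active suppliers/systems/sites and last-exercise recovery times; and a change log is tagged with the trigger categories listed above). The sample records are constructed to mirror the scenario described earlier: infrastructure migrated eight months ago, supplier replaced six months ago, business unit restructured four months ago, BIA last reviewed eleven months before the 5 February 2026 as-of date.

```python
"""Added example: age a BIA against current inventories and a change log, and
compute the BIA-currency indicators proposed for the Clause 9.1 framework.
Data model, names and sample records are constructed for illustration."""
from dataclasses import dataclass
from datetime import date

# Hypothetical trigger register, using the change categories listed in the text.
TRIGGER_CATEGORIES = {
    "restructure", "product_line_change", "supplier_change",
    "infrastructure_migration", "site_relocation", "exercise_finding", "m_and_a",
}

@dataclass
class Activity:
    name: str
    owner_team: str
    rto_hours: int            # documented recovery time objective
    dependencies: tuple       # supplier / system / location identifiers

@dataclass
class Bia:
    reviewed_on: date
    activities: tuple

@dataclass
class Inventory:
    teams: frozenset                     # teams that exist today
    active_dependencies: frozenset       # suppliers, systems, sites in use today
    demonstrated_recovery_hours: dict    # activity -> hours achieved at last exercise

@dataclass
class Change:
    occurred_on: date
    category: str
    description: str

def age_bia(bia, inv):
    """Step one: the gap register. Each entry is (activity, gap type, detail)."""
    gaps = []
    for a in bia.activities:
        if a.owner_team not in inv.teams:
            gaps.append((a.name, "owner", f"team '{a.owner_team}' no longer exists"))
        for dep in a.dependencies:
            if dep not in inv.active_dependencies:
                gaps.append((a.name, "dependency", f"'{dep}' is no longer an active dependency"))
        achieved = inv.demonstrated_recovery_hours.get(a.name)
        if achieved is not None and achieved > a.rto_hours:
            gaps.append((a.name, "rto", f"RTO is {a.rto_hours}h but last exercise took {achieved}h"))
    return gaps

def unreviewed_triggers(bia, changes):
    """Step two: trigger-register events that postdate the last BIA review."""
    return [c for c in changes
            if c.category in TRIGGER_CATEGORIES and c.occurred_on > bia.reviewed_on]

def currency_metrics(bia, inv, changes, today):
    """Step three: the indicators to carry into Clause 9.1 reporting and 9.3 review."""
    gaps = age_bia(bia, inv)
    triggers = unreviewed_triggers(bia, changes)
    last_change = max((c.occurred_on for c in triggers), default=None)
    return {
        "days_since_review": (today - bia.reviewed_on).days,
        "days_since_last_material_change": (today - last_change).days if last_change else None,
        "open_discrepancies": len(gaps),
        "unreviewed_triggers": len(triggers),
        "fit_for_purpose": not gaps and not triggers,   # the Clause 8.6 question
    }

# Constructed sample data mirroring the scenario in the text (BIA reviewed eleven
# months before the 5 February 2026 as-of date; three material changes since).
AS_OF = date(2026, 2, 5)
SAMPLE_BIA = Bia(
    reviewed_on=date(2025, 3, 1),
    activities=(
        Activity("Payroll run", "Finance Ops", 24, ("Supplier-PayCo", "ERP-onprem")),
        Activity("Customer support", "Service Desk", 4, ("Telephony",)),
    ),
)
SAMPLE_INVENTORY = Inventory(
    teams=frozenset({"Shared Services", "Service Desk"}),          # Finance Ops merged away
    active_dependencies=frozenset({"Supplier-NewPay", "ERP-cloud", "Telephony"}),
    demonstrated_recovery_hours={"Customer support": 6},           # exercise missed the 4h RTO
)
SAMPLE_CHANGES = (
    Change(date(2025, 6, 1), "infrastructure_migration", "ERP moved to cloud region"),
    Change(date(2025, 8, 1), "supplier_change", "Payroll provider PayCo replaced by NewPay"),
    Change(date(2025, 10, 1), "restructure", "Finance Ops merged into Shared Services"),
    Change(date(2025, 11, 15), "policy_update", "Travel policy revised"),  # not a trigger
)

def run_sample():
    """Currency metrics for the constructed scenario, as a management review would see them."""
    return currency_metrics(SAMPLE_BIA, SAMPLE_INVENTORY, SAMPLE_CHANGES, AS_OF)

if __name__ == "__main__":
    for gap in age_bia(SAMPLE_BIA, SAMPLE_INVENTORY):
        print("GAP", *gap)
    print(run_sample())
```

Run as-is, the gap register lists a vanished owner team, two dead dependencies and one RTO the last exercise could not meet, and the metrics show three trigger events sitting unreviewed for months. Note that a routine annual sign-off would have reset `days_since_review` without touching any of the other indicators, which is exactly why the fourth step audits accuracy and not just the review date.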

[Figure: Example BIA review trigger register with operational change categories]

The Core Problem With ISO 22301 BIA Review

ISO 22301:2019 requires the BIA to be reviewed. It does not require the BIA to be right. The standard’s silence on frequency, trigger thresholds, and staleness criteria means organisations can satisfy the review obligation with an annual sign-off that never interrogates whether the documented recovery priorities still match the organisation’s actual operations.

Clause 8.6 gives auditors the instrument to challenge that approach. The question at surveillance is no longer whether the BIA was reviewed on schedule. It’s whether the BIA would actually work if you activated it tomorrow.

About AEC International

AEC International provides ISO certification, training, and consultancy services at the intersection of business continuity, resilience, and operational risk management. We support organisations across industries in achieving and maintaining ISO certification, from gap analysis and implementation through audit preparation and continual improvement.

Learn more: www.aec.llc