
What to expect from your BS 25999 audit

The word audit may conjure up thoughts of fear and dread in people's minds, and those being audited are understandably anxious about what they are about to go through. This article looks at what the auditor will expect to see within your business continuity management system, and gives you some useful hints on what you can do to make the experience as pain-free as possible.

What do they look for?
Firstly, it is important to stress that auditors look for compliance with the standard rather than non-compliance. They are not out to trip you up or fail you. They really do want you to be successful and will be looking for evidence that your systems and processes meet the requirements of the standard. Auditors will have been matched for their suitability to your industry sector. They will bring a level of experience which they will be able to draw upon when considering the appropriateness of your business continuity arrangements.

A BS 25999 audit is made up of samples
Audits are based on a practice called sampling. This means that, where there is a choice to be made, the auditor will select at random what they wish to look at. An example of this would be a proportion of business continuity plans, or a selection of internal audits from the audit schedule.

The aim is to obtain sufficient evidence to support conformance (or otherwise) to the requirements of the standard without looking at every single piece of work that has been conducted. Sampling also maintains an element of surprise, so that you cannot put in front of the auditor only what you want them to see.

Preparation for the audit
Prior to the audit, the auditor will make contact with you to agree a suitable agenda. Depending on the type of audit you are about to undergo, the plan will set out what the auditor intends to address and where. If a number of locations are included in scope, you will be told which are to be visited and when. However, as the audit is based on sampling, the finer detail, for example which BC plans and exercises will be examined, will be selected by the auditor once the audit has commenced.

Scope of your Business Continuity Management System
It is likely that the auditor will look at the scope of your business continuity management system (BCMS) first. The auditor will be looking to make sure that it covers your key products and services and is aligned with both your company objectives and your business continuity objectives. After all, there is little worth in certifying only your Human Resources department when you are a company providing services to the public, even though that department is instrumental in the running of your business.

As a business, you must decide what your scope should be and whether you opt for a phased approach to certifying your BCMS or a big bang approach covering all of your products and services at once. There is no right or wrong answer here, but you must be able to justify your decision to the auditors so that they can understand your logic.

Involvement at all levels in your business
To be sustainable, your business continuity management system must have the ongoing support of the company's Senior Management team. The auditor will be looking for evidence that a Sponsor has been appointed and is actively involved in some way: not necessarily in preparing documentation, but, for example, in making key decisions on business continuity strategies, budgets and resources. There may be a formal interview between the Sponsor and the auditor, and the findings of this conversation, like all others, will be followed through in the form of an audit trail during the remainder of the audit.

Who is responsible for what?
As well as appointing a business continuity Sponsor, other staff will need to be allocated roles to ensure the implementation and ongoing maintenance of the BCMS. Careful consideration is required prior to these appointments, and you will be expected to explain the rationale behind your selection process. It comes down to how you have determined the necessary competencies for each role; this underpins the credibility of your entire BCMS, so choose carefully.

Finally, on the human side of business continuity, it is important to stress that well-maintained business continuity arrangements are not just down to a select few. In fact, every member of management and staff has a role to play, and it is imperative that they all understand this in the context of their day-to-day roles.

Embedding business continuity into the culture of the company is critical to achieving certification to BS 25999 (as well as to successful business continuity arrangements), and the auditor will be keen to satisfy themselves that randomly selected staff can speak knowledgeably about, for example, what they would do in the event of a disruption and any involvement they might have had in an exercise scenario.

Continual improvements are important
Finally, like all management systems, your BCMS is all about continual improvement. This means that as time goes by and plans and processes are practised and reviewed, changes are made which enhance their ability to meet the needs they were originally designed for. It means that as the company evolves, so do the business continuity arrangements. When external factors such as the environment or national security change, the company is mindful of this and reacts accordingly.

What you can do to support the audit process

  • Be prepared! Ensure you have a complete BCMS in place
  • Understand the concept of sampling and explain it to staff so they all know what to expect
  • Review the audit plan provided and make sure that you fully understand what will be expected on the day. Ask the auditor if you are unsure about anything
  • Be able to provide practical evidence that your systems are effective
  • Be calm on the day and support your staff through the audit

Article by Hilary Estall
BS 25999 auditor and Director of Perpetual Solutions Limited
www.pslinfo.co.uk
