Most organisations that decide to pursue ISO 22301 certification make the same first mistake. They start building the BCMS before they understand what they already have. They commission consultants, begin writing policy documents, and schedule training — before anyone has established whether the existing business continuity practices are broadly aligned with the standard, partially aligned, or starting from nothing.
That sequence is expensive and inefficient. The gap analysis exists precisely to prevent it. Done properly, a gap analysis tells you exactly where your current BCMS stands against the standard’s requirements, which gaps are material and which are cosmetic, what the remediation effort looks like in terms of time and resource, and where the certification programme should begin. It is the diagnostic before the treatment. Skipping it is the equivalent of starting chemotherapy before the scan.
This article explains how to conduct an ISO 22301 gap analysis properly — the methodology, the clause-by-clause assessment approach, the common gaps most organisations discover, and what to do with the findings once the analysis is complete.
What an ISO 22301 Gap Analysis Is — and What It Is Not
An ISO 22301 gap analysis is a structured assessment that compares an organisation’s current business continuity management practices against the requirements of the ISO 22301 standard, clause by clause, to identify the gaps between where the organisation is and where it needs to be to achieve conformance.
What the gap analysis produces
- A clause-by-clause conformance rating — typically expressed as conformant, partially conformant, or non-conformant — for each of the standard’s operative requirements
- A description of the evidence available for each clause, the nature of the gap where one exists, and the risk associated with the gap remaining unaddressed
- A prioritised remediation roadmap that sequences the work required to close gaps in order of materiality and logical dependency
- An estimated effort assessment — the time, resources, and expertise required to close each gap — that allows the organisation to plan the certification programme realistically
- A baseline against which the progress of the BCMS development programme can be tracked
What the gap analysis is not
A gap analysis is not a certification audit. It does not produce a pass or fail verdict on the organisation’s readiness for certification. It is an internal — or externally facilitated — diagnostic exercise. Its findings are not reported to a certification body. Its purpose is to inform the organisation’s own development work, not to satisfy an external auditor. Organisations sometimes conflate the two and approach the gap analysis as a dress rehearsal for certification. That framing is counterproductive. The most useful gap analysis is the most honest one — the one that surfaces uncomfortable truths about what is missing, even when acknowledging those gaps is organisationally inconvenient.
Who Should Conduct the ISO 22301 Gap Analysis
The gap analysis can be conducted internally, by an external consultant, or through a combination of the two. Each approach has advantages and limitations that the organisation should weigh against its own context.
Internal gap analysis
- Advantages: Lower cost, deeper institutional knowledge, no need to brief an external party on organisational context, and direct ownership of the findings by the people who will be responsible for closing the gaps
- Limitations: Risk of self-serving assessment — the people conducting the analysis may be the people responsible for the practices being assessed, creating unconscious bias toward more favourable ratings; limited knowledge of how the standard’s requirements are interpreted in practice by certification bodies; and difficulty in distinguishing between what the organisation thinks it does and what it actually does
- When it works: When the organisation has a BCM practitioner with genuine knowledge of ISO 22301, when the analysis is treated as a genuine diagnostic rather than a validation exercise, and when the findings will be subjected to independent challenge before the remediation programme begins
External gap analysis
- Advantages: Independent perspective that is not affected by internal politics or self-interest; practical knowledge of how certification bodies interpret the standard’s requirements; benchmark visibility across multiple organisations in the same sector; and credibility of findings that makes leadership engagement easier
- Limitations: Higher cost; time required to brief the consultant on organisational context; and risk that findings reflect the consultant’s standard template rather than the organisation’s specific situation
- When it works: When the organisation is starting from a low BCM maturity base and needs an authoritative baseline; when the gap analysis is intended to inform a board-level decision about the certification investment; and when internal BCM expertise is limited
The minimum competency requirement
Regardless of whether the analysis is conducted internally or externally, the person leading it must have working knowledge of ISO 22301:2019 — not just familiarity with its structure, but practical understanding of how the standard’s requirements are interpreted in audit contexts, what evidence is typically expected at each clause, and what constitutes substantive conformance versus superficial compliance. A gap analysis conducted without that knowledge is not a gap analysis. It is a self-assessment against a checklist that the assessor does not fully understand.
The Gap Analysis Methodology: How to Structure the Assessment
A rigorous ISO 22301 gap analysis follows a consistent methodology that covers information gathering, clause-by-clause assessment, evidence evaluation, gap characterisation, and output reporting. The following is the sequence that produces reliable, actionable findings.
Stage 1 — Pre-assessment preparation
- Obtain a copy of ISO 22301:2019 and ensure the assessment lead has read and understood the standard’s requirements — not a summary or a training course overview, but the standard itself
- Define the scope of the BCMS for assessment purposes — which locations, which functions, which services, and which threat scenarios the assessment will cover. The scope definition determines what evidence is in scope and what is excluded.
- Prepare an assessment framework — a structured worksheet mapping each clause to the assessment criteria, the evidence to be reviewed, the rating scale, and the space for findings and observations
- Identify the stakeholders who will need to be interviewed — typically the BCM programme owner, the heads of functions with BCM responsibilities, IT leadership, HR, legal and compliance, and senior management
- Request documentary evidence in advance — existing BCP documents, BIA reports, risk assessments, exercise records, training records, policy documents, and any prior audit or assessment findings
Stage 2 — Document review
The document review is the first pass through available evidence. It establishes what exists in writing and identifies the most obvious gaps before the interviews begin.
- Review each document against the clause it is intended to address — not whether the document exists, but whether its content meets the standard’s requirements
- Assess document currency — when was each document last reviewed and updated, by whom, and is there evidence that it reflects the current operating reality
- Identify documented processes that appear to meet requirements and flag them for verification through interview — the gap between what is documented and what is practised is one of the most consistent findings in BCM gap analyses
- Note missing documentation — clauses for which no relevant document exists, which immediately flag as gaps requiring new development
- Assess the quality of existing BIA and risk assessment outputs — not just whether they exist, but whether they are evidence-based, current, and connected to recovery planning decisions
Stage 3 — Stakeholder interviews
Interviews are where the gap between documented practice and actual practice typically surfaces. The document review shows what the organisation says it does. The interviews reveal what it actually does.
- Interview the BCM programme owner about the governance structure, the leadership engagement, the exercise programme, and the maintenance cycle — and ask for evidence of each, not just assertions
- Interview department heads about their awareness of BCM requirements, their understanding of their department’s continuity plans, and whether they have actually practised the procedures they are responsible for
- Interview IT leadership about the disaster recovery architecture, the backup and recovery procedures, and whether the technical recovery timelines are consistent with the RTOs established in the BIA
- Interview HR about the competency framework for BCM roles, the training programme, and how BCM responsibilities are incorporated into job descriptions and performance frameworks
- Interview a sample of staff with specific BCM responsibilities — not just plan owners, but the people who would actually execute the procedures — and test whether they know what their role requires
Stage 4 — Evidence evaluation and gap rating
For each clause, evaluate the combined evidence from documents and interviews against the standard’s requirements and assign a conformance rating.
A four-point rating scale that works in practice:
- Conformant: The requirement is fully met. Documented evidence and interview evidence are consistent. The practice is embedded and verifiable.
- Substantially conformant: The requirement is largely met but with minor gaps — a process exists but documentation is incomplete, or evidence of consistent application is limited. Low remediation effort required.
- Partially conformant: The requirement is partially met but with significant gaps — the practice exists in some form but is not systematic, not documented to the required level, or not applied consistently across the scope. Moderate remediation effort required.
- Non-conformant: The requirement is not met. No evidence of the required practice exists, or the existing practice is so far from the requirement that it does not constitute partial conformance. Significant remediation effort required.
Clause-by-Clause Assessment: What to Look For at Each Stage
The operative clauses of ISO 22301 — clauses 4 through 10 — each require specific evidence. Understanding what that evidence looks like in practice is what separates a useful gap analysis from a superficial checklist exercise.
Clause 4 — Context of the Organisation
What to look for:
- A documented analysis of the internal and external issues affecting BCM — not a generic list, but one specific to this organisation, this industry, and this operating environment
- An identified and documented list of interested parties — customers, regulators, investors, suppliers, employees — with their specific continuity-related needs and expectations captured
- A defined and documented BCMS scope with a written rationale for any exclusions — and a check that the rationale is genuine, not a device to exclude difficult areas from the assessment
Common gaps: The context analysis exists at a generic level that could apply to any organisation in the sector. The interested party analysis has not been updated to reflect changes in the regulatory environment or the customer base. The scope excludes significant functions without documented justification.
Clause 5 — Leadership
What to look for:
- Demonstrable evidence of top management engagement — not just a policy signature, but participation in exercises, attendance at management reviews, and visible ownership of BCM as a strategic priority
- A BCM policy that is current, specific, and communicated — not a generic template, but one that reflects this organisation’s continuity commitments
- Defined BCM roles with documented responsibilities and authorities — and evidence that the individuals in those roles understand what is required of them
Common gaps: The BCM policy exists but has not been reviewed in more than two years. Top management commitment is evidenced only by a policy signature. BCM roles are assigned to individuals who are unaware of the specific requirements of those roles.
Clause 6 — Planning
What to look for:
- A risk assessment process that is documented, applied, and connected to the continuity strategies selected — not a generic risk register that lives separately from the BCM programme
- Documented continuity objectives with measurable targets — specific RTOs and RPOs for identified critical functions — not vague aspirations about “minimising disruption”
- Planning documentation that shows how continuity objectives will be achieved, by whom, and within what timeframe
Common gaps: The risk assessment exists but has not been updated following organisational changes. Continuity objectives are expressed in qualitative terms without measurable targets. The connection between the risk assessment and the continuity strategies is not documented.
Clause 7 — Support
What to look for:
- Evidence of resource allocation — budget, personnel, and infrastructure committed to the BCM programme, not just acknowledged as necessary
- A documented competency framework for BCM roles, with evidence that individuals in those roles have met the defined requirements — training records, qualifications, or demonstrated experience
- Awareness programme evidence — communications, training materials, and records showing that BCM awareness extends beyond the BCM team to the broader workforce
- A document management system that ensures BCM documentation is controlled, version-managed, and accessible to those who need it — particularly during a disruption
Common gaps: BCM training records exist only for the central BCM team. Awareness of BCM obligations among department heads is inconsistent. Plan documents are stored in locations that may not be accessible during the disruptions they are designed to address.
Clause 8 — Operation
This is the most substantive clause to assess. It contains the requirements that most directly determine whether the organisation can actually perform during a disruption.
- BIA (Clause 8.2): Is it evidence-based? Are MTDs, RTOs, and RPOs established for each critical function? Is it current? Is it connected to the recovery strategies and plans?
- Continuity strategies (Clause 8.3): Are strategies documented for each critical function? Is there evidence that alternative options were considered and the selected strategy is justified?
- Plans and procedures (Clause 8.4): Do plans exist that are genuinely executable — not just descriptive? Do they include activation criteria, response structure, communication protocols, and recovery procedures that a deputy could follow without additional briefing?
- Exercise programme (Clause 8.5): Has an exercise been conducted? Is it documented? Were findings captured and acted upon?
Common gaps at Clause 8 are the most consequential and the most commonly found. BIAs that are generic rather than evidence-based. RTOs that were set by estimation rather than analysis. Plans that describe what the organisation will do without providing the procedural detail to actually do it. Exercise programmes that have not been conducted, or that have been conducted but not documented, or that have been documented but whose findings have not been actioned.
Clause 9 — Performance Evaluation
What to look for:
- Defined BCM performance metrics — what is being measured, at what frequency, and by whom
- An internal audit programme with documented scope, schedule, findings, and follow-up actions
- Management review records — evidence that senior leadership has formally reviewed the BCMS performance, with documented inputs, outputs, and decisions
Common gaps: Performance metrics exist on paper but are not actively monitored. Internal audits of the BCMS have not been conducted or are conducted by individuals who are also responsible for the BCMS, creating a conflict of interest. Management reviews are informal conversations rather than documented formal reviews.
Clause 10 — Improvement
What to look for:
- A documented process for identifying, investigating, and correcting nonconformities
- Evidence that nonconformities identified through audits, exercises, and incidents have been addressed — with root cause analysis, corrective action, and verification of effectiveness
- Evidence of continual improvement — the BCMS has been updated in response to changing circumstances, exercise findings, and incident learnings, not just maintained in its original form
Common gaps: Nonconformities from exercises and audits are recorded but not formally tracked to resolution. Corrective actions are agreed verbally but not documented. The BCMS has not been meaningfully updated since its initial development.
Prioritising and Presenting Gap Analysis Findings
A gap analysis that produces a list of findings without prioritisation is useful as a record but not as a planning tool. The findings need to be organised in a way that drives decisions about where to start and what to invest.
How to prioritise remediation
- Major nonconformities first: In ISO audit terminology, a major nonconformity is a gap that either completely fails to meet a requirement or that directly undermines the system’s ability to achieve its intended outcomes. These are the gaps that would prevent certification and the ones that most likely mean the organisation cannot perform during a disruption. They go to the top of the remediation queue.
- Logical dependencies second: Some gaps cannot be closed until other gaps have been closed first. The BIA must be completed before recovery strategies can be validated. The recovery strategies must be defined before plans can be written. The plans must exist before an exercise can test them. The remediation sequence must respect these logical dependencies — starting with the BIA even if it is not the most uncomfortable gap to acknowledge.
- Quick wins third: Gaps that can be closed with low effort — a policy that needs updating, a document that needs version control, a training record that needs to be formalised — should be addressed in parallel with the major work. They build momentum, demonstrate progress, and prevent the gap analysis findings from being dismissed as overwhelming.
- Resource constraints fourth: The sequence must be achievable with the resources available. A remediation plan that requires simultaneous work on all gaps across all clauses is not a plan. It is a wish list. Realistic sequencing — what can be done in the first quarter, the second quarter, the second half of the year — is what turns a gap analysis into a certification programme.
How to present findings to leadership
Gap analysis findings should be presented to senior leadership in business terms, not standard terms. Leadership does not need a clause-by-clause recitation of what is non-conformant. They need to understand: what is the current BCM maturity level, what are the most significant risks the gaps create, what investment is required to close them, and what the certification timeline looks like if that investment is made. A one-page executive summary with a traffic-light dashboard and a realistic programme timeline is more likely to secure leadership commitment than a forty-page technical report.
From Gap Analysis to Certification Programme: Building the Remediation Roadmap
The gap analysis output is the input to the certification programme. The remediation roadmap translates the prioritised findings into a structured programme with milestones, owners, and timelines.
The components of an effective remediation roadmap
- Milestone structure: Defined phases — typically Foundation (governance, scope, policy, context), Analysis (BIA, risk assessment), Strategy and Planning (continuity strategies, plan development), Validation (exercises, testing), and Readiness (audit, management review) — with completion criteria for each phase
- Action ownership: Each remediation action assigned to a named individual with accountability for completion, not just responsibility for progress
- Timeline realism: Timelines built from the actual effort required — not from the date by which leadership wants certification, working backwards. A BIA conducted properly for a complex organisation takes weeks, not days. Plans written to a standard that a deputy can actually execute take time. Compressing those timelines produces documentation that satisfies a checklist, not a system that works.
- Progress tracking: A governance mechanism — a steering group, a monthly review, a programme dashboard — that tracks progress against the roadmap and surfaces blockages before they derail the programme
- Pre-certification internal audit: An internal audit conducted against the standard’s requirements before the Stage 1 certification audit, to identify any remaining gaps and ensure the Stage 2 audit does not encounter surprises
Building the knowledge to conduct a credible gap analysis, develop a conformant BCMS, and navigate the certification process requires both theoretical understanding of the standard and practical experience of its application. The ISO IEC 22301 – Business Continuity Management Course at EuroMaTech provides exactly that combination — covering the full ten-stage BCM lifecycle as defined by the standard, with practical exercises including a BIA, risk assessment, and plan development that give practitioners the hands-on capability to conduct a rigorous gap analysis and lead the remediation programme that follows it.
Common ISO 22301 Gap Analysis Findings Across Industries
While every organisation’s gap analysis will surface findings specific to its context, certain gaps appear with enough consistency across industries to be worth anticipating before the assessment begins. Knowing they are likely does not make them easier to close — but it does allow the organisation to allocate realistic effort rather than being surprised by what the analysis reveals.
The gaps that appear most consistently
- BIA quality: The most consistently identified gap, across virtually every sector and every size of organisation. The BIA exists but is generic, not evidence-based, and is not connected to the recovery strategies the organisation has selected. MTDs and RTOs were set by estimation, not by analysis of contractual, regulatory, and financial evidence.
- Exercise programme absence or inadequacy: Either no exercises have been conducted, or exercises have been conducted but not documented, or exercises have been documented but the findings have not been used to improve the BCMS. The clause 8.5 requirement for a planned, documented, and acted-upon exercise programme is one of the most commonly undermet requirements in the standard.
- Leadership engagement evidence: The BCM policy exists and is signed. Beyond that, evidence of top management commitment is limited. Management reviews have not been formally conducted. Senior leadership cannot describe the organisation’s BCM objectives, the status of the programme, or the most significant BCM risks.
- Plan usability: Plans describe what will happen rather than how to make it happen. They are written for an audience that is already familiar with the organisation’s systems, suppliers, and procedures — not for a deputy taking over a critical function for the first time under pressure. Contact lists are out of date. Workaround procedures are described at a level of abstraction that does not translate into executable steps.
- Supply chain and third-party continuity: The organisation’s own BCM programme is reasonable, but the continuity requirements placed on critical suppliers and third-party service providers are absent or unenforced. The plan assumes supplier availability that has never been validated through supplier BCM assessment.
- Document currency: Plans, BIAs, and risk assessments that were developed during the initial BCMS build and have not been updated since. Staff lists with people who have left. Systems lists with applications that have been decommissioned. Recovery procedures referencing facilities that no longer exist.
Frequently Asked Questions
What is an ISO 22301 gap analysis?
An ISO 22301 gap analysis is a structured assessment that compares an organisation’s current business continuity management practices against the requirements of ISO 22301:2019, clause by clause, to identify the gaps between where the organisation is and where it needs to be to achieve conformance. It produces a conformance rating for each clause, a description of the evidence available and the gaps identified, and a prioritised remediation roadmap that guides the work required to close those gaps before certification.
When should an ISO 22301 gap analysis be conducted?
The most common trigger is a decision to pursue ISO 22301 certification — the gap analysis establishes the baseline and informs the certification programme plan. But gap analyses are also conducted at other inflection points: after a significant organisational change that may have affected BCM capability, after a major incident or exercise that revealed systemic weaknesses, as part of an annual BCMS review cycle, or when a regulatory or contractual requirement to demonstrate BCM capability has been introduced. The gap analysis is the diagnostic. The circumstances that justify the diagnostic vary.
How long does an ISO 22301 gap analysis take?
Duration depends on organisational size and complexity. For a single-site organisation with a defined scope, a thorough gap analysis typically takes two to four weeks — including document review, stakeholder interviews, evidence evaluation, and report production. For a multisite, multinational organisation with a broad BCMS scope, the assessment may take six to ten weeks. Organisations that try to conduct a gap analysis in two to three days are conducting a document review, not a gap analysis. The interview and evidence evaluation components take time that cannot be compressed without compromising the quality of the findings.
What is the difference between a gap analysis and a certification audit?
A gap analysis is an internal — or externally facilitated — diagnostic exercise conducted by or on behalf of the organisation. Its findings are for the organisation’s use in planning remediation. It does not produce a certification decision. A certification audit is conducted by an accredited third-party certification body and results in a decision to certify or not certify. The Stage 1 certification audit reviews documentation. The Stage 2 audit reviews implementation. A gap analysis is typically conducted before the certification programme begins, to inform what the programme needs to achieve. A pre-certification internal audit is typically conducted immediately before the Stage 1 audit, to confirm readiness.
What rating scale should be used in a gap analysis?
The most practical rating scale for an ISO 22301 gap analysis uses four levels: conformant — the requirement is fully met with consistent evidence; substantially conformant — largely met with minor gaps requiring limited remediation; partially conformant — partially met with significant gaps requiring moderate remediation; and non-conformant — the requirement is not met, requiring new development or major remediation. Some practitioners use a three-level scale — conformant, partially conformant, non-conformant — which is simpler but loses the distinction between minor and major gaps that is useful for remediation prioritisation.
What are the most common gaps found in ISO 22301 assessments?
The most consistently identified gaps are: a BIA that exists but is not evidence-based and is disconnected from recovery planning decisions; an exercise programme that is absent, undocumented, or not acted upon; limited evidence of genuine top management engagement beyond policy sign-off; plans that describe what will happen rather than providing executable procedures; inadequate supply chain and third-party BCM requirements; and documentation that has not been maintained and no longer reflects the current operational reality. These gaps appear across sectors and organisation sizes with enough consistency that any organisation beginning a gap analysis should allocate specific assessment effort to each of them.
Can a gap analysis be conducted internally?
Yes, provided the person conducting it has genuine working knowledge of ISO 22301 — not just familiarity with its structure, but understanding of how the standard’s requirements are interpreted in audit contexts and what evidence is expected at each clause. The risk of an internal gap analysis is self-serving assessment, where the people conducting the analysis are also responsible for the practices being assessed and unconsciously rate them more favourably than the evidence warrants. Organisations that conduct internal gap analyses should subject the findings to independent challenge — from an external BCM consultant, an internal audit function with BCM knowledge, or a peer review — before using them to plan the certification programme.
How does the gap analysis connect to the certification timeline?
The gap analysis findings directly determine the certification timeline. The number and materiality of the gaps, combined with the organisation’s available resources, define how long the remediation programme will take. Organisations with a relatively mature BCM baseline and limited gaps may be ready for Stage 1 audit within six months of the gap analysis. Organisations starting from a low maturity base with significant gaps across multiple clauses may need twelve to eighteen months. The gap analysis prevents organisations from committing to a certification timeline before they understand what closing the gaps actually requires — which is the most common cause of certification programmes that stall or overshoot their planned timelines.
What happens after the gap analysis is complete?
The gap analysis output feeds directly into a remediation roadmap — a structured programme that sequences the work required to close identified gaps, assigns ownership for each action, sets realistic timelines, and defines the milestones that mark progress toward certification readiness. The roadmap should respect logical dependencies — the BIA must be completed before recovery strategies can be validated; strategies must be defined before plans can be written; plans must exist before exercises can test them. A pre-certification internal audit, conducted once the remediation programme is substantially complete, verifies that gaps have been closed before the Stage 1 certification audit is scheduled.