Why do we need a readiness programme?
People are at the heart of crisis and incident response; they are often the biggest strength but also a potential vulnerability in terms of performance and consistency. Whether it is for regulatory, commercial or operational benefits, many organisations either align or certify against the international standard for Business Continuity Management Systems (BCMS), ISO 22301:2019, which sets out requirements for training and exercising in clauses 4–10. As ISO 22301 Lead Auditor trained Resilience, Readiness and Control Room experts, we set out here the key areas in which you need to consider how you produce, deliver and document your training and exercising.
The muscle memory and deep learning from rehearsing your plans and arrangements are proven to make your response more efficient and consistent. Delays or mistakes when responding to an incident will ultimately cost time, money and reputation, and may lead to regulatory non-compliance and litigation. Training and exercises are a proven and effective way to assure senior managers that their response and that of their managers, teams and partners will work as effectively as possible.
For organisations that certify against ISO 22301, the evidence gathered needs to include the readiness, testing and exercising programme (what is being tested, with whom and when), the training and exercising content, the audit trail of training and exercising attendance, and the outcomes, with clear evidence of debrief reports and action plans being addressed within the organisation’s governance structure. We also recommend clients ensure that outputs are retained from the chosen crisis/incident management log platform as evidence of decision making and information management.
Training
Training is the first area to look at, and we always recommend a structured training programme ahead of exercising. In our experience, trainees need to know why the topic of business continuity and crisis management is relevant, and that starts with education. Clause 7 of ISO 22301 talks about ensuring that those “performing roles within the BCMS are competent, based on education, training, or experience.” Furthermore, there needs to be evidence of awareness: can they describe the key aspects of the plans, e.g. Policy, Business Continuity Plan, Crisis/Incident Plans? Do they recognise the role they play in planning and in response, and the consequences of non-conformity?
When supporting audits, having an attendance sheet with dates, attendees and content is important, but so is evidence of the competency assessments. As a Skills for Justice Learning Centre we undertake training needs analyses, mapping roles to competencies such as those from the National Occupational Standards. We often mention in training that most of the response to a disruption is the normal role in abnormal circumstances, but competency frameworks are an objective basis for matching the right roles and people to the plan. Additional evidence for auditors would include awareness campaigns if they are a feature in your ‘training’ programme.
Like peeling back layers of an onion, it is rare that we see an organisation transition from no plan to a certified management system in weeks or months; developing and embedding a crisis, business continuity and incident structure often involves developing foundation arrangements and then peeling back additional layers as the planning, training and exercising programmes mature.
Exercising
The next area of development is Exercises. These vary in scale, style and scope but are all about validating your plans, procedures and people. Sometimes Exercises can be a tick-box exercise, certainly when an audit deadline looms. However, a truly ready organisation does not scrimp on this phase: your people’s lived experience of exercise scenarios is the practice run ahead of your next incident.
Clause 8.5 of ISO 22301 requires organisations to implement and maintain a programme of exercises and tests to validate the effectiveness of plans and strategies, with requirements focused on aligning the exercises with business continuity objectives, i.e. inclusion of relevant parts of the organisation, realistic scenarios and clear aims/objectives, involvement of the right internal and external stakeholders, and a focus on teamwork and validating competence.
Whether you are working to an audit regime or just needing to track exercise learning and improvements, exercise reporting starts with a report format for facilitators and observers, tools to track discussion and feedback, and a debrief feedback process. Outcomes, recommendations and actions for improvement all need to feature in that debrief report, with a clear feedback loop into organisational improvements to close gaps. ‘How often do we need to exercise?’ is a common question. At least annually, and when systems, organisational structure or other factors change, e.g. office moves or significant new products/services being delivered.
Resources
Need more assistance? Here are some bite-sized resources in checklist format to support your planning.
Mandatory Documentation Checklist (ISO 22301:2019)
- Competency records for personnel (Clause 7.2).
- Business continuity plans and procedures (Clause 8.4).
- Exercise programme and post-exercise reports (Clause 8.5).
- Internal audit programme and results (Clause 9.2).
- Management review results (Clause 9.3).
- Records of nonconformities and corrective actions (Clause 10.1).
Training and Exercising Checklist for ISO 22301 Compliance
Training & Awareness
- Readiness Training, Testing and Exercising Plan documented and approved.
- Role-specific training delivered (managers, staff).
- Attendance records maintained (dates, names, signatures).
- Competency assessments completed and filed.
- Awareness communications and initiatives (policy, roles, consequences) distributed.
- Audit trail of training activities available for review.
Drills & Exercises
- Readiness Training, Testing and Exercising Plan documented (scope, type of session, risks and business areas in focus, frequency).
- Scenario plans prepared and approved.
- Pre-exercise briefing records retained.
- Exercise execution records (internal participants and external interested parties, timings, log of information and decisions).
- Debrief reports completed and signed off with feedback loop into management reporting/governance.
- Corrective actions logged and tracked to closure.
Audit & Review
- Internal audit schedule documented.
- Audit reports filed with findings and actions.
- Management review minutes recorded.
- Evidence of continual improvement maintained.
Compliance Matrix (ISO 22301 Clauses vs Requirements)
| Clause | Requirement | Evidence Required |
|---|---|---|
| 7.2 Competence | Ensure personnel are competent | Training records, competency assessments |
| 7.3 Awareness | Staff aware of crisis/business continuity/incident plans and roles | Awareness campaign materials |
| 8.5 Exercising & Testing | Programme of exercises and tests | Exercise plan, execution logs, debrief reports |
| 9.2 Internal Audit | Verify BCMS conformity | Audit schedule, audit reports |
| 9.3 Management Review | Review BCMS performance | Meeting minutes, improvement actions |
| 10.1 Nonconformity & Corrective Action | Address issues and improve | Corrective action logs |
What makes us a credible source of advice? You could just ask ChatGPT for more (only the image on this post came from AI!). With 90% of our clients retaining us year on year and the majority of our work coming from referral, we are a trusted and authentic Consultancy with over twenty years’ experience of project delivery, incidents and crises.



