Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

Why become a BCMS Lead Auditor?

Over a series of articles, Hilary Estall, Director of Perpetual Solutions, will be discussing subject areas aimed at those managing a business continuity management system (BCMS) and in particular, those systems certified to ISO 22301. With her pragmatic approach to management systems and auditing in particular, Hilary will offer an insight into areas not widely discussed but still important for the ongoing success of a BCMS.

In her first article, Hilary Estall shares her thoughts on becoming a BCMS Lead Auditor and explores why people sometimes mistakenly opt for this particular auditor classification when more appropriate options may be available:

In this article I consider the role of the Lead Auditor and why so many individuals opt for this route for their auditor training. It’s a subject close to my heart and one which, in my opinion, is misrepresented and therefore misunderstood by those seeking auditor training. Whilst it’s not limited to business continuity management system standards, this is the context in which I have written the article.

Are you just following the auditor crowd?

For those of you reading this who are already ‘trained’ auditors, I’d ask you to think back to when you were starting out in the role and how you went about identifying an auditor training course. It’s more than likely you either looked at a handful of different auditor training courses being offered and opted for a five day Lead Auditor course (which probably included an exam) or were simply told by your manager you were being sent on an ISO 22301/BS 25999 Lead Auditor course. This is the most common approach and one, I believe, that is founded on a market driven assumption that you have to be a Lead Auditor in order to carry out audits. You don’t!

Depending on the nature of the audits you undertake, there are other training options available, but more often than not, these are passed over for the Lead Auditor route. An auditor who takes the lead in a team based audit is known as the Lead Auditor. They are expected to display different/additional characteristics and skills to the auditors who make up the rest of the team, of which I will explain more, later. In reality, how many organizations certified to ISO 22301 or seeking certification, run a programme of first party audits, (known as internal audits) utilising a team of auditors, working together on the same audit, at the same time? Unless you are part of a large corporate organization with an all-embracing BCMS, it is unlikely that your audit programme will follow this approach. My experience of conducting audits as well as auditing client audit programmes supports this statement. So why is it assumed necessary to train every auditor within a company, to Lead Auditor status? It’s time consuming, expensive and, once back in the work environment, under-utilised. Why not establish your audit team and over time, if you intend running audit teams, develop auditors’ skills, as they mature in their role? The role of a BCMS auditor is important and should be seen as a career development opportunity, not something performed once or twice a year to keep internal and third parties happy.

Expectations of a Lead Auditor

Before I discuss the specific characteristics expected of a Lead Auditor, it’s important to be clear on the pre-requisites of attending a BCMS Lead Auditor training course. It forms part of the pre course brief which should be communicated by training providers, but we know from experience that delegates do not always meet the basic criteria. These are:

1. Knowledge of the requirements of ISO 22301. (That means you have read and understood the standard!)

2. Knowledge of the following business continuity management principles and concepts:

  • The purpose and benefits of a business impact analysis.
  • The principals of risk assessment and analysis.
  • Typical business continuity strategies.
  • Business continuity response options.
  • BCMS performance metrics, monitoring and performance measurement.
  • Exercise and testing methodologies.

Equally important, it assumes a pre-existing awareness for management system standards and the basic principles of auditing them.

If ISO 22301 is the first management system you have encountered and you are being asked to audit the company’s BCMS, you need to have developed this level of knowledge before attending the BCMS Lead Auditor course.

Returning to the original question; what are the expectations of the Lead Auditor? Over and above the ability to apply basic auditing principles which include integrity, objectivity, accuracy, discretion and impartiality, a Lead Auditor is also expected to:

  • Select his/her audit team based on competency, experience and suitability.
  • Plan audit logistics; sites, timings, travel arrangements for his/her audit team.
  • Plan the audit scope and agenda, allocating responsibilities to each of his/her team.
  • Manage the entire audit process including opening, interim and closing meetings with the client/auditee’s management team.
  • Establish his/her team’s findings and lead auditor discussions.
  • Identify trends and direct audit team members to follow up audit trails where appropriate.
  • Determine overall audit findings and conclusions and communicate to the client.
  • Agree a suitable action plan with the client following the audit, including any follow up audit to review and close nonconformities.
  • Act as the liaison point with the client, before, during and after the audit. In other words, take charge of the audit, in its entirety.

This is what the Lead Auditor course addresses so if you are attending the course hoping to learn about ISO 22301, BCM Principles or acquire basic auditing skills, you may, at the very least, be disappointed and, more importantly, feel out of your depth or confused by the direction taken by the tutor.

So why do most BCMS internal auditors opt for this training and run the risk of returning to their audit duties, bewildered and scared of not conducting a meaningful audit? Because it’s what everyone else does!

How do you conduct BCMS internal audits?

1. Do you work from a pre-defined audit programme produced by the client/business continuity manager?

2. Has the scope of the audit, or at least the outline, been agreed in advance?

3. Do you have the freedom to select which departments/teams you audit?

4. Are you expected to cover the entire scope of the BCMS in a single/set number of audits and have these been identified for you?

5. Have target dates been set for you to complete the audit?

6. Are you expected to agree findings with the auditee and establish a suitable follow up audit or document review?

7. Do you complete the audit report and other documentation?

8. Do you ‘own’ the audit through to final closure?

These are all typical internal audit functions and, depending on the level of autonomy given to the auditor, will generally cover the scope of the work you are expected to carry out. In order to be competent (and confident) to conduct such an audit you are going to need to:

  • Be able to apply the requirements of ISO 22301 in the context of an audit (through learning the contents and applicability of the standard).
  • Understand each stage of the audit process.
  • Carry out each phase of the internal audit (planning, communication, audit, reporting, follow up and closure).
  • Assess findings and make informed decisions to support the improvement of the BCMS.

The above BCMS auditor functions are all covered by IRCA approved Internal Auditor training courses and can be accomplished in two days.


Lead Auditor training courses are great if you intend leading a team of auditors on a regular basis. In fact for some organizations as well as individual auditors, particularly those working for third party certification bodies, they are a pre-requisite. However, I hope I have conveyed the message that they are not the only option and, often, are a less favourable one for individuals setting out on their BCMS auditor journey.

Ironically, my company, Perpetual Solutions, has recently added a BCMS Lead Auditor course to its training portfolio! Not because we believe it’s at the top of the ‘must have’ BCMS training programme, but because we keep being asked for it! I rest my case.

The author

Hilary Estall, MBCI and IRCA BCMS Lead Auditor is Director of Perpetual Solutions Limited, a business continuity and management systems consultancy practice.

•Date: 6th August 2014 • UK/World •Type: Article • Topic: Business continuity standards

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here