ISO 22301 Gap Analysis Template: Assess Your BCMS Maturity
Most organizations pursuing ISO 22301 certification make the same mistake: they start building documents before they understand what they already have — and how far it falls short.
A gap analysis flips that sequence. Before you write a single policy or procedure, you map your current BCMS state against the 7 mandatory clauses of ISO 22301:2019. What you find tells you exactly where to invest time, where you’re closer than you thought, and what would get flagged as a major nonconformity if a certification body auditor walked in tomorrow.
This is the tool that separates organizations that pass Stage 1 audits cleanly from the ones that get buried in corrective action requests before their external audit even begins.
TL;DR
- An ISO 22301 gap analysis assesses your BCMS clause by clause against the 2019 standard — before your certification audit finds the gaps for you.
- Use a Red/Amber/Green scoring system across Clauses 4–10 to see your current maturity at a glance.
- The most common gaps: weak leadership documentation (Clause 5), incomplete BIA (Clause 6), BC plans that describe strategies but not procedures (Clause 8), and testing programs that never change scenarios (Clause 8).
- A gap analysis produces an action plan, not a certificate — but the action plan is what gets you to the certificate.
What an ISO 22301 Gap Analysis Actually Does
The goal is simple: identify the distance between where your BCMS is today and where ISO 22301:2019 requires it to be.
The analysis covers all mandatory clauses (4 through 10), evaluates both documentation and operational evidence, and produces a prioritized list of remediation actions. It’s not a pass/fail — it’s a maturity snapshot with a roadmap attached.
What it examines:
- Documents: policies, procedures, BIA outputs, risk assessments, BC plans, exercise reports, management review minutes
- Evidence of implementation: records showing processes are actively run, not just documented
- Stakeholder interviews: confirming that the people responsible for BC actually know their roles
The distinction between documentation and implementation evidence is where most organizations fail. You can have a complete set of policies and still score Red on Clause 8 if no one has actually tested the plan against a realistic scenario.
ISO 22301:2019 — The 7 Mandatory Clauses
Clauses 1–3 are definitional (scope, normative references, terms). The assessment work happens in Clauses 4–10.
| Clause | Title | What It Requires |
|---|---|---|
| 4 | Context of the Organization | Define BCMS scope; identify internal/external factors affecting continuity; map interested parties and their requirements |
| 5 | Leadership | Top management commitment documented; BC policy issued; roles, responsibilities, and authorities formally assigned |
| 6 | Planning | Risk assessment conducted; BIA completed and maintained; BC objectives defined with measurable targets |
| 7 | Support | Resources allocated; competence requirements defined and met; awareness program in place; documented information controlled |
| 8 | Operation | BC procedures implemented and exercisable; incident response capability tested; BC plans document who does what in what order |
| 9 | Performance Evaluation | Monitoring and measurement of BCMS performance; internal audits conducted at planned intervals; management reviews held with documented inputs/outputs |
| 10 | Improvement | Nonconformities identified, root-caused, and corrected; corrective actions prevent recurrence; continual improvement process in place |
How to Score Your Gap Analysis
Most practitioners use a three-tier RAG system, sometimes combined with a 0–5 numeric scale. Here’s a workable scoring guide:
| Score | RAG | Meaning | Certification Risk |
|---|---|---|---|
| 0 | Red | Requirement absent or completely unmet | Major nonconformity — blocks certification |
| 1 | Red | Minimal evidence; significant gaps | Major nonconformity likely |
| 2 | Amber | Partial compliance; key elements missing | Minor nonconformity or OFI |
| 3 | Amber | Mostly compliant with isolated gaps | OFI; may pass with conditions |
| 4 | Green | Substantially compliant; minor improvements needed | Will likely pass |
| 5 | Green | Fully compliant with evidence of ongoing effectiveness | No finding expected |
A score below 3 on any sub-clause is a remediation priority. A score of 0 or 1 on any sub-clause of Clause 8 (Operation) is a serious problem — external auditors spend more time on Clause 8 than any other.
Clause-by-Clause Assessment Template
Use these assessment questions as your evaluation criteria. For each item, assign a score (0–5) and note the evidence you reviewed.
Clause 4 — Context of the Organization
4.1 Understanding the organization and its context
- Have you identified internal factors that affect your ability to achieve BCMS objectives (structure, culture, resources, technology)?
- Have you identified external factors (regulatory, competitive, social, technological environment)?
- Are these documented and kept current?
4.2 Understanding the needs and expectations of interested parties
- Have you identified interested parties (customers, regulators, suppliers, employees)?
- Are their requirements documented and reviewed for relevance?
- Does your BCMS scope reflect these requirements?
4.3 Determining the scope of the BCMS
- Is the scope formally documented with a clear statement of what is and isn’t included?
- Does the scope cover the activities, functions, services, and locations that matter for continuity?
4.4 Business continuity management system
- Is there a functioning BCMS — policies, processes, procedures — that covers the scope?
Clause 5 — Leadership
5.1 Leadership and commitment
- Is there documented evidence of top management commitment (signed policy, board minutes, management review participation)?
- Are resources allocated with visible management support?
5.2 Policy
- Is a BC policy issued and communicated that sets the intent and direction of the BCMS?
- Does it include a commitment to satisfy requirements and continually improve?
5.3 Roles, responsibilities, and authorities
- Are BC roles formally assigned to named individuals?
- Do all role-holders understand their responsibilities?
- Is there a BC Manager or equivalent with clear authority?
This is the most commonly under-documented clause. “Management supports BC” isn’t evidence. Board minutes showing BC was discussed, a signed policy with a named owner, and a roles matrix with acknowledged responsibilities — that’s evidence.
Clause 6 — Planning
6.1 Actions to address risks and opportunities
- Has a risk assessment been conducted for BC-relevant threats?
- Are the outputs used to inform BC strategies?
6.2 Business continuity objectives and planning to achieve them
- Are BCMS objectives documented (e.g., target RTO for critical functions, exercise frequency)?
- Is there a plan for how these objectives will be achieved and measured?
6.3 Business impact analysis
- Has a BIA been completed covering critical activities, resources, and recovery time objectives?
- Is the BIA reviewed after organizational changes and at least annually?
- Do BIA results directly inform recovery strategies?
Clause 7 — Support
7.1–7.2 Resources and competence
- Are resource requirements for BC activities identified and met?
- Are competence requirements defined for BC roles?
- Is training provided and documented?
7.3 Awareness
- Do relevant staff understand the BC policy, their role in it, and the implications of not conforming?
7.4 Communication
- Are internal and external communication requirements during a disruption documented?
- Are spokespeople and messaging chains identified?
7.5 Documented information
- Are all required documents controlled, versioned, and distributed?
- Is there a document control procedure that prevents outdated procedures from being in circulation?
Clause 8 — Operation
This is the core of the BCMS and where most gap analysis failures cluster.
8.1 Operational planning and control
- Are BC procedures implemented, not just written?
- Are there documented processes to confirm continued operational effectiveness?
8.2 Business impact analysis and risk assessment (operational)
- Are BIA and risk assessment outputs kept current and reflected in plans?
8.3 Business continuity strategy and solutions
- Are recovery strategies defined and documented for critical activities?
- Are resource requirements (staff, technology, facilities) identified for each strategy?
8.4 Business continuity plans and procedures
- Do BC plans specify who does what, in what order, with what resources?
- Are plans written for the people who will execute them, not for management review?
- Do plans include escalation criteria, invocation procedures, and communication requirements?
8.5 Exercise programme
- Is there a documented exercise program covering multiple scenarios?
- Are exercises conducted regularly (minimum annually)?
- Do exercises test different functions and scenarios, not the same walkthrough every year?
8.6 Evaluation of business continuity documentation and capabilities
- Is there a formal post-exercise review process?
- Are lessons learned documented and acted upon?
Clause 9 — Performance Evaluation
9.1 Monitoring, measurement, analysis and evaluation
- Are BC performance metrics defined and tracked (e.g., RTO achievement in exercises, plan currency rate, training completion)?
9.2 Internal audit
- Is there a documented internal audit programme?
- Have internal audits been conducted at planned intervals?
- Are audit reports retained and nonconformities tracked?
9.3 Management review
- Are management reviews held at planned intervals?
- Do reviews cover the required inputs: audit results, performance trends, lessons learned, changes affecting the BCMS?
- Are review outputs documented (decisions made, actions assigned)?
Clause 10 — Improvement
10.1 Nonconformity and corrective action
- Is there a process for identifying and documenting nonconformities?
- Are root causes analyzed and corrective actions implemented to prevent recurrence?
- Are corrective action records retained?
10.2 Continual improvement
- Is there evidence that the BCMS is improving over time — not just maintained?
Where Organizations Actually Fail: The Most Common Gaps
Based on patterns across ISO 22301 gap assessments and certification audits, these are the gaps that appear most frequently:
Gap 1: Leadership commitment is asserted, not demonstrated (Clause 5)
The BC policy exists. The BC Manager has a title. But there’s no documented evidence of management review, no board minutes showing BC on the agenda, no resources formally allocated. An auditor asks: “Show me evidence of top management commitment” and the answer is “Well, our CEO really cares about this.”
Fix: Schedule a management review, produce minutes, get the policy signed with a date, and show allocated budget for BC activities.
Gap 2: BIA outputs aren’t connected to plans (Clause 6 → 8)
The BIA says the order processing system has an RTO of 4 hours. The BC plan makes no mention of order processing. The strategies documented don’t reflect the recovery objectives the BIA identified.
Fix: Map every critical activity in your BIA to a documented strategy and plan. If something has an RTO, there needs to be a procedure that could plausibly achieve it.
Gap 3: BC plans describe intent, not procedures (Clause 8.4)
“In the event of a facility loss, the team will relocate to the backup site” is not a procedure. Who calls whom to activate? Who has building access? Where are the keys? What are the first three steps?
Fix: Rewrite plans as step-by-step procedures with named roles, contact numbers, and decision authority spelled out.
Gap 4: Testing is a walkthrough, not a test (Clause 8.5)
The same functional exercise, with the same scenario, in the same room, with the same participants, every year. It tests familiarity with the exercise format, not recovery capability.
Fix: Rotate scenarios, include surprise elements, test actual technical recovery (not just tabletop discussion), and involve frontline staff — not just the BC team.
Gap 5: Document control is informal (Clause 7.5)
Plans are in SharePoint folders with no version control. Staff are using last year’s contact list. Critical procedures have no owner and haven’t been reviewed in 18 months.
Fix: Implement document versioning, set review frequencies, assign document owners, and build a control register that tracks when each document was last reviewed and approved.
Gap 6: Lessons learned from exercises don’t generate actions (Clause 10)
Every exercise report ends with a list of findings. The same findings appear in next year’s report. Nothing closed.
Fix: Each finding needs an owner, a due date, and a tracked closure status. Include lessons learned tracking in your corrective action register.
Scoring Your Overall Maturity
After completing the clause-by-clause assessment, you can calculate an overall maturity score.
| Overall Score | Maturity Level | What It Means |
|---|---|---|
| 0–1.5 | Initial | Ad hoc — no formal BCMS; significant work required before certification is realistic |
| 1.5–2.5 | Developing | Some elements in place but major gaps; 12–18 months to certification readiness |
| 2.5–3.5 | Defined | Core elements established; targeted remediation needed; 6–12 months to readiness |
| 3.5–4.5 | Managed | Substantially compliant; focused improvement before Stage 1 audit; 3–6 months |
| 4.5–5.0 | Optimized | Ready for Stage 1 audit; minor improvements likely flagged as OFIs only |
Most organizations doing their first serious ISO 22301 assessment land in the Developing to Defined range — which means 6–18 months of structured work before a realistic certification attempt.
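To make the scoring guide and the maturity bands above concrete, here is a small scorer written for this post (an added example, not a tool from the page or from RiskTemplates). It assumes the overall score is the arithmetic mean of the sub-clause scores and that each maturity band includes its lower bound and excludes its upper bound; the sub-clause scores are constructed for a fictitious organisation.

```python
"""Score an ISO 22301 gap analysis: RAG per sub-clause, overall maturity band,
and the remediation flags the post describes (added example, not from the page)."""
from statistics import mean

# Score (0-5) -> RAG colour, per the scoring guide in the post.
RAG = {0: "Red", 1: "Red", 2: "Amber", 3: "Amber", 4: "Green", 5: "Green"}

# Overall maturity bands; lower bound inclusive, upper bound exclusive
# (assumption: the post's bands share their boundary values).
MATURITY_BANDS = [(1.5, "Initial"), (2.5, "Developing"), (3.5, "Defined"),
                  (4.5, "Managed"), (5.0, "Optimized")]


def rag(score: int) -> str:
    if score not in RAG:
        raise ValueError(f"score must be an integer 0-5, got {score!r}")
    return RAG[score]


def maturity_level(overall: float) -> str:
    for upper, level in MATURITY_BANDS:
        if overall < upper:
            return level
    return "Optimized"  # overall == 5.0 exactly


def _clause_key(sub: str) -> tuple:
    # Sort "10.2" after "9.3" numerically rather than as text.
    return tuple(int(part) for part in sub.split("."))


def assess(scores: dict) -> dict:
    """scores maps sub-clause id (e.g. '8.4') to a 0-5 score.
    Overall = arithmetic mean of sub-clause scores (assumption; the post does
    not specify an aggregation rule)."""
    for s in scores.values():
        rag(s)  # reject anything outside 0-5 before aggregating
    overall = round(mean(scores.values()), 2)
    flagged = lambda cond: sorted((k for k, v in scores.items() if cond(k, v)),
                                  key=_clause_key)
    return {
        "overall": overall,
        "maturity": maturity_level(overall),
        "red": flagged(lambda k, v: rag(v) == "Red"),
        # Any sub-clause below 3 is a remediation priority.
        "remediation_priority": flagged(lambda k, v: v < 3),
        # A 0 or 1 on any Clause 8 sub-clause is called out as a serious problem.
        "clause8_critical": flagged(lambda k, v: k.startswith("8.") and v <= 1),
    }


# Constructed sample scores for one fictitious organisation (7.1 stands for 7.1-7.2).
SAMPLE_SCORES = {
    "4.1": 4, "4.2": 3, "4.3": 4, "4.4": 3,
    "5.1": 1, "5.2": 3, "5.3": 2,
    "6.1": 3, "6.2": 2, "6.3": 2,
    "7.1": 3, "7.3": 3, "7.4": 2, "7.5": 1,
    "8.1": 2, "8.3": 3, "8.4": 1, "8.5": 0, "8.6": 1,
    "9.1": 2, "9.2": 0, "9.3": 1,
    "10.1": 2, "10.2": 1,
}

if __name__ == "__main__":
    print(assess(SAMPLE_SCORES))
```

The sample lands at 2.04, i.e. "Developing", with three Clause 8 sub-clauses at 0 or 1, which is the profile the post says most first assessments produce.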
What to Do With Your Gap Analysis Output
The gap analysis isn’t the end — it’s the starting point for your remediation roadmap.
Priority 1 — Resolve Red items (scores 0–1) first. These are major nonconformities that would block certification. Typically: absent scope document, no BIA, no exercise programme, no management review.
Priority 2 — Build out Clause 8 documentation. BC plans that can’t be executed under pressure are the most common reason organizations fail Stage 2 audits. This requires time, business unit involvement, and testing.
Priority 3 — Establish Clause 9 processes. Internal audit and management review need to run at least once before your external audit. Your certification body will ask for evidence of these.
Priority 4 — Fix documentation control (Clause 7.5). Good content in uncontrolled documents is still a finding. Build your document control framework before you write more documents into it.
So What?
An ISO 22301 gap analysis isn’t about finding out what you don’t have. It’s about knowing what you’re actually building toward and what it will take to get there.
Organizations that do this assessment honestly — and act on what they find — reduce the time and cost of certification significantly. Organizations that skip it often spend more time and money responding to nonconformities from external auditors than the gap analysis would have cost in the first place.
Start with an honest clause-by-clause score. If you’re at 2 on Clause 8, that’s not a problem to hide — it’s a gap to close before your Stage 1 audit.
Need a ready-to-use BCP/DR framework to start building your BCMS? The Business Continuity & Disaster Recovery Kit includes BC plan templates, BIA tools, exercise templates, and governance documentation aligned with ISO 22301 requirements.
FAQ
What is an ISO 22301 gap analysis?
An ISO 22301 gap analysis is a structured assessment that compares your current business continuity management system (BCMS) against the requirements of ISO 22301:2019, clause by clause. It identifies where you comply, where you partially comply, and where you have significant gaps — giving you a prioritized action plan before a formal certification audit.
How is a gap analysis different from an internal audit?
A gap analysis is typically done before you implement (or before a certification audit) to understand your starting point. An internal audit is a formal requirement under Clause 9.2 that happens once your BCMS is established, to verify it conforms to requirements and is effectively maintained. Gap analysis is diagnostic; internal audit is conformance verification.
What scoring scale is used in an ISO 22301 gap analysis?
Most gap analyses use a Red/Amber/Green (RAG) rating system: Green (fully or substantially compliant), Amber (partially compliant — some gaps), and Red (significantly non-compliant or absent). Some tools also use a 0–5 numeric maturity scale aligned with COBIT or CMM frameworks, where 0 is “no capability” and 5 is “optimized.”
How long does it take to complete an ISO 22301 gap analysis?
A thorough self-assessment typically takes 2–4 weeks for a mid-size organization, depending on documentation availability and team involvement. A consultant-led gap analysis is usually faster (1–2 weeks) but requires interview access to key business continuity owners and documentation review. The output is a gap report with action plan, not a final audit.
What are the most common gaps found in an ISO 22301 gap analysis?
Across most organizations, the most common gaps are: leadership commitment that isn’t documented (Clause 5), incomplete or outdated business impact analysis (Clause 6), BC plans that name strategies but lack operational procedures (Clause 8), testing programs that run the same scenario year after year (Clause 8), and performance metrics that don’t tie back to recovery objectives (Clause 9).
Do I need a gap analysis before pursuing ISO 22301 certification?
Technically no, but practically yes. A Stage 1 external audit — the document review stage — will surface many of the same findings. Going in without a gap analysis means finding out about major nonconformities from your certification body, which delays certification and costs more. Most organizations that pursue ISO 22301 certification do an internal gap analysis 3–6 months before their Stage 1 audit.
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.