Business Continuity Planning (BCP) Community

Official Blog for Dr Goh Moh Heng

Achieving BCMS Certification (Part 3) – Step 3


Step 3: Assessment

  • The formal assessment is then made during which all areas of the BS25999: 2007 Part 2 or SS 540:2008 Specification will be covered. The assessment is conducted in line with ISO17021, the formal assessment is done in two stages.

Stage 1 Assessment Audit

  • The stage 1 assessment is similar to a typical ISO audit where the auditor is not only looking for the existence of the documents but is also checking for things like version control, document ownership and other quality management systems.
  • The Stage 1 assessment will not only examine the BCMS documentation, it will also look at the management review and audit system and evaluation of readiness.
  • The organization will need to review the feedback from the first-stage assessment and estimate the amount of work required and, if necessary, push back the second stage assessment to a more realistic date.

Stage 2 Assessment Audit

  • The stage 2 assessment is usually very challenging and resource-intensive. It entails the examining of the documentation, looking at how it was implemented and understood across the areas in scope.
  • The assessment will also focus heavily on the objective evidences for the BCMS.
  • These includes the inspection of records, interviews of personnel and physical inspections. This addresses both logical and physical locations, and the audit team may include a BC (Technical) expert.
  • During the assessment, an audit report will be supplied at the conclusion of the assessment; this report will identify any major non-conformity (in which case certification will not be recommended until these have been addressed). The report may also include detail minor non-conformities, where improvements are needed but are not deemed significant.

Addressing Non-conformity

  • If the results of the Stage 2 Assessment indicate that the requirements of BCM Standard have not been met, the organization will be required to agree to a Corrective Action Plan to address the weaknesses. Once the organization has addressed the weaknesses a further Conformance Audit will be carried out.
  • If the outcome of the further Stage 2 Assessment is successful, a recommendation will be made for certification.


  1. BCMPedia: Glossary for BCM Auditing
  2. A Manager’s Guide to Auditing and Reviewing your BCM Program
  3. A Manager’s Guide to BS25999 British Standard for BCM
  4. BCM-8590 BS 25999 BCM Lead Auditor Course
  5. BCM-8540 SS540 BCM Lead Auditor Course
  6. BCM-8040 SS540 BCM Internal Auditor Course

    Author: moh_heng

    Dr Goh Moh Heng is the Managing Director of GMH Continuity Architects and President of Business Continuity Management (BCM) Institute.

    Leave a Reply

    Required fields are marked *.