Summary
Nine practical warning signs that an ISO 22301-focused consultant may deliver something compliant on paper, but not something your business will actually use. Includes simple checks to help make sure your continuity work produces something the business can actually use when something goes wrong.
Introduction
A lot of organisations assume that hiring an ISO 22301 specialist means they’re getting strong business continuity capability.
That isn’t always true.
ISO 22301 is a solid framework. It helps you build a Business Continuity Management System that meets a recognised standard.
But it doesn’t guarantee that the plan will actually work when you need it.
And that’s the gap you see in practice.
The organisation has a plan. Sometimes a very detailed one.
But no one really knows how to use it. It’s too big, too detailed, and written to meet an audit rather than to help people respond to an incident.
So when something does go wrong, or even when you look closely at how it would work, it’s clear the system isn’t built for real use.
1. They talk about clauses, not consequences
If most of the conversation is:
- Clause 4
- Clause 8
- audit readiness
…but very little about what actually happens when something fails, you’re in the wrong place.
ISO defines requirements. It doesn’t tell you what actually happens when something breaks.
Check: Ask them to explain a real disruption in business terms, not ISO language.
2. The end product is “a compliant system”
If success is defined as:
- “aligned with ISO 22301”
- “audit-ready”
- “complete documentation”
you’ll probably get something that looks right… but isn’t much use when something actually goes wrong. (see what good business continuity consultancy should actually look like)
A BCMS isn’t the output. It’s something the business should actually use.
Check: Ask what will be different when something goes wrong. If the answer is vague, that tells you a lot.
3. No clear owners across the business
This is where things fall apart quickly.
You end up with:
- central BCP ownership
- but no one in the business actually responsible for anything
So when something goes wrong, no one is clear what they’re supposed to do.
Check: Every output needs a named owner before the work is finished. Not “the business” — an actual person.
4. Everything is designed for audit, not action
If what you’re getting is:
- policies
- registers
- document structures
rather than:
- decisions
- scenarios
- clear actions
then it’s been built for audit, not for real use.
It will review well. It won’t help much when something actually happens.
5. The Business Impact Analysis is technically strong… but useless
Classic one.
You get:
- detailed mapping
- long spreadsheets
- lots of recovery numbers
And no one ever uses it.
If it doesn’t help someone respond to an incident, it’s just admin. (see why traditional BIA often falls short)
Check: Ask who actually uses the BIA in practice. If there isn’t a clear answer, it’s a dead output.
6. Exercises are treated as proof, not learning
You’ll sometimes see exercises where:
- everyone knows the scenario
- everything “works”
- nothing really changes
That’s not testing. That’s rehearsal.
If you’re not finding gaps that would matter in a real incident, you’re not doing it properly.
Check: Ask what changed after the last exercise. If the answer is “not much”, that tells you everything.
7. The consultant builds it, then disappears
The system gets:
- designed
- documented
- handed over
And then left with the business to “run”.
In reality, without structure and pressure, the plan quickly drifts and becomes something no one actually uses.
Check: Ask how this is going to be kept alive in practice. Not in theory. (see what a business continuity consultant should actually do during an engagement)
8. No link to real operational or commercial risk
If continuity doesn’t connect to:
- revenue
- service failure
- contracts
it stays abstract, so it doesn’t help when something actually fails.
And abstract work gets ignored.
Check: Ask how outputs link to actual business decisions. If they don’t, it won’t land.
9. When something does go wrong, the plan doesn’t really help
This is the one that matters.
The plan exists. It’s been reviewed. It may even be “approved”.
But when you try to use it, it’s too big, too unclear, or just not practical in that moment.
It means the work sitting behind it isn’t something the business can actually use.
Closing
ISO 22301 is useful. It gives you a structure to work from.
But compliance and capability are not the same thing.
If the focus is on documents and audit, you’ll end up with something that exists…
…but doesn’t influence anything.
And you’ll only really notice that when something actually goes wrong — and the plan doesn’t help.
If you need ISO 22301 support, make sure you’re building something the business can actually use. See how our business continuity consultants approach delivery.