www.infosectrain.com www.azpirantz.com

ISO 22301:2019 Checklist

Each entry below gives the clause number, control name and control description, followed by the audit questionnaire and the evidence required.

4.1 Understanding the organization and its context
Control description: The organization shall determine external and internal issues relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its BCMS.
Audit questionnaire:
- Have internal and external issues been identified and documented?
- Are these issues reviewed periodically?
- Do these issues consider business objectives, regulations, and stakeholder needs?
Evidence required:
- List of identified internal/external issues
- Review meeting records

4.2 Understanding the needs and expectations of interested parties
Control description: The organization shall determine interested parties and their requirements relevant to business continuity.
Audit questionnaire:
- Have all relevant interested parties been identified?
- Are their needs and expectations documented?
Evidence required:
- Documented list of identified stakeholders
- Evidence of periodic review and updates to stakeholder information

4.3 Determining the scope of the BCMS
Control description: The organization shall determine and document the scope of the BCMS considering internal/external issues, interested party requirements, and interfaces with other management systems.
Audit questionnaire:
- Is the scope of the BCMS clearly defined and documented?
- Has management approved the scope?
- Does the scope statement identify boundaries and applicability?
Evidence required:
- BCMS scope document
- Justification for exclusions (if any) contained in the scope document
- Approval records

4.4 Business continuity management system
Control description: The organization shall establish, implement, maintain and continually improve a BCMS in accordance with the requirements of this document.
Audit questionnaire:
- Is there an established BCMS framework?
- Are BCMS processes documented and maintained?
- Are roles for BCMS management assigned?
Evidence required:
- BCMS framework documentation
- Role assignment records

5.1 Leadership and commitment
Control description: Top management shall demonstrate leadership and commitment with respect to the BCMS.
Audit questionnaire:
- Does top management actively promote and support the BCMS?
- Are adequate funding and resources provided for the BCMS?
- Does management participate in key BCMS decisions and reviews?
Evidence required:
- Executive communications on the BCMS
- Resource allocation records
- Management meeting minutes (MOM)

5.2 Business continuity policy
Control description: Top management shall establish a business continuity policy appropriate to the organization's purpose.
Audit questionnaire:
- Is there a documented and approved BC policy?
- Does it provide a framework for BC objectives?
- Has it been communicated throughout the organization?
Evidence required:
- Employee awareness records
- Approved BC policy document

5.3 Organizational roles, responsibilities and authorities
Control description: Top management shall ensure responsibilities and authorities for relevant roles are assigned and communicated.
Audit questionnaire:
- Is there clear accountability for BCMS performance?
- Have roles and responsibilities been communicated to relevant personnel?
- Are BCMS roles and responsibilities clearly defined?
Evidence required:
- Role descriptions and responsibility assignments

6.1 Actions to address risks and opportunities
Control description: The organization shall determine risks and opportunities that need to be addressed to ensure the BCMS achieves its intended outcome(s).
Audit questionnaire:
- Is the effectiveness of these actions evaluated?
- Has a risk and opportunity assessment been conducted for the BCMS?
- Are actions planned to address identified risks and opportunities?
Evidence required:
- Risk register
- Effectiveness evaluation records

6.2 Business continuity objectives and planning to achieve them
Control description: The organization shall establish measurable BC objectives at relevant functions and levels.
Audit questionnaire:
- Are BC objectives established and documented?
- Is there a plan to achieve these objectives?
- Are objectives measurable and aligned with the BC policy?
Evidence required:
- Action plans to achieve objectives
- Documented BC objectives

6.3 Planning changes to the BCMS
Control description: The organization shall plan for changes to the BCMS in a structured manner.
Audit questionnaire:
- Are changes documented and approved?
- Are change impacts assessed before implementation?
- Is there a defined process for managing changes to the BCMS?
Evidence required:
- Change management process
- Change impact assessments
- Change approval records

7.1 Resources
Control description: The organization shall determine and provide the resources needed for the BCMS.
Audit questionnaire:
- Has the organization identified the resources required for the BCMS?
- Is resource adequacy reviewed periodically?
- Are adequate resources allocated?
Evidence required:
- Budget allocations
- Resource plans
- Resource review records

7.2 Competence
Control description: The organization shall determine, ensure and document the necessary competence of persons doing work under its control that affects BC performance.
Audit questionnaire:
- Is appropriate training provided to these personnel?
- Are competency requirements defined for BC roles?
- Are competency records maintained?
Evidence required:
- Training records
- Skills assessment documentation

7.3 Awareness
Control description: Persons doing work under the organization's control shall be aware of the BC policy, their contribution to BCMS effectiveness, and the implications of not conforming.
Audit questionnaire:
- Are awareness programs conducted regularly?
- Do personnel understand their role in the BCMS?
- Are personnel aware of the BC policy and objectives?
Evidence required:
- Attendance records
- Awareness program materials
- Knowledge assessment results

7.4 Communication
Control description: The organization shall determine internal and external communications relevant to the BCMS.
Audit questionnaire:
- Are communication channels defined for normal and crisis situations?
- Are communication responsibilities clearly assigned?
- Is there a documented communication plan for BC?
Evidence required:
- BCP communication plan

7.5 Documented information
Control description: The BCMS shall include documented information required by this document and determined by the organization as necessary for BCMS effectiveness.
Audit questionnaire:
- Are documents properly identified, reviewed and approved?
- Is there a procedure for controlling BCMS documents?
- Is there a system for document access control and protection?
Evidence required:
- Document review records
- Document control procedure

8.1 Operational planning and control
Control description: The organization shall plan, implement and control the processes needed to meet requirements and implement actions.
Audit questionnaire:
- Is there evidence of process monitoring?
- Are operational controls established for these processes?
- Are BCMS operational processes planned and documented?
Evidence required:
- Operational procedures
- Process control records

8.1 Business impact analysis (BIA) and risk assessment - General
Control description: The organization shall implement and maintain a formal and documented BIA and risk assessment process.
Audit questionnaire:
- Is the methodology appropriate for the organization?
- Are assessments conducted at planned intervals?
- Is there a documented procedure for conducting BIA and risk assessments?
Evidence required:
- BIA and risk assessment procedure

8.2 Business impact analysis
Control description: The organization shall analyze the impact of disruptive events on the organization through a BIA.
Audit questionnaire:
- Has a BIA been conducted and documented?
- Does it identify critical activities, dependencies, and resources?
- Are recovery time objectives (RTOs) established for critical activities?
Evidence required:
- RTO documentation
- BIA report
- Critical activity list

8.3 Risk assessment
Control description: The organization shall conduct a risk assessment to identify, analyze and evaluate BC risks.
Audit questionnaire:
- Has a BC risk assessment been conducted?
- Is there a risk treatment plan?
- Are risks to critical activities identified and evaluated?
Evidence required:
- Risk register
- Risk assessment report
- Risk treatment plan

8.3 Business continuity strategies and solutions
Control description: The organization shall determine appropriate BC strategies based on the outputs from the BIA and risk assessment.
Audit questionnaire:
- Have BC strategies been documented for all critical activities?
- Do strategies address the identified recovery time objectives?
- Have resource requirements for strategies been identified?
Evidence required:
- BC strategy document
- Strategy selection criteria
- Resource requirement documentation

8.4.1 Business continuity plans and procedures - General
Control description: The organization shall establish, implement and maintain business continuity plans and procedures.
Audit questionnaire:
- Are they regularly reviewed and updated?
- Are BC plans and procedures documented?
- Do they address roles, actions, resources, and communications?
Evidence required:
- BC plans and procedures
- Update logs
- Review records

8.4.2 Response structure
Control description: The organization shall establish a response structure with identified roles and responsibilities for incident response.
Audit questionnaire:
- Is there a documented response structure for BC incidents?
- Are roles and responsibilities clearly defined?
- Has the structure been communicated to relevant personnel?
Evidence required:
- Response structure document
- Role descriptions
- Communication records

8.4.3 Warning and communication
Control description: The organization shall establish procedures for detecting and monitoring incidents and for internal/external communications during disruptions.
Audit questionnaire:
- Are there procedures for incident detection and notification?
- Are contact details for key stakeholders maintained?
- Is there a communication protocol for BC incidents?
Evidence required:
- Communication protocols
- Incident detection procedure

8.4.4 Business continuity plans
Control description: The organization shall develop BC plans to manage disruptive events based on the strategies and provide guidance for response and recovery.
Audit questionnaire:
- Are plans accessible during disruptions?
- Do BC plans include specific actions for response and recovery?
- Do they address roles, resources, and communications?
Evidence required:
- Plan accessibility provisions
- Response and recovery procedures
- Documented BC plans

8.5 Exercise and testing
Control description: The organization shall exercise and test its BC procedures to ensure they are consistent with its BC objectives.
Audit questionnaire:
- Is there a documented program for BC exercises and tests?
- Are exercise results documented and reviewed?
- Are exercises conducted at planned intervals?
Evidence required:
- Exercise program
- Exercise scenarios
- Exercise results and recommendations

9.1 Monitoring, measurement, analysis and evaluation
Control description: The organization shall determine what needs to be monitored and measured, the methods to be used, and when evaluation shall occur.
Audit questionnaire:
- Are monitoring methods appropriate?
- Are there procedures for monitoring BCMS performance?
- Is monitoring data analyzed and evaluated?
Evidence required:
- Analysis reports
- Monitoring procedures
- Performance data

9.2 Internal audit
Control description: The organization shall conduct internal audits at planned intervals to ensure the BCMS conforms to requirements and is effectively implemented.
Audit questionnaire:
- Is there an internal audit program for the BCMS?
- Are audits conducted by competent and impartial personnel?
- Are audit results reported to management?
Evidence required:
- Auditor qualifications
- Audit reports
- Audit program

9.3 Management review
Control description: Top management shall review the organization's BCMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.
Audit questionnaire:
- Are management reviews conducted as planned?
- Do reviews consider all required inputs?
- Are review outputs documented and acted upon?
Evidence required:
- Management review minutes (MOM)
- Review input documentation
- Action plans from reviews

10.1 Nonconformity and corrective action
Control description: The organization shall identify nonconformities, take corrective actions, and continually improve the BCMS.
Audit questionnaire:
- Is there a documented procedure for managing nonconformities?
- Are root causes analyzed?
- Are corrective actions implemented and verified?
Evidence required:
- Nonconformity records
- Corrective action plans
- Root cause analyses

10.2 Continual improvement
Control description: The organization shall continually improve the suitability, adequacy and effectiveness of the BCMS.
Audit questionnaire:
- Is there a process for identifying improvement opportunities?
- Are improvements implemented and evaluated?
- Is there evidence of BCMS performance improvement over time?
Evidence required:
- Implementation records
- Improvement plans
- Performance trend data