ISO 22301 Audit Checklist

Use this ISO 22301 Audit Checklist to evaluate business continuity management systems, ensure compliance, and enhance resilience against disruptions.

Clause 4 - Know Your Organization

1. What are the internal and external issues that drive the need for business continuity planning?

2. Who are the stakeholders and what are their requirements?

3. What relevant laws and regulations apply, and what is the process for managing them?

Clause 4 - Limit Your BCMS To What Really Matters

1. Which parts of the organization should be included in the scope?

2. What outputs (products and services) should be included in the scope?

3. What exclusions need to be documented and explained?

Clause 5 - Make Sure Your Top Management Is Committed To Business Continuity

1. Has a Business Continuity Policy been written?

2. Has the policy been communicated to all parties affected by it, both internal and external?

3. Have the roles and responsibilities for business continuity been defined?

4. Is there a senior leadership individual responsible for the BCMS, and have their responsibilities been documented?

Clause 6 - Have Some Objectives

1. What are the risks and opportunities at the organizational level?

2. What actions are needed to address the risks and opportunities, and how will they be implemented into operational processes?

3. What are the business continuity objectives, what is needed to achieve them, and who is responsible?

4. How will performance towards the business continuity objectives be monitored and measured?

5. Are change control processes for the BCMS in place?

Clause 7 - Are Your Resources Capable, Competent, And Sufficient?

1. What resources (personnel, technology, infrastructure) are required, and what knowledge and skills are needed for personnel?

2. Are the required resources, knowledge, and skills present in the organization?

3. Is there a communications plan for the wider organization and external interested parties?

4. Is everything required by the standard documented, including any additional necessary items, and is there a process for controlling changes to documents?

Clause 8 - Conduct A Business Impact Analysis

1. What impact types and impact criteria are used for the Business Impact Analysis (BIA), and how do they ensure that the analysis is consistent and repeatable?

2. What are the key activities that comprise your products and services?

3. What are the internal and external resources required to deliver these products and activities, including personnel, equipment, technology (IT), supplies, and infrastructure?

4. How are the impact criteria used to determine how the impact of disrupting each key activity grows over time?

5. What is the maximum tolerable period of disruption (MTPD) before business impacts become unacceptable?

6. What are the timeframes (recovery time objectives) for recovering each activity to its minimum business continuity objective (MBCO) level?

Clause 8 - Conduct A Risk Assessment

1. Has a risk assessment been carried out, and are the risk criteria used for it documented?

2. Are risks prioritized for treatment, and does that prioritization drive the business continuity strategies and, in turn, the plans?

Clause 8 - Build Business Continuity Strategies And Solutions

1. Do the strategies address the risks and requirements of the BIA?

Clause 8 - Procedures

1. How should the crisis management team(s) be established to address immediate steps and cope with ambiguity in an incident?

2. Is a crisis management team established?

3. Are the roles and responsibilities of the crisis management team(s) clearly defined?

4. What response structure should be defined for the responsible team?

5. How should internal and external communications be managed during a crisis?

Clause 8 - Plans

1. What guidance should be provided to teams on how to respond, including the order of activities?

2. What criteria should be specified for invoking activities?

3. What actions need to be taken to protect the welfare of individuals?

4. What actions need to be taken during a crisis?

Clause 8 - Recovery To Normal Operations

1. Are plans and processes developed to ensure a smooth transition from the disaster recovery phase to normal operation?

Clause 8 - Test, Test, And Test Again

1. Is an exercise program used to ensure the plans work and to prevent knowledge fade?

2. Are the organization’s capabilities evaluated as an essential part of the continual improvement cycle required by the standard?

Clause 9 - Continuously Monitor Your Business Continuity Performance

1. Is it defined what should be measured, by whom, how, and when?

2. Is there an ongoing internal audit program, and are regular management reviews held? (The standard requires both.)

Clause 10 - Continuously Improving

1. Is there a process to identify and control nonconformities when they occur?

2. Is there a process to correct nonconformities?

3. Is there a process to understand why nonconformities occurred (root cause analysis)?

4. Is there a process to prevent nonconformities from recurring?

Checklist by GoAudits.com – Please note that this checklist is intended as an example. We do not guarantee compliance with the laws applicable to your territory or industry. You should seek professional advice to determine how this checklist should be adapted to your workplace or jurisdiction.
