
Mandatory documents required by ISO 22301

Author: Dejan Kosutic

What should your business continuity documentation contain? This is probably what you’re asking yourself if you are implementing ISO 22301, preparing for the internal audit, or preparing for the certification audit.

Unfortunately, ISO 22301 does not have a checklist of all mandatory documentation (like ISO 27001); however, by carefully reading the standard, it is rather easy to conclude which documents and records are mandatory.

ISO 22301 Mandatory documents

So, here’s the list of mandatory documentation for the Business Continuity Management System – BCMS (for a description of each document, download this white paper):

  • Procedure for identification of applicable legal and regulatory requirements (clause 4.2.2) – defines who is responsible for compliance.
  • List of legal, regulatory and other requirements (clause 4.2.2) – lists everything you need to comply with.
  • Scope of the BCMS and explanation of exclusions (clause 4.3) – defines where your BCMS will be implemented.
  • Business continuity policy (clause 5.3) – defines main responsibilities, and the intent of the management.
  • Business continuity objectives (clause 6.2) – defines measurable objectives that are to be achieved with business continuity.
  • Competencies of personnel (clause 7.2) – defines knowledge and skills needed.
  • Communication with interested parties (clause 7.4) – defines which interested parties exist, and how to communicate with them.
  • Process for business impact analysis and risk assessment (clause 8.2.1) – defines the methodology for BIA and RA.
  • Results of business impact analysis (clause 8.2.2) – documents the results of BIA.
  • Results of risk assessment (clause 8.2.3) – documents the results of RA.
  • Business continuity procedures (clause 8.4.1) – include incident response, recovery and business continuity plan(s).
  • Incident response procedures (clause 8.4.2) – defines how to initially respond to various incidents.
  • Decision whether the risks and impacts are to be communicated externally (clause 8.4.2) – this is normally made by Crisis manager.
  • Communication with interested parties, including the national or regional risk advisory system (clause 8.4.3) – this can be documented through emails, minutes, memos, etc.
  • Records of important information about the incident, actions taken and decisions made (clause 8.4.3) – normally this is done through minutes.
  • Procedures for responding to disruptive incidents (clause 8.4.4) – these are the business continuity plan(s) and recovery plan(s), including the disaster recovery plans.
  • Procedures for restoring and returning business from temporary measures (clause 8.4.5) – these are the procedures on what to do after the operations have been recovered.
  • Post-exercise reports (clause 8.5)
  • Results of actions addressing adverse trends or results (clause 9.1.1) – these are basically the preventive actions.
  • Data and results of monitoring and measurement (clause 9.1.1) – this is the evaluation of whether your BCMS met its objectives.
  • Results of post-incident review (clause 9.1.2) – this is basically an evaluation on how effective your business continuity was in a real situation.
  • Results of internal audit (clause 9.2) – normally, this is the Internal audit report.
  • Results of management review (clause 9.3) – usually, this is in the form of minutes or perhaps documented decisions.
  • Nature of nonconformities and actions taken (clause 10.1) – this is a description of nonconformities, and their cause.
  • Results of corrective actions (clause 10.1) – this is a description of what has been done to eliminate the cause of a nonconformity.

Just to add here, some requirements can be documented through several other documents – e.g. determining the context of the organization (requirements of clause 4.1) can be documented through the Procedure for identification of requirements, the Business continuity policy, the Business impact analysis methodology, etc.

On the other hand, you can merge some of these documents into a single document (especially if you are a smaller company) – e.g. you can report the results of business impact analysis and of risk assessment through the Business continuity strategy.

Commonly used non-mandatory BCMS documents

However, the list of documents usually doesn’t end here. In most cases (unless you are a small company), you would also use these documents – although they are not strictly required by the standard:

  • Implementation plan for achieving the business continuity objectives (clause 6.2)
  • Training and awareness plan (clauses 7.2 and 7.3)
  • Procedure for control of documented information (clause 7.5)
  • Contracts and service level agreements (SLAs) with suppliers and outsourcing partners (clause 8.1)
  • Business continuity strategy (clause 8.3)
  • Risk mitigation (clause 8.3.3)
  • Incident scenarios (clause 8.5)
  • Exercise and testing plans (clause 8.5)
  • BCMS maintenance plan (clause 9.1.1)
  • Methods for monitoring, measurement, analysis and evaluation (clause 9.1.1)
  • Procedure for internal audit (clause 9.2)
  • Internal audit program (clause 9.2)
  • Procedure for corrective action (clause 10.1)

This might seem like a huge number of documents, but from my experience, each and every one of them does make sense – would you agree?

Click here to download a white paper  Checklist of ISO 22301 Mandatory Documentation with more detailed information on the most common ways for structuring and implementing mandatory documents and records.


2 responses to “Mandatory documents required by ISO 22301”

  1. Frank Dubois says:

    Does anyone have any example of an internal audit schedule (9.2)? Or provide some guidance on how to produce this?


Dejan Kosutic
Lead ISO 27001/ISO 22301 Expert, Advisera
