ISO 22301:2019 List of mandatory documents

Updated according to ISO 22301:2019.

What should your business continuity documentation contain? What are the ISO 22301 mandatory documents? This is probably what you’re asking yourself if you are implementing ISO 22301, preparing for the internal audit, or preparing for the certification audit. Help yourself with this checklist of ISO 22301 mandatory documentation and also learn which other documents are commonly used, even though they are not strictly required.

Some of the mandatory documents required by ISO 22301:2019:
  • List of legal, regulatory and other requirements (clause 4.2.2)
  • Scope of the BCMS and explanation of exclusions (clause 4.3)
  • Business continuity policy (clause 5.2)
  • Business continuity objectives (clause 6.2)
  • Competencies of personnel (clause 7.2)

ISO 22301 Mandatory documents

To help you out, here’s the list of ISO 22301 mandatory documents for the Business Continuity Management System – BCMS:



Commonly used non-mandatory BCMS documents and records

The list of documents usually doesn’t end with the checklist of ISO 22301 mandatory documentation above. In most cases (unless you are a small company), you would also use these documents, even though they are not strictly required by the standard:

Note that some requirements can be documented through several other documents. One example of this is determining the context of the organization (clause 4.1), which, although it is not mandatory, can be documented through the List of legal, regulatory and other requirements, the Business continuity policy, etc.

On the other hand, you can merge some of these documents into a single document (especially if you are a smaller company). For example, you can report the results of business impact analysis and of risk assessment through the Business continuity strategy.

This might seem like a huge number of documents, but from my experience, each and every one of them does make sense – would you agree?


Author
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.


Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.