Show me desktop version
CALL US +1 (646) 759 9933

ISO 27001/ISO 22301 Knowledge base

Mandatory documents required by ISO 22301

Author: Dejan Kosutic

What should your business continuity documentation contain? This is probably what you’re asking yourself if you are implementing ISO 22301, preparing for the internal audit, or preparing for the certification audit.

Unfortunately, ISO 22301 does not have a checklist of all mandatory documentation (like ISO 27001); however, by carefully reading the standard, it is rather easy to conclude which documents and records are mandatory.

ISO 22301 Mandatory documents

So, here’s the list of mandatory documentation for the Business Continuity Management System – BCMS (for a description of each document, download this white paper):

  • Procedure for identification of applicable legal and regulatory requirements (clause 4.2.2) – defines who is responsible for compliance.
  • List of legal, regulatory and other requirements (clause 4.2.2) – lists everything you need to comply with.
  • Scope of the BCMS and explanation of exclusions (clause 4.3) – defines where your BCMS will be implemented.
  • Business continuity policy (clause 5.3) – defines main responsibilities, and the intent of the management.
  • Business continuity objectives (clause 6.2) – defines measurable objectives that are to be achieved with business continuity.
  • Competencies of personnel (clause 7.2) – defines knowledge and skills needed.
  • Communication with interested parties (clause 7.4) – defines which interested parties exist, and how to communicate with them.
  • Process for business impact analysis and risk assessment (clause 8.2.1) – defines the methodology for BIA and RA.
  • Results of business impact analysis (clause 8.2.2) – documents the results of BIA.
  • Results of risk assessment (clause 8.2.3) – documents the results of RA.
  • Business continuity procedures (clause 8.4.1) –include incident response, recovery and business continuity plan(s).
  • Incident response procedures (clause 8.4.2) – defines how to initially respond to various incidents.
  • Decision whether the risks and impacts are to be communicated externally (clause 8.4.2) – this is normally made by Crisis manager.
  • Communication with interested parties, including the national or regional risk advisory system (clause 8.4.3) – this can be documented through emails, minutes, memos, etc.
  • Records of important information about the incident, actions taken and decisions made (clause 8.4.3) – normally this is done through minutes.
  • Procedures for responding to disruptive incidents (clause 8.4.4) – these are the business continuity plan(s) and recovery plan(s), including the disaster recovery plans.
  • Procedures for restoring and returning business from temporary measures (clause 8.4.5) – these are the procedures on what to do after the operations have been recovered.
  • Results of actions addressing adverse trends or results (clause 9.1.1) – these are basically the preventive actions.
  • Data and results of monitoring and measurement (clause 9.1.1) – this the evaluation on whether your BCMS met the objectives.
  • Results of post-incident review (clause 9.1.2) – this is basically an evaluation on how effective your business continuity was in a real situation.
  • Results of internal audit (clause 9.2) – normally, this is the Internal audit report.
  • Results of management review (clause 9.3) – usually, this is in the form of minutes or perhaps documented decisions.
  • Nature of nonconformities and actions taken (clause 10.1) – this is a description of nonconformities, and their cause.
  • Results of corrective actions (clause 10.1) – this is a description of what has been done to eliminate the cause of a nonconformity.

Just to add here, some requirements can be documented through several other documents – e.g. determining the context of the organization from (requirements of clause 4.1) can be documented through Procedure for identification of requirements, Business continuity policy, Business impact analysis methodology, etc.

On the other hand, you can merge some of these documents into a single document (especially if you are a smaller company) – e.g. you can report the results of business impact analysis and of risk assessment through the Business continuity strategy.

Commonly used non-mandatory BCMS documents

However, the list of documents usually doesn’t end here. In most cases (unless you are a small company), you would use also these documents – although they are not strictly required by the standard:

  • Implementation plan for achieving the business continuity objectives (clause 6.2)
  • Training and awareness plan (clauses 7.2 and 7.3)
  • Procedure for control of documented information (clause 7.5)
  • Contracts and service level agreements (SLAs) with suppliers and outsourcing partners (clause 8.1)
  • Business continuity strategy (clause 8.3)
  • Risk mitigation (clause 8.3.3)
  • Incident scenarios (clause 8.5)
  • Exercise and testing plans (clause 8.5)
  • Post-exercise reports (clause 8.5)
  • BCMS maintenance plan (clause 9.1.1)
  • Methods for monitoring, measurement, analysis and evaluation (clause 9.1.1)
  • Procedure for internal audit (clause 9.2)
  • Internal audit program (clause 9.2)
  • Procedure for corrective action (clause 10.1)

This might seem like a huge number of documents, but from my experience, each and every one of them does make sense – would you agree?

Click here to download a white paper  Checklist of ISO 22301 Mandatory Documentation with more detailed information on the most common ways for structuring and implementing mandatory documents and records.

If you enjoyed this article, subscribe for updates

Improve your knowledge with our free resources on ISO 27001/ISO 22301 standards.

100% privacy respected. Unsubscribe at any time with a single click.

FREE ISO 27001/22301 CONSULTATION
Dejan Kosutic
Lead ISO 27001/22301 Expert, Advisera

GET FREE ADVICE

ISO 27001 & ISO 22301
Free Downloads

 

Documentation Toolkit

ISO 22301 Documentation Toolkit

See Details

Upcoming free webinar
How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301
Wednesday - September 27, 2017

OUR PARTNERS

  • Exemplar Global (formerly RABQSA) is leading international
    authority in certification of training providers.
  • ITIL® is a registered trade mark of AXELOS Limited.
    Used under licence of AXELOS Limited. All rights reserved.
  • DNV GL Business Assurance is one of the leading providers of
    accredited management systems certification.
Request callback
Request callback

Or call us directly

International calls
+1 (646) 759 9933