CALL US 1-888-553-2256

ISO 27001/ISO 22301 Knowledge base

Rhand Leal

Mandatory documents required by 2019 revision of ISO 22301

Author: Rhand Leal

Updated according to ISO 22301:2019.

What should your business continuity documentation contain? This is probably what you’re asking yourself if you are implementing ISO 22301, preparing for the internal audit, or preparing for the certification audit.

ISO 22301 Mandatory documents

To help you out, here’s the list of mandatory documentation for the Business Continuity Management System – BCMS:

  • List of legal, regulatory and other requirements (clause 4.2.2) – lists everything you need to comply with.
  • Scope of the BCMS and explanation of exclusions (clause 4.3) – defines where your BCMS will be implemented.
  • Business continuity policy (clause 5.2) – defines main responsibilities, and the intent of the management.
  • Business continuity objectives (clause 6.2) – defines measurable objectives that are to be achieved with business continuity.
  • Competencies of personnel (clause 7.2) – defines knowledge and skills needed.
  • Business continuity plans and procedures (clause 8.4) – includes plans and procedures for response, communication, recovery (including disaster recovery plans), restore and return activities.
  • Documented communication with interested parties (clause – these could be emails, but also official communication from sources such as government agencies and others.
  • Records of important information about the disruption, actions taken and decisions made (clause – normally these records are done through minutes or by filling out checklists of performed activities.
  • Data and results of monitoring and measurement (clause 9.1.1) – this is the evaluation on whether your BCMS met the objectives.
  • Internal audit program (clause 9.2)
  • Results of internal audit (clause 9.2) – normally, this is the Internal audit report.
  • Results of management review (clause 9.3) – usually, this is in the form of minutes or perhaps documented decisions.
  • Nature of nonconformities and actions taken (clause 10.1) – this is a description of nonconformities, and their cause.
  • Results of corrective actions (clause 10.1) – this is a description of what has been done to eliminate the cause of a nonconformity.

Mandatory documents required by 2019 revision of ISO 22301

Commonly used non-mandatory BCMS documents and records

The list of documents usually doesn’t end with the above list. In most cases (unless you are a small company) you would use also these documents, even though they are not strictly required by the standard:

  • Procedure for identification of applicable legal and regulatory requirements (clause 4.2.2)
  • Implementation plan for achieving the business continuity objectives (clause 6.2)
  • Training and awareness plan (clauses 7.2 and 7.3)
  • Procedure for control of documented information (clause 7.5)
  • Contracts and service level agreements (SLAs) with suppliers and outsourcing partners (clause 8.1)
  • Process for business impact analysis and risk assessment (clause 8.2.1)
  • Results of business impact analysis (clause 8.2.2)
  • Results of risk assessment (clause 8.2.3)
  • Strategies and solutions for business continuity (clause 8.3.3)
  • Incident scenarios (clause 8.5)
  • Exercise and testing plans (clause 8.5)
  • Post-exercise reports (clause 8.5)
  • Results of post-incident review (clause 8.6)
  • Methods for monitoring, measurement, analysis and evaluation (clause 9.1.1)
  • Procedure for internal audit (clause 9.2)
  • Procedure for corrective action (clause 10.1)

Note that some requirements can be documented through several other documents. One example of this is determining the context of the organization (clause 4.1) which, although it is not mandatory, can be documented through List of legal, regulatory and other requirements, Business continuity policy, etc.

On the other hand, you can merge some of these documents into a single document (especially if you are a smaller company). For example, you can report the results of business impact analysis and of risk assessment through the Business continuity strategy.

This might seem like a huge number of documents, but from my experience, each and every one of them does make sense – would you agree?

To learn more about ISO 22301 implementation, visit our Free download page. You’ll find a host of helpful resources.

About the author:

Rhand Leal has 10 years of experience in information security, and for the 6 years he had continuously maintained а certified Information Security Management System based on ISO 27001. Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are: ISO 27001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.

If you enjoyed this article, subscribe for updates

Improve your knowledge with our free resources on ISO 27001/ISO 22301 standards.

You may unsubscribe at any time.

For more information on what personal data we collect, why we need it, what we do with it, how long we keep it, and what are your rights, see this Privacy Notice.

2 responses to “Mandatory documents required by 2019 revision of ISO 22301”

  1. Frank Dubois says:

    Does any one have any example of an internal audit schedule (9.2)? Or provide some guidance on how to produce this?

Leave a Reply

Your email address will not be published. Required fields are marked *



  • Advisera is Exemplar Global Certified TPECS Provider for the IS, QM, EM, TL and AU Competency Units.
  • ITIL® is a registered trade mark of AXELOS Limited. Used under licence of AXELOS Limited. All rights reserved.
  • DNV GL Business Assurance is one of the leading providers of accredited management systems certification.