If you’ve read through our recent post on ISO Business Continuity Standard 22301, you know the components involved in building a high-performing program. Still, it can be a daunting task to meet this complex standard; how can you be sure you have all the angles covered? Where should you even start?
To ensure consistency and completeness as you develop your program, we’ve designed an ISO 22301 checklist. If you can verify that your program has each of the following elements associated with Sections 5-10 of the standard, your company does indeed have the organized and thorough continuity program outlined in ISO 22301. You can also use it as an ISO 22301 audit checklist if your company is preparing to undergo an official certification process. *The starred items are where most companies fall short, in our experience, so pay special attention to your efforts in those areas.
A crucial part of meeting business continuity standards like ISO 22301 is a well-written business recovery plan. Find out the components of a successful plan and get sample checklists in this free guide.
An ISO 22301 Checklist
1. Leadership, Section 5 Requirements
You have a management oversight committee in place, along with a process that dictates how the committee will oversee the program from the time of creation all the way through implementation, maintenance, and the actual carrying out of plans.
Your policies and objectives align with the requirements of your organization. If you have more stringent legal/regulatory requirements, or customer and stakeholder requirements, then your policies must match those obligations.
2. Planning, Section 6 Requirements
You have documentation showing that you understand your company’s requirements for a business continuity plan. It should define the following and note how each contributes to the development of your business continuity management system:
- The requirements of your company.
- The products/services you provide.
- The requirements of your stakeholders.
- Your legal/regulatory requirements.
3. Support, Section 7 Requirements
You have a document management system that includes all the supporting documents related to every stage of your business continuity management system, from training to practice exercises. The system you use manages and organizes relevant documents, makes it easy to refer to them, and makes them accessible to the right people.
You have a good documentation maintenance program that provides a schedule for updating key components of the program, such as the Business Impact Analysis, recovery plans, and policies and objectives.
*You have a training program in place as well as global awareness of the program and its recovery processes. (Global awareness includes employees at all levels of your company—not just senior-level personnel or those who are actively involved in implementing the processes.)
You have a communication system in place that ensures ongoing communication with interested parties and stakeholders, before, during, and after an event. This process should also include communication as your program is developing (not just when an event occurs), for instance, interaction or consultation with regulatory bodies.
4. Operation, Section 8 Requirements
*You have performed and documented a risk and threat assessment to determine the risks associated with your business and the controls you have in place to protect against them. (For assistance in evaluating residual risk and help in reducing it, try the Residual Risk online assessment tool.)
You have performed a complete Business Impact Analysis (BIA) to determine the criticality of your business operations based on the processes they perform, and to identify the dependencies that must be in place for those processes to run. (Use our comprehensive Business Impact Analysis (BIAOD) tool for a simple yet thorough way to identify your critical business processes and their system/resource requirements.)
*You have designed appropriate business continuity strategies and the requirements for each based on what you need to recover and when you need to recover it, and you’ve documented them (e.g., outsourcing, alternate sites, splitting up call centers). Each strategy is based on your BIA and your risk/threat assessment.
You have created the following business recovery plans depending on the requirements of your company, the strategy requirements, and the BIA:
- A crisis management plan (sometimes called an incident management plan) that directs the crisis management team in how to assess and manage an event, and that identifies the key players involved in carrying out recovery plans.
- Critical business recovery plans for relevant business units.
- Critical IT disaster recovery plans.
You have a program of regularly scheduled testing that is appropriate based on the requirements of the company and the findings of the BIA. You also have a process to document test results.
5. Performance Evaluation, Section 9 Requirements
You have documented management reviews confirming ongoing management oversight and appraisal of the program.
You have documented results of regularly scheduled internal or external audits of your program. (Internal audits tend to be less effective because of a lack of objectivity; an external third-party review of your program every two years is recommended.)
You have processes in place to measure and evaluate the performance of the program, including specific metrics for compliance and residual risk. You know the ROI of your program and whether it’s getting the intended results. (To easily assess your program compliance against industry standards, try the cloud-based self-assessment tool Compliance Confidence (C2). To assess residual risk try our Residual Risk (R2) tool.)
6. Continual Improvement, Section 10 Requirements
*You have a process designed to identify weaknesses in your program (either through testing or measuring) and take corrective action to address them; you also have those processes and actions documented.
You have a post-incident review process in place. You add your findings to a knowledge base and use them to improve your future plans.
Hit Every Item On Your ISO 22301 Checklist
All of our BCMMetrics™ tools were designed with standards like ISO 22301 in mind. Because they’re intuitive self-assessment tools, you can use each of them—Business Impact Analysis (BIAOD), Residual Risk (R2), and Compliance Confidence (C2)—to do your own due diligence so you know where you stand in preparation for an ISO 22301 or related audit of your BCM program. All of our tools are regularly reviewed and updated in response to changes in the industry and regulatory landscape.
Schedule a free demo to see the tools in action, and find out where your program stands today.