ISO 22301 AUDITOR CHECKLIST TEMPLATE

Use this self-audit questionnaire to gauge how ready your organization is to apply for ISO 22301 Business Continuity Management System (BCMS) certification. If your organization is not applying to be certified, you should still use the questionnaire to assess the robustness of your business continuity program.

REQUIREMENT | IN COMPLIANCE? | REMARKS

Context

Do you understand the internal and external actors that can influence your organization's business continuity requirements?
Do you understand the risks and opportunities associated with your organization's context?
Do you understand and regularly monitor the expectations of interested parties, such as customers, suppliers, employees, or regulatory bodies, in your business continuity plan?
Do you understand the regulatory or legal requirements that influence business continuity?

Leadership

Is top management committed to championing your organization's business continuity management system (BCMS)?
Does top management communicate the value of your BCMS internally and externally?
Have you set and documented measurable business continuity plan objectives?
Do the BCMS policy and objectives align with the mission and strategy of the organization?
Do the individuals and roles responsible for leading continuity management have adequate skills and experience?

Planning

Have you determined the risks to and opportunities for your organization?
Do you have a plan to tackle these risks and opportunities?
Do your business systems incorporate any pertinent elements of the continuity plan?
Have you told your whole organization about these objectives and discussed how the whole organization might help to achieve them?

Support

Have you identified the people, tools, equipment, finances, and other resources you need to stand up, run, maintain, and continually improve your BCMS?
Does everyone involved in the BCMS have experience or training to perform well in their roles, or do they need training?
Do you have a documentation system for both internal and external documents, and do you have a change control process?
Can employees and external stakeholders easily find the documentation they need when they need it?

Operation

Do you have a process to determine if the BCMS needs changes, as well as a process to implement those changes?
Are contractors and outsourced labor informed of business continuity requirements and solutions?
Is a business impact analysis (BIA) scheduled regularly?
Based on the BIA, have you prioritized which activities should resume first after a disruptive event? (This metric is also known as the recovery time objectives.)
Have you determined the minimum levels for prioritized activities?
Have you created a BCMS strategy (including dependencies and required resources) that focuses on supporting priority activities?
Have you analyzed the business continuity capabilities of your suppliers?
Have you listed the following key organization resources in your plan?
  - Personnel
  - Infrastructure
  - Facilities
  - Information
  - Data
  - IT
  - Supplies
  - Transportation
  - Finance
  - Other
Have you considered approaches to help prevent (or reduce the length and impact of) the disruptions that can be caused by the risks you've identified?
Have you documented and implemented your business continuity procedures?
Did you create internal and external protocols to communicate about business continuity issues?
Have you created an incident response structure to identify management and personnel who will respond to disruptive events?

Procedures

Do you have a procedure for detecting disruptive incidents?
Do you have a procedure for making detailed reports on disruptive incidents, including articulating the steps and decisions that would lead up to an event?
Do you have a procedure for recording actions and decisions in response to an incident?
Do you have a procedure to receive and respond to warnings about possible events?
Have you documented plans for restoring operations after an event? Do these plans contain all the information and procedures needed by the personnel who will use them?
Do you have a procedure to secure people and infrastructure immediately after an event?
Do you have a procedure to communicate internally and externally after an event?
Do you have a procedure to switch from a temporary response to regular business operations?
Do you regularly test your business continuity procedures using well-developed scenarios?
Does your organization prepare after-action reports to detail what went well and what didn't go well in business continuity system exercises?

Evaluation

Do you know what in your continuity system you must measure and monitor? Who will monitor the system, and how often? What are the measurement methods?
Do you document the results of periodic monitoring?
Are internal audits scheduled to ensure conformity to ISO 22301 and your organization's BCMS plan?
Have you created an internal audit process?
Do you document and retain audit results and report them to management?

Improvement

Have you created robust processes to manage nonconformities and to implement corrective action?
Does top management regularly review and suggest improvements to the BCMS?