
ISO 22301 Audit Checklist — Clause-by-Clause Breakdown!

Planning for ISO 22301 certification or an internal audit? We've simplified the standard into an easy-to-follow audit checklist covering each clause, complete with sample questions and evidence requirements.

This quick reference helps you:
(i) Understand audit expectations
(ii) Identify gaps in your BCMS
(iii) Prepare for internal and external audits

Perfect for:
(i) Compliance teams
(ii) BCMS leads
(iii) Auditors & CISOs

Azpirantz




Presentation Transcript


  1. ISO 22301:2019 Checklist www.azpirantz.com www.infosectrain.com

  2. Columns: Clause No. | Control Name | Control Description | Audit Questionnaire | Evidence Required

Clause 4.1 Understanding the organization and its context
Control description: The organization shall determine external and internal issues relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its BCMS.
Audit questionnaire:
- Have internal and external issues been identified and documented?
- Are these issues reviewed periodically?
- Do these issues consider business objectives, regulations, and stakeholder needs?
Evidence required:
- List of identified internal/external issues
- Review meeting records

Clause 4.2 Understanding the needs and expectations of interested parties
Control description: The organization shall determine interested parties and their requirements relevant to business continuity.
Audit questionnaire:
- Have all relevant interested parties been identified?
- Are their needs and expectations documented?
Evidence required:
- Documented list of identified stakeholders
- Evidence of periodic review and updates to stakeholder information

Clause 4.3 Determining the scope of the BCMS
Control description: The organization shall determine and document the scope of the BCMS, considering internal/external issues, interested party requirements, and interfaces with other management systems.
Audit questionnaire:
- Is the scope of the BCMS clearly defined and documented?
- Does the scope statement identify boundaries and applicability?
- Has management approved the scope?
Evidence required:
- BCMS scope document
- Approval records
- Documented justification for exclusions (if any)

Clause 4.4 Business continuity management system
Control description: The organization shall establish, implement, maintain and continually improve a BCMS in accordance with the requirements of this document.
Audit questionnaire:
- Is there an established BCMS framework?
- Are BCMS processes documented and maintained?
- Are roles for BCMS management assigned?
Evidence required:
- BCMS framework documentation
- Role assignment records

Clause 5.1 Leadership and commitment
Control description: Top management shall demonstrate leadership and commitment with respect to the BCMS.
Audit questionnaire:
- Does top management actively promote and support the BCMS?
- Are adequate funding and resources provided for the BCMS?
- Does management participate in key BCMS decisions and reviews?
Evidence required:
- Management meeting minutes (MOM)
- Resource allocation records
- Executive communications on the BCMS

Clause 5.2 Business continuity policy
Control description: Top management shall establish a business continuity policy appropriate to the organization's purpose.
Audit questionnaire:
- Is there a documented and approved BC policy?
- Does it provide a framework for BC objectives?
- Has it been communicated throughout the organization?
Evidence required:
- Approved BC policy document
- Employee awareness records

  3. Columns: Clause No. | Control Name | Control Description | Audit Questionnaire | Evidence Required

Clause 5.3 Organizational roles, responsibilities and authorities
Control description: Top management shall ensure responsibilities and authorities for relevant roles are assigned and communicated.
Audit questionnaire:
- Are BCMS roles and responsibilities clearly defined?
- Have they been communicated to relevant personnel?
- Is there clear accountability for BCMS performance?
Evidence required:
- Role descriptions and responsibility assignments

Clause 6.1 Actions to address risks and opportunities
Control description: The organization shall determine risks and opportunities that need to be addressed to ensure the BCMS achieves its intended outcome(s).
Audit questionnaire:
- Has a risk and opportunity assessment been conducted for the BCMS?
- Are actions planned to address identified risks and opportunities?
- Is the effectiveness of these actions evaluated?
Evidence required:
- Risk register
- Effectiveness evaluation records

Clause 6.2 Business continuity objectives and planning to achieve them
Control description: The organization shall establish measurable BC objectives at relevant functions and levels.
Audit questionnaire:
- Are BC objectives established and documented?
- Are objectives measurable and aligned with the BC policy?
- Is there a plan to achieve these objectives?
Evidence required:
- Documented BC objectives
- Action plans to achieve objectives

Clause 6.3 Planning changes to the BCMS
Control description: The organization shall plan for changes to the BCMS in a structured manner.
Audit questionnaire:
- Is there a defined process for managing changes to the BCMS?
- Are change impacts assessed before implementation?
- Are changes documented and approved?
Evidence required:
- Change management process
- Change impact assessments
- Change approval records

Clause 7.1 Resources
Control description: The organization shall determine and provide the resources needed for the BCMS.
Audit questionnaire:
- Has the organization identified the resources required for the BCMS?
- Are adequate resources allocated?
- Is resource adequacy reviewed periodically?
Evidence required:
- Resource plans
- Budget allocations
- Resource review records

Clause 7.2 Competence
Control description: The organization shall determine, ensure and document the necessary competence of persons doing work under its control that affects BC performance.
Audit questionnaire:
- Are competency requirements defined for BC roles?
- Is appropriate training provided to these personnel?
- Are competency records maintained?
Evidence required:
- Skills assessment documentation
- Training records

  4. Columns: Clause No. | Control Name | Control Description | Audit Questionnaire | Evidence Required

Clause 7.3 Awareness
Control description: Persons doing work under the organization's control shall be aware of the BC policy, their contribution to BCMS effectiveness, and the implications of not conforming.
Audit questionnaire:
- Are personnel aware of the BC policy and objectives?
- Do they understand their role in the BCMS?
- Are awareness programs conducted regularly?
Evidence required:
- Awareness program materials
- Attendance records
- Knowledge assessment results

Clause 7.4 Communication
Control description: The organization shall determine internal and external communications relevant to the BCMS.
Audit questionnaire:
- Is there a documented communication plan for BC?
- Are communication channels defined for normal and crisis situations?
- Are communication responsibilities clearly assigned?
Evidence required:
- BCP communication plan

Clause 7.5 Documented information
Control description: The BCMS shall include documented information required by this document and determined by the organization as necessary for BCMS effectiveness.
Audit questionnaire:
- Is there a procedure for controlling BCMS documents?
- Are documents properly identified, reviewed and approved?
- Is there a system for document access control and protection?
Evidence required:
- Document control procedure
- Document review records

Clause 8.1 Operational planning and control
Control description: The organization shall plan, implement and control the processes needed to meet requirements and implement actions.
Audit questionnaire:
- Are BCMS operational processes planned and documented?
- Are operational controls established for these processes?
- Is there evidence of process monitoring?
Evidence required:
- Operational procedures
- Process control records

Clause 8.1 Business impact analysis (BIA) and risk assessment - General
Control description: The organization shall implement and maintain a formal and documented BIA and risk assessment process.
Audit questionnaire:
- Is there a documented procedure for conducting BIA and risk assessments?
- Are assessments conducted at planned intervals?
- Is the methodology appropriate for the organization?
Evidence required:
- BIA and risk assessment procedure

Clause 8.2 Business impact analysis
Control description: The organization shall analyze the impact of disruptive events on the organization through a BIA.
Audit questionnaire:
- Has a BIA been conducted and documented?
- Does it identify critical activities, dependencies, and resources?
- Are recovery time objectives (RTOs) established for critical activities?
Evidence required:
- BIA report
- Critical activity list
- RTO documentation

  5. Columns: Clause No. | Control Name | Control Description | Audit Questionnaire | Evidence Required

Clause 8.3 Risk assessment
Control description: The organization shall conduct a risk assessment to identify, analyze and evaluate BC risks.
Audit questionnaire:
- Has a BC risk assessment been conducted?
- Are risks to critical activities identified and evaluated?
- Is there a risk treatment plan?
Evidence required:
- Risk assessment report
- Risk register
- Risk treatment plan

Clause 8.3 Business continuity strategies and solutions
Control description: The organization shall determine appropriate BC strategies based on the outputs from the BIA and risk assessment.
Audit questionnaire:
- Have BC strategies been documented for all critical activities?
- Do strategies address the identified recovery time objectives?
- Have resource requirements for strategies been identified?
Evidence required:
- BC strategy document
- Strategy selection criteria
- Resource requirement documentation

Clause 8.4.1 Business continuity plans and procedures - General
Control description: The organization shall establish, implement and maintain business continuity plans and procedures.
Audit questionnaire:
- Are BC plans and procedures documented?
- Do they address roles, actions, resources, and communications?
- Are they regularly reviewed and updated?
Evidence required:
- BC plans and procedures
- Review records
- Update logs

Clause 8.4.2 Response structure
Control description: The organization shall establish a response structure with identified roles and responsibilities for incident response.
Audit questionnaire:
- Is there a documented response structure for BC incidents?
- Are roles and responsibilities clearly defined?
- Has the structure been communicated to relevant personnel?
Evidence required:
- Response structure document
- Role descriptions
- Communication records

Clause 8.4.3 Warning and communication
Control description: The organization shall establish procedures for detecting and monitoring incidents and for internal/external communications during disruptions.
Audit questionnaire:
- Are there procedures for incident detection and notification?
- Is there a communication protocol for BC incidents?
- Are contact details for key stakeholders maintained?
Evidence required:
- Incident detection procedure
- Communication protocols

Clause 8.4.4 Business continuity plans
Control description: The organization shall develop BC plans to manage disruptive events based on the strategies and provide guidance for response and recovery.
Audit questionnaire:
- Do BC plans include specific actions for response and recovery?
- Do they address roles, resources, and communications?
- Are plans accessible during disruptions?
Evidence required:
- Documented BC plans
- Plan accessibility provisions
- Response and recovery procedures

  6. Columns: Clause No. | Control Name | Control Description | Audit Questionnaire | Evidence Required

Clause 8.5 Exercise and testing
Control description: The organization shall exercise and test its BC procedures to ensure they are consistent with its BC objectives.
Audit questionnaire:
- Is there a documented program for BC exercises and tests?
- Are exercises conducted at planned intervals?
- Are exercise results documented and reviewed?
Evidence required:
- Exercise program
- Exercise scenarios
- Exercise results and recommendations

Clause 9.1 Monitoring, measurement, analysis and evaluation
Control description: The organization shall determine what needs to be monitored and measured, the methods to be used, and when evaluation shall occur.
Audit questionnaire:
- Are there procedures for monitoring BCMS performance?
- Are the monitoring methods appropriate?
- Is monitoring data analyzed and evaluated?
Evidence required:
- Monitoring procedures
- Performance data
- Analysis reports

Clause 9.2 Internal audit
Control description: The organization shall conduct internal audits at planned intervals to ensure the BCMS conforms to requirements and is effectively implemented.
Audit questionnaire:
- Is there an internal audit program for the BCMS?
- Are audits conducted by competent and impartial personnel?
- Are audit results reported to management?
Evidence required:
- Audit program
- Audit reports
- Auditor qualifications

Clause 9.3 Management review
Control description: Top management shall review the organization's BCMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.
Audit questionnaire:
- Are management reviews conducted as planned?
- Do reviews consider all required inputs?
- Are review outputs documented and acted upon?
Evidence required:
- Management review minutes (MOM)
- Review input documentation
- Action plans from reviews

Clause 10.1 Nonconformity and corrective action
Control description: The organization shall identify nonconformities, take corrective actions, and continually improve the BCMS.
Audit questionnaire:
- Is there a documented procedure for managing nonconformities?
- Are root causes analyzed?
- Are corrective actions implemented and verified?
Evidence required:
- Nonconformity records
- Root cause analyses
- Corrective action plans

Clause 10.2 Continual improvement
Control description: The organization shall continually improve the suitability, adequacy and effectiveness of the BCMS.
Audit questionnaire:
- Is there a process for identifying improvement opportunities?
- Are improvements implemented and evaluated?
- Is there evidence of BCMS performance improvement over time?
Evidence required:
- Improvement plans
- Implementation records
- Performance trend data
