The 2019 version of the ISO 22301 standard was recently published. The revisions bring the standard more in line with the newer ISO standards, including 31000, 27001, 9001 and all others that use the modern “management system” format. As such, it prescribes various “mandatory documents” and records that are required to demonstrate compliance (and to achieve certification).
ISO 22301 Mandatory documents
The following is a list of mandatory documentation for the Business Continuity Management System – BCMS:
* List of legal, regulatory and other requirements (clause 4.2.2) – lists everything you need to comply with.
* Scope of the BCMS and explanation of exclusions (clause 4.3) – defines where your BCMS will be implemented.
* Business continuity policy (clause 5.2) – defines main responsibilities, and the intent of the management.
* Business continuity objectives (clause 6.2) – defines measurable objectives that are to be achieved with business continuity.
* Competencies of personnel (clause 7.2) – defines knowledge and skills needed.
* Business continuity plans and procedures (clause 8.4) – includes plans and procedures for response, communication, recovery (including disaster recovery plans), restore and return activities.
* Documented communication with interested parties (clause under 8.4; the sub-clause number is garbled in the source) – these could be emails, but also official communication from sources such as government agencies and others.
* Records of important information about the disruption, actions taken and decisions made (clause under 8.4; the sub-clause number is garbled in the source) – normally these records are kept as minutes or by filling out checklists of performed activities.
* Data and results of monitoring and measurement (clause 9.1.1) – this is the evaluation on whether your BCMS met the objectives.
* Internal audit program (clause 9.2)
* Results of internal audit (clause 9.2) – normally, this is the Internal audit report.
* Results of management review (clause 9.3) – usually, this is in the form of minutes or perhaps documented decisions.
* Nature of nonconformities and actions taken (clause 10.1) – this is a description of nonconformities, and their cause.
* Results of corrective actions (clause 10.1) – this is a description of what has been done to eliminate the cause of a nonconformity.
Non-mandatory BCMS documents and records that are a good idea
However, better-practice organisations also produce, implement and maintain the following documents and records, even though they are not strictly required by the standard:
* Procedure for identification of applicable legal and regulatory requirements (clause 4.2.2)
* Implementation plan for achieving the business continuity objectives (clause 6.2)
* Training and awareness plan (clauses 7.2 and 7.3)
* Procedure for control of documented information (clause 7.5)
* Contracts and service level agreements (SLAs) with suppliers and outsourcing partners (clause 8.1)
* Process for business impact analysis and risk assessment (clause 8.2.1)
* Results of business impact analysis (clause 8.2.2)
* Results of risk assessment (clause 8.2.3)
* Business continuity strategy (clause 8.3)
* Strategies and solutions for business continuity (clause 8.3.3)
* Incident scenarios (clause 8.5)
* Exercise and testing plans (clause 8.5)
* Post-exercise reports (clause 8.5)
* Results of post-incident review (clause 8.6)
* Methods for monitoring, measurement, analysis and evaluation (clause 9.1.1)
* Procedure for internal audit (clause 9.2)
* Procedure for corrective action (clause 10.1)
Even though the standard itself may not prescribe and mandate these documents, your organisation’s regulatory, policy or other compliance obligations might.
Also remember that the above documents and records needn’t be separate artefacts. If it makes sense for your organisation to combine several of the above items into one or more documents, then do so.