ISO 22301:2012 Internal Audit Report

Audit Information

Address
Audit Number
Function
Region
Audit Date & Time
Lead Auditor
Support Auditor(s)
Auditor in Training
Auditee

Opening Meeting

Opening Meeting Notes

Review of previous audit findings for effectiveness

Previous Findings Review

Previous Findings
Review Details
Review Outcome

Recommendations Effectiveness Review

Recommendations raised in previous audits?
Recommendation Details
Recommendation Effectiveness Outcome
- Process Improvement - quality of service
- Process efficiency improved (reduction in cost)
- Process efficiency improved (time reduction)
- Process efficiency improved (less staff required)
- Process resilience improved
- Security controls enhanced
- Positive impact to candidates and clients
- Supplier relationship/process improved
- Other(s)
Please Specify Other(s)
Conclusion/Outcome Details:

Section 4 - Context of the organisation

Section applicable to the function being audited
Applicable Clauses
- 4.1
- 4.2.1
- 4.2.2
- 4.3.1
- 4.3.2
- 4.4

4.1 Understanding of the organisation and it's context

Requirements:
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its BCMS.

These issues shall be taken into account when establishing, implementing and maintaining the organization’s BCMS.
The organization shall identify and document the following:
a) the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident;
b) links between the business continuity policy and the organization’s objectives and other policies, including its overall risk management strategy; and
c) the organization’s risk appetite.

In establishing the context, the organization shall
1) articulate its objectives, including those concerned with business continuity,
2) define the external and internal factors that create the uncertainty that gives rise to risk,
3) set risk criteria taking into account the risk appetite, and
4) define the purpose of the BCMS.
Has the above requirements been met for 4.1
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

4.2.1 General

Requirements:
When establishing its BCMS, the organization shall determine
a) the interested parties that are relevant to the BCMS, and
b) the requirements of these interested parties (i.e. their needs and expectations whether stated, generally implied or obligatory).
Has the above requirements been met for 4.2.1
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

4.2.2 Legal and regulatory requirements

Requirements:
The organization shall establish, implement and maintain a procedure(s) to identify, have access to, and assess the applicable legal and regulatory requirements to which the organization subscribes related to the continuity of its operations, products and services, as well as the interests of relevant interested parties.

The organization shall ensure that these applicable legal, regulatory and other requirements to which the organization subscribes are taken into account in establishing, implementing and maintaining its BCMS.

The organization shall document this information and keep it up-to-date. New or variations to legal, regulatory and other requirements shall be communicated to affected employees and other interested parties.
Has the above requirements been met for 4.2.2
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

4.3.1 General

Requirements:
The organization shall determine the boundaries and applicability of the BCMS to establish its scope.
When determining this scope, the organization shall consider
— the external and internal issues referred to in 4.1, and
— the requirements referred to in 4.2.
The scope shall be available as documented information.
Has the above requirements been met for 4.3.1
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

4.3.2 Scope

Requirements:
The organization shall
a) establish the parts of the organization to be included in the BCMS,
b) establish BCMS requirements, considering the organization’s mission, goals, internal and external
obligations (including those related to interested parties), and legal and regulatory responsibilities,
c) identify products and services and all related activities within the scope of the BCMS,
d) take into account interested parties’ needs and interests, such as customers, investors, shareholders, the supply chain, public and/or community input and needs, expectations and interests (as appropriate), and
e) define the scope of the BCMS in terms of and appropriate to the size, nature and complexity of the
organization.

When defining the scope, the organization shall document and explain exclusions; any such exclusions shall not affect the organization’s ability and responsibility to provide continuity of business and operations that meet the BCMS requirements, as determined by business impact analysis or risk assessment and applicable legal or regulatory requirements.
Has the above requirements been met for 4.3.2
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

4.4 Business Continuity Management System

Requirements:
The organization shall establish, implement, maintain and continually improve a BCMS, including the processes needed and their interactions, in accordance with the requirements of this International Standard.
Has the above requirements been met for 4.4
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN
Total Number of Findings in Section 4

Section 5 - Leadership

Section applicable to the function being audited
Applicable Clauses
- 5.1
- 5.2
- 5.3
- 5.4

5.1 Leadership & Commitment

Requirements:
Persons in top management and other relevant management roles throughout the organization shall demonstrate leadership with respect to the BCMS.

EXAMPLE This leadership and commitment can be shown by motivating and empowering persons to contribute to the effectiveness of the BCMS.
Has the above requirements been met for 5.1
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

5.2 Management Commitment

Requirements:
Top management shall demonstrate leadership and commitment with respect to the BCMS by
— ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization,
— ensuring the integration of the business continuity management system requirements into the organization’s business processes,
— ensuring that the resources needed for the business continuity management system are available,
— communicating the importance of effective business continuity management and conforming to the BCMS requirements,
— ensuring that the BCMS achieves its intended outcome(s),
— directing and supporting persons to contribute to the effectiveness of the BCMS,
— promoting continual improvement, and
— supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility.
Has the above requirements been met for 5.2
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

5.3 Policy

Requirements:
Top management shall establish a business continuity policy that
a) is appropriate to the purpose of the organization,
b) provides a framework for setting business continuity objectives,
c) includes a commitment to satisfy applicable requirements,
d) includes a commitment to continual improvement of the BCMS.
The BCMS policy shall
— be available as documented information,
— be communicated within the organization,
— be available to interested parties, as appropriate,
— be reviewed for continuing suitability at defined intervals and when significant changes occur
The organization shall retain documented information on the business continuity policy.
Has the above requirements been met for 5.3
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

5.4. Organisational roles, responsibilities and authorities

Requirements:
Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization.
Top management shall assign the responsibility and authority for
a) ensuring that the management system conforms to the requirements of this International Standard, and
b) reporting on the performance of the BCMS to top management.
Has the above requirements been met for 5.4
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN
Total Number of Findings in Section 5

Section 6 - Planning

Section applicable to the function being audited
Applicable Clauses
- 6.1
- 6.2

6.1 Actions to address risk and opportunities

Requirements:
When planning for the BCMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to
— ensure the management system can achieve its intended outcome(s),
— prevent, or reduce, undesired effects,
— achieve continual improvement.
The organization shall plan
a) actions to address these risks and opportunities,
b) how to
1) integrate and implement the actions into its BCMS processes (see 8.1),
2) evaluate the effectiveness of these actions (see 9.1).
Has the above requirements been met for 6.1
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

6.2 Business continuity objectives and plans to achieve them

Requirements:
Top management shall ensure that business continuity objectives are established and communicated for relevant functions and levels within the organization.
The business continuity objectives shall
a) be consistent with the business continuity policy,
b) take account of the minimum level of products and services that is acceptable to the organization to
achieve its objectives,
c) be measurable,
d) take into account applicable requirements, and
e) be monitored and updated as appropriate.

The organization shall retain documented information on the business continuity objectives.

To achieve its business continuity objectives, the organization shall determine
— who will be responsible,
— what will be done,
— what resources will be required,
— when it will be completed, and
— how the results will be evaluated.
Has the above requirements been met for 6.2
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN
Total Number of Findings in Section 6

Section 7 - Support

Section applicable to the function being audited
Applicable Clauses
- 7.1
- 7.2
- 7.3
- 7.4
- 7.5.1
- 7.5.2
- 7.5.3

7.1 Resources

Requirements:
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the BCMS.
Has the above requirements been met for 7.1
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

7.2 Competence

Requirements:
The organization shall
a) determine the necessary competence of person(s) doing work under its control that affects its performance,
b) ensure that these persons are competent on the basis of appropriate education, training, and experience,
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken, and
d) retain appropriate documented information as evidence of competence.

NOTE Applicable actions can include, for example: the provision of training to, the mentoring of, or the reassignment of current employed persons; or the hiring or contracting of competent persons.
Has the above requirements been met for 7.2
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

7.3 Awareness

Requirements:
Persons doing work under the organization’s control shall be aware of
a) the business continuity policy,
b) their contribution to the effectiveness of the BCMS, including the benefits of improved business continuity management performance,
c) the implications of not conforming with the BCMS requirements, and
d) their own role during disruptive incidents.
Has the above requirements been met for 7.3
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

7.4 Communication

Requirements:
The organization shall determine the need for internal and external communications relevant to the BCMS including
a) on what it will communicate,
b) when to communicate,
c) with whom to communicate.
The organization shall establish, implement, and maintain procedure(s) for
— internal communication amongst interested parties and employees within the organization,
— external communication with customers, partner entities, local community, and other interested parties, including the media,
— receiving, documenting, and responding to communication from interested parties,
— adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate,
— ensuring availability of the means of communication during a disruptive incident,
— facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and
— operating and testing of communications capabilities intended for use during disruption of normal
communications.

NOTE Further requirements for communication in response to an incident are specified in 8.4.3.
Has the above requirements been met for 7.4
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

7.5.1 General

Requirements:
The organization’s BCMS shall include
— documented information required by this International Standard, and
— documented information determined by the organization as being necessary for the effectiveness of the BCMS.

NOTE The extent of documented information for a BCMS can differ from one organization to another due to
— the size of organization and its type of activities, processes, products and services,
— the complexity of processes and their interactions, and
— the competence of persons.
Has the above requirements been met for 7.5.1
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

7.5.2 Creating and updating

Requirements:
When creating and updating documented information, the organization shall ensure appropriate
a) identification and description (e.g. a title, date, author or reference number),
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic), and review and approval for suitability and adequacy.
Has the above requirements been met for 7.5.2
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

7.5.3 Control of documented information

Requirements:
Documented information required by the BCMS and by this International Standard shall be controlled to ensure
a) it is available and suitable for use, where and when it is needed,
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
For the control of documented information, the organization shall address the following activities, as applicable
— distribution, access, retrieval and use,
— storage and preservation, including preservation of legibility,
— control of changes (e.g. version control),
— retention and disposition,
— retrieval and use,
— preservation of legibility (i.e. clear enough to read), and
— prevention of the unintended use of obsolete information.

Documented information of external origin determined by the organization to be necessary for the planning and operation of the BCMS shall be identified, as appropriate, and controlled.

When establishing control of documented information, the organization shall ensure that there is adequate protection for the documented information (e.g. protection against compromise, unauthorized modification or deletion).

NOTE Access implies a decision regarding the permission to view the documented information, or the permission
and authority to view and change the documented information, etc.
Has the above requirements been met for 7.5.3
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN
Total Number of Findings in Section 7

Section 8 - Operation

Section applicable to the function being audited
Applicable Clauses
- 8.1
- 8.2.1
- 8.2.2
- 8.2.3
- 8.3.1
- 8.3.2
- 8.3.3
- 8.4.1
- 8.4.2
- 8.4.3
- 8.4.4
- 8.4.5
- 8.5

8.1 Operational planning and control

Requirements:
The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by
a) establishing criteria for the processes,
b) implementing control of the processes in accordance with the criteria, and
c) keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes are controlled.
Has the above requirements been met for 8.1
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

8.2.1 General

Requirements:
The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that
a) establishes the context of the assessment, defines criteria and evaluates the potential impact of a
disruptive incident,
b) takes into account legal and other requirements to which the organization subscribes,
c) includes systematic analysis, prioritization of risk treatments, and their related costs,
d) defines the required output from the business impact analysis and risk assessment, and
e) specifies the requirements for this information to be kept up-to-date and confidential.

NOTE There are various methodologies for business impact analysis and risk assessment which will determine the order in which these will be conducted.
Has the above requirements been met for 8.2.1
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

8.2.2 Business Impact Analysis

Requirements:
The organization shall establish, implement, and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets. This process shall include assessing the impacts of disrupting activities that support the organization’s products and services.

The business impact analysis shall include the following:
a) identifying activities that support the provision of products and services;
b) assessing the impacts over time of not performing these activities;
c) setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and
d) identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties.
Has the above requirements been met for 8.2.2
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

8.2.3 Risk assessments

Requirements:
The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization.

NOTE This process could be made in accordance with ISO 31000.
The organization shall
a) identify risks of disruption to the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them,
b) systematically analyse risk,
c) evaluate which disruption related risks require treatment, and
d) identify treatments commensurate with business continuity objectives and in accordance with the
organization’s risk appetite.

NOTE The organization must be aware that certain financial or governmental obligations require the communication of these risks at varying levels of detail. In addition, certain societal needs can also warrant sharing of this information at an appropriate level of detail.
Has the above requirements been met for 8.2.3
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

8.3.1 Determination & Selection

Requirements:
Determination and selection of strategy shall be based on the outputs from the business impact analysis and risk assessment.
The organization shall determine an appropriate business continuity strategy for
a) protecting prioritized activities,
b) stabilizing, continuing, resuming and recovering prioritized activities and their dependencies and supporting resources, and
c) mitigating, responding to and managing impacts.

The determination of strategy shall include approving prioritized time frames for the resumption of activities.

The organization shall conduct evaluations of the business continuity capabilities of suppliers.
Has the above requirements been met for 8.3.1
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

8.3.2 Establishing resource requirements

Requirements:
The organization shall determine the resource requirements to implement the selected strategies. The types of resources considered shall include but not be limited to
a) people,
b) information and data,
c) buildings, work environment and associated utilities,
d) facilities, equipment and consumables,
e) information and communication technology (ICT) systems,
f) transportation,
g) finance, and
h) partners and suppliers.
Has the above requirements been met for 8.3.2
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

8.3.3 Protection and mitigation

Requirements:
For identified risks requiring treatment, the organization shall consider proactive measures that
a) reduce the likelihood of disruption,
b) shorten the period of disruption, and
c) limit the impact of disruption on the organization’s key products and services.
The organization shall choose and implement appropriate risk treatments in accordance with its risk appetite.
Has the above requirements been met for 8.3.3
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

8.4.1

Requirements:
The organization shall establish, implement, and maintain business continuity procedures to manage a disruptive incident and continue its activities based on recovery objectives identified in the business impact analysis.
The organization shall document procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive incident.

The procedures shall
a) establish an appropriate internal and external communications protocol,
b) be specific regarding the immediate steps that are to be taken during a disruption,
c) be flexible to respond to unanticipated threats and changing internal and external conditions,
d) focus on the impact of events that could potentially disrupt operations,
e) be developed based on stated assumptions and an analysis of interdependencies, and
f) be effective in minimizing consequences through implementation of appropriate mitigation strategies.
Has the above requirements been met for 8.4.1
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

8.4.2 Incident reporting structure

Requirements:
The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority and competence to manage an incident.

The response structure shall
a) identify impact thresholds that justify initiation of formal response,
b) assess the nature and extent of a disruptive incident and its potential impact,
c) activate an appropriate business continuity response,
d) have processes, and procedures for the activation, operation, coordination, and communication of the response,
e) have resources available to support the processes and procedures to manage a disruptive incident in order to minimize impact, and
f) communicate with interested parties and authorities, as well as the media.

The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate.
Has the above requirements been met for 8.4.2
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

8.4.3 Warning and communication

Requirements:
The organization shall establish, implement and maintain procedures for
a) detecting an incident,
b) regular monitoring of an incident,
c) internal communication within the organization and receiving, documenting and responding to
communication from interested parties,
d) receiving, documenting and responding to any national or regional risk advisory system or equivalent,
e) assuring availability of the means of communication during a disruptive incident,
f) facilitating structured communication with emergency responders,
g) recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable:
— alerting interested parties potentially impacted by an actual or impending disruptive incident;
— assuring the interoperability of multiple responding organizations and personnel;
— operation of a communications facility.
The communication and warning procedures shall be regularly exercised.
Has the above requirements been met for 8.4.3
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

8.4.4 Business continuity plans

Requirements:
The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them.

The business continuity plans shall collectively contain
a) defined roles and responsibilities for people and teams having authority during and following an incident,
b) a process for activating the response,
c) details to manage the immediate consequences of a disruptive incident giving due regard to
1) the welfare of individuals,
2) strategic, tactical and operational options for responding to the disruption, and
3) prevention of further loss or unavailability of prioritized activities;
d) details on how and under what circumstances the organization will communicate with employees and their relatives, key interested parties and emergency contacts,
e) how the organization will continue or recover its prioritized activities within predetermined timeframes,
f) details of the organization’s media response following an incident, including
1) a communications strategy,
2) preferred interface with the media,
3) guideline or template for drafting a statement for the media, and
4) appropriate spokespeople;
g) a process for standing down once the incident is over.

Each plan shall define
— purpose and scope,
— objectives,
— activation criteria and procedures,
— implementation procedures,
— roles, responsibilities, and authorities,
— communication requirements and procedures,
— internal and external interdependencies and interactions,
— resource requirements, and
— information flow and documentation processes.
Has the above requirements been met for 8.4.4
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

8.4.5 Recovery

Requirements:
The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident.
Has the above requirements been met for 8.4.5
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

8.5 Exercising and testing

Requirements:
The organization shall exercise and test its business continuity procedures to ensure that they are consistent with its business continuity objectives.
The organization shall conduct exercises and tests that
a) are consistent with the scope and objectives of the BCMS,
b) are based on appropriate scenarios that are well planned with clearly defined aims and objectives,
c) taken together over time validate the whole of its business continuity arrangements, involving relevant interested parties,
d) minimize the risk of disruption of operations,
e) produce formalized post-exercise reports that contain outcomes, recommendations and actions to
implement improvements,
f) are reviewed within the context of promoting continual improvement, and
g) are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates.
Has the above requirements been met for 8.5
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN
Total Number of Findings in Section 8

Section 9 - Performance Evaluation

Section applicable to the function being audited
Applicable Clauses
- 9.1.1
- 9.1.2
- 9.2
- 9.3

9.1.1 General

Requirements:
The organization shall determine
a) what needs to be monitored and measured,
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results,
c) when the monitoring and measuring shall be performed, and
d) when the results from monitoring and measurement shall be analysed and evaluated.

The organization shall retain appropriate documented information as evidence of the results.

The organization shall evaluate the BCMS performance and the effectiveness of the BCMS.

Additionally, the organization shall
— take action when necessary to address adverse trends or results before a nonconformity occurs, and
— retain relevant documented information as evidence of the results.

The procedures for monitoring performance shall provide for
— the setting of performance metrics appropriate to the needs of the organization,
— monitoring the extent to which the organization’s business continuity policy, objectives and targets are met,
— performance of the processes, procedures and functions that protect its prioritized activities,
— monitoring compliance with this International Standard and the business continuity objectives,
— monitoring historical evidence of deficient BCMS’ performance, and
— recording data and results of monitoring and measurement to facilitate subsequent corrective actions.

NOTE Deficient performance could include non-conformity, near misses, false alarms, and actual incidents.
Has the above requirements been met for 9.1.1
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

9.1.2 Evaluation of business continuity procedures

Requirements:
a) The organization shall conduct evaluations of its business continuity procedures and capabilities in order to ensure their continuing suitability, adequacy and effectiveness;
b) These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner;
c) The organization shall periodically evaluate compliance with applicable legal and regulatory requirements, industry best practices, and conformance with its own business continuity policy and objectives; and
d) The organization shall conduct evaluations at planned intervals and when significant changes occur.

When a disruptive incident occurs and results in the activation of its business continuity procedures, the organization shall undertake a post-incident review and record the results.
Has the above requirements been met for 9.1.2
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

9.2 Internal audits

Requirements:
The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system
a) conforms to
1) the organization’s own requirements for its BCMS,
2) the requirements of this International Standard, and
b) is effectively implemented and maintained.

The organization shall
— plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits,
— define the audit criteria and scope for each audit,
— select auditors and conduct audits to ensure objectivity and the impartiality of the audit process,
— ensure that the results of the audits are reported to relevant management, and
— retain documented information as evidence of the implementation of the audit programme and the audit results.
The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results.

The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes.

Follow-up activities shall include the verification of the actions taken and the reporting of verification results.
Has the above requirements been met for 9.2
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

9.3 Management Reviews

Requirements:
Top management shall review the organization’s BCMS, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of
a) the status of actions from previous management reviews,
b) changes in external and internal issues that are relevant to the business continuity management system,
c) information on the business continuity performance, including trends in
1) nonconformities and corrective actions,
2) monitoring and measurement evaluation results, and
3) audit results,
d) opportunities for continual improvement.

Management reviews shall consider the performance of the organization, including
— follow-up actions from previous management reviews,
— the need for changes to the BCMS, including the policy and objectives,
— opportunities for improvement,
— results of BCMS audits and reviews, including those of key suppliers and partners where appropriate,
— techniques, products or procedures, which could be used in the organization to improve the BCMS’
performance and effectiveness,
— status of corrective actions,
— results of exercising and testing,
— risks or issues not adequately addressed in any previous risk assessment,
— any changes that could affect the BCMS, whether internal or external to the scope of the BCMS,
— adequacy of policy,
— recommendations for improvement,
— lessons learned and actions arising from disruptive incidents, and
— emerging good practice and guidance.
The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following:
a) variations to the scope of the BCMS;
b) improvement of the effectiveness of the BCMS;
c) update of the risk assessment, business impact analysis, business continuity plans and related procedures;
d) modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to
1) business and operational requirements,
2) risk reduction and security requirements,
3) operational conditions and processes,
4) legal and regulatory requirements,
5) contractual obligations,
6) levels of risk and/or criteria for accepting risks,
7) resource needs,
8) funding and budget requirements; and
e) how the effectiveness of controls are measured.

The organization shall retain documented information as evidence of the results of management reviews.

The organization shall
— communicate the results of management review to relevant interested parties, and
— take appropriate action relating to those results.
Has the above requirements been met for 9.3
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN
Total Number of Findings in Section 9

Section 10 - Improvement

Section applicable to the function being audited
Applicable Clauses
- 10.1
- 10.2

10.1 Nonconformity and corrective action

Requirements:
When nonconformity occurs, the organization shall
a) identify the nonconformity,
b) react to the nonconformity, and, as applicable,
1) take action to control and correct it, and
2) deal with the consequences.
c) evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by
1) reviewing the nonconformity,
2) determining the causes of the nonconformity, and
3) determining if similar nonconformities exist, or could potentially occur,
4) evaluating the need for corrective action to ensure that nonconformities do not recur or occur elsewhere,
5) determining and implementing corrective action needed, 6) reviewing the effectiveness of any corrective action taken and 7) making changes to the BCMS, if necessary. d) implement any action needed,
e) review the effectiveness of any corrective action taken,
f) make changes to the business continuity management system, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.

The organization shall retain documented information as evidence of
— the nature of the nonconformities and any subsequent actions taken, and
— the results of any corrective action.
Has the above requirements been met for 10.1
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN

10.2 Continual Improvement

Requirement:
The organization shall continually improve the suitability, adequacy or effectiveness of the BCMS.

NOTE The organization can use the processes of the BCMS such as leadership, planning and performance evaluation, to achieve improvement.
Has the above requirements been met for 10.2
Auditor Notes
Compliance Level
Finding Type
- Non-Conformance RED
- Non-Conformance AMBER
- Observation RED
- Observation AMBER
- Observation GREEN
- Feedback GREEN
Total Number of Findings in Section 10

Closing Meeting

Closing Meeting Notes
Positives
Overall Audit Summary
Findings Raised
Non-Conformance RED
- 0
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
Non-Conformance AMBER
- 0
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
Observation RED
- 0
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
Observation AMBER
- 0
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
Observation GREEN
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 0
Feedback GREEN
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 0

Audit Signoff

Sign off Audit Team
- Lead Auditor
- Support Auditor
- Auditor in Training
- Functional Owner
- Auditee
Lead Auditor
Support Auditor
Auditor in Training
Functional Owner
Auditee Team
Add signature