ISO9001:2008 QP06 Business Continuity

Information

Audit Preparation

a. Is there a clear BCM policy?
b. Is there a designated BCM sponsor at senior level?
c. Is day to day responsibility for BCM clearly delegated to a team or an individual?
d. Is there a designated BCM budget?
e. Has a BCM representative been identified within each department?

a. Have the potential impacts that could result from business interruption been quantified (loss of reputation, revenues, customers, trading licence; incursion of penalties, fines)?
b. Is there an up to date inventory of business services and processes which identifies those which are critical?
c. Have recovery priorities and timescales been agreed for mission-critical services and processes?
d. Have the resources (systems, premises, equipment, skills, supplies) required to reinstate each critical service and process been itemised?
e. Has a risk assessment been carried out to identify potential threats to business continuity? Consider suppliers too.
f. Have risk mitigation measures been introduced to reduce or eliminate threats where possible?

a. Do arrangements exist to support the recovery of critical resources (systems, premises, equipment, skills, supplies)?
b. Do they address business interruption on site, plus off site recovery in case of exclusion from main site?
c. Do they meet the recovery time objective for the re-instatement of critical services and processes?
d. Are these arrangements formally binding and supported with contracts?
e. Has it been established how long it would take to restore critical computer and communications infrastructure?
f. Has this been successfully tested?
g. Have data recovery tests been successfully conducted?
h. Are individual recovery processes fully documented?
i. Do critical suppliers have suitable business continuity arrangements of their own?

a. Have your business continuity arrangements been documented in a Business Continuity Plan?
b. Does it contain the contact details you would need – staff (including home), suppliers, customers and stakeholders?
c. Is there a contact plan for quickly reaching all staff and key stakeholders, e.g. a contact cascade or an SMS messaging capability?
d. Does the Plan clearly specify roles and responsibilities?
e. Does it identify suitable alternative sites?
f. Does it list the actions required for Activating the plan?
g. Does it list the actions required for Assessing the incident?
h. Does it list the actions required for Escalating the response?
i. Does it list the actions required for Standing down?
j. Does it contain the details of third party agreements that would be called upon?
k. Do all those who would need to refer to a copy of the plan in the early phase have a copy at home?

a. Have all staff been made aware of your business continuity arrangements?
b. Have those who have responsibilities within the Plan, plus their deputies, received familiarisation training?
c. Is refresher training provided every year?
d. Have you undertaken a desk top exercise to help participants understand how the Plan would be used in a realistic scenario?
e. Have all key components of the plan been successfully tested?
f. Do key individuals have specialist knowledge and skills you would rely on? Have others been cross trained to provide cover?

a. Who is responsible for ensuring the Plan remains up to date?
b. Have clear procedures been developed for making sure that changes in the business are reflected in the Plan (personnel, processes, resource requirements, etc)?
c. Is a full review undertaken annually?
d. Do you include critical suppliers in this process?
e. Are updated copies of the Plan distributed on a suitably regular basis?
Assessor
Process Owner