ISO 22301 2012 Business Continuity Audit Tool

ISO 22301 2012 is a generic business continuity management standard.
Use it to ensure that operations continue and that products and services
are delivered at predefined levels, that brands and value-creating activities
are protected, and that the reputations and interests of key stakeholders
are safeguarded whenever major disruptive incidents occur.

ISO 22301 2012 can be used by any organization to certify its business continuity
management system (BCMS).
If you want to be certified, you can use our audit tool
to pinpoint the gaps that exist between ISO's business continuity management
standard and your organization's practices and processes. Once you've filled all
the gaps, you'll comply with the standard and you'll be ready for certification.

However, you don’t have to become certified. You can be in compliance without
being formally registered by an accredited certification body. You can also use
our audit tool to self-audit your business continuity management system (BCMS).
You can then announce to the world that your system complies with the standard.

ISO's business continuity management requirements are listed in sections 4 to 10.
Our audit tool is numbered in the same way and covers the same seven sections.
It will help you to ensure that you comply with the standard and it will help you to:

 4.  Audit and improve your business continuity context review process.

 5.  Audit and improve your business continuity leadership process.

 6.  Audit and improve your business continuity planning process.

 7.  Audit and improve your business continuity support process.

 8.  Audit and improve your business continuity operational process.

 9.  Audit and improve your business continuity evaluation process.

10. Audit and improve your business continuity improvement process.


This page will introduce our audit tool. It will show you how it is organized
and it will explain how it works. Once you've examined our approach, we hope
you'll consider purchasing our complete ISO 22301 Business Continuity Audit Tool.

ISO 22301 BUSINESS CONTINUITY AUDIT TOOL

TABLE OF CONTENTS (TITLE 41)

Part  Title                                                       Page

OVERVIEW AND SUMMARY OF AUDIT
  1   Overview of Our Business Continuity Audit Tool                 3
  2   Profile of Your Business Continuity Audit Project              9
  3   Summary of Your Business Continuity Audit Results             10

BUSINESS CONTINUITY AUDIT QUESTIONNAIRES
  4   Audit Your Business Continuity Context Review Process         11
  5   Audit Your Business Continuity Leadership Process             18
  6   Audit Your Business Continuity Planning Process               23
  7   Audit Your Business Continuity Support Process                26
  8   Audit Your Business Continuity Operational Process
  9   Audit Your Business Continuity Evaluation Process             55
 10   Audit Your Business Continuity Improvement Process            66

BUSINESS CONTINUITY IMPROVEMENT PLANS
 11   Improve Your Business Continuity Context Review Process       68
 12   Improve Your Business Continuity Leadership Process           69
 13   Improve Your Business Continuity Planning Process             70
 14   Improve Your Business Continuity Support Process              71
 15   Improve Your Business Continuity Operational Process          72
 16   Improve Your Business Continuity Evaluation Process           73
 17   Improve Your Business Continuity Improvement Process          74

APPENDICES
 18   Plain English Business Continuity Terms and Definitions       75
 19   License Agreement and Contact Information                     86

JUL 2013    COPYRIGHT © 2013 BY PRAXIOM RESEARCH GROUP LIMITED    VER 2.0


AUDIT PROFILE

Before you start your audit, you will be asked to fill out the form entitled Profile
of Your Business Continuity Management Audit Project (see Part 2). First record the
name of the organization being audited, its address, the areas being audited, the
address of the audit, and a brief description of the actual scope or focus of the
audit. Also use the form to record the names of your auditors and the audit start
date. Once you’ve completed the audit, use the same form to record when the audit
was finished, who reviewed the audit and when, and any review comments.


AUDIT QUESTIONS

ISO 22301 is made up of seven sets of business continuity requirements. We've
taken each one of these requirements and turned it into a question. As a result,
our audit tool contains seven sets of questions (sections 4 to 10).

Our audit questionnaire starts with section 4 because the ISO 22301 requirements
start in section 4. We've preserved this numbering system in order to make it easy
to cross-reference the original ISO 22301 standard with our material. However,
at the detailed level we have added a numbering system that you won’t find in the
original standard. We have sequentially numbered all questions within each of the
seven parts (4 to 10) that make up the core of the standard. We have done this in
order to make it easier for you to work with our questionnaires.

In addition, we have used paragraph indents to distinguish between general
questions and specific questions. This approach makes it easy to see how our
questionnaires are structured. In most cases, a general question is immediately
followed by several specific questions which usually help clarify what the general
question means. If you’re not sure about what a general question is asking, just
keep reading. In most cases, the more detailed questions will clarify what the
general questions are trying to ask. But, if you’re still not sure what a question
means, perhaps our Plain English Business Continuity Terms and Definitions
section will help (see Part 18).


AUDIT METHOD

For each question, two answers are possible: YES and NO. A YES answer
means you’re in compliance with the standard while a NO answer means you’re
not in compliance. NO answers reveal gaps that exist between the ISO 22301
standard and your organization's practices and processes.

Please answer each question by selecting one of these two answers found in the
cells to the right of each question. To the right of your answers you will also find a
column that you can use to record any comments or observations you might have.

Once you’ve completed our seven sets of questionnaires, please study each of
your NO answers and use the associated questions to formulate remedial actions.
Use the forms at the end of this audit process to record your remedial actions and
to create your unique business continuity improvement plans (see Parts 11 to 17,
below). Once you've done this for all gaps, you will have seven plans which, taken
together, will make up your business continuity management improvement plan.

And once all plans have been implemented and all remedial actions have been
taken, you will have improved the overall effectiveness of your organization's
business continuity management practices and processes, and you will comply
with the standard.

In most cases, remedial actions can be formulated by simply turning an audit
question into an action statement. For example, a question might ask: “Do you
use your records to support continuous improvement?”. If you answered NO, you
would create a remedial action statement by simply writing: “Use records to support
continuous improvement”. Or, if you wish to use our questions to set objectives,
simply write the following: “To use records to support continuous improvement”.

You can also summarize your business continuity audit quantitatively if you wish
(see Part 3). The idea here is to measure how compliant your business continuity
practices and processes actually are. And if you carry out regular audits, you can
also use our approach to measure whether or not your practices and processes
are improving over time.

We suggest that you read every page of this audit tool before you start answering
questions. This will broaden your perspective and give you a better feel for what
you need to do. It will also introduce the ISO 22301 standard and clarify how
it is organized.

The following example will show you what our ISO 22301 Business Continuity
Audit Tool looks like.

SAMPLE AUDIT QUESTIONS

ISO 22301 BUSINESS CONTINUITY AUDIT TOOL

8. AUDIT YOUR BUSINESS CONTINUITY OPERATIONAL PROCESS

No.  Question (indented questions are specific to the general question above them)   Answer    Comments

8.1 CARRY OUT PROCESS PLANNING AND ESTABLISH YOUR CONTROLS

 1.  Did you plan the development of your BCMS processes?  YES  NO
 2.    Did you establish criteria that processes must meet?  YES  NO
 3.      Did you use your criteria to establish process controls?  YES  NO
 4.        Do you control your internal BCMS processes?  YES  NO
 5.        Do you control your outsourced BCMS processes?  YES  NO
 6.  Did you develop your organization's BCMS processes?  YES  NO
 7.    Did you develop the business continuity processes that your organization needs in order to meet BCMS requirements?  YES  NO
 8.    Did you develop the business continuity processes that your organization needs in order to address risks and opportunities?  YES  NO
 9.      Do you review the actions needed to address your risks and opportunities (specified in part 6.1, above)?  YES  NO
10.        Do you make these actions part of your business continuity processes (do you integrate them)?  YES  NO
11.        Do you build your actions into your processes?  YES  NO
12.  Did you implement your organization's BCMS processes?  YES  NO
13.    Did you implement the business continuity processes that your organization needs in order to meet BCMS requirements?  YES  NO
14.    Did you implement the business continuity processes that your organization needs in order to address risks and opportunities?  YES  NO
15.  Do you control your organization's BCMS processes?  YES  NO
16.    Do you control process changes and modifications?  YES  NO
17.      Do you review uncontrolled process modifications?  YES  NO
18.        Do you review unintended effects and consequences?  YES  NO
19.        Do you mitigate adverse effects and consequences?  YES  NO
20.  Do you maintain your organization's BCMS processes?  YES  NO
21.    Do you retain records that demonstrate that your processes were carried out as planned?  YES  NO
22.    Do you control records that demonstrate that your processes were carried out as planned?  YES  NO

8.2 STUDY DISRUPTIONS AND RISKS AND SET YOUR PRIORITIES

8.2.1 ESTABLISH A PROCESS TO ANALYZE IMPACTS AND ASSESS RISKS

23.  Did you establish a formal process that your organization can use to analyze its business impacts and assess its risks?  YES  NO
24.  Did you document your organization's business impact analysis and risk assessment process?  YES  NO
25.  Did you implement your organization's business impact analysis and risk assessment process?  YES  NO
26.    Do you clarify the context of your assessments?  YES  NO
27.    Do you consider your legal and other requirements?  YES  NO
28.    Did you establish your organization's risk criteria?  YES  NO
29.    Did you define the outputs that should be produced?  YES  NO
30.      Did you define required impact analysis outputs?  YES  NO
31.      Did you define required risk assessments outputs?  YES  NO
32.    Do you evaluate disruptive incidents and study the potential impact they could have?  YES  NO
33.    Do you prioritize risk treatments and do you establish the cost of each treatment?  YES  NO
34.  Do you maintain the process that your organization uses to analyze its business impacts and assess its risks?  YES  NO
35.    Are your process outputs kept up-to-date?  YES  NO
36.    Do you protect the confidentiality of process outputs?  YES  NO

8.2.2 EVALUATE AND SET BUSINESS CONTINUITY AND RECOVERY PRIORITIES

37.  Did you establish a formal process that your organization can use to evaluate and set business continuity and recovery priorities, objectives, and targets?  YES  NO
38.    Did you document your priority setting process?  YES  NO
39.    Did you implement your priority setting process?  YES  NO
40.      Do you assess the impact that disruptive incidents could have on your products and services?  YES  NO
41.      Do you identify the activities that support the provision of products and services?  YES  NO
42.        Do you consider what would happen if these supportive activities aren't performed?  YES  NO
43.        Do you assess the impact this could have?  YES  NO
44.      Do you set business continuity and recovery priorities, objectives, and targets?  YES  NO
45.      Do you identify the organizations that support your business activities and the resources that you depend on to provide products and services?  YES  NO
46.        Do you identify essential suppliers, outsourced partners, and other interested parties?  YES  NO
47.      Do you set continuity and recovery timeframes that specify when activities must be resumed?  YES  NO
48.        Do you consider how much time you have before business disruption becomes unacceptable?  YES  NO
49.        Do you prioritize continuity and recovery timeframes?  YES  NO
50.        Do you specify minimum acceptable security levels?  YES  NO
51.    Do you maintain your priority setting process?  YES  NO

8.2.3 ASSESS YOUR RISKS AND IDENTIFY YOUR RISK TREATMENT OPTIONS

52.  Did you establish a formal risk assessment process?  YES  NO
53.    Did you document your risk assessment process?  YES  NO
54.    Did you implement your risk assessment process?  YES  NO
55.      Do you identify your business interruption risks?  YES  NO
56.        Do you identify potential incidents that could possibly disrupt, damage, or destroy your organization's prioritized activities?  YES  NO
57.          Do you consider the processes that support these activities and do you imagine how they could be disrupted, damaged, or destroyed?  YES  NO
58.          Do you consider the systems that support these activities and do you imagine how they could be disrupted, damaged, or destroyed?  YES  NO
59.          Do you consider the information that supports these activities and do you imagine how it could be disrupted, damaged, or destroyed?  YES  NO
60.          Do you consider the people that support these activities and do you imagine how they could be disrupted, damaged, or destroyed?  YES  NO
61.          Do you consider the assets that support these activities and do you imagine how they could be disrupted, damaged, or destroyed?  YES  NO
62.          Do you consider the outsourced partners that support these activities and do you imagine how they could be disrupted, damaged, or destroyed?  YES  NO
63.          Do you consider the other resources that support these activities and do you imagine how they could be disrupted, damaged, or destroyed?  YES  NO
64.      Do you analyze your business interruption risks?  YES  NO
65.      Do you evaluate your business interruption risks?  YES  NO
66.        Do you identify the risks that require treatment?  YES  NO
67.      Do you communicate business interruption risks?  YES  NO
68.        Do you contact government agencies and report your business interruption risks whenever legally or administratively obligated to do so?  YES  NO
69.        Do you report your business interruption risks whenever financial obligations or legal contracts make this necessary?  YES  NO
70.        Do you share information about your business interruption risks with society in general whenever necessary or appropriate?  YES  NO
71.    Do you maintain your risk assessment process?  YES  NO
72.  Do you identify your risk treatment options?  YES  NO
73.    Do you identify risk treatments that are commensurate with your organization's business continuity objectives?  YES  NO
74.    Do you identify risk treatments that are consistent with your organization's overall risk appetite?  YES  NO
75.  Etcetera ...  YES  NO


Attention

Now that you know what our tool looks like, please consider purchasing
Title 41: ISO 22301 Business Continuity Audit Tool.

If you purchase our ISO 22301 Business Continuity Audit Tool, you'll find that
it's integrated, detailed, exhaustive, and easy to understand. You'll find that
we've worked hard to create a high quality product. In fact, we guarantee the
quality of our business continuity audit tool. Title 41 is 87 pages long and
comes in pdf and MS doc file formats.




Praxiom Research Group Limited    help@praxiom.com    780-461-4514

Updated on May 18, 2016. First published on July 4, 2013.


Copyright © 2013 - 2016 by Praxiom Research Group Limited. All Rights Reserved.
