ISO 22301:2012 Assessment Checklist - QESP

Transcription

ISO 22301:2012 Assessment Checklist
Type:
Assessors:

Columns used on every page of the checklist: Clause; Requirement; Date(s); Evidence Sighted (identify documents or records, e.g. show title, date, author or reference number); Documented information required; Compliance. The Date(s), Evidence Sighted and Compliance columns are the assessor's entries and are blank in this transcription.

4 Context of the organization

4.1 Understanding the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its BCMS. These issues shall be taken into account when establishing, implementing and maintaining the organization’s BCMS.

The organization shall identify and document the following:
a) the organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to a disruptive incident;
b) links between the business continuity policy and the organization’s objectives and other policies, including its overall risk management strategy; and
c) the organization’s risk appetite.

In establishing the context, the organization shall
1) articulate its objectives, including those concerned with business continuity,
2) define the external and internal factors that create the uncertainty that gives rise to risk,
3) set risk criteria taking into account the risk appetite, and
4) define the purpose of the BCMS.

Documented information required.

4.2 Understanding the needs and expectations of interested parties

4.2.1 General

When establishing its BCMS, the organization shall determine
a) the interested parties that are relevant to the BCMS, and
b) the requirements of these interested parties (i.e. their needs and expectations whether stated, generally implied or obligatory).

4.2.2 Legal and regulatory requirements

The organization shall establish, implement and maintain a procedure(s) to identify, have access to, and assess the applicable legal and regulatory requirements to which the organization subscribes related to the continuity of its operations, products and services, as well as the interests of relevant interested parties.

The organization shall ensure that these applicable legal, regulatory and other requirements to which the organization subscribes are taken into account in establishing, implementing and maintaining its BCMS.

The organization shall document this information and keep it up-to-date. New or variations to legal, regulatory and other requirements shall be communicated to affected employees and other interested parties.

Documented information required.

4.3 Determining the scope of the business continuity management system

4.3.1 General

The organization shall determine the boundaries and applicability of the BCMS to establish its scope.

When determining this scope, the organization shall consider
— the external and internal issues referred to in 4.1, and
— the requirements referred to in 4.2.

The scope shall be available as documented information.

Documented information required.

4.3.2 Scope of the BCMS

The organization shall
a) establish the parts of the organization to be included in the BCMS,
b) establish BCMS requirements, considering the organization’s mission, goals, internal and external obligations (including those related to interested parties), and legal and regulatory responsibilities,
c) identify products and services and all related activities within the scope of the BCMS,
d) take into account interested parties’ needs and interests, such as customers, investors, shareholders, the supply chain, public and/or community input and needs, expectations and interests (as appropriate), and
e) define the scope of the BCMS in terms of and appropriate to the size, nature and complexity of the organization.

When defining the scope, the organization shall document and explain exclusions; any such exclusions shall not affect the organization’s ability and responsibility to provide continuity of business and operations that meet the BCMS requirements, as determined by business impact analysis or risk assessment and applicable legal or regulatory requirements.

Documented information required: document and explain exclusions.

4.4 Business continuity management system

The organization shall establish, implement, maintain and continually improve a BCMS, including the processes needed and their interactions, in accordance with the requirements of this International Standard.

5 Leadership

5.1 Leadership and commitment

Persons in top management and other relevant management roles throughout the organization shall demonstrate leadership with respect to the BCMS.

EXAMPLE This leadership and commitment can be shown by motivating and empowering persons to contribute to the effectiveness of the BCMS.

5.2 Management commitment

Top management shall demonstrate leadership and commitment with respect to the BCMS by
— ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization,
— ensuring the integration of the business continuity management system requirements into the organization’s business processes,
— ensuring that the resources needed for the business continuity management system are available,
— communicating the importance of effective business continuity management and conforming to the BCMS requirements,
— ensuring that the BCMS achieves its intended outcome(s),
— directing and supporting persons to contribute to the effectiveness of the BCMS,
— promoting continual improvement, and
— supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility.

5.3 Policy

Top management shall establish a business continuity policy that
a) is appropriate to the purpose of the organization,
b) provides a framework for setting business continuity objectives,
c) includes a commitment to satisfy applicable requirements,
d) includes a commitment to continual improvement of the BCMS.

The BCMS policy shall
— be available as documented information,
— be communicated within the organization,
— be available to interested parties, as appropriate,
— be reviewed for continuing suitability at defined intervals and when significant changes occur.

The organization shall retain documented information on the business continuity policy.

Documented information required.

5.4 Organizational roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization.

Top management shall assign the responsibility and authority for
a) ensuring that the management system conforms to the requirements of this International Standard, and
b) reporting on the performance of the BCMS to top management.

6 Planning

6.1 Actions to address risks and opportunities

When planning for the BCMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to
— ensure the management system can achieve its intended outcome(s),
— prevent, or reduce, undesired effects,
— achieve continual improvement.

The organization shall plan
a) actions to address these risks and opportunities,
b) how to
1) integrate and implement the actions into its BCMS processes (see 8.1),
2) evaluate the effectiveness of these actions (see 9.1).

6.2 Business continuity objectives and plans to achieve them

Top management shall ensure that business continuity objectives are established and communicated for relevant functions and levels within the organization.

The business continuity objectives shall
a) be consistent with the business continuity policy,
b) take account of the minimum level of products and services that is acceptable to the organization to achieve its objectives,
c) be measurable,
d) take into account applicable requirements, and
e) be monitored and updated as appropriate.

The organization shall retain documented information on the business continuity objectives.

To achieve its business continuity objectives, the organization shall determine
— who will be responsible,
— what will be done,
— what resources will be required,
— when it will be completed, and
— how the results will be evaluated.

Documented information required.

7 Support

7.1 Resources

The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the BCMS.

7.2 Competence

The organization shall
a) determine the necessary competence of person(s) doing work under its control that affects its performance,
b) ensure that these persons are competent on the basis of appropriate education, training, and experience,
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken, and
d) retain appropriate documented information as evidence of competence.

NOTE Applicable actions can include, for example: the provision of training to, the mentoring of, or the reassignment of current employed persons; or the hiring or contracting of competent persons.

Documented information required.

7.3 Awareness

Persons doing work under the organization’s control shall be aware of
a) the business continuity policy,
b) their contribution to the effectiveness of the BCMS, including the benefits of improved business continuity management performance,
c) the implications of not conforming with the BCMS requirements, and
d) their own role during disruptive incidents.

7.4 Communication

The organization shall determine the need for internal and external communications relevant to the BCMS including
a) on what it will communicate,
b) when to communicate,
c) with whom to communicate.

The organization shall establish, implement, and maintain procedure(s) for
— internal communication amongst interested parties and employees within the organization,
— external communication with customers, partner entities, local community, and other interested parties, including the media,
— receiving, documenting, and responding to communication from interested parties,
— adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate,
— ensuring availability of the means of communication during a disruptive incident,
— facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and
— operating and testing of communications capabilities intended for use during disruption of normal communications.

NOTE Further requirements for communication in response to an incident are specified in 8.4.3.

Documented information required.

7.5 Documented information

7.5.1 General

The organization’s BCMS shall include
— documented information required by this International Standard, and
— documented information determined by the organization as being necessary for the effectiveness of the BCMS.

NOTE The extent of documented information for a BCMS can differ from one organization to another due to
— the size of organization and its type of activities, processes, products and services,
— the complexity of processes and their interactions, and
— the competence of persons.

The following is a summary of the documented information requirements. Examples should be given in the relevant sections of this checklist.
4.1 Understanding of the organization and its context
4.2.2 Legal and regulatory requirements
4.3 Scope of the BCMS
5.3 Policy
6.2 Business continuity objectives
7.2 Competence
7.4 Communication
7.5 Documented information
8.1 Operational planning and control
8.2 Business impact analysis and risk assessment
8.4 Establish and implement business continuity procedures
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10.1 Nonconformity and corrective action

7.5.2 Creating and updating

When creating and updating documented information, the organization shall ensure appropriate
a) identification and description (e.g. a title, date, author o
