ISO 22301 version 2019 requirements, business continuity management systems
24/03/2024
Quiz requirements ISO 22301 version 2019 You want to familiarize yourself with the structure of the standard, identify and understand the requirements of ISO 22301 version 2019, then it's up to you to play!
The "ISO 22301 version 2019 Requirements" quiz will help you understand the main requirements of the standard.
The questions (requirements) included in this quiz are 161 of the 242 in the standard, but don't worry. These 161 requirements are among the most important. So do not hesitate to learn in a fun way!
Do not think you can finish this quiz in less than an hour, unless of course you are a little genius!
News about the ISO 22301 version 2019
The online training (course) T 26v19 ISO 22301 version 2019 readiness and its demo (soon)
The course T 56v19 ISO 22301 version 2019 internal audit and its demo (soon)
The package of courses T 76v195 training package ISO 22301 version 2019 readiness and internal audit
Based on the ISO 22301: 2019 the 242 requirements (verb shall) of clauses 4 to 10 are as follows:
|
ISO 22301 : 2019 requirements
 |
||||
|
No
|
Clause
|
PDCA cycle
|
Requirement No
|
Quantity
|
|
4
|
Context of the organization | Plan | 1 ÷ 16 | 16 |
|
5
|
Leadership | Plan |
17 ÷ 34
|
18
|
|
6
|
Planning | Plan |
35 ÷ 59
|
25
|
|
7
|
Support | Plan, Do |
60 ÷ 85
|
26
|
|
8
|
Operation | Do |
86 ÷ 190
|
105
|
|
9
|
Performance evaluation | Check |
249 ÷ 228
|
38
|
|
10
|
Improvement | Act |
229 ÷ 242
|
14
|
|
Total
|
242
|
|||
.jpg)
ISO 22301 version 2019 requirements
The Deming PDCA cycle
Remark. Any requirement normally begins with "The organization shall...". For simplicity's sake we present the requirements directly, starting with the verb.
|
ISO 22301 - Requirements and comments
|
||||
|
No
|
Clause, sub-clause
|
Requirement
|
Comment, link
|
|
| 4 |
Context of the organization
|
|||
| 4.1 |
The organization and its context
|
|
||
|
4.1
|
Determine external and internal issues | Understand everything that can influence the purpose (mission) of the company and its ability to obtain the expected results of the BCMS. Cf. sub-clause 6.1 | ||
| 4.2 |
Understanding the needs and expectations of stakeholders
|
|
||
| 4.2.1 |
General
|
|
||
|
2
|
4.2.1 a | Determine the stakeholders | That can influence the company's BCMS | |
|
3
|
4.2.1 b | Determine the requirements of stakeholders | Implicit or explicit needs and wishes | |
| 4.2.2 |
Legal and regulatory requirements
|
|
||
|
4
|
4.2.2 a | Implement a process to identify the legal and regulatory requirements | Related to the company's business continuity | |
| 5 |
4.2.2 b
|
Ensure that these requirements are taken into account | When implementing the BCMS | |
|
6
|
4.2.2 c
|
Document this information | And keep it updated, cf sub-clause 7.5.1 | |
| 4.3 |
Determining the scope of the business continuity management system
|
|
||
| 4.3.1 |
General
|
|
||
|
7
|
4.3.1
|
Determine the scope of the BCMS | Limits and applicability | |
|
8
|
4.3.1 a
|
Take into account the external and internal issues | Cf. sub-clause 4.1 | |
|
9
|
4.3.1 b
|
Take into account the requirements of stakeholders | Cf. sub-clause 4.2 | |
|
10
|
4.3.1 c
|
Take into account its mission and goals | And internal and external obligations | |
|
11
|
4.3.1
|
Make the scope available | As a record, cf sub-clause 7.5.1 | |
| 4.3.2 |
Scope of the business continuity management system
|
|
||
|
12
|
4.3.2 a
|
Determine the parts to include in the BCMS | Location, size, nature and complexity | |
|
13
|
4.3.3 b
|
Identify products and services | To be included in the BCMS | |
|
14
|
4.3.2
|
Document and explain exclusions | Retain a record, cf sub-clause 7.5.1 | |
|
15
|
4.3.2
|
Do not affect the ability and responsibility of the company to ensure business continuity | As determined by the business impact analysis and risk asessment, cf. sub-clause 8.2 | |
| 4.4 |
Business continuity management system
|
 |
||
|
16
|
4.4
|
Establish, implement, maintain and improve the BCMS |
Including the processes needed and their interactions. Specific mandatory processes: |
|
| 5 |
Leadership
|
|||
| 5.1 |
Leadership and commitment
|
|||
|
17
|
5.1 a
|
Ensure that business continuity policy and objectives are established | "When you sweep the stairs, you start at the top". Romanian proverb. Business continuity policy and objectives are compatible with the strategic direction of the company | |
| 18 | 5.1 b | Ensure that BCMS requirements are integrated into business processes | Demonstrate leadership | |
|
19
|
5.1 c
|
Ensure that BCMS resources are available | Resources to establish, apply, maintain and improve the BCMS. Cf. sub-clause 4.4 | |
|
20
|
5.1 d
|
Communicate on the importance of an effective BCMS | And conforming to the BCMS requirements | |
|
21
|
5.1 e
|
Ensure the achievement of intended results of the BCMS | Commitment, responsiveness and active support from top management | |
|
22
|
5.1 f
|
Direct and support staff | In order to contribute to the effectiveness of the BCMS | |
|
23
|
5.1 g
|
Promote continual improvement | Demonstrate leadership, cf. sub-clause 10.2 | |
|
24
|
5.1 h
|
Support the staff involved to demonstrate leadership | "Employees first, customers second". Vineet Nayar | |
| 5.2 |
Policy
|
|
||
| 5.2.1 |
Establishing the business continuity policy
|
|
||
|
25
|
5.2.1 a
|
Establish the business continuity policy | That is appropriate to the purpose of the company | |
| 26 | 5.2.1 b | Provide a framework for setting business continuity objectives | In order to establish the objectives, cf. sub-clause 6.2 | |
| 27 | 5.2.1 c | Include meeting the requirements | That are applicable, cf. sub-clause 4.2.2 | |
| 28 | 5.2.1 d | Include a commitment to continual improvement of the BCMS | Cf. sub-clause 10.2 | |
| 5.2.2 |
Communicating the business continuity policy
|
|
||
| 29 | 5.2.2 a | Keep the business continuity policy available | And make it available inside the company. Cf. sub-clause 7.5 | |
| 30 | 5.2.2 b | Communicate the policy | So it is understand and applied, cf. sub-clause 7.4 | |
| 31 | 5.2.2 c | Make the policy available to stakeholders | Cf. sub-clause 4.2 | |
|
5.3
|
Roles, responsibilities, authorities
|
|
||
|
32
|
5.3
|
Ensure that the responsibilities and authorities are assigned | And communicated within the company | |
|
33
|
5.3 a
|
Ensure that the BCMS conforms to the ISO 22301 requirements | Requirements of clauses 4 to 10 | |
|
34
|
5.3 b
|
Report on the performance of the BCMS to top management | Regularly, cf. sub-clause 7.5.1 | |
|
6
|
Planning
|
|||
| 6.1 |
Actions to address risks and opportunities
|
|
||
| 6.1.1 |
Determining risks and opportunities
|
|||
| 35 |
6.1.1
|
Determine the risks and opportunities | Risk management is based on the ISO 31000 standard (see training T 51). To ensure that the BCMS can achieve the planned results. Cf. sub-clause 4.1 (context) and 4.2 (stakeholders). "Any decision involves a risk". Peter Barge | |
| 36 | 6.1.1 a | Ensure that the BCMS can achieve its intended outcomes | In order to address risks | |
| 37 | 6.1.1 b | Reduce undesired effects | In order to address risks | |
| 38 | 6.1.1 c | Achieve a continual improvement approach | Cf. sub-clause 10.2 | |
| 6.1.2 |
Addressing risks and opportunities
|
|
||
| 39 |
6.1.2 a
|
Plan actions to address risks | And opportunities, cf. sub-clause 8.2 | |
| 40 | 6.1.2 b 1 | Plan how to integrate these actions | In the BCMS processes, cf. sub-clause 8.1 | |
|
41
|
6.1.2 b 2
|
Plan how to evaluate the effectiveness of these actions | Cf. sub-clause 9.1 | |
|
6.2
|
Business continuity objectives and planning to achieve them
|
|
||
|
6.2.1
|
Establishing business continuity objectives
|
|
||
|
42
|
6.2.1
|
Establish business continuity objectives | At relevant functions and levels. "He who has no goals will not achieve them". Sun Tzu" | |
| 43 | 6.2.1 a | Determine business continuity objectives | Consistant with the business continuity policy, cf. sub-clause 5.2 | |
| 44 | 6.2.1 b | Determine business continuity objectives | Be measurable (if practicable) | |
| 45 | 6.2.1 c | Determine business continuity objectives | Taking into account applicable requirements, cf. sub-clauses 4.1 and 4.2 | |
| 46 | 6.2.1 d | Determine business continuity objectives | Be monitored, cf. sub-clause 9.1 | |
| 47 | 6.2.1 e | Determine business continuity objectives | Be communicated, cf. sub-clause 7.4 | |
| 48 | 6.2.1 f | Determine business continuity objectives | Be upgrated regularly | |
| 49 | 6.2.1 | Record the busness continuity objectives | Cf. sub-clause 7.5.1 | |
|
6.2.2
|
Determining business continuity objectives
|
|
||
|
50
|
6.2.2 a
|
Determine business continuity objectives when planning | What will be done | |
| 51 | 6.2.2 b | Determine business continuity objectives when planning | What resources will be required | |
|
52
|
6.2.2 c
|
Determine business continuity objectives when planning | Who will be responsible | |
|
53
|
6.2.2 d
|
Determine business continuity objectives when planning | When it will be completed | |
| 54 | 6.2.2 e | Determine business continuity objectives when planning | How the results will be evaluated | |
| 6.3 |
Planning changes to the business continuity management system
|
|
||
|
55
|
6.3 | Plan the need for changes to the BCMS | "The only person who likes change is a wet baby". Cf. clause 10 | |
|
56
|
6.3 a | Take into account | The purpose of the changes and their consequences | |
|
57
|
6.3 b | Take into account | The integrity of the BCMS | |
|
58
|
6.3 c | Take into account | The availability of resources | |
|
59
|
6.3 d | Take into account | The allocation of responsibilities and authorities | |
| 7 |
Support
|
|||
| 7.1 |
Resources
|
|
||
|
60
|
7.1.1 | Provide the necessary resources | In order to establish, implement, maintain and improve the BCMS | |
| 7.2 |
Competence
|
|||
| 61 | 7.2 a | Determine the necessary competence of concerned persons | Persons who can impact business continuity performance | |
| 62 | 7.2 b | Ensure that the persons are competent | Education, training or experience | |
| 63 | 7.2 c | Undertake actions to acquire the necessary competence | And evaluate the effectiveness of these actions | |
| 64 | 7.2 d | Retain staff competence | Record, cf. sub-clause 7.5 | |
| 7.3 | Awareness |
|
||
| 65 | 7.3 a | Ensure the staff is aware of the business continuity policy | Including people who carry out work under the company's control. Cf. sub-clauses 5.2, 6.2 and 7.5.1 | |
| 66 | 7.3 b | Raise staff awareness of the importance of their contribution to the effectiveness of the BCMS | And the beneficial effects of improved BCMS performance | |
| 67 | 7.3 c | Raise staff awareness of the consequences of non-compliance with BCMS requirements | Do not forget the potential consequences on all professional activities | |
| 68 | 7.3 d | Raise staff awareness of their role and responsibilities | During and after disruptions | |
| 7.4 |
Communication
|
|||
| 69 | 7.4 a | Determine the internal and external communications | On what. Internally and externally. "Good news walks, bad news runs". Swedish proverb | |
| 70 | 7.4 b | Determine the internal and external communications | When to communicate | |
| 71 | 7.4 c | Determine the internal and external communications | With whom to communicate | |
|
72
|
7.4 d
|
Determine the internal and external communications | How, orally, in writing, Internet, video | |
|
73
|
7.4 e
|
Determine the internal and external communications | Who will communicate, the one who is closest to the subject | |
| 7.5 |
Documented information
|
|||
| 7.5.1 |
General
|
|
||
| 74 | 7.5.1 a | Include in the BCMS the documents (documented information) required by ISO 22301 | Documented procedures (* mandatory): .jpg){kind=small}
Policy (* mandatory):
.jpg){kind=small}
|
|
| 75 | 7.5.1 b | Include in the BCMS documents deemed necessary for the effectiveness of the BCMS |
"Spoken words fly away, written one stay". Latin proverb. These documents are specific to the size of the company, the field of activity, the complexity of the processes and their interactions, and the skills of the personnel |
|
| 7.5.2 |
Creating and updating
|
|
||
| 76 | 7.5.2 a | Identify and describe documents appropriately | Codification, title, author, subject, product | |
| 77 | 7.5.2 b | Ensure that format and media of documents are appropriate | Language, graphics, paper, electronic | |
| 78 | 7.5.2 c | Review and validate documents appropriately | Who writes, codifies, who approves | |
| 7.5.3 |
Control of documented information
|
|||
| 79 | 7.5.3.1 a | Make documents available and suitable for use | Where and when required in a form that is suitable for use | |
| 80 | 7.5.3.1 b | Protect adequately the documents | Loss of confidentiality, loss of integrity, misuse | |
| 81 | 7.5.3.2 a | Apply distribution, access, retrieval and usage activities | Who is in charge, method to use, rule to follow | |
| 82 | 7.5.3.2 b | Apply storage and preservation activities | Including protection and readability | |
| 83 | 7.5.3.2 c | Apply control of changes activities | Use of updated versions, restricted access to obsolete versions | |
| 84 | 7.5.3.2 d | Apply retention and removal activities | Retention period, disposal method | |
| 85 | 7.5.3.2 | Identify and control documents of external origin | List of documents deemed necessary for the planning and operation of the BCMS, cf. sub-clause 7.5.1 | |
| 8 |
Operation
|
Do | ||
| 8.1 |
Operational planning and control
|
|||
| 86 | 8.1 a | Plan, apply, control and maintain the necessary processes to comply with the requirements of the BCMS | By establishing criteria for these processes and carrying out actions determined in sub-clause 6.1 | |
| 87 | 8.1 b | Plan, apply, control and maintain the necessary processes | In order to comply with the requirements of the BCMS | |
| 88 | 8.1 c | Maintain documentation of necessary processes | In order to have confidence that the processes have been carried out as planned | |
| 89 | 8.1 | Control planned changes | And analyze unforeseen ones | |
| 90 | 8.1 | Ensure that outsourced processes are controlled and relevant | And the supply chain is also controlled | |
| 8.2 |
Business impact analysis and risk assessment
|
|||
| 8.2.1 |
General
|
|
||
| 91 | 8.2.1 a | Apply systematic processes | For analysing the business impact and assessing the risks of disruption | |
| 92 | 8.2.1 b | Review the business impact analysis and the risk assessment | At planned intervals and when there are significant changes | |
| 8.2.2 |
Business impact analysis
|
|||
| 93 | 8.2.2 | Use the process Analyze business impacts on activity | In order to determine business continuity priorities and requirements | |
| 94 | 8.2.2 a | Define impact types | And company's criteria | |
| 95 | 8.2.2 b | Identify the activities | That support the provision of products and services | |
| 96 | 8.2.2 c | Use the impact types and criteria for assessing the impacts over time | From disruption of these activities | |
| 97 | 8.2.2 d | Identify the time frame beyond which the impacts of a non-resumption of activities would pose a problem | This time frame is refered as "maximum tolerable period of disruption" (MTPD) | |
| 98 | 8.2.2 e | Determine prioritized time frames | Within the time identified in MTPD, referred as "recovery time objective" (RTO) | |
| 99 | 8.2.2 f | Use this analysis | In order to identify prioritized activities | |
| 100 | 8.2.2 g | Determine the needed resources | In order to support prioritized activities | |
| 101 | 8.2.2 h | Determine dependencies on priority activities | Including partners and suppliers | |
| 8.2.3 | Risk assessment |
|
||
| 102 | 8.2.3 | Apply the process Assess risk | Cf. sub-clause 6.1 and the training T 51v18 | |
| 103 | 8.2.3 a | Identify the risks of disruption | To the company's prioritized activities and resources needed | |
| 104 | 8.2.3 b | Analyze the identified risks | And evaluate the risks | |
| 105 |
8.2.3 c
|
Determine which risks require treatment | These risks relate to the disruption of business activities, the other risks (related to the effectiveness of the BCMS) are addressed in sub-clause 6.1 | |
| 8.3 |
Business continuity stratégies and solutions
|
|||
| 8.3.1 |
General
|
|
||
| 106 | 8.3.1 | Identify and select business continuity strategies | That consider options before, during and after disruption | |
| 107 | 8.3.1 | Include more than one solution | For each business continuity strategy | |
| 8.3.2 | Identification of strategies and solutions | |||
| 108 | 8.3.2 a | Take into account, when identifying, the extent to which strategies and solutions | Meet the requirements to continue and recover prioritized activities | |
| 109 | 8.3.2 b | Take into account, when identifying, the extent to which strategies and solutions | Protect the company's prioritized activities | |
| 110 | 8.3.2 c | Take into account, when identifying, the extent to which strategies and solutions | Reduce the likelihood of disruption | |
| 111 | 8.3.2 d | Take into account, when identifying, the extent to which strategies and solutions | Shorten the period of disruption | |
| 112 | 8.3.2 e | Take into account, when identifying, the extent to which strategies and solutions | Limit the impact of disruption | |
| 113 | 8.3.2 f | Take into account, when identifying, the extent to which strategies and solutions | Provide for the availability of adequate resources | |
| 8.3.3 |
Selection of strategies and solutions
|
|||
| 114 | 8.3.3 a | Take into account, when selecting, to what extent the strategies and solutions | Meet the requirements to continue and recover prioritized activities | |
| 115 | 8.3.3 b | Take into account, when selecting, to what extent the strategies and solutions | Consider the amount and type of risk worth taking or not | |
| 116 | 8.3.3 c | Take into account, when selecting, to what extent the strategies and solutions | Consider associated costs and benefits | |
| 8.3.4 |
Resource requirements
|
|
||
| 117 | 8.3.4 | Determine the resource requirements | In order to implement the selected business continuity solutions | |
| 118 | 8.3.4 a | Include in considered resource types | People | |
| 119 | 8.3.4 b | Include in considered resource types | Information and data | |
| 120 | 8.3.4 c | Include in considered resource types | Infrastructure | |
| 121 | 8.3.4 d | Include in considered resource types | Equipment and consumables | |
| 122 | 8.3.4 e | Include in considered resource types | ICT (information and communication technology) | |
| 123 | 8.3.4 f | Include in considered resource types | Transport and logistics | |
| 124 | 8.3.4 g | Include in considered resource types | Finance | |
| 125 | 8.3.4 h | Include in considered resource types | Partners and suppliers | |
| 8.3.5 | Implementation of solutions |
|
||
| 126 | 8.3.5 | Implement selected business continuity solutions | In order to be activated when needed | |
| 8.4 |
Business continuity plans and procedures
|
|
||
| 8.4.1 |
General
|
|||
| 127 | 8.4.1 | Apply a response structure | In order to enable timely warning and communication to stakeholders | |
| 128 | 8.4.1 | Provide plans and procedures | In order to manage the company during a disruption | |
| 129 | 8.4.1 | Use plans and procedures when required | In order to activate business continuity solutions | |
| 130 | 8.4.1 | Identify and document plans and procedures | Based on selected strategies and solutions, cf. sub-clause 7.5.1 | |
| 131 | 8.4.1 a | Use precises plans | Regarding the immediate steps | |
| 132 | 8.4.1 b | Use flexible plans | In order to respond to the changing conditions of a disruption | |
| 133 | 8.4.1 c | Focus on the impact of incidents | That can lead to disruption | |
| 134 | 8.4.1 d | Use effective procedures | Through the implementation of appropriate solutions | |
| 135 | 8.4.1 e | Assign roles and responsibilities | For every task concerned | |
| 8.4.2 |
Response structure
|
|||
| 136 | 8.4.2.1 | Implement and maintain a structure identifying one or more teams | In charge of responding to disruptions | |
| 137 | 8.4.2.2 | Establish clearly the roles and responsibilities of each team | And the relationships between the teams | |
| 138 | 8.4.2.3 a | Designate collectively competent teams to | Assess the nature of a disruption and its impact | |
| 139 | 8.4.2.3 b | Designate collectively competent teams to | Assess the impact against pre-defned thresholds | |
| 140 | 8.4.2.3 c | Designate collectively competent teams to | Activate an appropriate response | |
| 141 | 8.4.2.3 d | Designate collectively competent teams to | Plan actions to be undertaken | |
| 142 | 8.4.2.3 e | Designate collectively competent teams to | Establish priorities | |
| 143 | 8.4.2.3 f | Designate collectively competent teams to | Monitor the effects of the disruption and the company's response | |
| 144 | 8.4.2.3 g | Designate collectively competent teams to | Activate the business continuity solutions | |
| 145 | 8.4.2.3 h | Designate collectively competent teams to | Communicate with relevant stakeholders including authorities and media | |
| 146 | 8.4.2.4 a | Have for each team | An identified personnel to perform their designated role | |
| 147 | 8.4.2.4 b | Have for each team | Documented procedures to guide their actions, cf. sub-clause 8.4.4 | |
| 8.4.3 |
Warning and communication
|
|
||
| 148 | 8.4.3.1 a | Document and maintain procedures for | Communicating to relevant stakeholders, cf. sub-clause 7.4 | |
| 149 | 8.4.3.1 b | Document and maintain procedures for | Communicating withstakeholders, including any national risk advisory system | |
| 150 | 8.4.3.1 c | Document and maintain procedures for | Ensuring the availability of the means of communication during a disruption | |
| 151 | 8.4.3.1 d | Document and maintain procedures for | Communication with emergency responders | |
| 152 | 8.4.3.1e | Document and maintain procedures for | Media response | |
| 153 | 8.4.3.1 f | Document and maintain procedures for | Recording the details of the disruption, the actions taken and the decisions made, cf. sub-clause 7.5.1 | |
| 154 | 8.4.3.2 a | Alert stakeholders potentially impacted | By an actual or impending disruption | |
| 155 | 8.4.3.2 b | Ensure coordination and communication | Between multiple responding organizations | |
| 156 | 8.4.3.2 | Carry out exercises of warning and communication procedures | Cf. sub-clause 8.5 | |
| 8.4.4 |
Business continuity plans
|
|
||
| 157 | 8.4.4.1 | Document and maintain business continuity plans and procedures | In order to be available when needed | |
| 158 | 8.4.4.1 | Provide guidance and information in Business Continuity Plans (BCPs) | In order to assist teams to respond to a disruption | |
| 159 | 8.4.4.2 a 1 | Include details of actions to be carried out in business continuity plans | In order to recover prioritized activities | |
| 160 | 8.4.4.2 a 2 | Include details of actions to be carried out in business continuity plans | In order to monitor the impact of the disruption | |
| 161 | 8.4.4.2 b | Include in business continuity plans | Reference to the pre-defined thresholds | |
| 162 | 8.4.4.2 c | Include in business continuity plans | Procedures to enable the delivery of products and services | |
| 163 | 8.4.4.2 d 1 | Include in business continuity plans | Details to manage the immediate consequences of a disruption related to the welfare of individuals | |
| 164 | 8.4.4.2 d 2 | Include in business continuity plans | Details to manage the immediate consequences of a disruption related to the prevention of further loss | |
| 165 | 8.4.4.2 d 3 | Include in business continuity plans | Details to manage the immediate consequences of a disruption related to the impact on the environment | |
| 166 | 8.4.4.3 a | Include in each BCP | The purpose, scope and objective | |
| 167 | 8.4.4.3 b | Include in each BCP | The roles and responsibilities | |
| 168 | 8.4.4.3 c | Include in each BCP | Actions to implement the solutions | |
| 169 | 8.4.4.3 d | Include in each BCP | Supporting information needed to activate the team's actions | |
| 170 | 8.4.4.3 e | Include in each BCP | Internal and external dependencies | |
| 171 | 8.4.4.3 f | Include in each BCP | The resource requirements | |
| 172 | 8.4.4.3 g | Include in each BCP | The reporting requirements | |
| 173 | 8.4.4.3 h | Include in each BCP | A process for standing down | |
| 174 | 8.4.4.3 | Make each plan available | At the time and place at which it is required, cf. sub-close 7.5.1 | |
| 8.4.5 |
Recovery
|
|
||
| 175 | 8.4.5 | Have documented processes | To restore and return business activities during and after a disruption | |
| 8.5 |
Exercice program
|
|||
| 176 | 8.5 | Implement and maintain an exercice and test program | In order to validate over time the effectiveness of strategies and solutions | |
| 177 | 8.5 a | Conduct exercices and tests that | Are consistent with the company's business continuity objectives, cf. sub-clause 6.2 | |
| 178 | 8.5 b | Conduct exercices and tests that | Are based on appropriate scenarios, cf. sub-clause 8.3 | |
| 179 | 8.5 c | Conduct exercices and tests that | Develop teamwork, competence, confidence and knowledge, cf. sub-clause 7.2 | |
| 180 | 8.5 d | Conduct exercices and tests that | Validate its business continuity strategies and solutions, cf. sub-clause 8.3 | |
| 181 | 8.5 e | Conduct exercices and tests that | Produce post-exercice reports, cf. sub-clause 7.5.1 | |
| 182 | 8.5 f | Conduct exercices and tests that | Are reviewed, cf. sub-clause 10.2 | |
| 183 | 8.5 g | Conduct exercices and tests that | Are performed at planned intervals and when there are significant changes | |
| 184 | 8.5 | Act based on the results of exercises and tests | In order to implement changes and improvements, cf. sub-clause 6.3 | |
| 8.6 |
Evaluation of business continuity documentation and capabilities
|
|||
| 185 | 8.6 a | Evaluate the suitability, adequacy and effectiveness of the company's | Business impact analysis, risk assessment, strategies, solutions, plans and procedures, cf. sub-clauses 8.2, 8.3 and 8.4 | |
| 186 | 8.6 b | Undertake evaluations | Through reviews, analysis, exercices, tests, reports and evaluations | |
| 187 | 8.6 c | Submit to a business continuity capability evaluation | Of relevant partners and suppliers | |
| 188 | 8.6 d | Evaluate compliance with applicable legal and regulatory requirements | And with its own business continuity policy and objectives | |
| 189 | 8.6 e | Update documentation | In a timely manner | |
| 190 | 8.6 | Conduct evaluations at planned intervals | After an incident, activation or significant changes occur | |
| 9 |
Performance evaluation
|
Check | ||
| 9.1 |
Monitoring, measurement, analysis and evaluation
|
|||
| 191 | 9.1 a | Determine what needs to be inspected (monitored and measured) | Including processes and BCPs | |
| 192 | 9.1 b | Determine the methods for inspection, analysis and evaluation | In order to ensure valid results | |
| 193 | 9.1 c | Determine when to inspect | And by whom | |
| 194 | 9.1 d | Determine when and by whom the inspection results shall be analyzed | And evaluated | |
| 195 | 9.1 | Retain the results of inspection | Cf. sub-clause 7.5.1 | |
| 196 | 9.1 | Evaluate the performance of the BCMS | And the effectiveness of the BCMS | |
| 9.2 |
Internal audit
|
|||
| 9.2.1 |
General
|
|
||
| 197 | 9.2.1 a 1 | Conduct internal audits at planned intervals | In order to determine whether the BCMS meets internal company requirements. Cf. ISO 19011 | |
| 198 | 9.2.1 a 2 | Conduct internal audits at planned intervals | In order to determine whether the BCMS meets requirements of the ISO 22301 standard | |
| 199 | 9.2.1 b | Conduct regularly planned internal audits | In order to determine whether the BCMS is effectively implemented and maintained | |
| 9.2.2 |
Audit program
|
|
||
| 200 | 9.2.2 a | Plan, establish, implement and update an audit program | Including frequency, methods, responsibilities, planning and reporting requirements. Follow the recommendations of ISO 19011 | |
| 201 | 9.2.2 a | Take into account the importance of the processes concerned | And the results of previous audits | |
| 202 | 9.2.2 b | Define the audit criteria | And the audit scope | |
| 203 | 9.2.2 c | Select auditors | In order to conduct objective and impartial audits | |
| 204 | 9.2.2 d | Ensure that the audit results are reported | To concerned managers | |
| 205 | 9.2.2 e | Retain documents of the implementation of the audit program | Cf. sub-clause 7.5.1 | |
| 206 | 9.2.2 f | Ensure that corrective actions are taken without undue delay | In order to eliminate nonconformities and their causes | |
| 207 | 9.2.2 g | Ensure that follow-up audit actions include the verification of their effectiveness | And the reporting of verification results | |
| 9.3 |
Management review
|
|||
| 9.3.1 |
General
|
|||
| 208 | 9.3.1 | Proceed at planned intervals to review the BCMS | In order to confirm that it is still relevant, appropriate and effective. "No system is perfect" | |
| 9.3.2 |
Management review input
|
|
||
| 209 | 9.3.2 a | Take into account the status of actions from previous management reviews | Use the last management review report | |
| 210 | 9.3.2 b | Take into account the changes in external and internal issues | That are relevant to the BCMS | |
| 211 | 9.3.2 c 1 | Take into account the information on the performance of the BCMS and trends | In nonconformities and corrective actions, cf. sub-clause 10.1 | |
| 212 | 9.3.2 c 2 | Take into account the information on the performance of the BCMS and trends | In inspection results, cf. sub-clause 9.1 | |
| 213 | 9.3.2 c 3 | Take into account the information on the performance of the BCMS and trends | In audit results, cf. sub-clause 9.2 | |
| 214 | 9.3.2 d | Take into account the feedback from stakeholders | Cf. sub-clause 4.2 | |
| 215 | 9.3.2 e | Take into account the need for changes to the BCMS | Including the policy and objectives, cf. sub-clauses 5.2 and 6.2 | |
| 216 | 9.3.2 f | Take into account the procedures and resources | That could be used to improve the BCMS, cf. sub-clause 10.2 | |
| 217 | 9.3.2 g | Take into account the information from the business impact analysis | And risk assessment, cf. sub-clause 8.2 | |
| 218 | 9.3.2 h | Take into account output from the evaluation of business continuity documentation | And capabilities, cf. sub-clause 8.6 | |
| 219 | 9.3.2 i | Take into account the risks or issues not adequately addressed | In any previous risk assessment | |
| 220 | 9.3.2 j | Take into account lessons learned and actions | Arising from near-misses and disruptions | |
| 221 | 9.3.2 k | Take into account opportunities | For continual improvement. Cf. sub-clause 10.2 | |
| 9.3.3 |
Management review outputs
|
|
||
| 222 | 9.3.3.1 a |
Include continual improvement decisions and any need for changes to the BCMS in the outputs of the management review |
Including variations to the scope of the BCMS | |
| 223 | 9.3.3.1 b | Include continual improvement decisions and any need for changes to the BCMS in the outputs of the management review | Including update of the business impact analysis, risk assessment, startegies, solutions and BCPs | |
| 224 | 9.3.3.1 c | Include continual improvement decisions and any need for changes to the BCMS in the outputs of the management review | Including modifications of procedures and controls | |
| 225 | 9.3.3.1 d | Include continual improvement decisions and any need for changes to the BCMS in the outputs of the management review | Including how the effectiveness of controls will be measured | |
| 226 | 9.3.3.2 | Retain the records of the results of management reviews | Cf. sub-clause 7.5.1 | |
| 227 | 9.3.3.2 a | Communicate the results of the management review | Cf. sub-clause 7.4 | |
| 228 | 9.3.3.2 b | Take appropriate action | Relating the results of the management review | |
| 10 |
Improvement
|
Act | ||
| 10.1 |
Nonconformity and corrective action
|
|||
| 229 | 10.1.1 | Determine improvement opportunities | In order to implement actions to achieve the intended outcomes of its BCMS | |
| 230 | 10.1.2 a 1 | React to the nonconformity and take action to control it | And correct it | |
| 231 | 10.1.2 a 2 | React to the nonconformity and deal with the consequences | That can influence the effectiveness of the BCMS | |
| 232 | 10.1.2 b 1 | Evaluate the need for action to eliminate the root causes by | Reviewing the nonconformity | |
| 233 | 10.1.2 b 2 | Evaluate the need for action to eliminate the root causes by | Determining the root causses of the nonconformity | |
| 234 | 10.1.2 b 3 | Evaluate the need for action to eliminate the root causes by | Determining if similar nonconformities exist | |
| 235 | 10.1.2 c | Implement any action needed | In order that the nonconformity does not recur | |
| 236 | 10.1.2 d | Review any corrective action taken | And its effectiveness | |
| 237 | 10.1.2 e | Make changes to the BCMS | If necessary | |
| 238 | 10.1.2 | Implement corrective actions | Appropriate to the nonconformities encountered | |
| 239 | 10.1.3 a | Retain records | Of the nature of the nonconformity | |
| 240 | 10.1.3 b | Retain records | Of the results of the corrective action | |
| 10.2 |
Continual improvement
|
|
||
| 241 | 10.2.1 a 1 | Improve continually the suitability, adequacy and effectiveness of the BCMS | Based on qualitative and quantitative measures | |
| 242 | 10.2.1 a 2 | Take into account the results of the analysis and evaluation and the decisions of the management review | In order to detremine if there are needs and opportunities that shall be addressed | |
.jpg){kind=small}
