ISO22301 Update: What are the Mandatory Document?

 

What should your business continuity documentation contain? This is probably what you’re asking yourself if you are implementing ISO 22301 in your Business Continuity Management System (BCMS) , preparing for an upcoming internal audit, or preparing for a certification audit by external auditors.

 

 

To help you out, here’s the list of mandatory documentation for the Business Continuity Management System (BCMS).

 

Clause	Description of Clause	Action to be Taken
4.2.1	List of legal, regulatory and other requirements	Lists everything you need to comply with
4.3	The scope of the BCMS and explanation of exclusions	Defines where your BCMS will be implemented.
5.2	Business continuity policy	Defines main responsibilities, and the intent of the management.
6.2	Business continuity objectives	Defines measurable objectives that are to be achieved with business continuity.
7.2	Competencies of personnel	Define knowledge and skills needed by staff with Business Continuity responsibilities
8.4	Business continuity plans and procedures	Includes plans and procedures for response, communication, recovery (including disaster recovery plans), restore and return activities.
8.4.3.1	Documented communication with interested parties	These could be emails, but also social communication from sources such as government agencies and others.
8.4.3.1	Records of important information about the disruption, actions taken and decisions made	Normally these records are done through minutes or by lling out checklists of performed activities.
9.1.1	Data and results of monitoring and measurement	Evaluation on whether BCMS meets the objectives
9.2	Internal audit program/Results of internal audit	The Internal Audit Report
10.1	Nature of non-conformities and actions taken	A description of non-conformities and their causes
10.1	Results of corrective actions	A description of what has been done to eliminate non-conformities via corrective actions