ISO 22301 Mandatory Documentation Checklist
Implementing ISO 22301 involves creating comprehensive documentation to ensure effective business continuity management. This checklist outlines the mandatory documents required by ISO 22301, as well as commonly used non-mandatory documents that are beneficial for the Business Continuity Management System (BCMS).
Mandatory Documents Required by ISO 22301:2019
- List of Legal, Regulatory, and Other Requirements (clause 4.2.2): includes all compliance requirements for your organization.
- Scope of the BCMS and Explanation of Exclusions (clause 4.3): defines where the BCMS will be implemented.
- Business Continuity Policy (clause 5.2): outlines main responsibilities and management's intent.
- Business Continuity Objectives (clause 6.2): specifies measurable objectives for business continuity.
- Competencies of Personnel (clause 7.2): defines the necessary knowledge and skills for personnel.
- Business Continuity Plans and Procedures (clause 8.4): includes response, communication, recovery, and return activities.
- Documented Communication with Interested Parties (clause 8.4.3.1): could be emails or official communications from agencies.
- Records of Important Information about the Disruption (clause 8.4.3.1): document actions taken and decisions made during a disruption.
- Data and Results of Monitoring and Measurement (clause 9.1.1): evaluate whether BCMS objectives are met.
- Internal Audit Program (clause 9.2): plan and conduct internal audits.
- Results of Internal Audit (clause 9.2): usually documented in an internal audit report.
- Results of Management Review (clause 9.3): documented in minutes or decisions.
- Nature of Nonconformities and Actions Taken (clause 10.1): describe nonconformities and their causes.
- Results of Corrective Actions (clause 10.1): document actions taken to eliminate the cause of nonconformities.
Commonly Used Non-Mandatory BCMS Documents and Records
- Procedure for Identification of Applicable Legal and Regulatory Requirements (clause 4.2.2)
- Implementation Plan for Achieving Business Continuity Objectives (clause 6.2)
- Training and Awareness Plan (clauses 7.2 and 7.3)
- Procedure for Control of Documented Information (clause 7.5)
- Contracts and SLAs with Suppliers and Outsourcing Partners (clause 8.1)
- Process for Business Impact Analysis and Risk Assessment (clause 8.2.1)
- Results of Business Impact Analysis (clause 8.2.2)
- Results of Risk Assessment (clause 8.2.3)
- Strategies and Solutions for Business Continuity (clause 8.3.3)
- Incident Scenarios (clause 8.5)
- Exercise and Testing Plans (clause 8.5)
- Post-Exercise Reports (clause 8.5)
- Results of Post-Incident Review (clause 8.6)
- Methods for Monitoring, Measurement, Analysis, and Evaluation (clause 9.1.1)
- Procedure for Internal Audit (clause 9.2)
- Procedure for Corrective Action (clause 10.1)
Some requirements can be documented across several documents. For example, the context of the organization (clause 4.1) can be covered by documents such as the List of Legal, Regulatory, and Other Requirements and the Business Continuity Policy.
You can also merge documents into a single one, especially if you are a smaller company. For instance, you can combine the results of the business impact analysis and risk assessment with the Business Continuity Strategy.