List of documents required for ISO 22301:2012 business continuity management system (BCMS)
You must document:
- Context of the organisation (4.1)
- Identification of interested parties and legal and regulatory requirements (4.2)
- Scope of the business continuity management system (BCMS) (4.3)
- Business continuity policy (5.3)
- Business continuity objectives and planning (6.2)
- Evidence of competence (7.2)
- Documents necessary to carry out processes as planned (7.2)
- Business impact analysis procedure (8.2)
- Evaluation procedure to determine continuity and recovery priorities including assessing impacts (8.2)
- A formal risk assessment procedure (8.2.3)
- Identify, analyse and evaluate risks (8.2.3)
- Procedures to establish and implement business continuity (8.4)
- Incident response structure including responsibilities and authorities (8.4.2)
- Business continuity plan (8.4.4)
- Procedures to return to normal after an incident (8.4.5)
- Evaluation of business continuity procedures and incident review (9.1)
- Internal audit (9.2)
- Management review (9.3)
Auditors will need to confirm each of your organisation’s processes is systematically communicated, understood, executed and effective, so it is likely that your list of documentation will not end here.
Supporting documentation for the BCMS may include a business continuity strategy (8.3) or a corrective action report (10.1).
Where to start with ISO 22301 documentation
Providing the documentation for your BCMS is often the hardest part of achieving ISO 22301 certification. It’s a daunting process and many organisations don’t know where to start.
Accelerate your BCMS implementation project with the ISO 22301 BCMS Documentation Toolkit, which includes:
- A complete set of mandatory and supporting documentation templates that are easy to use, customisable and fully ISO 22301-compliant;
- Helpful dashboards and gap analysis tools to ensure complete coverage of the Standard; and
- Direction and guidance from experienced business continuity consultants.