ISO 22301:2019
Business Continuity Management System (BCMS)
Complete Audit Checklist
This audit checklist is aligned with ISO 22301:2019 – Security and resilience – Business continuity management systems – Requirements. It covers the requirement clauses (Clauses 4–10) and provides specific checkpoints, required evidence, and status tracking for each requirement. The Ref. numbers are checklist item numbers that follow the order of the standard; note that the standard itself groups the BIA and the risk assessment together under clause 8.2, business continuity strategies and solutions under 8.3, plans and procedures under 8.4, the exercise programme under 8.5, and evaluation of BC documentation and capabilities under 8.6. Clause 4.4 (the BCMS as a whole), 6.3 (planning of changes to the BCMS) and 8.6 (evaluation) have no dedicated rows below; assess them under 4.3, 8.1 and 9.1 respectively and record the coverage in the Notes column.
Auditors should use this document during internal or certification audits to verify conformity, collect objective evidence, and identify nonconformities. Each requirement should be assessed as Conforming (C), Nonconforming (NC), or Not Applicable (NA).
Status Legend
C – Conforming
Objective evidence confirms the requirement is fully met.
NC – Nonconforming
The requirement is not met or evidence is insufficient. A Corrective Action Request (CAR) must be raised.
NA – Not Applicable
The requirement does not apply. Justification must be documented in the Notes column.
Audit Information
Organization:
Audit Date(s):
Audit Scope:
Lead Auditor:
Audit Type:
Internal / Stage 1 / Stage 2 / Surveillance
Audit Team:
Section 4 – Context of the Organization
4.1 Understanding the Organization and Its Context
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
4.1.1
The organization has identified internal and external issues relevant to its purpose that could affect its ability to achieve the intended outcomes of the BCMS.
Strategic plans, SWOT/PESTLE analysis, board minutes, management review records
☐ C ☐ NC ☐ NA
4.1.2
Internal context includes organizational structure, roles, culture, capabilities, contracts, and information systems.
Org charts, policy documents, internal audits, capability registers
☐ C ☐ NC ☐ NA
4.1.3
External context includes legal, regulatory, financial, competitive, technological, natural, and social environments.
Legal compliance register, environmental risk assessments, industry reports
☐ C ☐ NC ☐ NA
4.1.4
The organization reviews and updates context information at defined intervals or when significant changes occur.
Review schedule, management review minutes, change log
☐ C ☐ NC ☐ NA
4.2 Understanding the Needs and Expectations of Interested Parties
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
4.2.1
Relevant interested parties (stakeholders) have been identified, including regulators, customers, suppliers, employees, shareholders, and communities.
Stakeholder register, interested party analysis
☐ C ☐ NC ☐ NA
4.2.2
The needs, expectations, and requirements of interested parties relating to business continuity have been documented.
Stakeholder requirements matrix, SLA/contract reviews
☐ C ☐ NC ☐ NA
4.2.3
Requirements that will become compliance obligations have been identified and are monitored for changes.
Legal register, compliance tracker, regulatory update procedure
☐ C ☐ NC ☐ NA
4.3 Determining the Scope of the BCMS
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
4.3.1
The scope of the BCMS has been clearly defined, covering boundaries, locations, activities, products, and services.
BCMS scope statement, site register
☐ C ☐ NC ☐ NA
4.3.2
Interfaces and dependencies between activities in scope and those outside scope have been identified.
Dependency mapping, process interfaces documentation
☐ C ☐ NC ☐ NA
4.3.3
The scope is documented, maintained, and available to interested parties.
BCMS scope document (controlled), intranet publication
☐ C ☐ NC ☐ NA
4.3.4
Exclusions from the scope are justified and do not undermine the organization's ability to provide continuity for critical services.
Scope exclusion rationale document
☐ C ☐ NC ☐ NA
Section 5 – Leadership
5.1 Leadership and Commitment
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
5.1.1
Top management demonstrates leadership by taking accountability for the effectiveness of the BCMS.
Meeting minutes, signed policies, management review records
☐ C ☐ NC ☐ NA
5.1.2
The business continuity policy has been established, communicated, and is compatible with the strategic direction of the organization.
BC Policy document with management signature and issue date
☐ C ☐ NC ☐ NA
5.1.3
Top management ensures BCMS objectives are established and compatible with organizational strategy.
BC objectives register aligned with strategic plan
☐ C ☐ NC ☐ NA
5.1.4
Top management ensures adequate resources are provided for the BCMS.
Budget allocations, staffing records, resource plans
☐ C ☐ NC ☐ NA
5.1.5
Top management promotes a culture of business continuity awareness across the organization.
Training records, communications, awareness campaigns
☐ C ☐ NC ☐ NA
5.1.6
Top management directs persons to contribute to BCMS effectiveness and promotes continual improvement.
Performance objectives, appraisal documentation
☐ C ☐ NC ☐ NA
5.2 Policy
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
5.2.1
The BC policy is appropriate to the purpose and context of the organization.
BC Policy document
☐ C ☐ NC ☐ NA
5.2.2
The policy provides a framework for setting BC objectives.
BC Policy with objectives framework
☐ C ☐ NC ☐ NA
5.2.3
The policy includes a commitment to satisfy applicable requirements.
Policy statement of compliance commitment
☐ C ☐ NC ☐ NA
5.2.4
The policy includes a commitment to continual improvement of the BCMS.
Policy statement, improvement log
☐ C ☐ NC ☐ NA
5.2.5
The BC policy is communicated within the organization and available to interested parties as appropriate.
Communication records, intranet, external website if applicable
☐ C ☐ NC ☐ NA
5.3 Organizational Roles, Responsibilities, and Authorities
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
5.3.1
Roles and responsibilities for the BCMS are defined, documented, and communicated.
RACI matrix, job descriptions, organizational chart
☐ C ☐ NC ☐ NA
5.3.2
A designated competent person/role is responsible for ensuring the BCMS conforms to the standard.
BC Manager appointment letter, TOR
☐ C ☐ NC ☐ NA
5.3.3
Reporting on BCMS performance is assigned and communicated to top management.
Reporting structure, management review agenda/minutes
☐ C ☐ NC ☐ NA
Section 6 – Planning
6.1 Actions to Address Risks and Opportunities
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
6.1.1
The organization determines the risks and opportunities to the BCMS itself (for example, loss of BC expertise, or a scope that no longer reflects the business) that need to be addressed, taking into account the context and interested party requirements. This is distinct from the disruption risk assessment of prioritized activities covered under 8.3.
Risk register, opportunity register
☐ C ☐ NC ☐ NA
6.1.2
Actions are planned to address risks and opportunities and are integrated into the BCMS processes.
Risk treatment plan, action plans
☐ C ☐ NC ☐ NA
6.1.3
The effectiveness of these actions is evaluated.
Risk review records, KPI tracking
☐ C ☐ NC ☐ NA
6.2 Business Continuity Objectives and Plans to Achieve Them
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
6.2.1
BC objectives have been established at relevant functions and levels.
BC objectives register
☐ C ☐ NC ☐ NA
6.2.2
Objectives are measurable, consistent with BC policy, and communicated.
Objectives KPIs, communications to teams
☐ C ☐ NC ☐ NA
6.2.3
Plans to achieve objectives define what will be done, required resources, responsibility, timeline, and how results will be evaluated.
BC improvement plan, project plans
☐ C ☐ NC ☐ NA
Section 7 – Support
7.1 Resources
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
7.1.1
The organization determines and provides resources needed for the establishment, implementation, maintenance, and continual improvement of the BCMS.
Budget documentation, resource allocation records
☐ C ☐ NC ☐ NA
7.1.2
Human resources with the necessary competence are identified and available.
Competency framework, staffing plans
☐ C ☐ NC ☐ NA
7.1.3
Infrastructure (premises, equipment, technology) required to support the BCMS is identified and maintained.
Asset register, maintenance records, IT infrastructure plans
☐ C ☐ NC ☐ NA
7.2 Competence
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
7.2.1
The competence requirements of personnel performing BC-related roles are determined.
Role competence profiles, JDs
☐ C ☐ NC ☐ NA
7.2.2
Personnel are competent on the basis of appropriate education, training, or experience.
CVs, certificates, training records
☐ C ☐ NC ☐ NA
7.2.3
Actions are taken to acquire necessary competence and their effectiveness is evaluated.
Training needs analysis, post-training assessments
☐ C ☐ NC ☐ NA
7.2.4
Appropriate documented information is retained as evidence of competence.
Training register, competence matrices
☐ C ☐ NC ☐ NA
7.3 Awareness | 7.4 Communication
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
7.3.1
Personnel are aware of the BC policy, their contribution to BCMS effectiveness, and the implications of not conforming.
Induction records, awareness training log, surveys
☐ C ☐ NC ☐ NA
7.4.1
Internal and external communication requirements have been determined (what, when, with whom, how, who).
Communications plan, stakeholder communication matrix
☐ C ☐ NC ☐ NA
7.4.2
An escalation process for communication during a disruption is defined.
Crisis communication procedure, call trees
☐ C ☐ NC ☐ NA
7.4.3
Communication channels for warning and notification are tested periodically.
Communication test records, test exercise reports
☐ C ☐ NC ☐ NA
7.5 Documented Information
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
7.5.1
Documented information required by the standard and necessary for effectiveness is created and maintained.
Document register, BCMS document list
☐ C ☐ NC ☐ NA
7.5.2
Documents are appropriately identified, described (e.g. title, date, author), formatted, and reviewed/approved.
Document control procedure, document headers/footers
☐ C ☐ NC ☐ NA
7.5.3
Documents are controlled: available when needed, adequately protected, distributed, stored, retrieved, and retained.
DMS access logs, version history, retention schedule
☐ C ☐ NC ☐ NA
7.5.4
External documents required for planning and operation are identified and controlled.
External document register, regulatory/standard library
☐ C ☐ NC ☐ NA
Section 8 – Operation
8.1 Operational Planning and Control
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
8.1.1
Processes needed to meet requirements and implement the actions from Section 6 are planned, implemented, and controlled.
Process documentation, procedure manuals
☐ C ☐ NC ☐ NA
8.1.2
Changes to planned operational processes are controlled; unintended changes are reviewed and mitigated.
Change management procedure, change log
☐ C ☐ NC ☐ NA
8.1.3
Outsourced processes are identified and controlled; responsibilities with external providers are defined.
Supplier list, contracts, SLAs, third-party assessments
☐ C ☐ NC ☐ NA
8.2 Business Impact Analysis (BIA) (ISO 22301:2019 clause 8.2.2)
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
8.2.1
A BIA process is established and documented, identifying activities that support products and services.
BIA methodology document, BIA template
☐ C ☐ NC ☐ NA
8.2.2
All activities supporting the delivery of products and services in scope have been assessed.
Completed BIA worksheets for all in-scope areas
☐ C ☐ NC ☐ NA
8.2.3
The BIA identifies the impacts over time of disruption to activities (financial, legal, reputational, operational, etc.).
Impact assessment tables, impact escalation curves
☐ C ☐ NC ☐ NA
8.2.4
Maximum Tolerable Period of Disruption (MTPD) has been determined for each prioritized activity, i.e. the point after which the impact of not resuming the activity becomes unacceptable.
BIA output: MTPD per activity, with the impact-over-time rationale behind each value
☐ C ☐ NC ☐ NA
8.2.5
Recovery Time Objectives (RTOs) have been set for each prioritized activity and each RTO is shorter than the activity's MTPD. Verify the relationship in the register itself, not only in the methodology.
RTO register, BIA output (check RTO &lt; MTPD row by row)
☐ C ☐ NC ☐ NA
8.2.6
Recovery Point Objectives (RPOs) have been established for data-dependent activities.
RPO register, IT/data dependency analysis
☐ C ☐ NC ☐ NA
8.2.7
Minimum resource requirements for recovery (people, technology, information, equipment, facilities, suppliers) have been identified for each prioritized activity, i.e. what is needed to deliver the minimum business continuity objective (MBCO, the minimum acceptable level of products or services during a disruption).
BIA output: resource requirements per activity, MBCO statement per product/service
☐ C ☐ NC ☐ NA
8.2.8
The BIA is reviewed at planned intervals or following significant changes.
BIA review schedule, version history
☐ C ☐ NC ☐ NA
8.3 Risk Assessment (ISO 22301:2019 clause 8.2.3)
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
8.3.1
A documented risk assessment process has been established to identify, analyze, and evaluate risks to prioritized activities.
Risk assessment methodology, risk procedure
☐ C ☐ NC ☐ NA
8.3.2
Threats and vulnerabilities have been identified for each critical activity and supporting resource.
Threat and vulnerability register, risk worksheets
☐ C ☐ NC ☐ NA
8.3.3
Risks are evaluated against defined criteria (likelihood × impact) and risk appetite is documented.
Risk scoring matrix, risk appetite statement
☐ C ☐ NC ☐ NA
8.3.4
Risk treatment options have been identified and selected (avoid, reduce, transfer, accept).
Risk treatment plan, controls register
☐ C ☐ NC ☐ NA
8.3.5
Residual risks after treatment have been accepted by appropriate management authority.
Risk acceptance records, risk owner sign-off
☐ C ☐ NC ☐ NA
8.3.6
Risk assessments are reviewed periodically and when significant changes occur.
Risk review schedule, minutes, version control
☐ C ☐ NC ☐ NA
8.4 Business Continuity Strategies and Solutions (ISO 22301:2019 clause 8.3)
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
8.4.1
BC strategies have been determined based on BIA and risk assessment outputs and are documented.
BC Strategy document
☐ C ☐ NC ☐ NA
8.4.2
Strategies address the protection and stabilization of prioritized activities and their recovery within RTO.
Strategy-to-activity mapping
☐ C ☐ NC ☐ NA
8.4.3
Alternative supply arrangements for resources (people, technology, premises, supply chain) have been identified and implemented.
Alternative supplier agreements, MoUs, reciprocal agreements
☐ C ☐ NC ☐ NA
8.4.4
People strategies address unavailability scenarios: cross-training, succession, remote working, and outsourcing.
Cross-training records, succession plan, remote work policy
☐ C ☐ NC ☐ NA
8.4.5
Technology and data strategies include backup, replication, failover, and alternative systems, and the achievable recovery times and data-loss windows have been demonstrated, not only designed.
IT DR plan, restore and failover test records showing achieved RTO/RPO per system, cloud failover configuration
☐ C ☐ NC ☐ NA
8.4.6
Premises strategies include alternative work sites, work-from-home, mobile solutions, or reciprocal arrangements.
Alternate site agreements, WFH policy, site survey reports
☐ C ☐ NC ☐ NA
8.4.7
Supply chain strategies include approved alternate suppliers and pre-qualification of critical components.
Alternate supplier register, supplier continuity assessments
☐ C ☐ NC ☐ NA
8.4 Business Continuity Strategies and Solutions (continued) – Resource Requirements
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
8.4.8
Minimum resource levels required to deliver the MBCO (the minimum acceptable level of products or services during a disruption) are documented for each prioritized activity and are consistent with the BIA resource requirements.
MBCO statement per product/service, resource register by activity, cross-reference to BIA output
☐ C ☐ NC ☐ NA
8.4.9
Strategies have been selected and approved based on cost-benefit analysis and residual risk levels.
Strategy selection rationale, sign-off records
☐ C ☐ NC ☐ NA
8.5 Business Continuity Plans and Procedures (ISO 22301:2019 clause 8.4)
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
8.5.1
Documented BC plans and procedures have been developed to implement the selected strategies.
BC Plan library, plan index
☐ C ☐ NC ☐ NA
8.5.2
Each plan includes purpose, scope, activation criteria, roles and responsibilities, and escalation procedures.
Plan template / plan structure review
☐ C ☐ NC ☐ NA
8.5.3
Incident response procedures include initial response, damage assessment, declaration criteria, and communication protocols.
Incident response procedure, declaration authority matrix
☐ C ☐ NC ☐ NA
8.5.4
Business continuity procedures define step-by-step recovery tasks for each critical activity, aligned to RTO.
Activity-level BCPs, recovery task checklists
☐ C ☐ NC ☐ NA
8.5.5
IT/Technology disaster recovery plans align with business RTOs and RPOs.
IT DR Plan, system recovery runbooks
☐ C ☐ NC ☐ NA
8.5.6
Crisis communications plans address media, customers, regulators, staff, and other stakeholders.
Crisis Communications Plan, pre-approved messaging templates
☐ C ☐ NC ☐ NA
8.5.7
Plans include a procedure for stand-down and return to normal operations.
Stand-down/recovery procedure, normalization checklist
☐ C ☐ NC ☐ NA
8.5.8
Plans identify dependencies on external organizations and define liaison arrangements.
External dependency matrix, emergency service contacts
☐ C ☐ NC ☐ NA
8.5.9
Contact lists and call trees are maintained and kept current, including out-of-hours contacts.
Contact directory, last review date, call tree tests
☐ C ☐ NC ☐ NA
8.5.10
Plans are version controlled and accessible during a disruption (including offline/hard copies). Because plans contain contact details, system names and recovery steps, offline copies are protected, their holders are recorded, and superseded copies are withdrawn.
Plan version history, offline/hard copy register with holder names and withdrawal records
☐ C ☐ NC ☐ NA
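Checkpoints 8.2.4–8.2.7 (MTPD, RTO, RPO and resource requirements) and 8.5.5 (IT DR alignment with business RTO/RPO) are relationships an auditor can test mechanically against the register rather than accept from the methodology document. The Python script below is an added example and is not part of this checklist or of the standard: the register fields, the activity and system names, the test dates and the 365-day "stale test" threshold are all constructed assumptions (the standard sets no such number). It flags every row where RTO is not shorter than MTPD, where a data-dependent activity has no RPO, where no minimum resources are recorded, where a supporting system's demonstrated RTO/RPO does not meet the business requirement, and where the last restore or failover test is older than the threshold.

```python
"""Consistency checks over a BIA register and the IT DR capability that supports it.

Added example for the ISO 22301 checklist above; not part of the checklist or the
standard. All field names, sample activities, systems and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Activity:
    name: str
    mtpd_h: float                 # maximum tolerable period of disruption, hours
    rto_h: float                  # recovery time objective, hours
    data_dependent: bool          # does the activity depend on recoverable data?
    rpo_h: Optional[float]        # recovery point objective, hours (None = not set)
    resources: Dict[str, int]     # minimum resources needed to deliver the MBCO
    dr_systems: Tuple[str, ...]   # systems whose IT DR runbooks this activity relies on


@dataclass(frozen=True)
class DrCapability:
    system: str
    achieved_rto_h: float         # demonstrated in the most recent restore/failover test
    achieved_rpo_h: float         # demonstrated data-loss window
    last_test: date


Finding = Tuple[str, str, str]    # (checklist ref, activity, message)


def check_register(activities: List[Activity], capabilities: List[DrCapability],
                   as_of: date, max_test_age_days: int = 365) -> List[Finding]:
    """Return one finding per failed checkpoint, in register order."""
    caps = {c.system: c for c in capabilities}
    findings: List[Finding] = []
    for a in activities:
        # 8.2.5: RTO must be shorter than MTPD, row by row.
        if a.rto_h >= a.mtpd_h:
            findings.append(("8.2.5", a.name,
                             f"RTO {a.rto_h}h is not shorter than MTPD {a.mtpd_h}h"))
        # 8.2.6: data-dependent activities need an RPO.
        if a.data_dependent and a.rpo_h is None:
            findings.append(("8.2.6", a.name, "data-dependent activity has no RPO"))
        # 8.2.7: minimum resource requirements must be recorded.
        if not a.resources:
            findings.append(("8.2.7", a.name, "no minimum resource requirements recorded"))
        # 8.5.5 / 8.6.4: every supporting system must have a tested DR capability
        # that meets the business RTO/RPO, and the test must be recent.
        for system in a.dr_systems:
            cap = caps.get(system)
            if cap is None:
                findings.append(("8.5.5", a.name, f"no IT DR capability record for {system}"))
                continue
            if cap.achieved_rto_h > a.rto_h:
                findings.append(("8.5.5", a.name,
                                 f"{system} achieved RTO {cap.achieved_rto_h}h exceeds "
                                 f"business RTO {a.rto_h}h"))
            if a.rpo_h is not None and cap.achieved_rpo_h > a.rpo_h:
                findings.append(("8.5.5", a.name,
                                 f"{system} achieved RPO {cap.achieved_rpo_h}h exceeds "
                                 f"business RPO {a.rpo_h}h"))
            if (as_of - cap.last_test).days > max_test_age_days:
                findings.append(("8.6.4", a.name,
                                 f"{system} last tested {cap.last_test.isoformat()}, "
                                 f"older than {max_test_age_days} days"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per checklist reference, for the audit summary table."""
    counts: Dict[str, int] = {}
    for ref, _, _ in findings:
        counts[ref] = counts.get(ref, 0) + 1
    return counts


# Constructed sample register (hypothetical organisation).
SAMPLE_ACTIVITIES = [
    Activity("Payment processing", 8, 4, True, 0.25, {"staff": 4, "workstations": 4}, ("pay-core",)),
    Activity("Payroll", 72, 72, True, None, {"staff": 2}, ("hr-erp",)),
    Activity("Customer portal", 24, 8, True, 1, {}, ("portal-db",)),
]
SAMPLE_CAPABILITIES = [
    DrCapability("pay-core", 2, 0.25, date(2024, 3, 10)),
    DrCapability("hr-erp", 24, 24, date(2024, 1, 15)),
    DrCapability("portal-db", 6, 4, date(2022, 11, 1)),
]
AS_OF = date(2024, 6, 1)   # audit date, constructed

if __name__ == "__main__":
    for ref, activity, msg in check_register(SAMPLE_ACTIVITIES, SAMPLE_CAPABILITIES, AS_OF):
        print(f"{ref}\t{activity}\t{msg}")
    print(summarize(check_register(SAMPLE_ACTIVITIES, SAMPLE_CAPABILITIES, AS_OF)))
```

On the constructed data, "Payment processing" passes every check; "Payroll" fails 8.2.5 (RTO equal to MTPD) and 8.2.6 (no RPO); "Customer portal" fails 8.2.7 (no resources), 8.5.5 (portal-db RPO of 4 h against a business RPO of 1 h) and 8.6.4 (last test more than a year old). Each finding carries the checklist reference so it can be transcribed straight into the Notes column and the audit summary.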
8.6 Exercising and Testing (ISO 22301:2019 clause 8.5, Exercise programme)
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
8.6.1
A programme for exercising and testing BC plans has been established.
Exercise programme/schedule
☐ C ☐ NC ☐ NA
8.6.2
Exercises validate that BC plans will meet BC objectives and identify improvement opportunities.
Exercise objectives, post-exercise reports
☐ C ☐ NC ☐ NA
8.6.3
A range of exercise types is used (tabletop, walkthrough, functional, full live, simulation).
Exercise records showing varied types
☐ C ☐ NC ☐ NA
8.6.4
Exercises are conducted at planned intervals and following significant changes to plans or the business.
Exercise log, trigger-based exercise records
☐ C ☐ NC ☐ NA
8.6.5
Exercise results are documented, reviewed, and improvement actions are assigned and tracked.
Exercise reports, action tracker, closure evidence
☐ C ☐ NC ☐ NA
8.6.6
Lessons learned from exercises and real incidents are used to improve BCPs.
Lessons learned log, plan version history
☐ C ☐ NC ☐ NA
Section 9 – Performance Evaluation
9.1 Monitoring, Measurement, Analysis, and Evaluation
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
9.1.1
The organization determines what needs to be monitored and measured in relation to BC performance.
BC KPIs, measurement framework
☐ C ☐ NC ☐ NA
9.1.2
Methods for monitoring, measurement, analysis, and evaluation are defined to ensure valid results.
Measurement methodology, data collection procedures
☐ C ☐ NC ☐ NA
9.1.3
Monitoring and measurement results are analysed and evaluated and reported to relevant management.
BC performance dashboard, management reports
☐ C ☐ NC ☐ NA
9.1.4
Trends and patterns in BCMS performance are identified and actioned.
Trend analysis reports, improvement actions
☐ C ☐ NC ☐ NA
9.2 Internal Audit
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
9.2.1
An internal audit programme is established, covering the full scope of the BCMS at planned intervals.
Audit programme/schedule, audit coverage matrix
☐ C ☐ NC ☐ NA
9.2.2
Internal audits are conducted by competent, objective auditors who are independent of the audited area.
Auditor competence records, independence declarations
☐ C ☐ NC ☐ NA
9.2.3
Audit results are documented and reported to relevant management and top management.
Audit reports, distribution records
☐ C ☐ NC ☐ NA
9.2.4
Nonconformities identified in audits are addressed through the corrective action process.
CAR log, corrective action closure records
☐ C ☐ NC ☐ NA
9.3 Management Review
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
9.3.1
Top management reviews the BCMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.
Management review schedule, meeting records
☐ C ☐ NC ☐ NA
9.3.2
Review inputs include: status of actions from previous reviews, changes in internal and external issues, BC performance (KPIs, monitoring and measurement results, exercise results, evaluation of BC documentation and capabilities), nonconformities and corrective actions, audit results, information from the BIA and risk assessment including risks not adequately addressed previously, lessons learned from disruptions and near misses, interested party feedback, and opportunities for improvement.
Management review agenda and minutes
☐ C ☐ NC ☐ NA
9.3.3
Review outputs include decisions and actions related to improvement opportunities and changes to the BCMS.
Management review minutes with action items and owners
☐ C ☐ NC ☐ NA
9.3.4
Management review outputs are documented and retained.
Signed management review minutes, action tracker
☐ C ☐ NC ☐ NA
Section 10 – Improvement
10.1 Nonconformity and Corrective Action
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
10.1.1
When a nonconformity occurs, it is identified, reacted to, and controlled; the immediate impact is addressed.
Nonconformity log, incident/event records
☐ C ☐ NC ☐ NA
10.1.2
Root cause analysis is performed to determine the cause of the nonconformity.
RCA records (5-Why, fishbone, etc.)
☐ C ☐ NC ☐ NA
10.1.3
Corrective actions are implemented to eliminate the root cause and prevent recurrence.
CAR forms, implementation evidence
☐ C ☐ NC ☐ NA
10.1.4
The effectiveness of corrective actions is reviewed.
Effectiveness review records, re-audit evidence
☐ C ☐ NC ☐ NA
10.1.5
Similar nonconformities in other areas are identified and addressed proactively.
Horizontal deployment records, review of other processes, sites or plans for the same root cause
☐ C ☐ NC ☐ NA
10.1.6
Documented information is retained as evidence of the nature of nonconformities and actions taken.
CAR register with full closure documentation
☐ C ☐ NC ☐ NA
10.2 Continual Improvement
Ref.
Audit Checkpoint / Requirement
Evidence / Guidance
Status
Notes
10.2.1
The organization continually improves the suitability, adequacy, and effectiveness of the BCMS.
Improvement log, innovation records
☐ C ☐ NC ☐ NA
10.2.2
Opportunities for improvement are identified through audits, exercises, incidents, management reviews, and monitoring.
Improvement opportunity register, source tracking
☐ C ☐ NC ☐ NA
10.2.3
Improvement initiatives are prioritized, resourced, and implemented with measurable outcomes.
Improvement project records, before/after metrics
☐ C ☐ NC ☐ NA
Audit Summary
Category
Conforming (C)
Nonconforming (NC)
Not Applicable (NA)
Section 4 – Context
Section 5 – Leadership
Section 6 – Planning
Section 7 – Support
Section 8 – Operation
Section 9 – Performance Evaluation
Section 10 – Improvement
TOTAL
Overall Findings and Observations
__________________________________________________________________________________________________________
__________________________________________________________________________________________________________
__________________________________________________________________________________________________________
Auditor Signature
Lead Auditor: ____________________________________________ Date: ____________________
Auditee Representative: __________________________________ Date: ____________________
