Industry Insights, 30 June 2025, 10 min, ISO Xpert Team. Last updated 30 June 2025

ISO 22316:2017

ORGANIZATIONAL RESILIENCE

Complete Audit Checklist

Organization:

Audit Date:

Lead Auditor:

Audit Ref #:

Auditee Name / Role:

Scope:

Conformity Rating Key:

C — Conforming

Evidence fully satisfies the requirement with no gaps identified.

NC — Non-Conforming

Evidence is absent, insufficient, or the requirement is not met.

PC — Partially Conforming

Evidence partially satisfies the requirement; gaps or weaknesses exist.

NA — Not Applicable

The requirement does not apply to the defined scope of audit.

Ref

Requirement / Audit Question

Evidence Required

Conformity (C/PC/NC/NA)

Auditor Notes / Findings

4. CONTEXT OF THE ORGANIZATION

4.1

Understanding the organization and its context: Has the organization determined external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome of its resilience strategies?

Documented context analysis; PESTLE/SWOT; strategic plans

4.2

Has the organization identified and analyzed external context factors (political, economic, social, technological, environmental, legal) affecting resilience?

External environment analysis; stakeholder register

4.3

Has the organization identified and analyzed internal context factors (culture, capabilities, governance, resources) affecting resilience?

Internal capability assessment; organizational structure

4.4

Needs and expectations of interested parties: Has the organization determined interested parties relevant to its resilience and their requirements?

Stakeholder analysis document; interested party register

4.5

Scope of organizational resilience: Has the organization defined and documented the scope of its resilience activities?

Scope statement; resilience policy; boundary documentation

4.6

Does the scope consider the organization's products, services, and activities that could affect resilience?

Business impact analysis; product/service inventory

5. PRINCIPLES OF ORGANIZATIONAL RESILIENCE

5.1

Shared vision and clarity of purpose: Has the organization articulated a clear vision and purpose that guide resilience activities?

Mission/vision statement; strategic resilience objectives

5.2

Understanding of context and potential impacts: Does the organization maintain a current understanding of its operating environment and threats?

Risk register; threat assessments; environmental scans

5.3

Effective and empowered leadership: Does leadership actively promote and model resilience behaviors and decision-making?

Leadership commitments; delegation records; accountability frameworks

5.4

A culture that supports resilience: Is there evidence of a resilience-supporting culture embedded across the organization?

Culture surveys; communication records; behavioral indicators

5.5

Shared information and knowledge: Does the organization systematically share resilience-relevant information across all levels?

Knowledge management system; communication plans; lessons learned logs

5.6

Availability of resources: Are adequate financial, human, and physical resources allocated and available for resilience activities?

Budget allocations; resource plans; capability assessments

5.7

Development and coordination of management disciplines: Are relevant management disciplines (BCP, ERM, crisis management, etc.) coordinated and integrated?

Integrated management framework; cross-discipline coordination records

5.8

Continuity and recovery capabilities: Does the organization have tested capabilities to continue and recover critical activities?

Business continuity plans; recovery test reports; RTO/RPO documentation

5.9

Continuous monitoring and review: Is resilience performance regularly monitored, measured, and reviewed?

KPI dashboards; audit schedules; management review minutes

5.10

Learning and adapting: Does the organization learn from exercises, incidents, and near misses to improve resilience?

After-action reviews; corrective action logs; improvement plans

5.11

Anticipation of future challenges: Does the organization use foresight methodologies to anticipate emerging risks and opportunities?

Scenario planning documents; horizon scanning reports; strategic foresight records

6. LEADERSHIP

6.1

Leadership and commitment: Is top management demonstrating leadership and commitment to organizational resilience?

Leadership policy statements; board minutes; strategic plans

6.2

Has top management assigned roles, responsibilities, and authorities for resilience and communicated them?

RACI matrix; job descriptions; appointment letters

6.3

Does leadership ensure resilience is integrated into strategic planning and business processes?

Strategic plans; business planning process documentation

6.4

Policy: Has top management established a resilience policy appropriate to the organization's purpose and context?

Resilience policy document; approval records; distribution evidence

6.5

Does the resilience policy include commitments to continuous improvement and compliance with applicable requirements?

Policy content review; compliance register; improvement objectives

6.6

Is the resilience policy documented, communicated, and available to interested parties as appropriate?

Policy distribution records; intranet publication; staff acknowledgements

7. PLANNING

7.1

Actions to address risks and opportunities: Has the organization identified risks and opportunities that need to be addressed to achieve resilience objectives?

Risk register; opportunity register; strategic risk assessments

7.2

Does the organization plan actions to address these risks and opportunities and integrate them into its processes?

Risk treatment plans; action logs; integration evidence in procedures

7.3

Resilience objectives: Has the organization established resilience objectives at relevant functions and levels?

Objectives register; SMART objectives; alignment to policy

7.4

Do resilience objectives consider what will be done, resources required, timelines, and how results will be evaluated?

Objective action plans; resource plans; metrics and milestones

7.5

Are resilience objectives consistent with the resilience policy and overall organizational strategy?

Strategy alignment matrix; policy-objectives linkage document

7.6

Planning of changes: Are changes to resilience processes and systems planned systematically, including assessment of impacts?

Change management procedure; change log; impact assessments

8. SUPPORT

8.1

Resources: Has the organization determined and provided the resources needed for resilience activities?

Budget approvals; resource allocation records; capability registers

8.2

Competence: Has the organization determined the necessary competencies for resilience roles and ensured these are met?

Competency framework; training records; skills assessments

8.3

Are personnel performing resilience activities trained and competent, with evidence of ongoing development?

Training plans; certificates; performance appraisals

8.4

Awareness: Are personnel aware of the resilience policy, their contribution to resilience, and implications of non-conformity?

Awareness training records; communication logs; surveys

8.5

Communication: Has the organization determined internal and external communication needs related to resilience?

Communication plan; stakeholder communication records; crisis communications protocols

8.6

Is communication structured to ensure timely and accurate information flows during normal and disrupted operations?

Communication matrices; escalation procedures; notification systems

8.7

Documented information: Has the organization documented information required to support resilience and its effective operation?

Document inventory; document control procedure; retention schedules

8.8

Is documented information controlled, accessible, protected, and retained for appropriate periods?

Document management system; version control logs; access controls

9. OPERATION

9.1

Operational planning and control: Has the organization planned, implemented, and controlled processes to meet resilience requirements?

Operational procedures; process maps; control evidence

9.2

Does the organization establish criteria for its resilience processes and control these processes according to criteria?

Process criteria documentation; monitoring records; compliance checks

9.3

Are outsourced and externally provided processes, products, and services controlled from a resilience perspective?

Supplier resilience assessments; contract clauses; third-party audits

9.4

Assessment of resilience: Does the organization assess its resilience performance using appropriate methods and tools?

Resilience assessment reports; maturity models; benchmarking

9.5

Are resilience exercises and tests conducted to validate plans, capabilities, and response procedures?

Exercise program; test schedules; exercise reports; after-action reviews

9.6

Is the outcome of resilience assessments and exercises documented and used to drive improvement?

Improvement action plans; tracking logs; management review inputs

10. PERFORMANCE EVALUATION

10.1

Monitoring, measurement, analysis and evaluation: Does the organization monitor and measure resilience performance?

KPI reports; dashboards; measurement methodology documentation

10.2

Has the organization determined what needs to be monitored, measurement methods, timing, and who analyzes and evaluates results?

Measurement plan; reporting schedules; responsibility assignments

10.3

Internal audit: Does the organization conduct internal audits at planned intervals to determine conformity and effectiveness?

Audit programme; audit schedules; audit reports; corrective actions

10.4

Are internal auditors competent, objective, and impartial? Are audit criteria, scope, frequency, and method defined?

Auditor competency records; audit procedure; audit plans

10.5

Management review: Does top management review the resilience approach at planned intervals?

Management review agenda; minutes; decisions; action tracking

10.6

Do management reviews include performance data, audit results, changes in context, and improvement opportunities?

Review input records; trend analyses; benchmarking reports

11. IMPROVEMENT

11.1

Continual improvement: Does the organization continually improve the suitability, adequacy, and effectiveness of its resilience approach?

Improvement plans; trend analysis; maturity progression evidence

11.2

Nonconformity and corrective action: Does the organization react to nonconformities, take corrective actions, and review their effectiveness?

NCR register; root cause analyses; corrective action closure records

11.3

Are corrective actions appropriate to the effects of the nonconformities encountered?

CAR forms; proportionality assessments; verification evidence

11.4

Does the organization retain documented information as evidence of nonconformities and corrective actions?

NCR log; corrective action database; closure evidence

AUDIT SUMMARY & FINDINGS

Total Items Audited

Conforming (C)

Partially Conforming (PC)

Non-Conforming (NC)

Key Strengths Observed:

Priority Improvement Opportunities:

Recommended Actions:

SIGN-OFF

Lead Auditor Name

Signature

Auditee Representative

Signature

Date:

Date:
