Wednesday, October 30 2024

ISO 22301 version 2019 requirements, business continuity management systems

 24/03/2024

Quiz requirements ISO 22301 version 2019

You want to familiarize yourself with the structure of the standard, identify and understand the requirements of ISO 22301 version 2019, then it's up to you to play!

Start

The "ISO 22301 version 2019 Requirements" quiz will help you understand the main requirements of the standard.

The questions (requirements) included in this quiz are 161 of the 242 in the standard, but don't worry. These 161 requirements are among the most important. So do not hesitate to learn in a fun way!

Do not think you can finish this quiz in less than an hour, unless of course you are a little genius!

News about the ISO 22301 version 2019

The online training (course) T 26v19 ISO 22301 version 2019 readiness and its demo (soon)

The course T 56v19 ISO 22301 version 2019 internal audit and its demo (soon)

The package of courses T 76v195 training package ISO 22301 version 2019 readiness and internal audit

 

Based on the ISO 22301: 2019 the 242 requirements (verb shall) of clauses 4 to 10 are as follows:

ISO 22301 : 2019 requirements copyleft
No
Clause
PDCA cycle
Requirement No
Quantity
4
Context of the organization Plan 1 ÷ 16 16
5
Leadership Plan
17 ÷ 34
18
6
Planning Plan
35 ÷ 59
25
7
Support PlanDo
60 ÷ 85
26
8
Operation Do
86 ÷ 190
105
9
Performance evaluation Check
249 ÷ 228
38
10
Improvement Act
229 ÷ 242
14
Total
242

requirements iso 22301

ISO 22301 version 2019 requirements

PDCA

The Deming PDCA cycle

Remark. Any requirement normally begins with "The organization shall...". For simplicity's sake we present the requirements directly, starting with the verb.

ISO 22301 - Requirements and comments
No
Clause, sub-clause
Requirement
Comment, link
  4
Context of the organization
 
4.1
The organization and its context
 
1
4.1
Determine external and internal issues Understand everything that can influence the purpose (mission) of the company and its ability to obtain the expected results of the BCMS. Cf. sub-clause 6.1
 
4.2
Understanding the needs and expectations of the stakeholders
 
 
4.2.1
General
 
2
4.2.1 a Determine stakeholders That can influence the company's BCMS
3
4.2.1 b Determine the requirements of the stakeholders Implicit or explicit needs and wishes
 
4.2.2
Legal and regulatory requirements
 
4
4.2.2 a Implement a process to identify the legal and regulatory requirements Related to the company's business continuity
5
4.2.2 b
Ensure that these requirements are taken into account When implementing the BCMS
6
4.2.2 c
Document this information And keep it updated, cf sub-clause 7.5.1
 
4.3
Determining the scope of the business continuity management system
 
 
4.3.1
General
 
7
4.3.1
Determine the scope of the BCMS Limits and applicability
8
4.3.1 a
Take into account the external and internal issues Cf. sub-clause 4.1
9
4.3.1 b
Take into account the requirements of the stakeholders Cf. sub-clause 4.2
10
4.3.1 c
Take into account its mission and goals And internal and external obligations
11
4.3.1
Make the scope available As a record, cf sub-clause 7.5.1
 
4.3.2
Scope of the business continuity management system
 
12
4.3.2 a
Determine the parts to include in the BCMS Location, size, nature and complexity
13
4.3.3 b
Identify products and services To be included in the BCMS
14
4.3.2
Document and explain exclusions Retain a record, cf sub-clause 7.5.1
15
4.3.2
Do not affect the ability and responsibility of the company to ensure business continuity As determined by the business impact analysis and risk asessment, cf. sub-clause 8.2
 
4.4
Business continuity management system
up
16
4.4
Establish, implement, maintain and improve the BCMS

Including the processes needed and their interactions. Specific mandatory processes:

  • identify legal requirements (cf. sub-clause 4.2.2)
  • analyze business impact (cf. sub-clause 8.2.1)
  • assess risk (cf. sub-clause 8.2.2)
  • recover activities (cf. sub-clause 8.4.5)
  • audit (cf. sub-clause 9.2.2)
 
5
Leadership
 
5.1 
Leadership and commitment
 
17
5.1 a
Ensure that business continuity policy and objectives are established "When you sweep the stairs, you start at the top". Romanian proverb. Business continuity policy and objectives are compatible with the strategic direction of the company
18 5.1 b Ensure that BCMS requirements are integrated into business processes Demonstrate leadership
19
5.1 c
Ensure that BCMS resources are available Resources to establish, apply, maintain and improve the BCMS. Cf. sub-clause 4.4
20
5.1 d
Communicate on the importance of an effective BCMS And conforming to the BCMS requirements
21
5.1 e
Ensure the achievement of intended results of the BCMS Commitment, responsiveness and active support from top management
22
5.1 f
Direct and support staff In order to contribute to the effectiveness of the BCMS
23
5.1 g
Promote continual improvement Demonstrate leadership, cf. sub-clause 10.2
24
5.1 h
Support the staff involved to demonstrate leadership "Employees first, customers second". Vineet Nayar
 
5.2
Policy
 
5.2.1
Establishing the business continuity policy
 
25
5.2.1 a
Establish the business continuity policy That is appropriate to the purpose of the company
26 5.2.1 b Provide a framework for setting business continuity objectives In order to establish the objectives, cf. sub-clause 6.2
27 5.2.1 c Include meeting the requirements That are applicable, cf. sub-clause 4.2.2
28 5.2.1 d Include a commitment to continual improvement of the BCMS Cf. sub-clause 10.2
 
5.2.2
Communicating the business continuity policy
 
29 5.2.2 a Keep the business continuity policy available And make it available inside the company. Cf. sub-clause 7.5
30 5.2.2 b Communicate the policy So it is understand and applied, cf. sub-clause 7.4
31 5.2.2 c Make the policy available to stakeholders Cf. sub-clause 4.2
 
5.3
Roles, responsibilities, authorities
up
32
5.3
Ensure that the responsibilities and authorities are assigned And communicated within the company
33
5.3 a
Ensure that the BCMS conforms to the ISO 22301 requirements Requirements of clauses 4 to 10
34
5.3 b
Report on the performance of the BCMS to top management Regularly, cf. sub-clause 7.5.1
 
6
Planning
 
6.1
Actions to address risks and opportunities
 
 
6.1.1
Determining risks and opportunities
 
35
6.1.1
Determine the risks and opportunities Risk management is based on the ISO 31000 standard (see training T 51). To ensure that the BCMS can achieve the planned results. Cf. sub-clause 4.1 (context) and 4.2 (stakeholders). "Any decision involves a risk". Peter Barge
36 6.1.1 a Ensure that the BCMS can achieve its intended outcomes In order to address risks
37 6.1.1 b Reduce undesired effects In order to address risks
38 6.1.1 c Achieve a continual improvement approach Cf. sub-clause 10.2
 
6.1.2
Addressing risks and opportunities
 
39
6.1.2 a
Plan actions to address risks And opportunities, cf. sub-clause 8.2
40 6.1.2 b 1 Plan how to integrate these actions In the BCMS processes, cf. sub-clause 8.1
41
6.1.2 b 2
Plan how to evaluate the effectiveness of these actions Cf. sub-clause 9.1
 
6.2
Business continuity objectives and planning to achieve them
 
 
6.2.1
Establishing business continuity objectives
 
42
6.2.1
Establish business continuity objectives At relevant functions and levels. "He who has no goals will not achieve them". Sun Tzu"
43 6.2.1 a Determine business continuity objectives Consistant with the business continuity policy, cf. sub-clause 5.2
44 6.2.1 b Determine business continuity objectives Be measurable (if practicable)
45 6.2.1 c Determine business continuity objectives Taking into account applicable requirements, cf. sub-clauses 4.1 and 4.2
46 6.2.1 d Determine business continuity objectives Be monitored, cf. sub-clause 9.1
47 6.2.1 e Determine business continuity objectives Be communicated, cf. sub-clause 7.4
48 6.2.1 f Determine business continuity objectives Be upgrated regularly
49 6.2.1 Record the busness continuity objectives Cf. sub-clause 7.5.1
 
6.2.2
Determining business continuity objectives
 
50
6.2.2 a
Determine business continuity objectives when planning What will be done
51 6.2.2 b Determine business continuity objectives when planning What resources will be required
52
 6.2.2 c
Determine business continuity objectives when planning Who will be responsible
53
6.2.2 d
Determine business continuity objectives when planning When it will be completed
54  6.2.2 e Determine business continuity objectives when planning How the results will be evaluated
 
 6.3
Planning changes to the business continuity management system
up
55
6.3 Plan the need for changes to the BCMS "The only person who likes change is a wet baby". Cf. clause 10
56
6.3 a Take into account The purpose of the changes and their consequences
57
6.3 b Take into account The integrity of the BCMS
58
6.3 c Take into account The availability of resources
59
6.3 d Take into account The allocation of responsibilities and authorities
 
 7
Support
 
 7.1
Resources
 
60
 7.1.1 Provide the necessary resources In order to establish, implement, maintain and improve the BCMS
   7.2
Competence
 
61 7.2 a Determine the necessary competence of concerned persons Persons who can impact business continuity performance
62 7.2 b Ensure that the persons are competent Education, training or experience
63 7.2 c Undertake actions to acquire the necessary competence And evaluate the effectiveness of these actions
64 7.2 d Retain staff competence Record, cf. sub-clause 7.5
   7.3 Awareness
up
65 7.3 a Ensure the staff is aware of the business continuity policy Including people who carry out work under the company's control. Cf. sub-clauses 5.26.2 and 7.5.1
66 7.3 b Raise staff awareness of the importance of their contribution to the effectiveness of the BCMS And the beneficial effects of improved BCMS performance
67 7.3 c Raise staff awareness of the consequences of non-compliance with BCMS requirements Do not forget the potential consequences on all professional activities
68 7.3 d Raise staff awareness of their role and responsibilities During and after disruptions
   7.4
Communication 
 
69 7.4 a Determine the internal and external communications On what. Internally and externally. "Good news walks, bad news runs". Swedish proverb
70  7.4 b Determine the internal and external communications When to communicate
71 7.4 c Determine the internal and external communications With whom to communicate
72
7.4 d 
Determine the internal and external communications How, orally, in writing, Internet, video
73
7.4 e 
Determine the internal and external communications Who will communicate, the one who is closest to the subject
   7.5
Documented information
 
   7.5.1
General
up
74  7.5.1 a Include in the BCMS the documents (documented information) required by ISO 22301 Documented procedures (* mandatory): procedure
  • legal requirements (sub-clause 4.2.2)
  • document control (sub-clause 7.5)
  • backup (sub-clause 8.1)
  • business continuity (sub-clause 8.4.1) *
  • response to disturbances (sub-clause 8.4.2)
  • warning and communication (sub-clause 8.4.3) *
  • business continuity plan (sub-clause 8.4.4) *
  • internal audit (sub-clause 9.2.2)
  • corrective actions (sub-clause 10.1.3)

Policy (* mandatory): policy

  • business continuity policy (5.2) *
Records (*mandatory): record
  • business context (sub-clause 4.1)
  • list of legal requirements (sub-clause 4.2.2) *
  • scope (sub-clause 4.3) *
  • responsibilities and authorities (sub-clause 5.3)
  • business continuity objectives (sub-clause 6.2) *
  • plan to achieve the objectives (sub-clause 6.2)
  • skills (sub-clause 7.2) *
  • training program (sub-clause 7.3)
  • communication plan (sub-clause 7.4)
  • list of documents of external origin (sub-clause 7.5.3.2)
  • operational control (sub-clause 8.1)
  • changes (sub-clause 8.1)
  • outsourced processes (sub-clause 8.1)
  • impact assessment, analysis, results (sub-clause 8.2.2)
  • risk treatment (sub-clause 8.2.3)
  • strategies and solutions (sub-clause 8.3.3)
  • risk communication (sub-clause 8.4.3) *
  • disturbances, actions and decisions (8.4.3.1) *
  • business continuity plans (sub-clause 8.4.4) *
  • exercise program (sub-clause 8.5)
  • incident scenarios (sub-clause 8.5)
  • exercise results (sub-clause 8.5)
  • review of business continuity capabilities (sub-clause 8.6)
  • performance evaluation (sub-clause 9.1) *
  • methods and results of inspection, analysis and evaluation (sub-clause 9.1)
  • BCMS maintenance plan (sub-clause 9.1)
  • internal audit, program (sub-clause 9.2.2) *
  • internal audit, report (sub-clause 9.2.2) *
  • management review, results (sub-clause 9.3.3.2) *
  • nonconformities and corrective actions (sub-clause 10.1)
  • improvement report (sub-clause 10.2)
75 7.5.1 b Include in the BCMS documents deemed necessary for the effectiveness of the BCMS

"Spoken words fly away, written one stay". Latin proverb. These documents are specific to the size of the company, the field of activity, the complexity of the processes and their interactions, and the skills of the personnel

   7.5.2
Creating and updating
up
76 7.5.2 a Identify and describe documents appropriately Codification, title, author, subject, product
77 7.5.2 b Ensure that format and media of documents are appropriate Language, graphics, paper, electronic
78 7.5.2 c Review and validate documents appropriately Who writes, codifies, who approves
   7.5.3
Control of documented information 
 
79 7.5.3.1 a  Make documents available and suitable for use Where and when required in a form that is suitable for use
80 7.5.3.1 b Protect adequately the documents Loss of confidentiality, loss of integrity, misuse
81 7.5.3.2 a Apply distribution, access, retrieval and usage activities Who is in charge, method to use, rule to follow
82 7.5.3.2 b Apply storage and preservation activities Including protection and readability
83 7.5.3.2 c Apply control of changes activities Use of updated versions, restricted access to obsolete versions
84 7.5.3.2 d Apply retention and removal activities Retention period, disposal method
85 7.5.3.2 Identify and control documents of external origin List of documents deemed necessary for the planning and operation of the BCMS, cf. sub-clause 7.5.1
   8
Operation
Do
   8.1
Operational planning and control
 
86  8.1 a Plan, apply, control and maintain the necessary processes to comply with the requirements of the BCMS By establishing criteria for these processes and carrying out actions determined in sub-clause 6.1 
87  8.1 b Plan, apply, control and maintain the necessary processes In order to comply with the requirements of the BCMS
88  8.1 c Maintain documentation of necessary processes In order to have confidence that the processes have been carried out as planned
89  8.1 Control planned changes And analyze unforeseen ones
90 8.1 Ensure that outsourced processes are controlled and relevant And the supply chain is also controlled
   8.2
Business impact analysis and risk assessment
 
   8.2.1
General
up
91 8.2.1 a Apply systematic processes For analysing the business impact and assessing the risks of disruption
92 8.2.1 b Review the business impact analysis and the risk assessment At planned intervals and when there are significant changes
   8.2.2
Business impact analysis
 
93 8.2.2 Use the process Analyze business impacts on activity In order to determine business continuity priorities and requirements
94 8.2.2 a Define impact types And company's criteria
95 8.2.2 b Identify the activities That support the provision of products and services
96 8.2.2 c Use the impact types and criteria for assessing the impacts over time From disruption of these activities
97 8.2.2 d Identify the time frame beyond which the impacts of a non-resumption of activities would pose a problem This time frame is refered as "maximum tolerable period of disruption" (MTPD)
98 8.2.2 e Determine prioritized time frames Within the time identified in MTPD, referred as "recovery time objective" (RTO)
99 8.2.2 f Use this analysis In order to identify prioritized activities
100 8.2.2 g Determine the needed resources In order to support prioritized activities
101 8.2.2 h Determine dependencies on priority activities Including partners and suppliers
   8.2.3 Risk assessment
 
102  8.2.3 Apply the process Assess risk Cf. sub-clause 6.1 and the training T 51v18
103  8.2.3 a Identify the risks of disruption To the company's prioritized activities and resources needed
104  8.2.3 b Analyze the identified risks And evaluate the risks
105
 8.2.3 c
Determine which risks require treatment These risks relate to the disruption of business activities, the other risks (related to the effectiveness of the BCMS) are addressed in sub-clause 6.1
   8.3
Business continuity stratégies and solutions
 
   8.3.1
General
up
106  8.3.1 Identify and select business continuity strategies That consider options before, during and after disruption
107  8.3.1 Include more than one solution For each business continuity strategy
   8.3.2 Identification of strategies and solutions  
108 8.3.2 a Take into account, when identifying, the extent to which strategies and solutions Meet the requirements to continue and recover prioritized activities
109 8.3.2 b Take into account, when identifying, the extent to which strategies and solutions Protect the company's prioritized activities
110 8.3.2 c Take into account, when identifying, the extent to which strategies and solutions Reduce the likelihood of disruption
111 8.3.2 d Take into account, when identifying, the extent to which strategies and solutions Shorten the period of disruption
112 8.3.2 e Take into account, when identifying, the extent to which strategies and solutions Limit the impact of disruption
113 8.3.2 f Take into account, when identifying, the extent to which strategies and solutions Provide for the availability of adequate resources
   8.3.3
Selection of strategies and solutions
 
114  8.3.3 a Take into account, when selecting, to what extent the strategies and solutions Meet the requirements to continue and recover prioritized activities
115  8.3.3 b Take into account, when selecting, to what extent the strategies and solutions Consider the amount and type of risk worth taking or not
116  8.3.3 c Take into account, when selecting, to what extent the strategies and solutions Consider associated costs and benefits
   8.3.4
Resource requirements
up
117 8.3.4 Determine the resource requirements In order to implement the selected business continuity solutions
118 8.3.4 a Include in considered resource types People
119 8.3.4 b Include in considered resource types Information and data
120 8.3.4 c Include in considered resource types Infrastructure
121 8.3.4 d Include in considered resource types Equipment and consumables
122 8.3.4 e Include in considered resource types ICT (information and communication technology)
123 8.3.4 f Include in considered resource types Transport and logistics
124 8.3.4 g Include in considered resource types Finance
125 8.3.4 h Include in considered resource types Partners and suppliers
   8.3.5 Implementation of solutions
 
126 8.3.5 Implement selected business continuity solutions In order to be activated when needed
   8.4
Business continuity plans and procedures
up
   8.4.1
General
 
127 8.4.1 Apply a response structure In order to enable timely warning and communication to stakeholders
128 8.4.1 Provide plans and procedures In order to manage the company during a disruption
129 8.4.1 Use plans and procedures when required In order to activate business continuity solutions
130 8.4.1 Identify and document plans and procedures Based on selected strategies and solutions, cf. sub-clause 7.5.1
131 8.4.1 a Use precises plans Regarding the immediate steps
132 8.4.1 b Use flexible plans In order to respond to the changing conditions of a disruption
133 8.4.1 c Focus on the impact of incidents That can lead to disruption
134 8.4.1 d Use effective procedures Through the implementation of appropriate solutions
135 8.4.1 e Assign roles and responsibilities For every task concerned
   8.4.2
Response structure
 
136 8.4.2.1 Implement and maintain a structure identifying one or more teams In charge of responding to disruptions
137 8.4.2.2 Establish clearly the roles and responsibilities of each team And the relationships between the teams
138 8.4.2.3 a Designate collectively competent teams to Assess the nature of a disruption and its impact
139 8.4.2.3 b Designate collectively competent teams to Assess the impact against pre-defned thresholds
140 8.4.2.3 c Designate collectively competent teams to Activate an appropriate response
141 8.4.2.3 d Designate collectively competent teams to Plan actions to be undertaken
142 8.4.2.3 e Designate collectively competent teams to Establish priorities
143 8.4.2.3 f Designate collectively competent teams to Monitor the effects of the disruption and the company's response
144 8.4.2.3 g Designate collectively competent teams to Activate the business continuity solutions
145 8.4.2.3 h Designate collectively competent teams to Communicate with relevant stakeholders including authorities and media
146 8.4.2.4 a Have for each team An identified personnel to perform their designated role
147 8.4.2.4 b Have for each team Documented procedures to guide their actions, cf. sub-clause 8.4.4
   8.4.3
Warning and communication
up
148 8.4.3.1 a  Document and maintain procedures for Communicating to relevant stakeholders, cf. sub-clause 7.4
149 8.4.3.1 b Document and maintain procedures for Communicating with stakeholders, including any national risk advisory system
150 8.4.3.1 c Document and maintain procedures for Ensuring the availability of the means of communication during a disruption
151 8.4.3.1 d Document and maintain procedures for Communication with emergency responders
152 8.4.3.1e Document and maintain procedures for Media response
153 8.4.3.1 f Document and maintain procedures for Recording the details of the disruption, the actions taken and the decisions made, cf. sub-clause 7.5.1
154 8.4.3.2 a Alert stakeholders potentially impacted By an actual or impending disruption
155 8.4.3.2 b Ensure coordination and communication Between multiple responding organizations
156 8.4.3.2 Carry out exercises of warning and communication procedures Cf. sub-clause 8.5
   8.4.4
Business continuity plans
up
157 8.4.4.1  Document and maintain business continuity plans and procedures In order to be available when needed
158 8.4.4.1 Provide guidance and information in Business Continuity Plans (BCPs) In order to assist teams to respond to a disruption
159 8.4.4.2 a 1 Include details of actions to be carried out in business continuity plans In order to recover prioritized activities
160 8.4.4.2 a 2 Include details of actions to be carried out in business continuity plans In order to monitor the impact of the disruption
161 8.4.4.2 b Include in business continuity plans Reference to the pre-defined thresholds
162 8.4.4.2 c Include in business continuity plans Procedures to enable the delivery of products and services
163 8.4.4.2 d 1 Include in business continuity plans Details to manage the immediate consequences of a disruption related to the welfare of individuals
164 8.4.4.2 d 2 Include in business continuity plans Details to manage the immediate consequences of a disruption related to the prevention of further loss
165 8.4.4.2 d 3 Include in business continuity plans Details to manage the immediate consequences of a disruption related to the impact on the environment
166 8.4.4.3 a Include in each BCP The purpose, scope and objective
167 8.4.4.3 b Include in each BCP The roles and responsibilities
168 8.4.4.3 c Include in each BCP Actions to implement the solutions
169 8.4.4.3 d Include in each BCP Supporting information needed to activate the team's actions
170 8.4.4.3 e Include in each BCP Internal and external dependencies
171 8.4.4.3 f Include in each BCP The resource requirements
172 8.4.4.3 g Include in each BCP The reporting requirements
173 8.4.4.3 h Include in each BCP A process for standing down
174 8.4.4.3 Make each plan available At the time and place at which it is required, cf. sub-close 7.5.1
   8.4.5
Recovery
up
175 8.4.5 Have documented processes To restore and return business activities during and after a disruption
   8.5
Exercice program
 
176 8.5 Implement and maintain an exercice and test program In order to validate over time the effectiveness of strategies and solutions
177 8.5 a Conduct exercices and tests that Are consistent with the company's business continuity objectives, cf. sub-clause 6.2
178 8.5 b Conduct exercices and tests that Are based on appropriate scenarios, cf. sub-clause 8.3
179 8.5 c Conduct exercices and tests that Develop teamwork, competence, confidence and knowledge, cf. sub-clause 7.2
180 8.5 d Conduct exercices and tests that Validate its business continuity strategies and solutions, cf. sub-clause 8.3
181 8.5 e Conduct exercices and tests that Produce post-exercice reports, cf. sub-clause 7.5.1
182 8.5 f Conduct exercices and tests that Are reviewed, cf. sub-clause 10.2
183 8.5 g Conduct exercices and tests that Are performed at planned intervals and when there are significant changes
184 8.5 Act based on the results of exercises and tests In order to implement changes and improvements, cf. sub-clause 6.3
   8.6
Evaluation of business continuity documentation and capabilities
 
185 8.6 a Evaluate the suitability, adequacy and effectiveness of the company's Business impact analysis, risk assessment, strategies, solutions, plans and procedures, cf. sub-clauses 8.2, 8.3 and 8.4
186 8.6 b Undertake evaluations Through reviews, analysis, exercices, tests, reports and evaluations
187 8.6 c Submit to a business continuity capability evaluation Of relevant partners and suppliers
188 8.6 d Evaluate compliance with applicable legal and regulatory requirements And with its own business continuity policy and objectives
189 8.6 e Update documentation In a timely manner
190 8.6 Conduct evaluations at planned intervals After an incident, activation or significant changes occur
   9
Performance evaluation
Check
   9.1
Monitoring, measurement, analysis and evaluation
 
191  9.1 a Determine what needs to be inspected (monitored and measured) Including processes and BCPs
192 9.1 b Determine the methods for inspection, analysis and evaluation In order to ensure valid results
193 9.1 c Determine when to inspect And by whom
194 9.1 d Determine when and by whom the inspection results shall be analyzed And evaluated
195 9.1 Retain the results of inspection Cf. sub-clause 7.5.1
196 9.1 Evaluate the performance of the BCMS And the effectiveness of the BCMS
   9.2
Internal audit
 
   9.2.1
General
up
197 9.2.1 a 1 Conduct internal audits at planned intervals In order to determine whether the BCMS meets internal company requirements. Cf. ISO 19011
198 9.2.1 a 2 Conduct internal audits at planned intervals In order to determine whether the BCMS meets requirements of the ISO 22301 standard
199 9.2.1 b Conduct regularly planned internal audits In order to determine whether the BCMS is effectively implemented and maintained
   9.2.2
Audit program
up
200 9.2.2 a Plan, establish, implement and update an audit program Including frequency, methods, responsibilities, planning and reporting requirements. Follow the recommendations of ISO 19011
201 9.2.2 a Take into account the importance of the processes concerned And the results of previous audits
202 9.2.2 b Define the audit criteria And the audit scope
203 9.2.2 c Select auditors In order to conduct objective and impartial audits
204 9.2.2 d Ensure that the audit results are reported To concerned managers
205 9.2.2 e Retain documents of the implementation of the audit program Cf. sub-clause 7.5.1
206 9.2.2 f Ensure that corrective actions are taken without undue delay In order to eliminate nonconformities and their causes
207 9.2.2 g Ensure that follow-up audit actions include the verification of their effectiveness And the reporting of verification results
   9.3
Management review
 
   9.3.1
General
 
208  9.3.1 Proceed at planned intervals to review the BCMS In order to confirm that it is still relevant, appropriate and effective. "No system is perfect"
   9.3.2
Management review input
 up
209 9.3.2 a Take into account the status of actions from previous management reviews Use the last management review report
210 9.3.2 b Take into account the changes in external and internal issues That are relevant to the BCMS
211 9.3.2 c 1 Take into account the information on the performance of the BCMS and trends In nonconformities and corrective actions, cf. sub-clause 10.1
212 9.3.2 c 2 Take into account the information on the performance of the BCMS and trends In inspection results, cf. sub-clause 9.1
213 9.3.2 c 3 Take into account the information on the performance of the BCMS and trends In audit results, cf. sub-clause 9.2
214 9.3.2 d Take into account the feedback from stakeholders Cf. sub-clause 4.2
215 9.3.2 e Take into account the need for changes to the BCMS Including the policy and objectives, cf. sub-clauses 5.2 and 6.2
216 9.3.2 f Take into account the procedures and resources That could be used to improve the BCMS, cf. sub-clause 10.2
217 9.3.2 g Take into account the information from the business impact analysis And risk assessment, cf. sub-clause 8.2
218 9.3.2 h Take into account output from the evaluation of business continuity documentation And capabilities, cf. sub-clause 8.6
219 9.3.2 i Take into account the risks or issues not adequately addressed  In any previous risk assessment
220 9.3.2 j Take into account lessons learned and actions Arising from near-misses and disruptions
221 9.3.2 k Take into account opportunities For continual improvement. Cf. sub-clause 10.2
   9.3.3
Management review outputs
up
222 9.3.3.1 a

Include continual improvement decisions and any need for changes to the BCMS in the outputs of the management review

Including variations to the scope of the BCMS
223 9.3.3.1 b Include continual improvement decisions and any need for changes to the BCMS in the outputs of the management review Including update of the business impact analysis, risk assessment, startegies, solutions and BCPs
224 9.3.3.1 c Include continual improvement decisions and any need for changes to the BCMS in the outputs of the management review Including modifications of procedures and controls
225 9.3.3.1 d Include continual improvement decisions and any need for changes to the BCMS in the outputs of the management review Including how the effectiveness of controls will be measured
226 9.3.3.2 Retain the records of the results of management reviews Cf. sub-clause 7.5.1
227 9.3.3.2 a Communicate the results of the management review Cf. sub-clause 7.4
228 9.3.3.2 b Take appropriate action Relating the results of the management review
   10
Improvement
Act
   10.1
Nonconformity and corrective action
 
229 10.1.1 Determine improvement opportunities In order to implement actions to achieve the intended outcomes of its BCMS
230 10.1.2 a 1 React to the nonconformity and take action to control it And correct it
231 10.1.2 a 2 React to the nonconformity and deal with the consequences That can influence the effectiveness of the BCMS
232 10.1.2 b 1 Evaluate the need for action to eliminate the root causes by Reviewing the nonconformity
233 10.1.2 b 2 Evaluate the need for action to eliminate the root causes by Determining the root causses of the nonconformity
234 10.1.2 b 3 Evaluate the need for action to eliminate the root causes by Determining if similar nonconformities exist
235 10.1.2 c Implement any action needed In order that the nonconformity does not recur
236 10.1.2 d Review any corrective action taken And its effectiveness
237 10.1.2 e Make changes to the BCMS If necessary
238 10.1.2 Implement corrective actions Appropriate to the nonconformities encountered
239 10.1.3 a Retain records Of the nature of the nonconformity
240 10.1.3 b Retain records Of the results of the corrective action
   10.2
Continual improvement
up
241 10.2.1 a 1 Improve continually the suitability, adequacy and effectiveness of the BCMS Based on qualitative and quantitative measures
242 10.2.1 a 2 Take into account the results of the analysis and evaluation and the decisions of the management review In order to detremine if there are needs and opportunities that shall be addressed