ISO 22301 Checklist

This document is a checklist template for assessing audit readiness and implementation status against ISO 22301:2019. Each row gives a control ID, control name, control description and an implementation status; in this copy every control is marked 'Not Implemented', so the template is a starting point for a gap assessment rather than a record of a completed one.

Uploaded by Alberto Huamani

ISO 22301:2019 checklist

Use this checklist to assess your ISO 22301:2019 audit readiness and implementation status.


Control ID | Control Name | Control Description | Implementation Status

4.1 | Understanding The Organization and Its Context | The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its BCMS. Note: These issues will be influenced by the organization's overall objectives, its products and services and the amount and type of risk that it may or may not take. | Not Implemented
4.2.1.a | Understanding The Needs and Expectations of Interested Parties - Management System | The organization shall determine the interested parties that are relevant to the business continuity management system. | Not Implemented
4.2.1.b | Understanding The Needs and Expectations of Interested Parties - Business Continuity | The organization shall determine the requirements of these interested parties relevant to business continuity. NOTE: The requirements of interested parties may include legal and regulatory requirements and contractual obligations. | Not Implemented
4.2.2.a | Understanding The Legal and Regulatory Requirements - Business Continuity | The organization shall establish, implement, and maintain a process to identify, have access to, and assess the applicable legal and regulatory requirements related to the continuity of its products and services, activities and resources. | Not Implemented
4.2.2.b | Understanding The Legal and Regulatory Requirements - Management System | The organization shall ensure that applicable legal, regulatory and other requirements are taken into account in implementing and maintaining its BCMS. | Not Implemented
4.2.2.c | Understanding The Legal and Regulatory Requirements - Documentation | The organization shall ensure that applicable legal, regulatory and other requirements are documented and kept up to date. | Not Implemented
4.3 | Business Continuity Scope Determination | The organization shall determine the boundaries and applicability of the business continuity management system to establish its scope. This scope shall be available as documented information. | Not Implemented
4.3.1.a | Business Continuity Scope Determination - External and Internal Issues | When determining the scope of the business continuity management system, the organization shall consider the external and internal issues referred to in Requirement 4.1 (Understanding the organization and its context). | Not Implemented
4.3.1.b | Business Continuity Scope Determination - Requirements of 4.2 | When determining the scope of the business continuity management system, the organization shall consider the requirements referred to in Requirement 4.2 (Understanding the needs and expectations of interested parties). | Not Implemented
4.3.1.c | Business Continuity Scope Determination - Interfaces and Dependencies | When determining the scope of the business continuity management system, the organization shall consider its mission, goals, and internal and external obligations. | Not Implemented
4.3.2 | Scope of The Business Continuity Management System | When defining the scope, the organization shall document and explain exclusions. Exclusions shall not affect the organization's ability and responsibility to provide business continuity, as determined by the business impact analysis or risk assessment and applicable legal or regulatory requirements. | Not Implemented
4.3.2.a | Scope of The Business Continuity Management System - Scope Inclusion | The organization shall establish the parts of the organization to be included in the BCMS, taking into account its location(s), size, nature and complexity. | Not Implemented
4.3.2.b | Scope of The Business Continuity Management System - Products and Services | The organization shall identify products and services to be included in the BCMS. | Not Implemented
4.4 | Business Continuity Management System | The organization shall establish, implement, maintain, and continually improve a business continuity management system, including the processes needed and their interactions, in accordance with the requirements of this document. | Not Implemented
5.1.a | Leadership and Commitment - Establish Policy | Top management shall demonstrate leadership and commitment with respect to the business continuity management system by ensuring the business continuity policy and the business continuity objectives are established and are compatible with the strategic direction of the organization. | Not Implemented
5.1.b | Leadership and Commitment - Integration | Top management shall demonstrate leadership and commitment with respect to the business continuity management system by ensuring the integration of the business continuity management system requirements into the organization's processes. | Not Implemented
5.1.c | Leadership and Commitment - Resources | Top management shall demonstrate leadership and commitment with respect to the business continuity management system by ensuring that the resources needed for the business continuity management system are available. | Not Implemented
5.1.d | Leadership and Commitment - Communication | Top management shall demonstrate leadership and commitment with respect to the business continuity management system by communicating the importance of effective business continuity management and of conforming to the business continuity management system requirements. | Not Implemented
5.1.e | Leadership and Commitment - Achievement | Top management shall demonstrate leadership and commitment with respect to the business continuity management system by ensuring the business continuity management system achieves its intended outcome(s). | Not Implemented
5.1.f | Leadership and Commitment - Support | Top management shall demonstrate leadership and commitment with respect to the business continuity management system by directing and supporting persons to contribute to the effectiveness of the business continuity management system. | Not Implemented
5.1.g | Leadership and Commitment - Continual Improvement | Top management shall demonstrate leadership and commitment with respect to the business continuity management system by promoting continual improvement. | Not Implemented
5.1.h | Leadership and Commitment - Demonstrate | Top management shall demonstrate leadership and commitment with respect to the business continuity management system by supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. | Not Implemented
5.2.a, 5.2.b, 5.2.c, 5.2.d, 5.2.2.a | Policy Establishment - Appropriateness, Objectives, Commitment to Satisfy, Commitment to Continually Improve, Documented | Top management shall establish a business continuity policy that is appropriate to the purpose of the organization and includes business continuity objectives or provides the framework for setting business continuity objectives, includes a commitment to satisfy applicable requirements related to business continuity, and includes a commitment to the continual improvement of the business continuity management system. The business continuity policy shall be available as documented information. | Not Implemented
5.2.2.b | Policy Establishment - Communication | The business continuity policy shall be communicated within the organization. | Not Implemented
5.2.2.c | Policy Establishment - Availability to Others | The business continuity policy shall be available to interested parties, as appropriate. | Not Implemented
5.3 | Roles, Responsibilities, and Authorities | Top management shall ensure that the responsibilities and authorities for roles relevant to business continuity are assigned and communicated. | Not Implemented
5.3.a | Roles, Responsibilities, and Authorities - Conformity | Top management shall assign responsibility and authority for ensuring that the business continuity management system conforms to the requirements of this International Standard. | Not Implemented
5.3.b | Roles, Responsibilities, and Authorities - Reporting | Top management shall assign the responsibility and authority for reporting on the performance of the business continuity management system to top management. | Not Implemented
6.1.1.a, 6.1.1.b, 6.1.1.c | Address Risks and Opportunities - Planning for Success, Reduce Undesired Effects, Achieve Continual Improvement | When planning for the business continuity management system, the organization shall consider the issues referred to in Requirements 4.1 (Understanding the organization and its context) and 4.2 (Understanding the needs and expectations of interested parties), and determine the risks and opportunities that need to be addressed to ensure the business continuity management system can achieve its intended outcome(s), prevent or reduce undesired effects, and achieve continual improvement. | Not Implemented
6.1.2.a | Address Risks and Opportunities - Plan to Address Risks | When planning for the business continuity management system, the organization shall plan actions to address risks and opportunities. | Not Implemented
6.1.2.b.1 | Address Risks and Opportunities - Plan to Integrate Process | When planning for the business continuity management system, the organization shall plan how to integrate and implement the actions into its business continuity management system processes. | Not Implemented
6.1.2.b.2 | Address Risks and Opportunities - Plan to Evaluate | When planning for the business continuity management system, the organization shall plan how to evaluate the effectiveness of these actions. | Not Implemented
6.2 | Business Continuity Objectives | The organization shall establish business continuity objectives at relevant functions and levels. The organization shall retain documented information on the business continuity objectives. | Not Implemented
6.2.1.a, 6.2.1.b, 6.2.1.c | Business Continuity Objectives - Consistent With Policies, Measurable, Account Other Requirements | The organization's business continuity objectives shall be consistent with the business continuity policy, shall be measurable (if practicable), and shall take into account applicable business continuity requirements. | Not Implemented
6.2.1.d | Business Continuity Objectives - Monitored | The organization's business continuity objectives shall be monitored. | Not Implemented
6.2.1.e | Business Continuity Objectives - Communicated | The organization's business continuity objectives shall be communicated. | Not Implemented
6.2.1.f | Business Continuity Objectives - Updated | The organization's business continuity objectives shall be updated as appropriate. | Not Implemented
6.2.2.a | Business Continuity Objectives Planning - Tasks | When planning how to achieve its business continuity objectives, the organization shall determine what will be done. | Not Implemented
6.2.2.b | Business Continuity Objectives Planning - Resources | When planning how to achieve its business continuity objectives, the organization shall determine what resources will be required. | Not Implemented
6.2.2.c | Business Continuity Objectives Planning - Responsibilities | When planning how to achieve its business continuity objectives, the organization shall determine who will be responsible. | Not Implemented
6.2.2.d | Business Continuity Objectives Planning - Timeline | When planning how to achieve its business continuity objectives, the organization shall determine when it will be completed. | Not Implemented
6.2.2.e | Business Continuity Objectives Planning - Results Evaluation | When planning how to achieve its business continuity objectives, the organization shall determine how the results will be evaluated. | Not Implemented
6.3 | Planning Changes To The Business Continuity Management System | When the organization determines the need for changes to the BCMS, including those identified to take corrective action and for continual improvement, the changes shall be carried out in a planned manner. The organization shall consider: a) the purpose of the changes and their potential consequences; b) the integrity of the BCMS; c) the availability of resources; d) the allocation or reallocation of responsibilities and authorities. | Not Implemented
7.1 | Resources | The organization shall determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the business continuity management system. | Not Implemented
7.2.a | Competence - Necessary Competency | The organization shall determine the necessary competence of person(s) doing work under its control that affects its business continuity performance. | Not Implemented
7.2.b | Competence - Appropriate Training and Education | The organization shall ensure these persons are competent on the basis of appropriate education, training, or experience. | Not Implemented
7.2.c | Competence - Evaluate Effectiveness | The organization shall, where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. Note: Applicable actions may include, for example: the provision of training to, the mentoring of, or the re-assignment of current employees; or the hiring or contracting of competent persons. | Not Implemented
7.2.d | Competence - Documentation | The organization shall retain appropriate documented information as evidence of competence. | Not Implemented
7.3.a | Awareness - Business Continuity Policy | Persons doing work under the organization's control shall be aware of the business continuity policy. | Not Implemented
7.3.b | Awareness - Contribution | Persons doing work under the organization's control shall be aware of their contribution to the effectiveness of the business continuity management system, including the benefits of improved business continuity performance. | Not Implemented
7.3.c | Awareness - Consequences | Persons doing work under the organization's control shall be aware of the implications of not conforming with the business continuity management system requirements. | Not Implemented
7.4.a | Communication - What | The organization shall determine the need for internal and external communications relevant to the business continuity management system. The organization must determine 'what' to communicate. | Not Implemented
7.4.b | Communication - When | The organization shall determine the need for internal and external communications relevant to the business continuity management system. The organization must determine 'when' to communicate. | Not Implemented
7.4.c | Communication - With Whom | The organization shall determine the need for internal and external communications relevant to the business continuity management system. The organization must determine 'with whom' to communicate. | Not Implemented
7.4.d | Communication - Who | The organization shall determine the need for internal and external communications relevant to the business continuity management system. The organization must determine 'who' shall communicate. | Not Implemented
7.4.e | Communication - Effected Processes | The organization shall determine the need for internal and external communications relevant to the business continuity management system. The organization must determine the processes by which communication shall be effected. | Not Implemented
7.5.1.a | Documentation for Business Continuity Management System - ISO | The organization's business continuity management system shall include documented information required by this International Standard (ISO 22301). | Not Implemented
7.5.1.b | Documentation for Business Continuity Management System - Necessary Information | The organization's business continuity management system shall include documented information determined by the organization as being necessary for the effectiveness of the business continuity management system. Note: The extent of documented information for a business continuity management system can differ from one organization to another due to: 1) the size of the organization and its type of activities, processes, products and services, and resources; 2) the complexity of processes and their interactions; 3) the competence of persons. | Not Implemented
7.5.2.a | Documented Business Continuity Management System - Description | When creating and updating documented information, the organization shall ensure appropriate identification and description (e.g. a title, date, author, or reference number). | Not Implemented
7.5.2.b | Documented Business Continuity Management System - Format | When creating and updating documented information, the organization shall ensure appropriate format (e.g. language, software version, graphics) and media (e.g. paper, electronic). | Not Implemented
7.5.2.c | Documented Business Continuity Management System - Adequacy | When creating and updating documented information, the organization shall ensure appropriate review and approval for suitability and adequacy. | Not Implemented
7.5.3.1 | Control Documented Information | Documented information required by the business continuity management system and by this International Standard (ISO 22301) shall be controlled. Documented information of external origin determined by the organization to be necessary for the planning and operation of the BCMS shall be identified, as appropriate, and controlled. NOTE: Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information. | Not Implemented
7.5.3.1.a | Control Documented Information - Availability | Documented information required by the business continuity management system and by this International Standard (ISO 22301) shall be controlled to ensure it is available and suitable for use, where it is needed. | Not Implemented
7.5.3.1.b | Control Documented Information - Protection | Documented information required by the business continuity management system and by this International Standard (ISO 22301) shall be controlled to ensure it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). | Not Implemented
7.5.3.2.a | Control Documented Information - Distribution | For the control of documented information, the organization shall address the distribution, access, retrieval and use. | Not Implemented
7.5.3.2.b | Control Documented Information - Storage | For the control of documented information, the organization shall address the storage and preservation, including the preservation of legibility. | Not Implemented
7.5.3.2.c | Control Documented Information - Change Control | For the control of documented information, the organization shall address the control of changes (e.g. version control). | Not Implemented
7.5.3.2.d | Control Documented Information - Retention | For the control of documented information, the organization shall address the retention and disposition. | Not Implemented
8.1 | Operational Planning and Control - Implementation | The organization shall plan, implement and control the processes needed to meet business continuity requirements, and to implement the actions determined in Requirement 6.1 (Address risks and opportunities). The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization shall ensure that outsourced processes and the supply chain are controlled. | Not Implemented
8.1.a | Operational Planning and Control - Criteria | The organization shall plan, implement and control the processes needed to meet business continuity requirements, and to implement the actions determined in Requirement 6.1 (Address risks and opportunities), by establishing criteria for the processes. | Not Implemented
8.1.b | Operational Planning and Control - Control of Processes | The organization shall plan, implement and control the processes needed to meet business continuity requirements, and to implement the actions determined in Requirement 6.1 (Address risks and opportunities), by implementing control of the processes in accordance with the criteria. | Not Implemented
8.1.c | Operational Planning and Control - Documented Information | The organization shall plan, implement and control the processes needed to meet business continuity requirements, and to implement the actions determined in Requirement 6.1 (Address risks and opportunities), by keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned. | Not Implemented
8.2.1.a | Business Impact Analysis and Risk Assessment - Systematic Processes | The organization shall implement and maintain systematic processes for analyzing the business impact and assessing the risks of disruption. | Not Implemented
8.2.1.b | Business Impact Analysis and Risk Assessment - Periodic Review | The organization shall review the business impact analysis and risk assessment at planned intervals and when there are significant changes within the organization or the context in which it operates. NOTE: The organization determines the order in which the business impact analysis and risk assessment are conducted. | Not Implemented
8.2.2 | Business Impact Analysis | The organization shall use the process for analyzing business impacts to determine business continuity priorities and requirements. | Not Implemented
8.2.2.a | Business Impact Analysis - Impact Types | The business impact analysis process shall define the impact types and criteria relevant to the organization's context. | Not Implemented
8.2.2.b | Business Impact Analysis - Supported Activities | The business impact analysis process shall identify the activities that support the provision of products and services. | Not Implemented
8.2.2.c | Business Impact Analysis - Impact Over Time | The business impact analysis process shall use the impact types and criteria for assessing the impacts over time resulting from the disruption of these activities. | Not Implemented
8.2.2.d | Business Impact Analysis - MTPD | The business impact analysis process shall identify the time frame within which the impacts of not resuming activities would become unacceptable to the organization. NOTE 1: This time frame can be referred to as the "maximum tolerable period of disruption (MTPD)". | Not Implemented
8.2.2.e | Business Impact Analysis - RTO | The business impact analysis process shall set prioritized time frames within the time identified in d) for resuming disrupted activities at a specified minimum acceptable capacity. NOTE 2: This time frame can be referred to as the "recovery time objective (RTO)". | Not Implemented
8.2.2.f | Business Impact Analysis - Prioritized Activities | The business impact analysis process shall use this analysis to identify prioritized activities. | Not Implemented
8.2.2.g | Business Impact Analysis - Needed Resources | The business impact analysis process shall determine which resources are needed to support prioritized activities. | Not Implemented
8.2.2.h | Business Impact Analysis - Dependencies | The business impact analysis process shall determine the dependencies, including partners and suppliers, and interdependencies of prioritized activities. | Not Implemented
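The BIA rows 8.2.2.a to 8.2.2.h describe a small data model with consistency rules that an auditor checks by hand: every prioritized activity must have an RTO no later than its MTPD, must have its resources recorded, and must not depend on an activity or supplier that is planned to recover later than it does. The following Python is an added example, not part of the checklist or of CyberArrow's tooling. It derives the MTPD from constructed impact-over-time data against constructed impact criteria, ranks prioritized activities by RTO, and reports the findings an auditor would raise. The activity names, impact scale and criteria are all assumptions made up for the example.

```python
"""BIA consistency check for ISO 22301 rows 8.2.2.d-h (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Ordinal impact scale; the level names are an assumption for this example.
IMPACT_SCALE = {"negligible": 0, "minor": 1, "moderate": 2, "major": 3, "severe": 4}

# 8.2.2.a: impact types and, per type, the level at which impact becomes unacceptable.
# Constructed criteria; a real organization sets its own in its BIA method.
CRITERIA = {"financial": "major", "regulatory": "moderate"}


@dataclass
class Activity:
    name: str
    # 8.2.2.c: hours since disruption -> {impact type: level reached by that time}
    impact_over_time: Dict[int, Dict[str, str]]
    rto_hours: int                                        # 8.2.2.e
    min_capacity_pct: int                                 # minimum acceptable capacity at RTO
    resources: List[str]                                  # 8.2.2.g
    depends_on: List[str] = field(default_factory=list)   # 8.2.2.h (other activities/suppliers)


def mtpd_hours(activity: Activity) -> Optional[int]:
    """8.2.2.d: earliest elapsed time at which any impact type reaches its criterion.
    Returns None when the disruption never becomes unacceptable (not a prioritized activity)."""
    for hours in sorted(activity.impact_over_time):
        levels = activity.impact_over_time[hours]
        for impact_type, threshold in CRITERIA.items():
            if IMPACT_SCALE[levels.get(impact_type, "negligible")] >= IMPACT_SCALE[threshold]:
                return hours
    return None


def prioritized_activities(activities: List[Activity]) -> List[str]:
    """8.2.2.f: activities that have an MTPD, ordered by RTO (tightest recovery first)."""
    ranked = [(a.rto_hours, mtpd_hours(a), a.name) for a in activities if mtpd_hours(a) is not None]
    return [name for _, _, name in sorted(ranked)]


def validate_bia(activities: List[Activity]) -> List[str]:
    """Findings an auditor would raise against 8.2.2.d-h; an empty list means consistent."""
    by_name = {a.name: a for a in activities}
    findings = []
    for a in activities:
        mtpd = mtpd_hours(a)
        if mtpd is None:
            continue  # no unacceptable impact, so no RTO obligation
        if a.rto_hours > mtpd:
            findings.append(f"{a.name}: RTO {a.rto_hours}h exceeds MTPD {mtpd}h")
        if not a.resources:
            findings.append(f"{a.name}: no resources recorded")
        for dep in a.depends_on:
            if dep not in by_name:
                findings.append(f"{a.name}: dependency '{dep}' not in the BIA")
            elif by_name[dep].rto_hours > a.rto_hours:
                findings.append(f"{a.name}: dependency '{dep}' RTO {by_name[dep].rto_hours}h "
                                f"is later than its own RTO {a.rto_hours}h")
    return findings


# Constructed sample BIA for a fictional organization.
SAMPLE_BIA = [
    Activity("Payment processing",
             {4: {"financial": "minor", "regulatory": "negligible"},
              24: {"financial": "moderate", "regulatory": "moderate"},
              72: {"financial": "severe", "regulatory": "severe"}},
             rto_hours=12, min_capacity_pct=50,
             resources=["payments platform", "payment ops staff"], depends_on=["Identity provider"]),
    Activity("Identity provider",
             {1: {"financial": "minor", "regulatory": "negligible"},
              8: {"financial": "major", "regulatory": "minor"}},
             rto_hours=4, min_capacity_pct=100, resources=["IdP cluster", "HSM"]),
    Activity("Customer support portal",
             {8: {"financial": "minor", "regulatory": "minor"},
              48: {"financial": "major", "regulatory": "minor"}},
             rto_hours=72, min_capacity_pct=30,
             resources=["portal servers"], depends_on=["Identity provider", "CRM"]),
    Activity("Internal newsletter",
             {168: {"financial": "negligible", "regulatory": "negligible"}},
             rto_hours=240, min_capacity_pct=100, resources=[]),
    Activity("Order fulfilment",
             {12: {"financial": "moderate", "regulatory": "negligible"},
              36: {"financial": "major", "regulatory": "minor"}},
             rto_hours=8, min_capacity_pct=60, resources=[], depends_on=["Payment processing"]),
]

if __name__ == "__main__":
    print("Prioritized activities:", prioritized_activities(SAMPLE_BIA))
    for finding in validate_bia(SAMPLE_BIA):
        print("FINDING:", finding)
```

On the constructed data the newsletter is correctly left out of the prioritized list, while the portal fails the RTO-within-MTPD rule of 8.2.2.e and names a dependency that the BIA never analysed, and order fulfilment has no resources recorded and depends on payment processing, whose RTO is later than its own. The last check is the one most often missed when the BIA is kept in a spreadsheet: an activity's own RTO is meaningless if something it depends on is planned to come back later.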
8.2.3 Risk Assessment The organization shall implement and
maintain a risk assessment process. NOTE
Not Implemented
The process for risk assessment is addressed
in ISO 31000.
8.2.3.a Risk Assessment - The organization shall identify the risks of
Risk Identification disruption to the organization�s prioritized Not Implemented
activities and to their required resources.
8.2.3.b Risk Assessment - The organization shall analyze and evaluate
Not Implemented
Risk Analysis the identified risks.
8.2.3.c Risk Assessment - The organization shall determine which risks
Not Implemented
Risk Treatment require treatment.
8.3.1 Business Continuity Based on the outputs from the business
Strategies and impact analysis and risk assessment, the
Solutions organization shall identify and select business
continuity strategies that consider options for
Not Implemented
before, during and after disruption. The
business continuity strategies shall be
comprised of one or more solutions.
8.3.2.a Identification of Identification shall be based on the extent to
Strategies and which strategies and solutions meet the Not Implemented
requirements to continue and recover

10 cyberarrow.io
Solutions - Meet prioritized activities within the identified time
Requirements frames and agreed capacity.
8.3.2.b Identification of Identification shall be based on the extent to
Strategies and which strategies and solutions protect the Not Implemented
Solutions - Protect organization�s prioritized activities.
Activities
8.3.2.c Identification of Identification shall be based on the extent to
Strategies and which strategies and solutions reduce the
Solutions - Reduce likelihood of disruption. Not Implemented
Likelihood
8.3.2.d Identification of Identification shall be based on the extent to
Strategies and which strategies and solutions shorten the
Not Implemented
Solutions - Shorten period of disruption.
Disruption
8.3.2.e Identification of Identification shall be based on the extent to
Strategies and which strategies and solutions limit the impact
Not Implemented
Solutions - Limit of disruption on the organization�s
Impact products and services.
8.3.2.f Identification of Identification shall be based on the extent to
Strategies and which strategies and solutions provide for the
Solutions - Provide availability of adequate resources. Not Implemented
Availability
8.3.3.a Selection of Selection shall be based on the extent to
Strategies and which strategies and solutions meet the
Solutions - Meet requirements to continue and recover Not Implemented
Requirements prioritized activities within the identified time
frames and agreed capacity.
8.3.3.b Selection of Selection shall be based on the extent to
Strategies and which strategies and solutions consider the
Solutions - Risk amount and type of risk the organization may Not Implemented
Appetite or may not take.
8.3.3.c Selection of Selection shall be based on the extent to
Strategies and which strategies and solutions consider Not Implemented
Solutions - Costs & associated costs and benefits.
Benefits
8.3.4.a, Resource The organization shall determine the resource
3.4.b, Requirements requirements to implement the selected
3.4.c, business continuity solutions. The types of
3.4.d, resources considered shall include, but not be
3.4.e, limited to: a) people b) information and data
3.4.f, c) physical infrastructure such as buildings, Not Implemented
3.4.g, workplaces or other facilities and associated
3.4.h utilities d) equipment and consumables e)
information and communication technology
(ICT) systems f) transportation and logistics
g) finance h) partners and suppliers.

11 cyberarrow.io
8.3.5 Implementation of The organization shall implement and
Solutions maintain selected business continuity
Not Implemented
solutions so they can be activated when
needed.
8.4.1 Business Continuity The organization shall implement and
Plans and maintain a response structure that will enable
Procedures - General timely warning and communication to relevant
interested parties. It shall provide plans and
procedures to manage the organization
during a disruption. The plans and
Not Implemented
procedures shall be used when required to
activate business continuity solutions. NOTE
There are different types of procedures that
comprise business continuity plans. The
organization shall identify and document
business continuity plans and procedures
based on the output of the selected strategies
and solutions.
8.4.1.a Business Continuity The business continuity plans and procedures
Plans and shall be specific regarding the immediate Not Implemented
Procedures - Specific steps that are to be taken during a disruption.
8.4.1.b Business Continuity The business continuity plans and procedures
Plans and shall be flexible to respond to the changing
Not Implemented
Procedures - Flexible internal and external conditions of a
disruption.
8.4.1.c Business Continuity The business continuity plans and procedures
Plans and shall focus on the impact of incidents that
Not Implemented
Procedures - Focus potentially lead to disruption.
On Impact
8.4.1.d Business Continuity The business continuity plans and procedures
Plans and shall be effective in minimizing the impact
Not Implemented
Procedures - through the implementation of appropriate
Effective solutions.
8.4.1.e Business Continuity The business continuity plans and procedures
Plans and shall assign roles and responsibilities for
Not Implemented
Procedures - Assign tasks within them.
Roles
8.4.2.1 Response Structure - The organization shall implement and
Roles and maintain a structure, identifying one or more
Not Implemented
Responsibilities teams responsible for responding to
disruptions.
8.4.2.2 Response Structure - The roles and responsibilities of each team
Team Relationships and the relationships between the teams shall Not Implemented
be clearly stated.
8.4.2.3.a Team Competency - Collectively, the teams shall be competent to
Assess Disruption assess the nature and extent of a disruption Not Implemented
and its potential impact.

12 cyberarrow.io
8.4.2.3.b | Team Competency - Assess Impact | Collectively, the teams shall be competent to assess the impact against pre-defined thresholds that justify initiation of a formal response. | Not Implemented
8.4.2.3.c | Team Competency - Activate Response | Collectively, the teams shall be competent to activate an appropriate business continuity response. | Not Implemented
8.4.2.3.d | Team Competency - Plan Actions | Collectively, the teams shall be competent to plan actions that need to be undertaken. | Not Implemented
8.4.2.3.e | Team Competency - Establish Priorities | Collectively, the teams shall be competent to establish priorities (using life safety as the first priority). | Not Implemented
8.4.2.3.f | Team Competency - Monitor Effects | Collectively, the teams shall be competent to monitor the effects of the disruption and the organization's response. | Not Implemented
8.4.2.3.g | Team Competency - Activate BC Solutions | Collectively, the teams shall be competent to activate the business continuity solutions. | Not Implemented
8.4.2.3.h | Team Competency - Communicate | Collectively, the teams shall be competent to communicate with relevant interested parties, authorities and the media. | Not Implemented
8.4.2.4.a | BCMS Team - Alternative Team | For each team there shall be identified personnel and their alternates with the necessary responsibility, authority and competence to perform their designated role. | Not Implemented
8.4.2.4.b | BCMS Team - Documented Procedures | For each team there shall be documented procedures to guide their actions, including those for the activation, operation, coordination and communication of the response. | Not Implemented
8.4.3.1.a | Warning and Communication - Documentation | The organization shall document and maintain procedures for communicating internally and externally to relevant interested parties, including what, when, with whom and how to communicate. NOTE The organization can document and maintain procedures for how, and under what circumstances, the organization communicates with employees and their emergency contacts. The warning and communication procedures shall be exercised as part of the organization's exercise program described. | Not Implemented
8.4.3.1.b | Warning and Communication - Response Procedures | The organization shall document and maintain procedures for receiving, documenting and responding to communications from interested parties, including any national or regional risk advisory system or equivalent. | Not Implemented
8.4.3.1.c | Warning and Communication - Ensuring Availability | The organization shall document and maintain procedures for ensuring the availability of the means of communication during a disruption. | Not Implemented
8.4.3.1.d | Warning and Communication - Structured Communication | The organization shall document and maintain procedures for facilitating structured communication with emergency responders. | Not Implemented
8.4.3.1.e | Warning and Communication - Media Response | The organization shall document and maintain procedures for providing details of the organization's media response following an incident, including a communications strategy. | Not Implemented
8.4.3.1.f | Warning and Communication - Recording Details | The organization shall document and maintain procedures for recording the details of the disruption, the actions taken and the decisions made. | Not Implemented
8.4.3.2.a | Warning and Communication - Alert Interested Parties | Where applicable, the organization shall consider alerting interested parties potentially impacted by an actual or impending disruption. | Not Implemented
8.4.3.2.b | Warning and Communication - Appropriate Coordination | Where applicable, the organization shall consider ensuring appropriate coordination and communication between multiple responding organizations. | Not Implemented
8.4.4.1 | Business Continuity Plans | The organization shall document and maintain business continuity plans and procedures. The business continuity plans shall provide guidance and information to assist teams to respond to a disruption and to assist the organization with response and recovery. Each plan shall be usable and available at the time and place at which it is required. | Not Implemented
8.4.4.2.a.1 | Business Continuity Plans - Continuity & Recovery Procedures | Collectively, the business continuity plans shall contain details of the actions that the teams will take in order to continue or recover prioritized activities within predetermined time frames. | Not Implemented
8.4.4.2.a.2 | Business Continuity Plans - Monitor Impact | Collectively, the business continuity plans shall contain details of the actions that the teams will take in order to monitor the impact of the disruption and the organization's response to it. | Not Implemented
8.4.4.2.b | Business Continuity Plans - Thresholds | Collectively, the business continuity plans shall contain reference to the pre-defined threshold(s) and process for activating the response. | Not Implemented
8.4.4.2.c | Business Continuity Plans - Delivery | Collectively, the business continuity plans shall contain procedures to enable the delivery of products and services at agreed capacity. | Not Implemented
8.4.4.2.d.1 | Business Continuity Plans - Welfare of Individuals | Collectively, the business continuity plans shall contain details to manage the immediate consequences of a disruption giving due regard to the welfare of individuals. | Not Implemented
8.4.4.2.d.2 | Business Continuity Plans - Prevention | Collectively, the business continuity plans shall contain details to manage the immediate consequences of a disruption giving due regard to the prevention of further loss or unavailability of prioritized activities. | Not Implemented
8.4.4.2.d.3 | Business Continuity Plans - Impact on Environment | Collectively, the business continuity plans shall contain details to manage the immediate consequences of a disruption giving due regard to the impact on the environment. | Not Implemented
8.4.4.3.a | Business Continuity Plans - Scope & Objectives | Each plan shall include the purpose, scope and objectives. | Not Implemented
8.4.4.3.b | Business Continuity Plans - Roles & Responsibilities | Each plan shall include the roles and responsibilities of the team that will implement the plan. | Not Implemented
8.4.4.3.c | Business Continuity Plans - Implementation Actions | Each plan shall include actions to implement the solutions. | Not Implemented
8.4.4.3.d | Business Continuity Plans - Activation Criteria | Each plan shall include supporting information needed to activate (including activation criteria), operate, coordinate and communicate the team's actions. | Not Implemented
8.4.4.3.e | Business Continuity Plans - Dependencies | Each plan shall include internal and external interdependencies. | Not Implemented
8.4.4.3.f | Business Continuity Plans - Resource Requirements | Each plan shall include the resource requirements. | Not Implemented
8.4.4.3.g | Business Continuity Plans - Reporting Requirements | Each plan shall include the reporting requirements. | Not Implemented
8.4.4.3.h | Business Continuity Plans - Process for Standing Down | Each plan shall include a process for standing down. | Not Implemented
8.4.5 | Recovery | The organization shall have documented processes to restore and return business activities from the temporary measures adopted during and after a disruption. | Not Implemented
8.8.5 | Exercise Program | The organization shall implement and maintain a program of exercising and testing to validate over time the effectiveness of its business continuity strategies and solutions. The organization shall act on the results of its exercising and testing to implement changes and improvements. | Not Implemented
8.8.5.a | Exercise Program - Consistent | The organization shall conduct exercises and tests that are consistent with its business continuity objectives. | Not Implemented
8.8.5.b | Exercise Program - Scenarios | The organization shall conduct exercises and tests that are based on appropriate scenarios that are well planned with clearly defined aims and objectives. | Not Implemented
8.8.5.c | Exercise Program - Develop Teamwork | The organization shall conduct exercises and tests that develop teamwork, competence, confidence and knowledge for those who have roles to perform in relation to disruptions. | Not Implemented
8.8.5.d | Exercise Program - Validate Strategies | The organization shall conduct exercises and tests that, taken together over time, validate its business continuity strategies and solutions. | Not Implemented
8.8.5.e | Exercise Program - Formalized Reports | The organization shall conduct exercises and tests that produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements. | Not Implemented
8.8.5.f | Exercise Program - Reviewed | The organization shall conduct exercises and tests that are reviewed within the context of promoting continual improvement. | Not Implemented
8.8.5.g | Exercise Program - Periodic | The organization shall conduct exercises and tests that are performed at planned intervals and when there are significant changes within the organization or the context in which it operates. | Not Implemented
8.8.6 | Evaluation of Business Continuity Documentation and Capabilities | These evaluations shall be conducted at planned intervals, after an incident or activation, and when significant changes occur. | Not Implemented
8.8.6.a | Evaluation of Business Continuity Documentation and Capabilities - Evaluate BIA & RA | The organization shall evaluate the suitability, adequacy and effectiveness of its business impact analysis, risk assessment, strategies, solutions, plans and procedures. | Not Implemented
8.8.6.b | Evaluation of Business Continuity Documentation and Capabilities - Evaluation Methods | The organization shall undertake evaluations through reviews, analysis, exercises, tests, post-incident reports and performance evaluations. | Not Implemented
8.8.6.c | Evaluation of Business Continuity Documentation and Capabilities - Partners & Suppliers | The organization shall conduct evaluations of the business continuity capabilities of relevant partners and suppliers. | Not Implemented
8.8.6.d | Evaluation of Business Continuity Documentation and Capabilities - Evaluate Compliance | The organization shall evaluate compliance with applicable legal and regulatory requirements, industry best practices, and conformity with its own business continuity policy and objectives. | Not Implemented
8.8.6.e | Evaluation of Business Continuity Documentation and Capabilities - Update Documentation | The organization shall update documentation and procedures in a timely manner. | Not Implemented
9.1 | Monitoring, Measurement, Analysis and Evaluation | The organization shall retain appropriate documented information as evidence of the results. The organization shall evaluate the BCMS performance and the effectiveness of the BCMS. | Not Implemented
9.1.a | Monitoring, Measurement, Analysis and Evaluation - Scope | The organization shall determine what needs to be monitored and measured. | Not Implemented
9.1.b | Monitoring, Measurement, Analysis and Evaluation - Methods | The organization shall determine the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. | Not Implemented
9.1.c | Monitoring, Measurement, Analysis and Evaluation - When | The organization shall determine when and by whom the monitoring and measurement of the business continuity management system effectiveness shall be performed. | Not Implemented
9.1.d | Monitoring, Measurement, Analysis and Evaluation - Review of Results | The organization shall determine when and by whom the results from business continuity management system effectiveness monitoring and measurement shall be analyzed and evaluated. | Not Implemented
9.2.1.a.1, 2.1.a.2, 2.1.b | Internal Audit - General Requirements | The organization shall conduct internal audits at planned intervals to provide information on whether the BCMS: a) conforms to: 1) the organization's own requirements for its BCMS; 2) the requirements of this document; b) is effectively implemented and maintained. | Not Implemented
9.2.2.a | Audit Program(s) - Establish | The organization shall plan, establish, implement and maintain an audit program(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits. | Not Implemented
9.2.2.b | Audit Program(s) - Scope | The organization shall define the audit criteria and scope for each audit. | Not Implemented
9.2.2.c | Audit Program(s) - Objectivity | The organization shall select auditors and conduct audits that ensure objectivity and the impartiality of the audit process. | Not Implemented
9.2.2.d | Audit Program(s) - Reporting | The organization shall ensure that the results of the audits are reported to relevant managers. | Not Implemented
9.2.2.e | Audit Program(s) - Documentation | The organization shall retain documented information as evidence of the audit program(s) and the audit results. | Not Implemented
9.2.2.f | Audit Program(s) - Corrective Action | The organization shall ensure that any necessary corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. | Not Implemented
9.2.2.g | Audit Program(s) - Follow up | The organization shall ensure that follow-up audit actions include the verification of the actions taken and the reporting of verification results. | Not Implemented
9.3.1 | Management Review - Business Continuity Management System | Top management shall review the organization's BCMS, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. | Not Implemented
9.3.2.a | Management Review Input - Status of Past Actions | The management review shall include consideration of the status of actions from previous management reviews. | Not Implemented
9.3.2.b | Management Review Input - Internal and External Issues | The management review shall include consideration of changes in external and internal issues that are relevant to the business continuity management system. | Not Implemented
9.3.2.c.1 | Management Review Input - Corrective Actions | The management review shall include consideration of information on the business continuity performance, including trends in nonconformities and corrective actions. | Not Implemented
9.3.2.c.2 | Management Review Input - Monitoring | The management review shall include consideration of information on the business continuity monitoring and measurement evaluation results. | Not Implemented
9.3.2.c.3 | Management Review Input - Audit Results | The management review shall include consideration of information on the business continuity audit results. | Not Implemented
9.3.2.d | Management Review Input - Feedback | The management review shall include consideration of feedback from interested parties. | Not Implemented
9.3.2.e | Management Review Input - Changes | The management review shall include consideration of the need for changes to the BCMS, including the policy and objectives. | Not Implemented
9.3.2.f | Management Review Input - Improvement | The management review shall include consideration of procedures and resources that could be used in the organization to improve the BCMS' performance and effectiveness. | Not Implemented
9.3.2.g | Management Review Input - BIA & RA | The management review shall include consideration of information from the business impact analysis and risk assessment. | Not Implemented
9.3.2.h | Management Review Input - Capabilities Evaluation | The management review shall include consideration of output from the evaluation of business continuity documentation and capabilities. | Not Implemented
9.3.2.i | Management Review Input - Risks | The management review shall include consideration of risks or issues not adequately addressed in any previous risk assessment. | Not Implemented
9.3.2.j | Management Review Input - Lesson Learned | The management review shall include consideration of lessons learned and actions arising from near-misses and disruptions. | Not Implemented
9.3.2.k | Management Review Input - Continual Improvement | The management review shall include consideration of opportunities for continual improvement. | Not Implemented
9.3.3.1.a | Management Review Outputs - Continual Improvement | The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the BCMS to improve its efficiency and effectiveness, including variations to the scope of the BCMS. | Not Implemented
9.3.3.1.b | Management Review Outputs - Update | The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to update the business impact analysis, risk assessment, business continuity strategies and solutions, and business continuity plans. | Not Implemented
9.3.3.1.c | Management Review Outputs - Modification | The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to modify procedures and controls to respond to internal or external issues that may impact the BCMS. | Not Implemented
9.3.3.1.d | Management Review Outputs - Effectiveness Measurement | The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to how the effectiveness of controls will be measured. | Not Implemented
9.3.3.2.a | Management Review Outputs - Document & Communicate | The organization shall retain documented information as evidence of the results of management reviews. It shall communicate the results of the management review to relevant interested parties. | Not Implemented
9.3.3.2.b | Management Review Outputs - Take Action | The organization shall take appropriate action relating to management review output results. | Not Implemented
10.1.1 | Nonconformity and Corrective action | The organization shall determine opportunities for improvement and implement necessary actions to achieve the intended outcomes of its BCMS. | Not Implemented
10.1.2.a.1 | Nonconformity and Corrective action - React | When nonconformity occurs, the organization shall react to the nonconformity, and as applicable take action to control and correct it. | Not Implemented
10.1.2.a.2 | Nonconformity and Corrective action - Consequences | When nonconformity occurs, the organization shall react to the nonconformity and as applicable deal with the consequences. | Not Implemented
10.1.2.b.1 | Nonconformity and Corrective action - Review | When a nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by reviewing the nonconformity. | Not Implemented
10.1.2.b.2 | Nonconformity and Corrective action - Root Cause | When a nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by determining the causes of the nonconformity. | Not Implemented
10.1.2.b.3 | Nonconformity and Corrective action - Potential to Recur | When a nonconformity occurs, the organization shall evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by determining if similar nonconformities exist, or could potentially occur. | Not Implemented
10.1.2.c | Nonconformity and Corrective action - Corrective Action | When a nonconformity occurs, the organization shall implement any action needed to correct the nonconformity. | Not Implemented
10.1.2.d | Nonconformity and Corrective action - Review Corrective Action | When a nonconformity occurs, the organization shall review the effectiveness of any corrective action taken. | Not Implemented
10.1.2.e | Nonconformity and Corrective action - Changes to Business Continuity Management System | When a nonconformity occurs, the organization shall make changes to the business continuity management system, if necessary. Corrective actions shall be appropriate to the effects of the nonconformities encountered. | Not Implemented
10.1.3.a | Nonconformity and Corrective action - Documentation | When a nonconformity occurs, the organization shall retain documented information as evidence of the nature of the nonconformities and any subsequent actions taken. | Not Implemented
10.1.3.b | Nonconformity and Corrective action - Results | When a nonconformity occurs, the organization shall retain documented information as evidence of the results of any corrective action. | Not Implemented
10.2 | Continual Improvement | The organization shall continually improve the suitability, adequacy and effectiveness of the business continuity management system. The organization shall consider the results of analysis and evaluation, and the outputs from management review, to determine if there are needs or opportunities, relating to the business, or to the BCMS, that shall be addressed as part of continual improvement. NOTE The organization can use the processes of the BCMS, such as leadership, planning and performance evaluation, to achieve improvement. | Not Implemented