Business Continuity Management Self-Assessment

Which direction is your business going?


This ISO 22301:2019 Business Continuity Management System (BCMS) self-assessment will assess your business readiness.


By completing this questionnaire, your results will allow you to self-assess your business and identify which areas need to be implemented or improved.


Context of the Organization:

  • (Yes / No) Have the risks and opportunities that need to be addressed to ensure the Business Continuity Management System (BCMS) can achieve its intended result(s) been established?
  • (Yes / No) Has the business planned actions to address these risks and opportunities and integrated them into the system processes?
  • (Yes / No) Have measurable Business Continuity (BC) objectives been established, documented and communicated throughout the business with a plan to achieve them?


Support:

  • (Yes / No) Has the business determined and provided the resources needed for the establishment, implementation, maintenance and continual improvement of the Business Continuity Management System (BCMS) (including people, infrastructure and environment for the operation of processes)?
  • (Yes / No) Is this process consistent with the personnel in the defined Business Continuity Management System (BCMS) roles?
  • (Yes / No) Has the business determined the knowledge necessary for those performing Business Continuity Management System (BCMS) roles?
  • (Yes / No) Has the business ensured that those persons who can affect the performance and effectiveness of the Business Continuity Management System (BCMS) are competent on the basis of appropriate education, training, or experience or taken action to ensure that those persons can gain the necessary competence?
  • (Yes / No) Has the documented information required by the standard and necessary for the effective implementation and operation of the Information Security Management System (ISMS) been established?
  • (Yes / No) Is the documented information controlled in a way that it is available and adequately protected, distributed, stored, retained and under change control, including documents of external origin required by the business for the Business Continuity Management System (BCMS)?


Operation:

  • (Yes / No) Have you devised and implemented a program to ensure the Business Continuity Management System (BCMS) achieves its outcomes?
  • (Yes / No) Is there a plan for determining the need for changes to the Information Security Management System (ISMS) and managing their implementation?
  • (Yes / No) Is there a plan for determining the need for changes to the Business Continuity Management System (BCMS) and managing their implementation?
  • (Yes / No) When changes are planned, are they carried out in a controlled way and actions taken to mitigate any adverse effects?
  • (Yes / No) If you have outsourced processes, are they appropriately controlled?
  • (Yes / No) Is there a formal and documented process for understanding the business through a Business Impact Analysis (BIA)?
  • (Yes / No) Is there a formal process for determining continuity objectives based on understanding the impact of disruptive incidents?
  • (Yes / No) Does the Business Impact Analysis (BIA) enable prioritization of time frames for resuming each activity (Recovery Time Objectives), and have minimum acceptable levels for resuming those activities been identified?
  • (Yes / No) Have these actions been documented?
  • (Yes / No) Is the Business Continuity (BC) strategy based on the outputs of the Business Impact Analysis (BIA) and risk assessment?
  • (Yes / No) Does the Business Continuity (BC) strategy protect prioritized activities and provide appropriate continuity and recovery of them, their dependencies and resources?
  • (Yes / No) Does the Business Continuity (BC) strategy provide for mitigating, responding to and managing impacts?
  • (Yes / No) Have prioritized time frames been set for the resumption of all activities?
  • (Yes / No) Have the Business Continuity (BC) capabilities of suppliers been evaluated and mitigated?
  • (Yes / No) Have the resource requirements for the selected strategy options been determined, including people, information and data, infrastructure, facilities, consumables, IT, transport, finance and partner/supplier services?
  • (Yes / No) Have measures to reduce the likelihood, duration or impact of a disruption for identified risks been considered and implemented, and are these in accordance with the business’s risk appetite?
  • (Yes / No) Have documented Business Continuity (BC) procedures been put in place to manage a disruptive incident, and have continuity activities based on the recovery objectives identified in the Business Impact Analysis (BIA) been defined?
  • (Yes / No) Have internal and external communication protocols been established as part of these procedures?
  • (Yes / No) Is there an Incident Response Structure (IRS) which details the management structure and trained personnel in place to respond to a disruptive incident?
  • (Yes / No) Does the Incident Response Structure (IRS) and associated procedures include thresholds, assessment, activation, resource provision and communication?
  • (Yes / No) Do the people in your Incident Response Structure (IRS) have the necessary competencies to perform their duties and are records kept to demonstrate this?
  • (Yes / No) Is there a procedure for detecting and monitoring incidents which includes recording vital information, actions taken and decisions made?
  • (Yes / No) Is there a procedure for managing internal and external communications during a disruptive incident?
  • (Yes / No) Is there a procedure for receiving and responding to warnings from outside agencies and emergency responders?
  • (Yes / No) Is there a procedure for issuing alerts and warnings and is this communication regularly exercised and records kept of the results?
  • (Yes / No) Are there documented plans/procedures for restoring business operations after an incident, and do they reflect the needs of those who will use them and contain all the essential information they need?
  • (Yes / No) Do the plans define roles and responsibilities and a process for activating the response?
  • (Yes / No) Do the plans consider the management of the immediate consequences of a disruption, in particular the welfare of individuals, options for response and further loss prevention?
  • (Yes / No) Do the plans detail how to communicate with interested parties, including the media, during the disruption and how to prioritize activities?
  • (Yes / No) Do the plans include a procedure for standing down the response and returning to normal business?
  • (Yes / No) Have the business continuity procedures been tested at planned intervals and with appropriate scenarios to ensure they are consistent with your Business Continuity (BC) objectives?
  • (Yes / No) Have formal post-exercise reports been produced for the tests and outcomes reviewed to ensure they lead to improvement?


Performance Evaluation:

  • (Yes / No) Have you determined what needs to be monitored and measured, when, by whom, the methods to be used, and when the results will be evaluated?
  • (Yes / No) Are the results of monitoring and measurement documented?
  • (Yes / No) Are internal audits conducted periodically to check that the Business Continuity Management System (BCMS) is effective and conforms to both ISO 22301:2019 and the business’s requirements?
  • (Yes / No) Has the business established a program for internal audits of the Business Continuity Management System (BCMS)?
  • (Yes / No) Are the results of these audits reported to management, documented and retained?
  • (Yes / No) Where nonconformities are identified, has the organization established appropriate processes for managing nonconformities and the related corrective actions?
  • (Yes / No) Does top management undertake regular and periodic reviews of the Business Continuity Management System (BCMS)?
  • (Yes / No) Does the output from the Business Continuity Management System (BCMS) management review identify changes and improvements?
  • (Yes / No) Are the results of the management review documented, acted upon and communicated to interested parties as appropriate?


Improvement:

  • (Yes / No) Have actions to control, correct and deal with the consequences of nonconformities been identified?
  • (Yes / No) Has the need for action been evaluated to eliminate the root cause of nonconformities and prevent recurrence?
  • (Yes / No) Have any actions identified been implemented and reviewed for effectiveness and given rise to improvements to the Business Continuity Management System (BCMS)?
  • (Yes / No) Is documented information kept as evidence of the nature of nonconformities, actions taken and the results?