Internal Audit – Protecting Your Investment in ISO 22301

Avalution Team Avalution Team | Aug 01, 2013

Part of Avalution’s Conforming to ISO 22301 Series

This perspective takes a look at Clause 9.2, ISO 22301’s requirement for internal audit, defined as an independent assessment that provides management with feedback regarding the performance of the management system. The content found in this perspective is specifically based on lessons learned from our ISO 22301 certification audit (which Avalution completed successfully in the Spring of 2013).

ISO 22301 is the first standard to employ the new ISO format for management systems standards, which involves a considerable amount of “templatized” management system content across ten clauses. Because this format, language, and many of the requirements are new to most business continuity professionals, it’s important to review and consider the intent associated with some of the content and concepts.

This perspective is the fourth in a series to discuss key elements of the ISO 22301 business continuity management system, including value-adding elements of the standard or requirements that could “trip up” an organization during the certification process.

Today we’re going to take a look at Clause 9.2, the standard’s requirement for internal audit. The content found in this perspective is specifically based on lessons learned from our ISO 22301 certification audit (which Avalution completed successfully in the Spring of 2013).

Clause 9.2 – Internal Audit
The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system conforms to the organization’s own requirements for its BCMS, the requirements of this International Standard, and is effectively implemented and maintained.

One of the key elements of all management systems is the ability to monitor, measure, and continually improve the performance of the organization. In Clause 9 – Performance evaluation, ISO 22301 provides the requirements for evaluating the BCMS and the business continuity procedures.  A key part of this is internal audit, as a well-designed and executed internal audit program provides assurance that the BCMS is conforming to its goals and performing.

ISO 22301 Internal Audit Requirements
There are two major elements in the ISO 22301 audit requirements. The first, as shown above in the Clause 9.2 excerpt, represents the content of the audit and assesses the conformance of the BCMS. The second element on Clause 9.2 consists of the requirements related to establishing and operating the audit program – the management system component.

Assessing Conformance of the BCMS
In accordance with ISO 22301, an organization’s BCMS must:

  1. Conform to the requirements of the Standard – ISO 22301;
  2. Conform to the requirements established by the organization to fulfill the requirements of the standard; and
  3. Provide evidence that the organization has implemented and maintained the activities to comply with the first two elements.

The requirements of the Standard are identified in each clause through the use of “shall” statements.  As such, an audit plan, as seen in the example below, should be developed that identifies all “shall” statements on a clause by clause basis and seeks validation regarding conformance to these statements.

Internal Audit Plan Example

The requirements established by the organization are the methods selected and documentation defined that demonstrate that the requirement is addressed.  In the example above, as part of the Test Plan Documentation, the organization identified the policy, standard operating procedure (SOP), and BIA report as proof that the intent of the Standard is being met.

The final requirement is that the BCMS is effectively implemented and maintained.  The audit process is a key process used to ensure compliance. In the example above, the auditor will verify the organization’s intent in the policy, the method to determine scope as defined in the SOP, and the execution of the process as documented in the BIA and during strategy identification.

Avalution Quick Tip: Remember, it is not the auditor’s job to determine if the scope is correct, only that the process is properly defined, followed, and documented.

The final element – verifying that the BCMS is maintained – is validated by ensuring that all processes and outcomes have been reviewed and updated in accordance with the timeline defined in the SOP.

Establishing and Operating the Audit Program
The other requirement noted in Clause 9.2 relates to the structure of the audit program itself.  Just as with any other element of the BCMS, the organization must define how it intends to conduct the audit program.  Within BCMS documentation, the organization must:

  • Identify the frequency, methods, responsibilities, planning requirements, and reporting for the audit program;
  • Define audit criteria and scope;
  • Select objective and impartial auditors;
  • Ensure audit results are properly reported; and
  • Retain documented evidence of the audit program and results.

Additionally, the organization must base its audit program on the results of risk assessments and evolve based on the results of previous audits.  The final requirement is that corrective actions identified through the audit process are identified, documented, prioritized and addressed to eliminate nonconformities and drive BCMS continual improvement.

Keeping the Program on Track
The intent of the internal audit is to provide information that allows management to reach a conclusion regarding BCMS conformance to a standard and their expectations.  A well-designed audit program and regular internal audits provide assurance that the BCMS meets the requirement of the Standard and is operating as designed, eliminating surprises during certification (if the organization seeks certification) and providing interim course corrections between external audits.  Even if certification to the Standard is not a goal of an organization, including internal audit as part of the BCMS will provide management with periodic guidance and protect the investment the organization has made in developing and implementing a BCMS.

Continue to visit our blog for more posts in Avalution’s Conforming to ISO 22301 series.

In the meantime, don’t hesitate to reach out to us to discuss aligning to the standard or pursuing certification. We look forward to hearing from you!

Additional Resources:
Implementing ISO 22301: The Business Continuity Management Systems Standard


Glen Bricker
Avalution Consulting: Business Continuity Consulting