ISO 22301 Clause 9: Performance Evaluation

What will Clause 9 of ISO 22301 help us achieve?

Once your BCMS is up and running, you’ll need to monitor it by running ongoing performance enhancement reviews. This clause shows you how to keep those reviews fully compliant with the ISO 22301 standard.

9.1 Monitoring, measurement, analysis and evaluation

Your team will have to assess the efficiency and progress of your BCMS. And they’ll have to record those assessments, because – as with so many other ISO 22301 requirements – if it’s not recorded it doesn’t exist.

But it’s not just about recording data. You’ll need to explain what’s happening and why your BCMS works in the way it does. That means deciding which parts of your BCMS to review and analyse, how much detail to go into, and what evaluation methods to use to make sure your analysis is correct and your findings are both accurate and helpful.

You’ll also have to choose the right people to monitor and measure your BCMS, and assess the results of that activity too. All of their findings, conclusions and actions need to be carefully and fully documented.

You’ll achieve compliance with a lot of clause 9.1 as you put together your BCMS and work through the other relevant sections of the ISO. Just remember to document everything as you go!

See how simple it is with

9.2 Internal audit

You’ll need to carry out internal audits to confirm that your BCMS meets both your company’s needs and the ISO’s specifications. That means checking that your organisation’s effectively applying and managing its BCMS, then documenting and acting on your findings.

ISO 22301 sets out specific requirement for those internal audits. It asks you to define:

  • Audit frequency and process
  • Any audit planning requirements
  • Expected audit outcomes
  • How you’ll report your outcomes

You’ll need to set clear, purposeful audit criteria. Then you’ll choose your internal auditors, making sure they’re objective and impartial. Once they’ve carried out each audit, they’ll have to show that they’re:

  • Reporting their findings to all interested parties
  • Defining and explaining any cases of non-compliance
  • Certifying corrective actions taken to remedy any non-compliance

You’ll need to keep a list of the results of all internal audits and any improvements they’ve led to. That’ll help you guarantee that corrective actions triggered by a new audit take account of any changes made in response to previous ones.

9.3 Management review

Your senior management must carry out regular, pre-planned strategic reviews of your BCMS. That means meeting at least once a year, though given how quickly business continuity risks can develop we recommend carrying out this kind of review more often. They’ll help you make sure that your BCMS continues to meet the needs of both your organisation and ISO 22301.

Each review must drive your BCMS’ ongoing improvement. Your senior managers should use them as opportunities to understand its current status, map out any issues relating to it, take onboard any feedback about it, discuss developments that might affect it, look at how it’s performing in practice and decide on specific improvements to it. As ever, your organisation must retain all relevant documentation as proof of each review’s outcomes.

We know that managing that kind of review can be stressful and time consuming. So we’ve done our best to make them as easy as possible. Our system brings all the review information together in one secure, online environment.

You can easily access it before, during and after the review. We also give you everything you need to carry out reviews online, saving you senior management travel time and expense, and simplifying your organisation process too.

ISO 22301:2019 Requirements

ISO 22301:2019 implements the framework, fundamental text and definitions of Annex L, formerly Annex SL. Annex L establishes a high-level framework for ISO management system standards. The Annex was drawn up to incorporate a similar core text and common terminology and concepts.

Except for Clause 8, the Annex L requirements address many of the same areas as the core requirements of ISO 27001, covered in Section 4.1 through to 10.2.


How to easily demonstrate 9.1 Performance evaluation

The platform makes it easy for you to evaluate the performance and effectiveness of the system, by connecting up the relevant requirements of ISO 27001.

Step 1 : Adopt, adapt and add

Our pre-configured ISMS will enable you to evidence requirement 9.1 within our platform and easily adapt it to your organisation’s needs. The AAA content for 9.3 references the relevant requirements that address this area. During planning and research, you will identify what to monitor and measure, you’ll then identify your business objectives and align those with management reviews and internal audits.

You are provided with ready-made controls and references to subordinate policies that can be adopted, adapted, or added to out of the box.

This means that you have ready-made simple to follow foundation for ISO 27001 compliance or certification giving you a 77% head start.

Step 1 : Adopt, adapt and add

Step 2 : Demonstrate to your auditors

You can easily demonstrate your work to auditors by recording your evidence within the platform e.g. data, policies, controls, procedures, risks, actions, projects, related documentation and reports.
Step 2 : Demonstrate to your auditors

Step 3 : A time-saving path to certification

Our Assured Results Method, ARM, is your simple, practical, time-saving path to first-time ISO 27001 compliance or certification. Requirement 9.1 is part of the third section that ARM will guide you on, where once the foundations of your ISMS have been paid, and Annex A controls have been described, you’ll detail how you comply with the remaining core requirements.
Step 3 : A time-saving path to certification

Step 4 : Extra support whenever you need it

If you need extra support, our optional Virtual Coach provides context-specific help whenever you need it. Additionally, our Service Delivery Team and your Account Manager are only ever a phone call away.
Step 4 : Extra support whenever you need it