ISO 22301 Clause 9: Performance Evaluation
What will Clause 9 of ISO 22301 help us achieve?
Once your BCMS is up and running, you’ll need to monitor it by running ongoing performance enhancement reviews. This clause shows you how to keep those reviews fully compliant with the ISO 22301 standard.
9.1 Monitoring, measurement, analysis and evaluation
Your team will have to assess the efficiency and progress of your BCMS. And they’ll have to record those assessments, because – as with so many other ISO 22301 requirements – if it’s not recorded it doesn’t exist.
But it’s not just about recording data. You’ll need to explain what’s happening and why your BCMS works in the way it does. That means deciding which parts of your BCMS to review and analyse, how much detail to go into, and what evaluation methods to use to make sure your analysis is correct and your findings are both accurate and helpful.
You’ll also have to choose the right people to monitor and measure your BCMS, and assess the results of that activity too. All of their findings, conclusions and actions need to be carefully and fully documented.
You’ll achieve compliance with a lot of clause 9.1 as you put together your BCMS and work through the other relevant sections of the ISO. Just remember to document everything as you go!
Pull Together All Your ISO 22301 and BCMS Work in One Place With Our Range of Business Continuity Management Tools
9.2 Internal audit
You’ll need to carry out internal audits to confirm that your BCMS meets both your company’s needs and the ISO’s specifications. That means checking that your organisation is effectively applying and managing its BCMS, then documenting and acting on your findings.
ISO 22301 sets out specific requirements for those internal audits. It asks you to define:
- Audit frequency and process
- Any audit planning requirements
- Expected audit outcomes
- How you’ll report your outcomes
You’ll need to set clear, purposeful audit criteria. Then you’ll choose your internal auditors, making sure they’re objective and impartial. Once they’ve carried out each audit, they’ll have to show that they’re:
- Reporting their findings to all interested parties
- Defining and explaining any cases of non-compliance
- Certifying corrective actions taken to remedy any non-compliance
You’ll need to keep a list of the results of all internal audits and any improvements they’ve led to. That’ll help you guarantee that corrective actions triggered by a new audit take account of any changes made in response to previous ones.
9.3 Management review
Your senior management must carry out regular, pre-planned strategic reviews of your BCMS. That means meeting at least once a year, though given how quickly business continuity risks can develop we recommend carrying out this kind of review more often. They’ll help you make sure that your BCMS continues to meet the needs of both your organisation and ISO 22301.
Each review must drive your BCMS’ ongoing improvement. Your senior managers should use them as opportunities to understand its current status, map out any issues relating to it, take onboard any feedback about it, discuss developments that might affect it, look at how it’s performing in practice and decide on specific improvements to it. As ever, your organisation must retain all relevant documentation as proof of each review’s outcomes.
We know that managing that kind of review can be stressful and time consuming. So we’ve done our best to make them as easy as possible. Our system brings all the review information together in one secure, online environment.
You can easily access it before, during and after the review. We also give you everything you need to carry out reviews online, saving your senior management travel time and expense, and simplifying your organisational process too.
We Give You the Opportunity to Do All Your Business Continuity, Not Just Your Information Security
ISO 22301:2019 Requirements
ISO 22301:2019 implements the framework, fundamental text and definitions of Annex L, formerly Annex SL. Annex L establishes a high-level framework for ISO management system standards. The Annex was drawn up to incorporate a similar core text and common terminology and concepts.
Except for Clause 8, the Annex L requirements address many of the same areas as the core requirements of ISO 27001, covered in Section 4.1 through to 10.2.