If your business continuity program is scheduled for an audit, chances are your company's management (e.g., audit committee or audit department) wants to make sure that your activities are consistent with good practice, are following company policies, are consistent with company budget guidelines and are compliant with other operational controls established by your organization for business continuity.
Although this article recommends using ISO 22301:2012 for the baseline audit controls, the following tips will help you prepare for the audit, no matter which controls are used. Regardless of the type of audit -- first-party (internal audit), second-party (external audit by a contracted organization) or third-party (fully independent external audit) -- preparation and documentation are the two essential components of a successful audit. Also, make sure the auditor/audit firm is familiar with ISO 22301:2012 and is prepared to use it in the audit.
Preparing for the audit
As we mentioned earlier, preparation and documentation are the two elements to have for the audit. The following is a checklist of items:
|Current copies of all relevant business continuity and disaster recovery documentation, including BC/DR plans, policies and procedures, assessments, business impact analyses, risk assessments, incident response plans, emergency plans, defined roles and responsibilities for emergency teams as well as employees, exercise programs, technology DR test documents, documents describing previous disasters, internal and external communications activities including emergency notification, training program materials, awareness program materials, activity maintenance schedules, evidence of previous management reviews and audits and evidence of continuous improvement activities.|
|Evidence that demonstrates your program is organized around the Plan-Do-Check-Act model as defined in the ISO 22301:2012 business continuity standard.|
|Evidence that your BC/DR program is referred to (preferably) as a "business continuity management system" or BCMS, as recommended in the ISO 22301 standard. However, you can call the administrative policies, processes and procedures that facilitate your BC program by whatever term you prefer.|
|Evidence that your program and its activities align (as closely as possible) with the structure of the ISO 22301:2012 business continuity standard, e.g., context of your company, leadership of your company, plus planning, support, operation, performance evaluation and improvement activities for your company.|
|Evidence that you have scheduled and conducted BC plan exercises, technology DR tests, BIAs, RAs, assessments, reviews, plan updates, updates to BC/DR strategies, updates to contact lists and updates to emergency procedures.|
|Evidence that demonstrates that you perform all or most of the activities defined by the ISO 22301 standard for a "business continuity management system"; specifically, the administrative policies, processes and procedures that facilitate your BC program.|
|Evidence that demonstrates that you have senior management commitment and support for the program, including a senior management sponsor/champion, a steering committee, a budget, a business plan and staff, and are considered a separate department or a sub-group of a larger department.|
|Evidence that business continuity is embedded in your organization as a strategic activity for the business, and that BC/DR activities are part of product development, IT operations, product manufacturing, supply chain activities and other key business functions.|
|Evidence that demonstrates that your emergency team members have received training and participate in regular emergency drills and exercises to ensure they are ready to respond in an emergency.|
While this is a significant list of pre-audit activities and you may not have all of them in place before the audit, be prepared to respond to the audit report that you plan to address the findings in accordance with the report's recommendations.
Preparing the auditors
As business continuity and disaster recovery are relatively new functions compared to other more traditional audit activities, check to see if the auditors are familiar with the standard, and have previously performed BC/DR audits. If BC/DR is part of a larger audit, once again, check to be sure that the auditors are familiar with the ISO 22301 standard. If you are doing a first-party audit, it may be beneficial to provide background materials on BC/DR activities for your auditors so they can prepare accordingly. For external audits, you can only ask if the prospective auditors understand BC/DR and the standard.
What else can you do?
You can do a few additional things in advance of the audit.
|Study the standard carefully and identify where you need to make changes in your program.|
|Study the companion standard, ISO 22313:2012, to gain additional insight and guidance on business continuity activities that will help prepare for an audit.|
|Consider taking a seminar or course in preparing for an ISO 22301 audit.|
|Discuss pre-audit and audit activities with other BC/DR colleagues who have been audited.|
|Post audit-related questions on LinkedIn or other business-focused social media sites.|
|Conduct research on audit preparation activities.|
|Document everything that demonstrates that you are in compliance with the standard.|
With proper preparation, an understanding of the audit process and lots of evidence supporting your BCMS and its associated activities, your audit experience should be an enlightening experience, helping you to manage the most effective BCMS possible.
About the author:
Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant and auditor, and is secretary of the U.S. chapter of the Business Continuity Institute and member of the BCI Global Membership Council. He can be reached at firstname.lastname@example.org.