Before auditors examine the documents that evidence your organization's conformance to business continuity controls, make sure the items they will need are already assembled.
The first step is to understand which controls will be audited. Review standards and regulations as sources of business continuity controls. ISO 22301 (the 2012 edition cited by most audit programs of the period; the standard was revised in 2019), generally regarded as the global standard for business continuity (BC) management, and NIST SP 800-34, the U.S. government guide for information system contingency planning, are rich sources of control statements.
If your organization is in a regulated vertical such as banking and finance, you will have additional standards, good practices and regulations to draw controls from. One such source within the banking industry is the Federal Financial Institutions Examination Council's business continuity handbook (2015 edition). Map each piece of evidence to the specific control statement in the standard, regulation or industry practice it supports, so that an auditor can trace from control to evidence without your help.
Business continuity audit control checklist
Documented BC and DR plans. These should address business continuity controls such as emergency response activities; lists of primary and alternate contacts for use in a disaster; methods of notifying emergency team members as well as the wider employee base; methods of notifying clients, stakeholders, vendors and other external parties; criteria for declaring a disaster; the people authorized to declare one; available insurance coverage together with insurance agency contacts; and the procedures to follow when an event occurs. Auditors will also look for a version history and an approval date, so keep superseded versions rather than overwriting them.
Business impact analysis and risk assessment documents. Auditors will want to see the BIA and RA themselves, how their outputs (recovery time and recovery point objectives, prioritized processes, identified threats) feed into the BC/DR plans, how often the documents are updated and who is responsible for updating them.
Internal policy documents. These present evidence that the organization supports BC/DR activities, and may provide additional evidence to support other audit controls.
Meeting reports. These show that the company holds regular meetings to discuss BC/DR issues. Minutes recording attendees, decisions and assigned actions are essential; an agenda alone is weak evidence.
Emails. Copies of emails relevant to BC/DR activities are critical business continuity audit evidence. Examples include notifications of upcoming meetings, notices to department representatives telling them to update their BC plans, invitations to training sessions, management approval of a BC/DR document (in lieu of a formal signature) and responses to previous audit requests. Where an email stands in for a signature, retain the full message with its headers and date so the approver and timing can be verified.
External audit reports. Copies of assessment reports and/or audits of BC/DR activities by an external audit or consulting firm may be required to ensure the work can be reviewed and that the company's response to the report can be examined.
Internal audit reports. Reports generated by the firm's own audit staff will be examined to see what findings were identified, what recommendations were made and how quickly the recommended actions were implemented. Keep the remediation tracking record alongside the report, since an open finding with no follow-up is itself a finding.
BC/DR test plans and results. Most auditors will want evidence that BC and DR plans have actually been tested or exercised. Retain the test plan, test scripts, participants' comments and the post-test report that summarizes what happened, which objectives (such as recovery time) were or were not met, and the next steps to remediate any problems.
Awareness and training materials. Both activities matter to auditors, so keep copies of documents and screenshots that demonstrate the existence of a training program (course material, attendance records, completion dates), as well as evidence of efforts to raise awareness of BC/DR activities throughout the organization.
Auditors will likely request a great deal of evidence during their review. Be fully prepared by addressing the appropriate business continuity controls and keeping the evidence in an easy-to-locate folder or electronic repository, organized by control, for quick retrieval when the auditors call.