alex_aldo - Fotolia

Manage Learn to apply best practices and optimize your operations.

Using ANSI/ASIS SPC.2-2014 for auditing risk-based management systems

Paul Kirvan looks at ANSI/ASIS SPC.2-2014, a standard designed to facilitate audits of management systems that focus on "risk, resilience, security, crisis, continuity and recovery management."

Released in March 2014, ASIS International introduced a standard, ANSI/ASIS SPC.2-2014, Auditing Management Systems: Risk, Resilience, Security and Continuity-Guidance for Application, to provide advice on auditing management systems that focus on "risk-based disciplines of risk, resilience, security, crisis, continuity and recovery management."

Management systems are systematic frameworks designed to manage an organization's policies, procedures and processes so as to fulfil all tasks required to achieve its objectives, while promoting continual improvement within.

Another way to think of a management system is to first identify all activities needed to perform a specific activity, including policies, procedures, staffing, systems and facilities, and then organize and enable them in such a way that work can be accomplished.

The standard discusses the elements that comprise an audit, such as establishing audit objectives, defining the audit team, developing an audit program, executing the audit and reviewing the audit results with management.

Tips for using the standard

First and foremost, the ANSI/ASIS standard can be adapted into a checklist to ensure you've addressed the relevant audit activities. Covering the right issues is essential when planning an audit. Next, examine the risk-focused content in the standard to see how it can be leveraged in the audit. Risks and controls used to address them are key audit items.  

Conformance to established standards and practices is important when planning an audit, as standards in particular can be adapted into control objectives for the audit. Organize the audit using the ASIS standard as the framework, and then define controls based on the issues addressed in the ASIS standard as well as other accepted industry standards.

When preparing for an audit, especially one with a risk-based focus, be sure that the people selected as auditors are properly vetted and suitably qualified to perform the audits. Section 7 of the standard provides detailed guidance on how to evaluate and select auditors. Make this one of your priorities when planning the audit.

In many international standards today, such as those released by the International Organization for Standardization (ISO), the Plan-Do-Check-Act (PDCA) model is a key component. It provides a structured and easily repeatable framework for performing the activities in the standard. In particular, Figure 2, Plan-Do-Check-Act (PDCA) Process Flow for Managing an Audit Program, provides a useful visual treatment of how the PDCA model is applied to the audit process. Wherever possible, be sure that the activities contained in the PDCA model are addressed as controls in the audit.

As we mentioned earlier, the overall ANSI/ASIS standard can be used as a checklist and/or framework for planning the audit. In particular, Section 5.3, Establishing the Framework, helps define the audit objectives and scope and simplifies the process of identifying the issues to address when planning the audit. Most everything you identify in this section can be used as a potential control. Complementing Section 5.3 is Section 5.4, which details all the components needed to organize the audit. These two sections provide a useful resource for audit design and planning, as well as control definition.

Section 5.5, Implementing the Audit Program, defines all the steps needed to set up an audit, execute the audit and then document the findings. Once your audit has been planned and organized, ensure that it is reviewed by management as well as your internal audit department, if you have one. If your organization has a formal audit process, be sure to follow it accordingly.

Additional sections address monitoring and review of the audit process, ensuring that the audit objectives will be achieved. These activities ensure that your audit is conducted according to your organization's audit policies, and that any irregularities can be identified and promptly corrected.

Finally, it's always helpful to have a model or example of an audit to see how it ought to look. The last major section in the ANSI/ASIS standard, Performing Individual Audits, provides a step-by-step plan for developing and executing audits all the way to the post-audit meeting and delivery of audit findings and work papers. Use this section as a checklist for ensuring you have included all the relevant tasks in your audit plan.


When planning an audit of risk-based management systems, such as a business continuity management system (BCMS) or an information security management system (ISMS), the guidance provided in ASIS SPC.2.-2014 can save time, improve audit efficiency and result in a successful audit.

About the author:
Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant and auditor, and is secretary of the U.S. chapter of the Business Continuity Institute and member of the BCI Global Membership Council. He can be reached at

Next Steps

Take a closer look at ISO 22301

How ASIS became part of the BC/DR standard conversation

Dig Deeper on Disaster recovery planning - management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.