BCMS-DOC-09-5 Internal Audit Report


Internal Audit Report

ISO22301 Toolkit Version 3 ©CertiKit 2016



Implementation Guidance (the header page and this section must be removed from the final version of the document)

Purpose of this document: This document describes the results of an internal audit of the Business Continuity Management System.

Areas of the standard addressed: The following areas of the ISO22301 standard are addressed by this document: 9 Performance evaluation; 9.2 Internal audit.

General Guidance: Internal audit reports will almost certainly be reviewed by a certification auditor to understand how they were carried out and to give clues about the strong and weak areas of the BCMS. The report should show that the audit was comprehensive enough to satisfy the requirements of the standard and that it covered the areas needed.

Review Frequency: We would recommend that this document is reviewed annually.

Toolkit Version Number: ISO22301 Toolkit Version 3 ©CertiKit 2016.

Document Fields: This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All on the ribbon)
3. Press F9 on the keyboard to update all fields
4. When prompted, choose the option to just update TOC page numbers

If you wish to permanently convert the fields in this document to text, i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the Toolkit Completion Instructions within the Project Resources folder.

Version 1

Page 1 of 14

[Insert date]

Copyright notice: Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a trading name of Public I.T. Limited, a company registered in England and Wales with company number 6432088 and registered office at 5 Falcons Rise, Belper, Derbyshire, DE56 0QN.

Licence terms: This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.

Disclaimer: Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect to its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

[Replace with your logo]

Internal Audit Report

Date of Audit: dd/mm/yyyy

BCMS Areas Covered: [State the sections of ISO22301 covered by this audit]

Document Ref.: BCMS-DOC-09-5
Version: 1
Dated: [Insert date]
Document Author:
Document Owner:

Revision History

Version | Date | Revision Author | Summary of Changes

Distribution

Name | Title

Approval

Name | Position | Signature | Date

Contents

1 Management Summary ... 7
2 Audit Details ... 8
2.1 Audit Criteria and Reference Documents ... 8
2.2 Audit Objectives ... 8
2.3 Scope of Audit ... 8
2.4 Status of Nonconformities Raised at Last Assessment ... 9
3 Audit Findings ... 11
3.1 Context of the Organisation ... 11
3.2 Leadership ... 11
3.3 Planning ... 11
3.4 Nonconformities and Observations Raised ... 12
4 Next Visit Plan ... 14
4.1.1 Day One ... 14
4.1.2 Day Two ... 14

List of Tables

Table 1 - Scope of the Audit ... 9
Table 2 - Nonconformities from Last Audit ... 10
Table 3 - Next Visit Plan Day One ... 14
Table 4 - Next Visit Plan Day Two ... 14

1 Management Summary

[Summarize the findings of the audit, such as in the example below]

This audit covered the context, leadership and planning sections of the management system part of the ISO22301:2012 standard. In general, it was found that a good level of support is in place for the business continuity management system (BCMS) and top management is adequately committed to its success. Comprehensive risk assessments are carried out to a documented process and a solid treatment plan has been created to address those risks that are above the acceptable level. However, the criteria for carrying out risk assessments could be better defined. The main finding of the audit is that business continuity objectives need to be defined at various levels so that the success of the BCMS can be better judged. This area should be addressed as a matter of urgency.

2 Audit Details

Date(s):
Location(s):
Auditor(s):
Audit Participants:
Scope Summary:

2.1 Audit Criteria and Reference Documents

ISO22301:2012, the international standard for business continuity, was used as the basis of the audit criteria. The ISO22313:2012 guidance was used where clarification of the requirements of the standard was required. The audit was carried out in the English language.

2.2 Audit Objectives

In line with the requirements of the standard, the overall objectives of this internal audit are to provide information on whether the [Organization Name] business continuity management system (BCMS):

a) conforms to:
   1. [Organization Name]’s requirements for its BCMS; and
   2. the requirements of the ISO22301:2012 international standard
b) is effectively implemented and maintained

2.3 Scope of Audit

The following sections of the ISO22301 standard were covered during this audit:

Section | Included
4. Context of the Organisation | Y
4.1 Understanding the organization and its context | Y
4.2 Understanding the needs and expectations of interested parties | Y
4.3 Determining the scope of the information security management system | Y
4.4 Business continuity management system | Y
5. Leadership | Y
5.1 Leadership and Commitment | Y
5.2 Management commitment | Y
5.3 Policy | Y
5.4 Organizational roles, responsibilities and authorities | Y
6. Planning | Y
6.1 Actions to address risks and opportunities | Y
6.2 Business continuity objectives and plans to achieve them | Y
7. Support |
7.1 Resources |
7.2 Competence |
7.3 Awareness |
7.4 Communication |
7.5 Documented information |
8. Operation |
8.1 Operational planning and control |
8.2 Business impact analysis and risk assessment |
8.3 Business continuity strategy |
8.4 Establish and implement business continuity procedures |
8.5 Exercising and testing |
9. Performance Evaluation |
9.1 Monitoring, measurement, analysis and evaluation |
9.2 Internal audit |
9.3 Management review |
10. Improvement |
10.1 Nonconformity and corrective action |
10.2 Continual improvement |

Table 1 - Scope of the audit

2.4 Status of Nonconformities Raised at Last Assessment

As at the date of this audit, the status of the nonconformities raised at the last assessment was as follows:

Ref. | Description | Type | Actions | Status
NCR123 | Resources not discussed at management review | Minor Nonconformity | Minutes of latest management review show resources are now discussed | Closed
NCR124 | Business continuity incident not handled according to procedures | Minor Nonconformity | Additional procedural training has now been delivered | Closed

Table 2 - Nonconformities from last audit


3 Audit Findings

[Describe the findings of the audit in the areas covered. Examples are given below]

3.1 Context of the Organisation

The external and internal issues affecting the BCMS are well understood and the needs and expectations of interested parties have been taken into account. For certification purposes, the scope of the business continuity management system within [Organization Name] is defined as follows: “The management of business continuity in the provision of [products and services] provided by [Organization Name] to its customers.” This scope was agreed to be still valid for the purposes of the audit.

3.2 Leadership

Business continuity policies and plans are in place in most areas, although objectives have not been set (NCR142 raised). The BCMS is well integrated with business processes and sufficient resources are being provided. Communication from top management is good, but more use could be made of team meetings (OBS163 raised) to get the business continuity message across. Leadership is generally strong and continual improvement is heavily promoted within the organization. A high level business continuity policy includes the required elements but not, as previously stated, a framework for setting objectives. The policy is approved and well communicated. Roles and responsibilities are clearly understood and fulfilled. The Business Continuity Manager is responsible for the BCMS and reporting from it.

3.3 Planning

A risk assessment has recently been carried out by following a documented process, although the criteria for performing them are not fully defined (NCR143 raised). Risks have been comprehensively assessed and an appropriate set of controls identified to treat risks that are beyond the acceptance threshold. A viable risk treatment plan is in place which is monitored as part of management reviews. All risks have identified owners who have signed off on the risk treatment plan.

However, business continuity objectives have not been established and accordingly a plan is not in place to achieve them. This is an area that must be addressed as a matter of urgency.

3.4 Nonconformities and Observations Raised

Where a discrepancy against the standard has been found, one of three types of item has been raised as follows:

- Major nonconformity – a significant issue which represents a breakdown of the operation of the management system
- Minor nonconformity – a single lapse which does not in itself indicate a breakdown of the management system
- Observation – a comment which may be of use to the auditee, based on experience of other BCMS implementations

The following nonconformities and observations were raised as a result of this audit.

Ref.: NCR142
Type: Major nonconformity
Area: Policy and objectives
Clause: 5.3 Policy; 6.2 Business continuity objectives and planning to achieve them
Description: Business continuity policy does not include objectives or a framework for setting them. Objectives have not been set.
Requirements: Top management shall establish a business continuity policy that: a) is appropriate to the purpose of the organization; b) provides a framework for setting business continuity objectives; and Top management shall ensure that business continuity objectives are established and communicated for relevant functions and levels within the organization.
Evidence: The policy does not include the required sections and no objectives were evidenced.

Ref.: NCR143
Type: Minor nonconformity
Area: Business continuity risk assessment
Clause: 8.2.1 General
Description: Criteria for performing business continuity risk assessments are not fully defined.
Requirements: The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that: a) establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident.
Evidence: The risk assessment and treatment process does not cover this area.

Ref.: OBS163
Type: Observation
Area: Leadership
Clause: 5.2 Management commitment
Description: Top management could make more use of team meetings to emphasize the importance of the BCMS.
Requirements: Top management shall demonstrate leadership and commitment with respect to the BCMS by: - communicating the importance of effective business continuity management and conforming to the BCMS requirements.
Evidence: Minutes of team meetings showed that top management had not attended any within the last 6 months.



4 Next Visit Plan

The next audit will take place over two days, starting on dd/mm/yyyy. The proposed audit schedule is as follows:

4.1.1 Day One

Time | Auditor | Auditee | Areas to be Covered
09:00 | | | Opening meeting
10:00 | | |
11:00 | | |
12:00 | | |
13:00 | | | Lunch
14:00 | | |
15:00 | | |
16:00 | | |
17:00 | | | Day wrap up and summary

Table 3 - Next visit plan day one

4.1.2 Day Two

Time | Auditor | Auditee | Areas to be Covered
09:00 | | | Initial briefing
10:00 | | |
11:00 | | |
12:00 | | |
13:00 | | | Lunch
14:00 | | |
15:00 | | |
16:00 | | |
17:00 | | | Audit wrap up and summary

Table 4 - Next visit plan day two
