Audit Guide: BS 25999

August 24, 2009

The following audit module is typical of the form used by BS 25999 assessors

This working document is intended as a reference/checklist for the Assessor when conducting BS 25999 Assessments.

There is a section after each element to make notes on areas investigated for conformity, noted areas of conformity or nonconformity, and follow up notations for the next auditor. It may be helpful to note evidence of conformity, such as procedures/work instructions, dates, and specific observations.

Make sure to note specific areas that may need further investigation and/or areas that were checked thoroughly. These notes should be placed in the comment section to assist the next auditor. You can keep track of these in the area provided after each element.

Please take note the checklists must include:

i) No blank boxes/no “N/A.”

ii) As many comments as possible should be written. In no event shall the auditor recommend specific solutions. This applies to all audits conducted on behalf of PJR.

If “NO” is checked, an explanation must follow in the comments section at the end of the element.

If additional questions arise during the audit, indicate them (and the appropriate responses) either in the blank working document pages at the end of this document or in the empty rows included in some of the sections.

Audit No. _____________________ Date(s): ____________________________

Client/Auditee: _______________________________________________________

Address: ________________________________________________________

Contact/Management Rep.: ___________________________________________________

Lead Auditor: ________________________________________________________

Audit Team: ________________________________________________________

Technical Expert: ________________________________________________________

BS 25999 Req.	Characteristic	Yes	No	Specific comments regarding deficiencies/ effectiveness
4.0	Business Continuity Management
4.1	General Requirements Has the organization developed, implemented, maintained and continually improved its documented BUSINESS CONTINUITY MANAGEMENT in accordance with 4.2 to 4.4?
4.2	Establishing and Managing the BUSINESS CONTINUITY MANAGEMENT SYSTEM
4.2.1	Has the organization established: requirements for business continuity taking into account organization objectives, obligations and legal duties; business continuity objectives and plans; the scope of business continuity in terms of products and services?
4.2.2	Has the organization assured itself that key suppliers and outsource partners have effective BUSINESS CONTINUITY MANAGEMENT arrangements in place?
4.2.3	BUSINESS CONTINUITY MANAGEMENT Policy
4.2.3.1	Has top management established and demonstrated its commitment to a BUSINESS CONTINUITY MANAGEMENT policy?
4.2.3.2	Does the BUSINESS CONTINUITY MANAGEMENT policy include or make reference to: the objectives of business continuity within the organization; the scope of business continuity, including limitations and exclusions
4.2.3.3	Is the policy approved by top management, communicated to all persons working for or on the behalf of the organization, and made available to relevant stakeholders?
4.2.3.4	Is the policy reviewed at planned intervals, and when significant changes occur?
4.2.4	Provision of Resources
4.2.4.1	Has the organization determined and provided resources to establish, implement, operate and maintain the BUSINESS CONTINUITY MANAGEMENT SYSTEM?
4.2.4.2	Have BUSINESS CONTINUITY MANAGEMENT roles, responsibilities, competencies and authorities been clearly defined?
4.2.4.3	Has top management: appointed a person with appropriate seniority and authority to be accountable for BUSINESS CONTINUITY MANAGEMENT policy and implementation; appointed one or more persons be responsible for implementing and maintaining the BUSINESS CONTINUITY MANAGEMENT SYSTEM, irrespective of other duties; determined and documented the acceptable level of risk relative to its BC scope; conducted management reviews of the BUSINESS CONTINUITY MANAGEMENT; communicated the program to stakeholders; communicated to the organization the importance of meeting BUSINESS CONTINUITY MANAGEMENT objectives, conforming to BUSINESS CONTINUITY MANAGEMENT policy, and continual improvement
4.2.5	Training, awareness and competency
4.2.5.1	Has the organization ensured that all personnel with responsibilities defined in the BUSINESS CONTINUITY MANAGEMENT SYSTEM are competent by: determining the necessary competencies for work affecting the BUSINESS CONTINUITY MANAGEMENT SYSTEM; conducting training needs analysis on staff assigned BUSINESS CONTINUITY MANAGEMENT SYSTEM roles; providing training; evaluating training effectiveness, and; maintaining records of education, training, skills, experience and qualifications.
4.3	Embedding BUSINESS CONTINUITY MANAGEMENT in the organization’s culture
4.3.1	Management and Training
4.3.1.1	Has the organization ensured that BUSINESS CONTINUITY MANAGEMENT is part of its core values and effective management?
4.3.1.2	Does the organization : ensured that relevant personnel are aware of the importance of their BUSINESS CONTINUITY MANAGEMENT activities and how they contribute to achievement of BUSINESS CONTINUITY MANAGEMENT SYSTEM objectives; raise, enhance and maintain awareness through an on-going BUSINESS CONTINUITY MANAGEMENT education and information program for all staff, including evaluation of the effectiveness of the BUSINESS CONTINUITY MANAGEMENT awareness delivery methods; have a process for identifying and delivering BUSINESS CONTINUITY MANAGEMENT training requirements of BUSINESS CONTINUITY MANAGEMENT-staff and non-BUSINESS CONTINUITY MANAGEMENT staff who need skills to undertake incident response and business recovery. conduct and evaluate the effectiveness of practical response training with active participatory exercises.
4.4	BUSINESS CONTINUITY MANAGEMENT SYSTEM documentation and records
4.4.1	BUSINESS CONTINUITY MANAGEMENT SYSTEM documentation
4.4.1.1	Is there a documented procedure established to define the management actions needed to ensure the approval, confidentiality, integrity, availability and currency of all documents required by the BUSINESS CONTINUITY MANAGEMENT SYSTEM?
4.4.1.2	The organization shall have as a minimum, the following BUSINESS CONTINUITY MANAGEMENT SYSTEM documentation: BC policy; Scope of the BUSINESS CONTINUITY MANAGEMENT SYSTEM, and procedures and controls in support of the BUSINESS CONTINUITY MANAGEMENT SYSTEM; BUSINESS CONTINUITY MANAGEMENT SYSTEM terms of reference; Business impact analysis report; Risk assessment report; Details of BUSINESS CONTINUITY MANAGEMENT strategies; Procedures for effective planning, operation and control of the BUSINESS CONTINUITY MANAGEMENT processes; Business continuity and incident management plans; Up to date contact information for resources required to support response; Change control procedures; Risk and issues register; Test schedule / test actions register; Incident log; Training program; Response structure; Any other documents required to support implementation of this standard.
4.4.2	BUSINESS CONTINUITY MANAGEMENT SYSTEM records
4.4.2.1	Does the organization identify the controls for identification, storage, protection, retrieval, retention time and disposition of records? A process shall determine the need and extent for records.
4.4.2.2	Are records kept for all business interruptions and incidents related to the BUSINESS CONTINUITY MANAGEMENT SYSTEM?
5	Implement and operate the BUSINESS CONTINUITY MANAGEMENT SYSTEM
5.1	Understanding the organization
5.1.1	Business impact analysis
5.1.1.1	Has the organization defined a documented process for determining impacts of disruption for key products and services that is appropriate to the organization? Are findings and conclusions documented?
5.1.1.2	Has the organization: identified activities that support key products and services; identified impacts that relate to these activities; assessed how these activities are impacted over time; established minimum tolerable period of disruption (MTD) for each activity by: identifying the maximum time period after disruption within which each activity needs to be resumed; identifying minimum levels of performance after resumption; identified the time within which normal operational levels need to be resumed; identified all dependencies relevant to each critical activity, including suppliers and outsource partners; identified critical activities and prioritized them for recovery; estimated the resources each critical activity will require for resumption, taking into account the needs of stakeholders; set recovery time objectives for resumption within the maximum tolerable period of disruption; reviewed the adequacy of the business impact analysis at planned intervals, and when significant changes occur to management or its activities.
5.2	Risk assessment
5.2.1	Risk assessment process
5.2.1.1	Is there a defined and documented process for risk assessment that enables the organization to understand threats and vulnerabilities, as well as impacts, of its critical activities and supporting resources?
5.2.1.2	With respect to critical activities and supporting resources, has the organization: identified threats; identified vulnerabilities; documented the impacts associated with the identified threats and vulnerabilities and determined the risks; established and maintain a register of risks; identified and documented loss mitigation and risk treatment measures appropriate to the level of risk acceptance; reviewed the adequacy of the risk assessment at planned intervals, and when significant changes occur to management or its activities.
5.2.2	Determining choices
5.2.2.1	For each critical activity, has the organization determined potential loss mitigation and risk treatment that: reduces the likelihood of disruption; shortens the period of disruption; limits the impact of disruption on key products and services.
5.2.2.2	Has the organization chosen appropriate risk treatments for each critical activity?
5.3	Determining business continuity strategy
5.3.1	Has the organization defined how it will provide for the recovery of its critical activities for which business continuity is the chosen risk treatment and take account of those activities not defined as critical?
5.3.2	Has the organization: defined a fit for purpose, predefined and documented incident response structure that will enable effective response and recovery from disruptions; determined how it will recover each critical activity within its Recovery Time Objective and the resources needed for resumption; determined how it will manage relationships with key stakeholders and external parties involved in the recovery.
5.4	Developing an implementing a BUSINESS CONTINUITY MANAGEMENT response
5.4.1	Incident response structure
5.4.1.1	Has the organization identified incident response personnel who have the necessary seniority, authority and competence to take control of situations and communicate with stakeholders?
5.4.1.2	Are (do) incident response personnel: capable of confirming the nature and extent of the incident, the incident; and managing the incident; responsible for triggering an appropriate business continuity response; have plans, processes and procedures to manage an incident; have plans for the activation, operation, coordination and communication of the incident response; have resources available to support the plans, processes and procedures to manage the incident.
5.4.2	Plans
5.4.2.1	Does the organization have documented plans that detail how it will mange the incident, and how it will recover or maintain its activities to a predetermined level in the vent of a disruption?
5.4.2.1	Are the plans: accessible to those with responsibilities defined within; agreed to by top management and understood by those who will implement the plans; owned by a named person with responsibility for review, update and approval; under version control with formal change notification and distribution records; reviewed at planned intervals, when significant changes occur to the organization or its activities; aligned with other contingency arrangements external to the organization.
5.4.2.2	Do the plans contain: identified lines of communication, roles, responsibilities, key tasks and reference information; defined purpose and scope; defined roles and responsibilities for people and teams having authority during and following an incident; guidelines and criteria regarding which individuals have the authority to invoke each plan and under what circumstances; a method by which each plan is invoked, meeting locations with alternatives, up-to-date mobilization and contact details for relevant agencies, organizations and resources that might be required to support the response; a process for standing down once the incident is over; essential contact details for all stakeholders; details for managing the incident including: immediate consequences of disruption, provisions for managing issues during the incident, processes and procedures to enable continuity and recovery of critical activities; details for managing immediate consequences giving due regard to: the welfare of individuals, strategic and tactical options, and prevention of further loss or unavailability of critical activities; details on communication with staff and relatives, key stakeholders and emergency contacts; details on media response including: incident communication strategy, preferred interface with the media, guidelines for drafting statements for the media, and appropriate spokespeople; methods for recording vital information about the incident, actions taken and decisions made; details of actions and tasks that need to be performed; prioritized objectives of critical activity recovery, timescales for recovery, and recovery levels; nominated persons to manage the business continuity and recovery phases of a disruption.
5.5	Exercising and maintaining BUSINESS CONTINUITY MANAGEMENT arrangements
5.5.1	General
5.5.1.1	Has the organization ensured that its BUSINESS CONTINUITY MANAGEMENT arrangements are validated by exercise and kept up-to-date?
5.5.2	BUSINESS CONTINUITY MANAGEMENT Exercising
5.5.2.1	Has the organization evaluated the competence and capability of its BUSINESS CONTINUITY MANAGEMENT with a view to continual improvement?
5.5.2.2	Does the organization: develop exercises consistent with the scope of its business continuity plan(s); ensure that exercises are carried out at periods determined by top management and when significant changes occur to the organization; carry out a range of different exercises to validate its business continuity arrangements; plan exercises so that: there is minimum risk of disruption, and the risk of an incident occurring as a direct result of the exercise is minimized; define the aims and objectives of every exercise; \produce a written report of the exercise, outcomes and feedback, including recommendations and a timetable for their implementation; and, carry out a post-exercise review of each exercise that will assess the achievement of aims and objectives of the exercise.
5.5.3	Maintaining BUSINESS CONTINUITY MANAGEMENT arrangements
5.5.3.1	Does the organization ensure that its BUSINESS CONTINUITY MANAGEMENT competence and capability remains effective, fit-for-purpose and up-to-date to meet its requirements?
6	Monitor and review the BUSINESS CONTINUITY MANAGEMENT SYSTEM
6.1	BUSINESS CONTINUITY MANAGEMENT SYSTEM review
6.1.1	Does the organization ensure its business continuity capability and appropriateness by review at planned intervals and when significant changes occur to ensure continuing suitability, adequacy and effectiveness?
6.1.2	Does the organization regularly review its BUSINESS CONTINUITY MANAGEMENT SYSTEM through self-assessment or audit?
6.2	Management review of the BUSINESS CONTINUITY MANAGEMENT SYSTEM
6.2.1	General
6.2.1.1	Does the organization review the BUSINESS CONTINUITY MANAGEMENT SYSTEM at planned intervals to ensure continuing suitability, adequacy and effectiveness? Does the review include assessing opportunities for improvement and the need for changes to the BUSINESS CONTINUITY MANAGEMENT SYSTEM, including BUSINESS CONTINUITY MANAGEMENT policy and objectives. Are results of review documented and records maintained?
6.2.2	Review input
6.2.2.1	Does input to management review include: results of BUSINESS CONTINUITY MANAGEMENT SYSTEM audits and reviews, including key suppliers and outsource partners; feedback from interested parties; techniques, products or procedures that could improve the performance or effectiveness of the BUSINESS CONTINUITY MANAGEMENT SYSTEM; status of corrective and preventive actions; level of residual and acceptable risk; vulnerabilities not adequately addressed in the previous risk assessment; follow-up actions from previous management reviews; changes that could affect the BUSINESS CONTINUITY MANAGEMENT SYSTEM; recommendations for improvement and exercise results; emerging guidance and good practices; observations / recommendations following incidents; lessons from incident response, near misses, and exercises; results of the education and awareness training programs.
6.2.3	Review output
6.2.3.1	Does management review output include any decisions and actions related to: improving effectiveness of the BUSINESS CONTINUITY MANAGEMENT SYSTEM modification of procedures that affect business continuity, response to internal or external events impacting the BUSINESS CONTINUITY MANAGEMENT SYSTEM, including any changes to: business requirements, resilience requirements, business processes, regulatory or legal environment, and levels of risk or risk acceptance; resource needs; funding and budget requirements.
7	Maintain and improve the BUSINESS CONTINUITY MANAGEMENT SYSTEM
7.1	Continual improvement
7.1.1.1	Does the organization continually improve the effectiveness of the BUSINESS CONTINUITY MANAGEMENT SYSTEM through use of the BUSINESS CONTINUITY MANAGEMENT policy and objectives, audit results, analysis of monitored events, corrective and preventive actions and their timescales, and management review?
7.1.2	Corrective action
7.1.2.1	Do the organizations documented procedures for corrective action include elimination of the cause of nonconformities associated with implementation and operation of the BUSINESS CONTINUITY MANAGEMENT SYSTEM to prevent recurrence and do they define requirements for : identifying nonconformities; determining cause of nonconformities; evaluating the need for action to ensure nonconformities do not recur; determining and implementing needed corrective action; recording results of actions taken; reviewing the corrective action taken.
7.1.3	Preventive action
7.1.3.1	Does the organizations documented procedure for preventive action guard against future nonconformities in order to prevent occurrence, are they appropriate to the impact of potential problems, and do they define requirements for: identifying potential nonconformities and their cause; determining and implementing needed preventive action; recording results of actions taken; reviewing preventive actions taken; identifying changed risks and ensuring attention is focused on significantly changed risks; ensuring that those who need to know are informed of the preventive action put in place; prioritization of preventive actions based on the results of the risk assessment and the business impact analysis (BIA).