Documentation Overview
ISO 22301 uses the term "documented information" to cover both documents (policies, procedures, plans) and records (evidence of activities performed). Understanding what must be documented is essential for certification readiness.
The standard requires documented information that is:
- Explicitly required by ISO 22301
- Determined by the organization as necessary for BCMS effectiveness
Mandatory Documents
The following documents are explicitly required by ISO 22301:
| Document | Clause | Purpose |
|---|---|---|
| BCMS Scope | 4.3 | Defines boundaries and applicability |
| Business Continuity Policy | 5.2 | Top management commitment and direction |
| BC Objectives | 6.2 | Measurable goals for the BCMS |
| BIA Process | 8.2.2 | Methodology for impact analysis |
| Risk Assessment Process | 8.2.3 | Methodology for risk identification and analysis |
| BC Strategy | 8.3 | Selected approaches for BC and recovery |
| BC Plans and Procedures | 8.4 | Response and recovery procedures |
| Exercise Programme | 8.5 | Testing schedule and approach |
Mandatory Records
The following records must be retained as evidence:
| Record | Clause | Purpose |
|---|---|---|
| Competence Evidence | 7.2 | Training, education, experience records |
| Operational Planning Evidence | 8.1 | Evidence that processes were executed as planned |
| BIA Results | 8.2.2 | Critical activities, RTOs, dependencies |
| Risk Assessment Results | 8.2.3 | Identified risks and treatments |
| Exercise Reports | 8.5 | Exercise outcomes and lessons learned |
| Monitoring and Measurement Results | 9.1 | Performance evaluation data |
| Internal Audit Programme | 9.2 | Audit schedule and criteria |
| Internal Audit Results | 9.2 | Audit findings and reports |
| Management Review Results | 9.3 | Review inputs, outputs, decisions |
| Nonconformity and Corrective Action | 10.1 | NC records and action evidence |
Recommended (Non-Mandatory) Documents
While not explicitly required, these documents support effective BCMS implementation:
Context and Planning
- Interested parties register
- Legal and regulatory requirements register
- BCMS roles and responsibilities matrix
- Communication plan
Operations
- Critical activities register
- Dependencies matrix
- Risk register
- Risk treatment plan
- Contact lists (internal and external)
- Incident log template
- Communication templates
- Recovery checklists
Support
- Training plan
- Awareness programme
- Document control procedure
- Record retention schedule
Performance
- Internal audit procedure
- Management review procedure
- Corrective action procedure
- KPI definitions and targets
Document Control Requirements
Clause 7.5 requires documented information to be controlled to ensure:
Availability and Suitability
- Available and suitable for use when and where needed
- Adequately protected (confidentiality, integrity, proper use)
Control Activities
- Distribution, access, retrieval, and use
- Storage and preservation (including legibility)
- Control of changes (version control)
- Retention and disposition
External Documents
Documents of external origin determined necessary must be identified and controlled.
Retention Requirements
ISO 22301 does not specify retention periods. Organizations should determine retention based on:
- Legal requirements: Employment records, contracts, regulatory compliance
- Certification cycle: Minimum 3 years to cover recertification
- Historical value: Trend analysis, lessons learned
- Litigation risk: Potential legal proceedings
Recommended Minimum Retention
| Record Type | Suggested Retention |
|---|---|
| Management reviews | 3 years (minimum one certification cycle) |
| Internal audits | 3 years |
| Exercise reports | 3 years |
| Training records | Duration of employment + 3 years |
| Incident records | 5+ years (consider legal requirements) |
| Corrective actions | 3 years after closure |
| BIA and risk assessments | Current version + previous version |
During certification audits, auditors will request evidence of implementation. Ensure records are readily accessible, well-organized, and demonstrate consistent application over time. A gap in records is often treated as a gap in implementation.