MINIMUM DOCUMENTED INFORMATION FOR ISO 22301:2019
An Overview of ISO 22301:2019
ISO 22301 is an international standard that specifies the requirements to establish, implement, maintain and continually improve a Business Continuity Management System (BCMS) to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise.
The purpose of a BCMS is to prepare for, provide and maintain controls and capabilities for managing an organization’s overall ability to continue to operate during disruptions.
What is Documented Information?
“Documented information” is defined as the information required to be controlled and maintained by an organization and the medium on which it is contained. Examples of documented information include a record, specification, procedure, drawing, report, standard, etc.
The term “document” is defined as information created in order for the organization to operate, e.g. procedures, instructions, specifications, guidelines, and criteria. The term “record” is defined as a document that provides evidence of results achieved or activities performed, e.g. evidence of training, operational control, corrective action, internal audit, and management review activities. A set of documented information, for example, specifications and records, is frequently called “documentation”.
ISO 22301:2019 uses the standardized term “documented information” to refer to both documents and records. ISO 22301 uses the term “retain documented information” to describe a record (e.g. retain the results of corrective actions) and “maintain documented information” to describe a document (e.g. maintain the scope of the Business Continuity Management System). A document is live information and needs to be updated as required, while a record is a history of an event, activity, or action.
Clause 7.5 of ISO 22301:2019 describes the requirements for documented information. Documented information can be in any format and media and from any source. The medium can be paper, magnetic, electronic, or optical computer disc, photograph or master sample, or a combination thereof.
What is the minimum documented information required by ISO 22301:2019?
Every organization has to produce the minimum documented information required by the ISO 22301 standard to demonstrate conformance to the standard's requirements. Not all of the minimum documented information requirements listed below may be applicable to every organization, depending on its operations and activities; those that are not applicable shall be listed as exclusions in the scope statement of the Business Continuity Management System (BCMS).
How to determine the requirement for ISO 22301 Documentation?
Clause 7.5 of ISO 22301 describes the requirements for documented information. To demonstrate conformance to the requirements of ISO 22301, an organization may need to produce more documents and records than the minimum required by the standard because, according to Clause 7.5, the organization’s Business Continuity Management System (BCMS) shall include:
- documented information required by ISO 22301 (as listed above)
- documented information determined by the organization as being necessary for the effectiveness of the Business Continuity Management System (BCMS), e.g. policies, procedures, instructions, guidelines, and relevant records other than the minimum required. For an effective BCMS, it is quite common for organizations to establish procedures for hazard identification, risk assessment, compliance obligations, corrective actions, control of documented information, operational control, etc.
The extent of documented information for ISO 22301 may differ from one organization to another due to:
- the size of the organization and its type of activities, processes, products, and services
- the complexity of processes and their interactions
- the competence of persons
The rule of thumb for an organization is to use a risk-based approach to determine the requirement for documented information other than the minimum documented information, e.g. an organization may decide that, due to a lack of documented procedures and work instructions, there might be a risk to business continuity. Organizations also establish procedures and other documented information to establish controls as a result of a risk assessment or to address a nonconformity.
G-Certi provides ISO registration/certification services in Canada and 50 other countries for a number of ISO Standards including but not limited to ISO 9001, ISO 14001, and ISO 22301. The auditors of G-Certi ensure that your organization is conforming to the requirements of ISO 22301. Please feel free to visit gcerti.ca and contact one of our representatives for a complimentary pre-assessment to ensure that your organization is ready for ISO 22301 registration/certification.