Evaluation of Business Continuity Documentation and Capabilities for ISO 22301
ISO 22301 Clause 8.6
This sub-clause requires periodic evaluation of the suitability, adequacy and effectiveness of the BIA, risk assessment, strategies, solutions and plans, including supplier continuity.
Clause 8.6 closes Clause 8 by stepping back and asking whether the analysis, the strategies and the plans are still doing the job. It is the operational counterpart to the management review at Clause 9.3, but with a sharper focus on continuity capability rather than the BCMS as a whole.
What ISO 22301 Clause 8.6 Requires
The clause requires the organisation to evaluate the suitability, adequacy and effectiveness of the BIA, the risk assessment, strategies, solutions, plans and procedures. The evaluation can be conducted through reviews, analysis, exercises, tests, post-incident reports and performance evaluations. It must include the continuity capabilities of relevant partners and suppliers. It must also assess compliance with applicable legal and statutory obligations, industry good practice, and conformity with the organisation's own policy and objectives. Documentation and procedures must be updated in a timely manner. Evaluations must be conducted at planned intervals, after an incident or activation, and when major changes occur.
Evaluating Supplier Continuity Capability
The supplier capability requirement is one that often gets less attention than it deserves. If a prioritised activity depends on a supplier - whether for a product, a service or an outsourced process - the BCMS is only as resilient as that supplier. Evaluating supplier continuity means understanding whether the supplier has its own continuity arrangements, whether those arrangements meet the recovery requirements the BIA has set, and whether there is a credible alternative if the supplier itself is the disruption.
Evaluation of suppliers can take several forms - reviewing supplier continuity statements, requiring evidence of supplier exercises, conducting supplier audits, including continuity questions in the supplier appraisal process, and rating suppliers for continuity risk in the supplier register. The depth of evaluation should reflect the criticality of the supplier to prioritised activities.
If the BC register includes monitoring and testing information, the annual management review is a natural place to conduct the 8.6 evaluation. Comments and actions from exercises and any incidents, plus the supplier continuity reviews, all roll up into a single evaluation that drives the next year's improvements.
I look for evidence that the BIA, risk assessment, strategies and plans have been formally reviewed and updated. Post-exercise reports and post-incident reports feeding into changes are particularly compelling evidence. I will also look for evidence that supplier continuity has been considered - the standard explicitly requires this.
Practical Compliance Guidance
The F-Q91 Supplier Continuity Appraisal supports detailed review of high-risk suppliers. The F-Q92 Business Critical Function Appraisal supports detailed review of critical functions. The F-IMS21 Business Continuity Register summarises monitoring and testing arrangements that feed into the periodic evaluation. The F-Q3 Management Review form is where the evaluation conclusions are typically recorded.
| alphaZ document | How to use it |
|---|---|
| ISO 22301 Toolkit | The full set of policies, procedures, registers and plans that build a BCMS to the requirements of the standard. |
| F-IMS21 Business Continuity Register | The register that summarises monitoring, testing and review arrangements feeding into the periodic evaluation. |
| F-Q91 Supplier Continuity Appraisal | The form used for detailed continuity appraisal of high-risk suppliers - capability, arrangements and credible alternatives. |
| F-Q92 Business Critical Function Appraisal | The form used for detailed appraisal of critical functions, demonstrating that all assumptions and continuity arrangements have been considered. |
| F-Q3 Management Review | The management review form where the evaluation conclusions are recorded and the actions arising are tracked. |
