ISO 22301 Clause 9.2 Internal Audit

Dec 26, 2023 by Alex.

ISO 22301 is a standard that provides a framework for organizations to establish, implement, maintain, and continually improve their business continuity management system (BCMS). Clause 9.2 of ISO 22301 pertains to internal audits. Internal audits are an essential component of a BCMS, as they help organizations to ensure that their system is functioning effectively, identify areas for improvement, and demonstrate compliance with the standard. Internal audits are conducted by the organization's own personnel or by an external party appointed by the organization.


The internal audit process includes the following steps:

  • Planning the audit: This involves determining the audit scope, objectives, and criteria, as well as selecting the audit team.
  • Conducting the audit: This involves collecting and analyzing information about the BCMS, including policies, procedures, records, and other relevant documentation. The audit team should conduct interviews with relevant personnel to gain a deeper understanding of the BCMS.
  • Reporting the audit findings: This involves preparing an audit report that includes the audit findings, conclusions, and recommendations for improvement. The report should be communicated to the relevant stakeholders, including top management.
  • Follow-up actions: This involves tracking the implementation of corrective actions identified in the audit report and verifying their effectiveness.

It is important for organizations to ensure that their internal audit program is objective, impartial, and consistent with the requirements of the standard. The audit team should have the necessary competence and knowledge to conduct the audit effectively, and the organization should provide them with the necessary resources to carry out their duties.


Definition of Internal Audit

Clause 9.2 of ISO 22301 defines the requirements for conducting internal audits within a business continuity management system (BCMS). Specifically, it states that internal audits must be conducted at planned intervals and in accordance with a documented procedure. The purpose of these audits is to determine the effectiveness of the BCMS in achieving its objectives and identify opportunities for improvement.

ISO 22301 defines an internal audit as a "systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled." The audit criteria are the set of policies, procedures, and requirements against which the BCMS is audited. In addition to requiring that internal audits be conducted at planned intervals, ISO 22301 also requires that the organization consider the importance of the processes being audited, any changes in the organization or external environment, and the results of previous audits when determining the audit schedule.

ISO 22301 also requires that the internal audit team be competent and impartial, and that they have the necessary resources to conduct the audit effectively. The audit team must be independent of the activities being audited and report directly to top management. Once the internal audit is completed, ISO 22301 requires that the audit findings be documented and communicated to relevant stakeholders, including top management. The organization must also establish and maintain procedures for following up on the findings and recommendations from internal audits and verifying the effectiveness of any corrective actions taken.

How to Understand Internal Audit

Clause 9.2 of ISO 22301 outlines the requirements for conducting internal audits within a business continuity management system (BCMS). Here is a breakdown of how to understand this clause:

  1. Conduct internal audits: The first requirement is to conduct internal audits at planned intervals. This means that the organization must establish a schedule for conducting internal audits, taking into account the importance of the processes being audited, any changes in the organization or external environment, and the results of previous audits.
  2. Documented procedure: The second requirement is to conduct internal audits in accordance with a documented procedure. This means that the organization must establish and maintain documented procedures for conducting internal audits, which should include the criteria for selecting auditors, the audit scope and objectives, and the audit methodology.
  3. Purpose: The purpose of internal audits is to determine the effectiveness of the BCMS in achieving its objectives and to identify opportunities for improvement. This means that the internal audit process should be designed to evaluate the BCMS against the established criteria and identify areas where the BCMS can be improved.
  4. Competent and impartial audit team: The internal audit team should be competent and impartial, which means that they should have the necessary knowledge and skills to conduct the audit effectively and should not be influenced by any personal or organizational biases.
  5. Resources: The organization must provide the internal audit team with the necessary resources to conduct the audit effectively. This includes access to all relevant documentation and personnel, as well as the necessary tools and equipment.
  6. Reporting and follow-up: The audit findings must be documented and communicated to relevant stakeholders, including top management. The organization must establish and maintain procedures for following up on the findings and recommendations from internal audits and verifying the effectiveness of any corrective actions taken.

By following the requirements of clause 9.2, organizations can establish an effective internal audit program that contributes to the ongoing improvement of their BCMS. The internal audit process should be designed to be systematic, objective, and independent, and should be conducted by a competent and impartial audit team. The audit findings should be documented, communicated, and acted upon to ensure the ongoing effectiveness of the BCMS.

What are the Benefits of Internal Audit

Clause 9.2 of ISO 22301 outlines the requirements for conducting internal audits within a business continuity management system (BCMS). Here are some benefits of implementing this clause:

  1. Improved BCMS effectiveness: Conducting internal audits can help organizations identify areas where their BCMS can be improved. By evaluating the BCMS against established criteria, internal audits can help organizations identify gaps or weaknesses in their BCMS and develop targeted corrective actions to improve the overall effectiveness of the system.
  2. Increased confidence: Internal audits can provide stakeholders with increased confidence in the effectiveness of the BCMS. By conducting independent and objective assessments of the BCMS, internal audits can help reassure stakeholders that the organization is effectively managing its business continuity risks.
  3. Compliance with ISO 22301: Clause 9.2 is a requirement of ISO 22301, and compliance with this clause can help organizations demonstrate their compliance with the standard. This can be important for organizations that are seeking certification to ISO 22301, as well as those that want to ensure they are meeting the requirements of the standard.
  4. Continuous improvement: Internal audits are a key tool for driving continuous improvement within an organization. By identifying areas for improvement and developing targeted corrective actions, internal audits can help organizations improve their BCMS over time and ensure that the system remains effective in the face of changing circumstances.
  5. Better risk management: Conducting internal audits can help organizations better manage their business continuity risks. By identifying gaps or weaknesses in the BCMS, internal audits can help organizations develop targeted risk mitigation strategies to reduce the likelihood and impact of disruptive incidents.

Conclusion

Clause 9.2 of ISO 22301 outlines the requirements for conducting internal audits within a business continuity management system (BCMS). The purpose of internal audits is to determine the effectiveness of the BCMS in achieving its objectives and to identify opportunities for improvement. By implementing clause 9.2, organizations can establish an effective internal audit program that contributes to the ongoing improvement of their BCMS.

Implementing clause 9.2 is therefore an important aspect of ISO 22301: it helps organizations ensure the ongoing effectiveness of their BCMS, manage business continuity risks, and drive continuous improvement. By establishing an effective internal audit program, organizations can demonstrate their commitment to managing business continuity risks and protecting their stakeholders in the face of disruptive incidents.
