Documented information is the evidence base of the BCMS. It is both the mechanism through which the system operates (procedures tell people what to do) and the evidence that auditors examine to verify compliance. This article provides a complete reference for mandatory documented information — what must exist, the distinction between documents that are maintained and records that are retained, and the documentation management requirements of Clause 7.5. Using this article, organisations can create a documentation checklist for certification.
ISO 22301 does not prescribe a specific document management system or format. It requires that documented information is available when needed and is suitable for its intended use. A paper-based system with version control and a retention schedule can comply; a sophisticated electronic system can also comply. The requirement is discipline in managing documents and records, not a particular technology.
Documents vs Records: A Critical Distinction
A document is living information that is regularly reviewed and updated. Examples include the Business Continuity Policy, Business Continuity Plans, procedures, communication plans, and strategy documentation. Documents must be kept current. A BCP that was last reviewed 18 months ago and does not reflect current systems, staff, or suppliers is not an operational document.
A record is evidence of activities performed at a specific point in time. Examples include exercise reports, training records, management review minutes, audit reports, and incident response records. Records are retained as evidence but not updated (you do not change last year’s exercise report). The distinction matters because document management (version control, review cycles, approval requirements) differs from record management (storage, retention schedules, preservation).
Document control for managed documents includes: version numbering so current and obsolete versions can be distinguished; review cycles that define when documents must be reviewed (typically annually); approval authority (who must approve the document before it becomes active); distribution lists (who needs access to the current version); and retirement of obsolete versions (removing old versions from circulation so they cannot be accidentally used). Record management includes: retention periods (how long records must be kept, often defined by regulation); storage that preserves integrity; access controls that prevent unauthorised access or alteration; and disposal procedures (how records are securely destroyed when the retention period ends).
Mandatory Documents (Shall Be Maintained)
ISO 22301 requires the organisation to create and maintain documented information that covers the BCMS scope, the BC Policy, BCMS objectives, results of context analysis and risk assessment, the continuity strategy, Business Continuity Plans, procedures for exercising and testing, and procedures for handling nonconformity and improvement. These are the documents that describe how the BCMS operates. They must be current, accurate, and available to the people who need them.
The BCMS scope statement must define what is in scope and what is out of scope — which organisational units, which processes, which systems, which locations. It must be documented so that everyone understands the BCMS boundaries. The BC Policy, approved by top management, must state the organisation’s commitment to continuity and must be communicated to relevant personnel. BCMS objectives must be documented and measurable. The Business Continuity Plans must describe what each critical activity will do to continue or recover if disrupted.
These documents are maintained in a document management system that ensures version control, review cycles, and access. The most common documentation error is plans or procedures that exist but are not linked to the document management system, resulting in multiple versions in circulation and no clarity about which is current. When an exercise or emergency requires activating a plan, which version is used? If different versions exist, confusion will result.
| Document | Purpose | Clause | Minimum Content Requirements |
|---|---|---|---|
| BCMS Scope Statement | Define what is in and out of scope, establish boundaries | 4.3 | In-scope organisational units and processes; out-of-scope areas and reason; in-scope locations and systems; any exclusions and justification |
| Business Continuity Policy | Establish top management commitment and continuity principles | 5.2 | Commitment to establishing, implementing, maintaining BCMS; commitment to regulatory/contractual obligations; commitment to continual improvement; how resources will be provided; approval by top management and date |
| BCMS Objectives and Planning | Establish measurable objectives and plan their achievement | 6.3 | Specific, measurable BCMS objectives; target values; timelines; responsibility assignment; link to risk assessment and BIA results |
| BC Risk Assessment Results | Document threats, likelihood, and consequence analysis | 6.2 | Threats identified; likelihood and consequence assessed; risk evaluation; risk treatment decisions (mitigate, accept, avoid); residual risk |
| Business Impact Analysis Results | Document critical activities and recovery requirements | 6.2 | Activities identified; disruption impact by activity; Maximum Acceptable Outage; dependencies; Recovery Time Objective; Recovery Point Objective; Minimum Business Continuity Objective |
| Continuity Strategy Documentation | Document strategy decisions for recovery | 8.3 | Strategy choices for people, premises, technology, suppliers, finance; rationale for choices; resource requirements; MBCO levels; recovery sequence priorities |
| Business Continuity Plans | Provide operational procedures for recovery | 8.4 | Activation criteria and authority; roles and responsibilities; step-by-step procedures; resource requirements; communication procedures; deactivation criteria |
| Crisis Management Procedures | Define incident response and escalation | 8.4 | Incident classification; escalation criteria; crisis team structure; incident commander authority; deactivation procedures; post-incident review process |
| ICT Continuity Plans | Describe technology recovery procedures | 8.5 | Systems identified; backup procedures and frequency; recovery procedures and timing; testing schedule; interdependencies; failover procedures |
| Communication Plans | Define internal and external communication during disruption | 7.4 | Internal communication structure and channels; external communication protocols; who communicates externally; message content for different scenarios; contact directories |
| Exercise and Test Plans | Schedule and define exercises and recovery testing | 8.5 | Exercise types and frequency; objectives for each exercise; scenario details; roles and responsibilities; timing; post-exercise review process |
| Competence Framework | Define competence requirements for BCMS roles | 7.2 | Roles requiring BCMS-specific competence; competence requirements for each role; training or experience needed; how competence will be assessed or maintained |
| KEY IDEA | Document control is not bureaucracy — it is the mechanism that ensures BCPs are current when activated. A BCP that was last reviewed 18 months ago and does not reflect the organisation’s current systems, staff, and suppliers is operationally useless and an audit finding. Document control (version numbers, review dates, approval signatures, distribution lists) ensures that the document used in an emergency is the document that reflects current reality. The investment in document management systems and discipline pays dividends in operational effectiveness. |
Mandatory Records (Shall Be Retained)
Records are evidence of activities performed. ISO 22301 requires the organisation to maintain records that demonstrate BCMS compliance and effectiveness. These include training records, exercise records, audit records, management review records, and improvement/corrective action records. Records are retained (kept as evidence) but not updated. An exercise report documents what happened at a specific exercise; it is not revised unless it was factually inaccurate.
Record retention periods should be defined by regulation where applicable. Regulatory obligations often specify how long records must be retained (e.g., financial records for 30 years). Where no regulation applies, retention periods are typically 3–7 years for operational records (exercises, training) and longer for governance records (audit reports, management reviews). The organisation’s document management system should track retention schedules and dispose of records appropriately when the retention period expires.
In audits, auditors verify that records exist and are available. Missing records — no training logs for people in BCM roles, no exercise reports, no evidence of management review — are audit findings. Records must be stored in a way that preserves their integrity and prevents unauthorised alteration. A spreadsheet on a shared drive where anyone can edit cell contents is not adequate record storage. An audit trail showing who created, reviewed, and approved records is better.
| Record | What It Evidences | Clause | Retention Recommendation |
|---|---|---|---|
| Training and competence records | Personnel have completed BCM training and have required competence | 7.2 | Duration of employment plus 3 years; longer if regulated |
| Awareness programme records | Personnel are aware of BC Policy and their roles | 7.3 | 3 years minimum |
| Management review minutes | Top management actively reviews BCMS performance and makes decisions | 9.3 | Permanent; these are governance records |
| Internal audit plan and reports | BCMS compliance is independently assessed | 9.2 | 3 years minimum; longer if finding tracking requires historical context |
| Corrective action register | Nonconformities are identified and addressed systematically | 10.1 | Permanent; shows pattern of improvement |
| Exercise records | Plans are tested, capability is demonstrated, findings drive improvement | 8.5 | 3 years minimum; longer for trend analysis |
| Post-incident review records | Actual disruptions are analysed and lessons are captured | 8.4 | Permanent; critical governance evidence |
| BIA review and update records | Business Impact Analysis remains current as the organisation changes | 6.2 | 3 years; shows currency and review discipline |
| Supplier BCM assessment records | Critical suppliers are assessed for continuity capability | 8.1/8.3 | Duration of supplier relationship plus 3 years |
| Communication logs during disruption | Communication during actual events is documented | 7.4 | Permanent; evidence of incident response effectiveness |
| BCP activation and deactivation records | When plans are activated, deactivated, and why | 8.4 | 3 years minimum for operational analysis |
| Monitoring and measurement data | BCMS KPIs are tracked and show performance trends | 9.1 | 3 years minimum for trend analysis |
Document Management System Requirements (7.5.2–7.5.3)
Clause 7.5 requires controls on the creation, approval, revision, and retention of documented information. For documents, controls include: a process to approve documents before they are used (ensuring accuracy and appropriateness); a version control mechanism to distinguish current from obsolete versions; a mechanism to ensure updated documents are distributed and obsolete versions are removed from circulation; and a review cycle that ensures documents remain current (typically, BCMS documents should be reviewed at least annually or when significant organisational changes occur).
For records, controls include: a retention schedule defining how long each record type is kept; storage that preserves integrity (preventing unauthorised access or alteration); an audit trail showing who created, reviewed, and approved records; and a disposal process that securely destroys records when the retention period expires.
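The document and record controls described above, expressed as checks over a small register. This is an added example in Python, not code from the article or from any ISO document; the register fields, names, dates and retention periods are constructed assumptions. It flags current documents that are unapproved or overdue for review, documents with more than one current version, records whose content no longer matches the digest taken when they were filed, and records past their retention period.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
REVIEW_CYCLE = timedelta(days=365)  # annual review, as the article recommends
@dataclass
class Document:        # maintained information: kept current, approved, one live version
    doc_id: str
    version: str
    status: str        # "current" or "obsolete"
    approved_by: str   # empty string means never approved
    last_review: date
@dataclass
class Record:          # retained information: evidence that is never edited after filing
    rec_id: str
    created: date
    content: bytes
    retention: timedelta
    sha256: str = ""   # integrity digest captured when the record is filed
    def __post_init__(self):
        self.sha256 = self.sha256 or hashlib.sha256(self.content).hexdigest()
def document_findings(docs, today):
    """Flag unapproved or overdue current documents and duplicate current versions."""
    findings, live = [], {}
    for d in docs:
        if d.status != "current":
            continue   # obsolete versions are acceptable if clearly marked as such
        live.setdefault(d.doc_id, []).append(d.version)
        if not d.approved_by:
            findings.append(f"{d.doc_id} v{d.version}: in use without approval")
        if today - d.last_review > REVIEW_CYCLE:
            findings.append(f"{d.doc_id} v{d.version}: review overdue")
    findings += [f"{k}: several current versions {v}" for k, v in live.items() if len(v) > 1]
    return findings
def record_findings(recs, today):
    """Flag records altered since filing and records past their retention period."""
    altered = [f"{r.rec_id}: content altered since filing" for r in recs
               if hashlib.sha256(r.content).hexdigest() != r.sha256]
    expired = [f"{r.rec_id}: retention expired, schedule disposal" for r in recs
               if today - r.created > r.retention]
    return altered + expired

# Constructed sample register: names, dates and periods are assumptions, not from the article.
TODAY = date(2025, 6, 1)
DOCS = [Document("BCP-Payments", "2.0", "current", "COO", date(2024, 9, 1)),
        Document("BCP-Payments", "2.1", "current", "", date(2025, 5, 1)),    # draft left live
        Document("BC-Policy", "1.0", "current", "CEO", date(2023, 11, 15)),  # 18 months ago
        Document("BCP-Payments", "1.0", "obsolete", "COO", date(2023, 1, 1))]
RECS = [Record("EX-2024-03", date(2024, 3, 10), b"attendance: 12; findings: 2", 3 * REVIEW_CYCLE),
        Record("EX-2021-11", date(2021, 11, 5), b"findings: 4", 3 * REVIEW_CYCLE)]
RECS[1].content = b"findings: 0"  # edited on an open shared drive after filing
```

Running `document_findings(DOCS, TODAY)` and `record_findings(RECS, TODAY)` produces the findings an auditor would raise against this register: an unapproved live draft, an 18-month-old policy, two current versions of one plan, and an exercise record that was altered after filing and has outlived its retention period.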
ISO 22301 does not specify a particular document management system. A well-organised SharePoint with version control, defined review cycles, access controls, and retention policies meets the requirement. A shared drive where multiple versions of the same document accumulate, no owner is assigned, no one knows which version is current, and deleted files are not tracked does not. The system matters less than the discipline with which it is operated.
| IMPORTANT | ISO 22301 does not require a specific document management system — it requires documented information to be available, suitable for use, and adequately protected. A well-organised SharePoint with version control, defined review cycles, and access controls satisfies the requirement. A shared drive with multiple versions of the same BCP, no version control, no review dates, and no idea who is responsible for updates does not. The system matters less than the discipline with which it is operated. Many organisations underestimate the importance of documentation management and end up with scattered documents, outdated plans, and no audit trail. Investing in a simple but disciplined document management process pays dividends. |
Documentation Checklist for ISO 22301 Certification
For organisations preparing for ISO 22301 certification, this checklist summarises the mandatory documented information. Before the Stage 1 audit, organisations should confirm that all items are created, reviewed, approved (where required), and available for auditor review. Before the Stage 2 audit, all records should be collected and made available. Gaps in documentation are common causes of delays in certification; addressing them systematically avoids surprises during audit.
Documentation does not need to be perfect or exhaustive; it needs to be fit for purpose. A 50-page document that no one reads is less useful than a 5-page document that clearly explains how something works. Documentation should answer the question: “If someone needed to know how we do this, would the document tell them?” If yes, it is sufficient.
| BITLION INSIGHT | The documented information requirement that most consistently generates Stage 2 findings in Indonesian ISO 22301 audits is the exercise record. Organisations conduct exercises but do not produce structured records: no attendance list, no exercise objectives, no scenario documentation, no findings register, no improvement action log. An exercise without a record is an exercise that did not happen from an audit perspective. Investing 20% of exercise effort in pre-exercise planning documentation and post-exercise reporting (one template with scenario overview, attendance list, findings, and improvement actions) pays dividends that are disproportionate to the effort. Good documentation practices make audit preparation straightforward. |