Iso 9001 internal audit checklist

Published in: Business

Your management has given you the task to implement business continuity, but you're not really sure how to do it? Although it is not an easy task, you can use the BS 25999-2 methodology to make your life easier. Here are the main steps necessary to implement this standard:

1. Obtain management support

Although this is not a mandatory step in BS 25999-2, it is certainly the crucial step at the beginning: if the management does not understand the benefits of business continuity and is not committed to this project, your project is most probably going to fail.

2. Treat it as a project

It will take quite a lot of time and resources to set up your business continuity management system (BCMS). You have to define clearly what needs to be done, in which time frame, and what the roles in the project implementation are. In other words, you have to apply project management methods.

3. Define objectives and scope; write down a BCM Policy

You have to define what it is you want to achieve with the BCMS: compliance, decreasing the level of risk, requirements of your customers/partners, etc. You also have to define what you are going to include in your BCMS: the whole organization, or just a part of it. For instance, you may decide to include only your data centre if you are providing hosting services to your customers. All of this has to be documented in the BCM Policy.

4. Define roles and responsibilities for the BCMS

Because the BCMS is going to become a permanent activity in your organization, you have to define clear responsibilities for it, especially for the "sponsor" of the BCMS (someone accountable for the BCMS but not engaged in day-to-day BCMS activities) and for a "BCM coordinator", "BCM manager" or similar role: one or more persons with active duties regarding the BCMS. It is best to document these roles and responsibilities in your BCM Policy.

5. Implement mandatory procedures

BS 25999-2 requires the following four mandatory procedures to be implemented: document and records control, internal audit, preventive and corrective actions. These procedures are actually the foundation of your management system, similarly to ISO 27001 or ISO 9001.

6. Perform business impact analysis and risk assessment

Through business impact analysis you have to identify the critical activities, their maximum tolerable period of disruption, the dependencies of those critical activities (including dependencies on suppliers and outsourcing partners), and set recovery time objectives.

By doing the risk assessment you actually find out what could be the causes of the disruption of your critical activities. Those could be natural, but also man-made (either malicious or accidental). You would also need to do risk treatment, which means you need to decide how to decrease the possibility of something going wrong. Unfortunately, risk assessment and treatment are not very well defined in this standard, so you might take a look at ISO 27001, which describes them in more detail.

7. Determine the business continuity strategy

Before you proceed with writing business continuity plans, you actually have to determine which resources you will need for resuming your critical activities: which people, locations, data, hardware, software, suppliers, outsourcing partners, etc. The business continuity strategy has to determine not only what you need, but also how you are going to provide those resources.

8. Develop incident management plans and business continuity plans

The purpose of incident management plans is to describe how you are going to respond directly to the occurrence of an incident (e.g. fire, earthquake, bomb threat, power failure, etc.) in order to prevent it from spreading, and to try to decrease its direct effects.

On the other hand, the purpose of business continuity plans is to describe how you are going to recover your critical activities: how you are going to put all the resources you have prepared into action. This means you have to describe who is going to do what, at which time, using which data and technology, in order to put your organization back into operation.

All of these plans have to be described in detail, because they must be executed even if the main personnel are not available. Therefore, they have to be written in such a way that somebody else would be able to execute them.

9. Training and awareness

You need to define the level of competence needed for the execution of business continuity plans in case of disruption, and then train all the personnel (both employees and external partners) to reach this level of competence.

However, this is not enough: you also need to explain to your personnel why BCM is necessary. Let's face it, your business continuity plans will be used maybe only once in a lifetime, so most people consider them a waste of time. Therefore, you have to explain to them why such a thing must exist. (See also How to deal with BCM sceptics)

10. BCMS exercising

If you thought you had written your plans perfectly, you are probably wrong: it is almost impossible to write a plan with no errors right at the beginning. This is why exercising is a mandatory part of the BCMS. You have to test your plans in a situation that more or less resembles a real disruption. Only then will you find out what you planned well, and what you didn't.

11. Maintaining and reviewing the BCMS

Another way to keep your BCMS up to date is by defining the intervals at which you will review your business continuity plans, but also other arrangements (e.g. contracts with suppliers and outsourcing partners, training and awareness, etc.). There are all sorts of changes in the environment that threaten to make your documentation obsolete: it is enough for an employee to leave the company to have an unusable telephone number in a plan, if that person had a role in the BCMS.

It is also mandatory to perform a post-incident review if an incident really occurred. The purpose is to find out how the organization really reacted: did it follow the plans or not?

12. Internal audit

The purpose of internal audit is to find out, in an objective manner, if there is something wrong. The internal auditor should be a person who can find out if something is done wrong within your BCMS, in order to correct it. If done properly, internal audit could be one of the best ways to improve your BCMS.

13. Management review

As said before, it is very important to get your management involved in the project, and management review is designed exactly for that. The standard requires the management to examine all the relevant facts about BCM and decide whether it has fulfilled its purpose. Once that is done, the management has to decide which improvements must be made.

14. Preventive and corrective actions

The best thing would be to prevent mistakes (or, in terms of BS 25999, "non-conformities") from happening. This is what preventive actions are used for: they are a systematic way of correcting things before a problem occurs. Similar to preventive actions, there are also corrective actions, which resolve a problem that has already occurred.

Now the question is: why would you use BS 25999-2? Although it is (still) not an international standard, it is the most popular standard for business continuity worldwide. The above-mentioned steps are designed by the best business continuity experts, so if you want to implement the best accepted practices for business continuity, you have to look no further.

Here you can download the diagram of the BS 25999-2 implementation process showing all these steps together with the required documentation (registration required).

If you want to download over 50 free ebooks for the ISO 9001 standard, you can visit: http://iso9001ebooks.info

Best regards
