ISO 22301 Clause 9: Performance Evaluation

What will Clause 9 of ISO 22301 help us achieve?

Once your BCMS is up and running, you’ll need to monitor it by running ongoing performance enhancement reviews. This clause shows you how to keep those reviews fully compliant with the ISO 22301 standard.

9.1 Monitoring, measurement, analysis and evaluation

Your team will have to assess the efficiency and progress of your BCMS. And they’ll have to record those assessments, because – as with so many other ISO 22301 requirements – if it’s not recorded it doesn’t exist.

But it’s not just about recording data. You’ll need to explain what’s happening and why your BCMS works in the way it does. That means deciding which parts of your BCMS to review and analyse, how much detail to go into, and what evaluation methods to use to make sure your analysis is correct and your findings are both accurate and helpful.

You’ll also have to choose the right people to monitor and measure your BCMS, and assess the results of that activity too. All of their findings, conclusions and actions need to be carefully and fully documented.

You’ll achieve compliance with a lot of clause 9.1 as you put together your BCMS and work through the other relevant sections of the ISO. Just remember to document everything as you go!

9.2 Internal audit

You’ll need to carry out internal audits to confirm that your BCMS meets both your company’s needs and the ISO’s specifications. That means checking that your organisation is effectively applying and managing its BCMS, then documenting and acting on your findings.

ISO 22301 sets out specific requirements for those internal audits. It asks you to define:

You’ll need to set clear, purposeful audit criteria. Then you’ll choose your internal auditors, making sure they’re objective and impartial. Once they’ve carried out each audit, they’ll have to show that they’re:

  • Reporting their findings to all interested parties
  • Defining and explaining any cases of non-compliance
  • Certifying corrective actions taken to remedy any non-compliance

You’ll need to keep a list of the results of all internal audits and any improvements they’ve led to. That’ll help you guarantee that corrective actions triggered by a new audit take account of any changes made in response to previous ones.

9.3 Management review

Your senior management must carry out regular, pre-planned strategic reviews of your BCMS. That means meeting at least once a year, though given how quickly business continuity risks can develop we recommend carrying out this kind of review more often. They’ll help you make sure that your BCMS continues to meet the needs of both your organisation and ISO 22301.

Each review must drive your BCMS’ ongoing improvement. Your senior managers should use them as opportunities to understand its current status, map out any issues relating to it, take onboard any feedback about it, discuss developments that might affect it, look at how it’s performing in practice and decide on specific improvements to it. As ever, your organisation must retain all relevant documentation as proof of each review’s outcomes.

We know that managing that kind of review can be stressful and time-consuming. So we’ve done our best to make reviews as easy as possible. Our system brings all the review information together in one secure, online environment.

You can easily access it before, during and after the review. We also give you everything you need to carry out reviews online, saving your senior management travel time and expense, and simplifying your organisational process too.

ISO 22301:2019 Requirements

ISO 22301:2019 adopts the framework, core text and definitions of Annex L (formerly Annex SL). Annex L establishes a high-level structure for ISO management system standards, and was drawn up so that those standards share a common core text, terminology and set of concepts.

Except for Clause 8, the Annex L requirements address many of the same areas as the core requirements of ISO 27001, covered in Section 4.1 through to 10.2.

How to easily demonstrate 9.1 Performance evaluation

The ISMS.online platform makes it easy for you to evaluate the performance and effectiveness of the system, by connecting up the relevant requirements of ISO 27001.

Adopt, adapt and add

Our pre-configured ISMS will enable you to evidence requirement 9.1 within our platform and easily adapt it to your organisation’s needs. The AAA content for 9.3 references the relevant requirements that address this area. During planning and research, you will identify what to monitor and measure, then identify your business objectives and align those with management reviews and internal audits.

You are provided with ready-made controls and references to subordinate policies that can be adopted, adapted, or added to out of the box.

This means you have a ready-made, simple-to-follow foundation for ISO 27001 compliance or certification, giving you a 77% head start.
