Module 7

SECTION 3: APPENDICES
CHECKLISTS AND CONTROL MATRIX
Appendix 1: Checklist for a Business Continuity Plan and Audit
Process Objectives:

- To seamlessly recover from a disaster situation.
- To reduce the impact of damage to assets, in turn reducing data loss.
- To assure compliance.
- To sustain operations so that customer service and corporate image can be maintained.
Using this Checklist:

This checklist is to be used by the IS Auditor conducting the BCP Audit. It covers the entire BCP process but has to be customised to the specific needs of the assignment. An IS Auditor can use this checklist as a basis for recording observations and for collecting evidence for the audit engagement. It is an illustrative example of how an IS Auditor could conduct a BCM Audit at an organisation, and can be taken as a base for conducting such audit engagements.

Sl. No.  Checkpoints/Particulars

Policy and Procedure
1. Is the business continuity plan documented and implemented?
2. Are the scope and objectives of the BCP clearly defined in the policy document?
   (Scope should cover all critical activities of the business. Objectives should clearly spell out the expected outcomes of the BCP.)
3. Are there any exceptions to the scope of the BCP, i.e. in terms of location or any specific area, and does the management have justifications for excluding them?
4. What is the time limit for such exclusions, and what is the current strategy for covering them?
5. Are the policy and procedure documents approved by the Top Management?
   (Verify sign-off on policy and procedure documents and budget allocations made by the management for the BCP.)
6. Does the business continuity plan ensure the resumption of IS operations during major information system failures?
   (Verify that the IS disaster recovery plan is in line with the strategies, goals and objectives of the corporate business continuity plan.)
7. Are users involved in the preparation of the business continuity plan?
   (Managerial, operational, administrative and technical experts should be involved in the preparation of the BCP and DRP.)
8. Do the policy and procedure documents include the following?
   - List of critical information assets.
   - List of vendors with service level agreements.
   - Current and future business operations.
   - Identification of potential threats and vulnerabilities.
   - Business impact analysis.
   - Involvement of technical and operational experts in the preparation of the BCP and disaster recovery plans.
   - Recovery procedures to minimize losses and interruptions in business operations.
   - Disaster recovery teams.
   - Training and test drills.
   - Compliance with statutory and regulatory requirements.
9. Are the BCP policy and procedures circulated to all concerned?
   (Verify availability and circulation of the BCP and DRP to all concerned, including onsite and offsite storage.)
10. Is the business continuity plan updated and reviewed regularly?
   (Verify minutes of meetings where policy and procedures are reviewed. Verify amendments made to the policy and procedure documents due to changes in the business environment.)
Risk Assessment
1. Has the management identified potential threats/vulnerabilities to business operations?
   (Verify the business environment study report and the risk assessment report.)
2. Are the risks evaluated by the management?
   (Verify the review of the probability of occurrence of each threat/vulnerability carried out by the management.)
3. Has the organisation selected an appropriate method for risk evaluation?
4. Has the organisation carried out an assessment of internal controls?
   (Verify the internal controls mitigating the risk.)
5. Has the organisation taken an appropriate decision on the risks identified?
   (Verify the decision-making on the options - accepted, reduced, avoided or transferred - for the risks identified.)
6. Are risk assessments carried out at regular intervals?
   (Verify the review frequency.)
Business Impact Analysis
1. Does the organisation carry out a business impact analysis (BIA) for business operations?
2. Has the organisation identified a BIA team?
3. Are the RTO and RPO defined by the management?
4. Has the SDO been defined based upon the RTO and RPO?
5. Has the organisation measured the business impact?
   (The impact of risks on business operations can be measured in the form of business loss, loss of goodwill, etc.)
6. Is the business impact analysis carried out at regular intervals?
Development and Implementation of the BCP and DRP
1. Has the organisation prioritized recovery of interrupted business operations?
   (Prioritization of activities is based on the RTO and RPO.)
2. Has the organisation identified the various BCP and DRP teams?
   (Verify that employees are identified, informed and trained to take action in the event of a disaster.)
3. Are the responsibilities of each team documented?
   (Verify the roles and responsibilities assigned to employees for actions to be taken in the event of an incident/disaster.)
4. Do the BCP document(s) include the following?
   - Scope and objectives.
   - Roles and responsibilities of BCP and DRP teams.
   - Incident declaration.
   - Contact list.
   - Evacuation and stay-in procedures.
   - Activity priorities.
   - Human resource and welfare procedures.
   - Escalation procedures.
   - Procedures for resumption of business activities.
   - Media communication.
   - Legal and statutory requirements.
   - Backup and restore procedures.
   - Offsite operating procedures.
5. Are copies of up-to-date BCP documents stored offsite?
6. Does the offsite facility meet adequate security requirements?
   (Verify the logical access, physical access and environmental controls of the offsite facility.)
7. Does the BCP include training for employees?
   (Verify the evidence of training given.)
8. Does the organisation have adequate media and document backup and restoration procedures?
   (Verify the backup and restoration schedules adopted by the organisation.)
9. Are logs of backup and restoration maintained and reviewed?
   (Verify the logs maintained and their review by an independent person.)
10. Does the media library have adequate access control?
   (Verify the physical and logical access controls to the media library.)
11. Are the BCP and DRP communicated to all concerned?
   (Verify availability and circulation of the BCP and DRP to all concerned, including onsite and offsite storage.)
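The backup schedule and log review above (items 8 and 9) only mean something when read against the RPO defined in the BIA. As an added illustration, not part of this checklist, the following code shows how an auditor could check constructed backup log lines against hypothetical RPO targets; the system names, log format and RPO figures are assumptions, and failed runs are deliberately not counted as recovery points.

```python
from datetime import datetime, timedelta

# Constructed sample backup log (not from the checklist): timestamp, system, job, outcome.
SAMPLE_LOG = """\
2024-03-01T22:00:00 core-db backup SUCCESS
2024-03-02T22:00:00 core-db backup SUCCESS
2024-03-03T22:00:00 core-db backup FAILED
2024-03-04T22:00:00 core-db backup SUCCESS
2024-03-01T23:00:00 mail backup SUCCESS
2024-03-04T23:00:00 mail backup SUCCESS
"""

# Hypothetical RPO targets in hours, as they would appear in the BIA.
# "web" has an RPO but no log entries at all, which must also be reported.
RPO_HOURS = {"core-db": 24, "mail": 24, "web": 4}

# Constructed audit date: the gap from the last recovery point up to now counts too.
AUDIT_TIME = datetime(2024, 3, 5, 9, 0)


def parse_log(text):
    """Return sorted timestamps of successful backups per system.
    A FAILED run creates no recovery point, so it is dropped here."""
    points = {}
    for line in text.splitlines():
        stamp, system, _job, status = line.split()
        if status == "SUCCESS":
            points.setdefault(system, []).append(datetime.fromisoformat(stamp))
    return {system: sorted(stamps) for system, stamps in points.items()}


def rpo_violations(points, rpo_hours, audit_time):
    """List (system, gap_hours) for every interval between consecutive recovery
    points, or from the last point to audit_time, that exceeds the system's RPO.
    A system with an RPO but no recovery point is reported with gap None."""
    findings = []
    for system, rpo in rpo_hours.items():
        stamps = points.get(system, [])
        if not stamps:
            findings.append((system, None))
            continue
        for earlier, later in zip(stamps, stamps[1:] + [audit_time]):
            gap = (later - earlier) / timedelta(hours=1)
            if gap > rpo:
                findings.append((system, round(gap, 1)))
    return findings


def audit_sample():
    """Run the check over the constructed log; used by the example below."""
    return rpo_violations(parse_log(SAMPLE_LOG), RPO_HOURS, AUDIT_TIME)


if __name__ == "__main__":
    for system, gap in audit_sample():
        print(f"{system}: {'no recovery point' if gap is None else f'{gap} h gap'}")
```

On the sample log the failed core-db run on 3 March turns two daily backups into a 48-hour gap, and mail shows a 72-hour gap, both beyond a 24-hour RPO.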
Maintenance of the BCP and DRP
1. Is the business continuity plan tested at regular intervals?
2. Has the organisation reviewed the gap analysis of the testing results?
   (The review process should include a comparison of test results with the planned results.)
3. How has the organisation decided to reduce the gaps identified, and what time limit has been set for addressing them?
4. Does the organisation have a testing plan?
   (Verify the copy of the test plan and its updates.)
5. Are test drills conducted at appropriate intervals?
6. Does the organisation document and analyse testing results?
   (Verify copies of the test results and the analysis report.)
7. Has the organisation prepared action points to rectify the testing results?
   (Verify the corrective action plan for all problems encountered during the test drill.)
8. Does the organisation carry out retesting for the action points?
   (Verify the evidence of retesting activities.)
9. Does the organisation review the BCP and DRP at regular intervals?
10. Does a review of the BCP include the following?
   - BCP policy and procedure
   - Scope and exclusions of the BCP
   - Inventory of IS assets
   - Validation of assumptions made during risk assessment and preparation of the BCP and DRP
   - Risk assessment
   - Business impact analysis
   - Backup of systems and data
   - Training for employees
   - Test drills