Copy 1 ss540 audit guide 201214 rar bia rs plan

Standardised Audit Program document.xlsx 1 08/25/2022

Transcript of Copy 1 ss540 audit guide 201214 rar bia rs plan

Page 1: Copy 1 ss540 audit guide 201214 rar bia rs plan

Standardised Audit Program

document.xlsx 1 05/03/2023

Risk Analysis and Review (No. | Clause | Component | Question; each row also carries Yes / No and Specific comments regarding deficiencies / effectiveness columns for the auditor's response)

1 | 5.1 | Policies / Processes | Are internal and external risk events and impacts identified and reviewed by all business units and their operational processes?
2 | 5.1 / 5.2.2 | Policies | How is this done, and are records available for audit?
3 | 5.1 | Policies | Are both qualitative and quantitative impacts evaluated? Are records available?
4 | 5.2 | Policies | Is a procedure for the identification of external and operational risks established and available?
5 | 5.2.1 | Policies | Has the BCM committee reviewed the findings and recommendations of risk analysis efforts? Has it selected appropriate, cost-effective treatment?
6 | 5.2.3 | Policies | How are identified risks treated, and are they documented?
7 | 5.2.4 | Policies | Is a list of potential disasters established, and which is selected as the most probable disaster?
8 | 5.2.5 | Policies | Is risk analysis carried out consistently across all business units? Are records of analysis available for all business units?
9 | 5.2.6 | Policies / People | Are the people involved in or responsible for risk analysis competent? Are training records available for the training conducted?
10 | 5.4.2 | People | Are the roles and skills of essential staff and external parties needed identified, established and documented?
11 | 5.5 | Infrastructure | Has risk review and analysis been performed on critical equipment and facilities? Are risk treatments available for all identified risks?

Page 2

Business Impact Analysis (No. | Clause | Component | Question; each row also carries Yes / No and Specific comments regarding deficiencies / effectiveness columns for the auditor's response)

1 | 6 | | Was the BIA process completed?
2 | 6.1 | | Was the BIA conducted on a periodic and systematic basis, i.e. at a pre-determined frequency?
3 | 6.1 | | Are there any business or technology changes that require a review of the BIA?
4 | 6.2 | Policies | Are there policies to govern the assessment of losses due to interruptions to business operations or processes?
5 | 6.2.1 | Policies | Is the MBCO of the organization clearly stated and documented by the Executive Management?
6 | 6.2.1 | Policies | How is the MBCO clearly defined and approved by the Executive Management?
7 | 6.2.1 | Policies | Are there any significant internal or external changes, especially in legal or contractual requirements, that require a review of the MBCO?
8 | 6.2.2 | Policies | Is there a BCM Steering Committee?
9 | 6.2.2 | Policies | Is there a list of potential threats and risks for each business unit for review by the BCM Steering Committee?
10 | 6.2.2 | Policies | Is the list reviewed by the BCM Steering Committee?
11 | 6.2.2 | Policies | Is the list of CBF produced and prioritised by the Committee?
12 | 6.2.2 | Policies | Is the list of CBF the decision of the Committee?
13 | 6.2.2 | Policies | Are there any discrepancies in the CBF between the Business Unit Head and the BC team?

Page 3

Business Impact Analysis (continued; No. | Clause | Component | Question, with Yes / No and Specific comments regarding deficiencies / effectiveness columns for the auditor's response)

14 | 6.2.2 | Policies | Has the CBF been prioritized?
15 | 6.2.2 | Policies | Is the prioritized list reviewed and approved by the BCM Steering Committee?
16 | 6.2.2 | Policies | Has the recovery prioritization of CBF been done in conjunction with the allocation of resources?
17 | 6.2.3 | Policies | Are there policies to ensure that the MBCO complies with legal and regulatory requirements?
18 | 6.2.4 | Policies | What is the expertise level of the personnel undertaking the BIA?
19 | 6.2.4 | Policies | Do the CBFs support the MBCO?
20 | 6.2.5 | Policies | What considerations are the priority for analyzing the impact of risk on CBFs?
21 | 6.2.5 | Policies | Establish and approve the recovery priority together with the allocation of resources.
22 | 6.2.5 | Policies | Are workplace safety and health considerations taken into account in the prioritization of the CBFs?
23 | 6.2.5 | Policies | Are legal and regulatory requirements considered in the prioritization of CBFs?
24 | 6.2.5 | Policies | Are quantitative or qualitative impacts considered for the CBF's impact of risk?
25 | 6.3 | Processes | Are there processes established to identify different disruptions to the business operations and functions?
26 | 6.3.1 | Processes | Are all the individual BU identified by: name and description? processes employed? supporting systems? (the remaining items of this row are on page 4)

Page 4

Business Impact Analysis (continued; No. | Clause | Component | Question, with Yes / No and Specific comments regarding deficiencies / effectiveness columns for the auditor's response)

26 (cont.) | 6.3.1 | Processes | Special skills and expertise required? Resource requirements?
28 | 6.3.1.1 | Processes | Are the operational constraints of each Business Unit's CBFs provided?
29 | 6.3.1.2 | Processes | Has each BU identified the minimum level of services that must be provided to support the organisation's MBCO?
30 | 6.3.2 | Processes | Has an assessment of CBFs been done?
31 | 6.3.2.1 | Processes | Have inter-dependencies been identified for internal and external parties?
32 | 6.3.2.2 | Processes | Has an alternate process been examined and documented?
33 | 6.3.2.3 | Processes | Has documentation been done for all the CBF and processes, i.e. SOPs, flowcharts, manuals?

Page 5

Strategy (No. | Clause | Component | Question; each row also carries Yes / No and Specific comments regarding deficiencies / effectiveness columns for the auditor's response)

1 | 7.1 | Scope | What is the scope of the Recovery Strategy?
2 | 7.2 | Policies | What are the policies guiding the evaluation of recovery strategies?
3 | 7.2.1 | BCM Steering Committee | Does the BCM Steering Committee review and approve recommended BCM strategies?
4 | 7.2.1 | BCM Steering Committee | Does the BCM Steering Committee formulate the organisational recovery strategy based on probable disasters and CBFs?
5 | 7.2.2 | Strategy Formulation | Was the strategy formulated based on the risks faced by CBFs from one or a combination of the following: a. revert to alternate processing capability; b. arrange reciprocal arrangements, e.g. with another organization in the same industry; c. establish an alternate site or business facility; d. arrange for an alternate source of supply, e.g. of raw materials; e. outsource to external vendor(s); f. transfer operation(s) to subsidiary business units; g. rebuild from scratch after the disaster; h. do not take any action?
6 | 7.2.2 | Strategy Formulation | Is a set of guidelines established to guide the decision-making process for the above strategy?

Page 6

Strategy (continued; No. | Clause | Component | Question, with Yes / No and Specific comments regarding deficiencies / effectiveness columns for the auditor's response)

7 | 7.3 | Processes | Does the BCM Steering Committee undertake the following set of activities based on the feedback from business units with CBFs? a. deliberate on the recovery strategies for the various CBFs and formulate an organisational recovery strategy in conjunction with probable disasters; and b. consolidate recovery requirements based on the organisational recovery strategy into contract specifications.
8 | 7.3.1 | Recovery Strategy Requirements | Are there processes for a given recovery strategy to determine the following requirements: a. skill set required by supporting staff; b. technology and equipment; c. facilities; d. off-site storage and alternate site(s); and e. alternate processing capabilities?
9 | 7.3.1 | Recovery Strategy Requirements | Were the non-technology continuity issues for each support service of the CBFs reviewed?
10 | 7.3.2 | Recovery Strategy Evaluation Criteria | Has a set of criteria been established to guide the evaluation of the appropriate recovery strategy for each CBF?

Page 7

Strategy (continued; No. | Clause | Component | Question, with Yes / No and Specific comments regarding deficiencies / effectiveness columns for the auditor's response)

11 | 7.4 | People | Does the organisation have an adequate number of staff with the relevant skill set to support the organisational recovery strategy?
12 | 7.4 | People | Has alternate infrastructure been examined where the existing infrastructure is inadequate to support the recovery strategy?
13 | 7.5 | Infrastructure | Is the organisation capable of providing the necessary infrastructure to support the organisational recovery strategy?
14 | 7.5.1 | Technology and equipment | Is there a review of existing technology and equipment?
15 | 7.5.1 | Technology and equipment | Has a list of technical specifications for the technology and equipment been specified?
16 | 7.5.2 | Facilities | Have the existing facilities been reviewed?
17 | 7.5.2.1 | Alternate Processing | Does deliberation on the facilities used to support alternate processing include the following considerations: a. acquisitions; b. mutual agreement; c. outsourcing to external vendors; and d. manual workarounds?
18 | 7.5.2.2 | Alternate facilities outsourcing | Have the criteria to guide the selection process for alternate processing vendors been established?

Page 8

Strategy (continued)

Page 9

BC Plan (No. | Clause | Component | Question; each row also carries Yes / No and Specific comments regarding deficiencies / effectiveness columns for the auditor's response)

1 | 8.2 | Policies | Are a policy and process established and documented to govern the development of BC plans?
2 | 8.2.1 | Policies | Is the BC Plan, and any subsequent changes, reviewed and approved by the BCM Steering Committee?
3 | 8.2.2 | Policies | Is an Emergency Operations Centre set up, are the associated conditions for its operation and closure established, and is its head appointed?
4 | 8.2.5 / 8.2.6 | Policies | Is a policy governing emergency response and the priority of actions to be carried out established and documented?
5 | 8.3 | Processes | Are formal processes established for each component of the BC plan to determine their requirements? 1) Pre-incident preparation 2) Initial damage assessment … 13) BC plan distribution and control
6 | 8.4 | People | Who are the people in the BCM Steering Committee? Are roles and responsibilities established and documented, including: 8.4.2) BCM Coordinator .... 8.4.8) Damage assessment team (DAT)

Page 10

BC Plan (continued; No. | Clause | Component | Question, with Yes / No and Specific comments regarding deficiencies / effectiveness columns for the auditor's response)

7 | 8.4.9 / 8.4.10 | People | Is a procedure established to manage appropriate medical attention, assembly areas and personnel safety?
8 | 8.4.11 | People | Is a contact list for key personnel drawn up and maintained?
9 | 8.5 | Infrastructure | Does the BC plan address the requirements needed to operate and maintain all the infrastructure components, to ensure that CBFs can continue within the planned levels of disruption?
10 | 8.5.1 | Infrastructure | Are critical and general equipment / supplies, as well as communication requirements, established and documented?
11 | 8.5.2 | Infrastructure | Are EOC as well as alternate site requirements identified and documented?

Page 11

Testing and Exercising (No. | Clause | Component | Question; each row also carries Yes / No and Specific comments regarding deficiencies / effectiveness columns for the auditor's response)

Page 12

Programme Management (No. | Clause | Component | Question; each row also carries Yes / No and Specific comments regarding deficiencies / effectiveness columns for the auditor's response)