84 Audit Questions to Evaluate a Business Continuity Plan
A good Business Continuity Plan (BCP) should not gather dust in the IT department’s office.
A plan is a set of decisions, dependencies, and tests that keep the organization running in the face of disaster.
On the information security side, ISO/IEC 27001:2022 and 27002:2022 introduced “Information security during disruption” (A.5.29) and “ICT readiness for business continuity” (A.5.30).
Concretely, you must be ready to support RTO/RPO, organize information system recovery, and test everything.
Quick reminder: RTO (Recovery Time Objective) is the maximum acceptable time between the start of an incident and the restoration of the system or service (how long before everything works again).
RPO (Recovery Point Objective) is the maximum amount of data, measured in time, that the organization can afford to lose between the last usable backup and the incident. A single daily backup therefore gives an RPO of 24 hours at best: in the worst case you lose almost a full day of work that preceded the incident.
For more on business continuity management, I invite you to read my articles on 22301:2019 and 27031:2025.
NIST SP 800-34 Rev. 1 (Contingency Planning Guide for Federal Information Systems) remains a free reference for structuring a plan.
84 Questions to Evaluate Your BCP
Now that you’ve built a Business Continuity Plan (BCP), here are 84 questions to evaluate whether it’s complete.
Governance, policy, accountability
1-Does a business continuity policy exist?
2-Has the policy been approved by management (visible date and signature)?
3-Is a dedicated budget (hours and amounts) allocated for the current year?
4-Is a business continuity owner officially designated?
5-Is a backup for the business continuity owner designated and trained?
6-Are roles and responsibilities (RACI matrix — Responsible, Accountable, Consulted, Informed) published and communicated?
7-Is a program description (mandate, objectives, scope) available?
Scope and objectives
8-Is the scope (processes, units, sites, technologies) documented?
9-Are measurable continuity objectives (impact criteria) defined?
10-Does a list of processes ↔ sites ↔ teams ↔ vendors exist?
Business Impact Analysis (BIA)
11-Is the Business Impact Analysis (BIA) less than 12 months old?
12-Are target recovery times (RTO — Recovery Time Objective) per process defined and approved by business owners?
13-Are acceptable data losses (RPO — Recovery Point Objective) per process defined and approved?
14-Are minimum service levels (MBCO — Minimum Business Continuity Objective) documented?
15-Are interruption costs (direct and indirect) estimated and validated?
16-Are peak periods (seasonality) identified?
17-Are dependencies (applications, data, equipment, vendors) listed?
Risks and scenarios
18-Is a continuity risk register (IT services and others, regional risks, supply chain) up to date?
19-Are major disruption scenarios (site loss, network, power, cloud, ransomware, human resources, physical access, weather) defined?
20-Is each scenario linked to strategies (prevention, response, recovery)?
Continuity strategies
21-Are degraded modes (manual operations, queues, redirections) documented?
22-Is emergency teleworking (licences, multi-factor authentication — MFA, virtual private network — VPN, workstations, printing) ready to activate?
23-Is an alternate site or distributed work capacity defined?
24-Are alternate vendors prequalified (contracts and capacity)?
25-Is network/telephony failover (domain name system — DNS, session initiation protocol — SIP, forwarding) planned and tested?
26-Are activation and return criteria (thresholds, decision-makers, steps) established?
Backups and restoration
27-Are all critical systems and data covered by backups?
28-Is immutability (Write Once Read Many, object-lock or retention-locked storage) enabled on backup copies of critical data, so that an attacker holding backup-system credentials cannot delete or encrypt them?
29-Is an offline or otherwise isolated copy (air-gapped, or held under separate credentials in another trust domain) maintained, and are backups encrypted at rest and in transit?
30-Are monthly restoration tests of critical systems performed with evidence?
31-Are indicators (success rate, duration) tracked and reviewed?
Runbooks and procedures
32-Do runbooks exist per service (restoration, failover, rollback)?
33-Are dependencies (Active Directory, domain name system, identity provider, public key infrastructure; secret keys, licences, vaults) listed in each runbook?
34-Are steps in order with target times?
35-Does an offline copy of runbooks exist?
Emergency access
36-Is a break-glass emergency access procedure (e.g., emergency credentials in a sealed envelope held in a safe or at the bank) defined, covering triggering, approval, and duration?
37-Is a seal-break log (who, when, why) maintained?
38-Are secrets changed and privileges revoked after use?
Crisis communications
39-Do an escalation tree and up-to-date contacts (internal, vendors, insurer) exist?
40-Are message templates (clients, authorities, media) pre-approved?
41-Are out-of-band channels (cellular/SMS) operational?
42-Is synchronization with legal and public relations (roles, rapid approvals) defined?
43-Are periodic tests of channels and lists performed?
Third parties and supply chain
44-Is the inventory of other dependencies (SaaS software, operators, data centres, identity provider, domain name system, payments, etc.) complete?
45-Are continuity clauses and Service Level Agreements aligned with the Business Impact Analysis (BIA) (RTO/RPO, penalties, audit rights)?
46-Is evidence (certifications, reports, joint tests) kept up to date?
47-Is a replacement plan (substitution, failover, standby contracts) defined?
Security during disruption (ISO/IEC 27001 — control 5.29)
48-Do controls allow operating in degraded mode without sacrificing confidentiality and integrity?
49-Are temporary exemptions documented with end-of-life and compensating measures?
50-Is re-hardening of environments after recovery systematically executed?
BCP ↔ information security alignment (ransomware and major incidents)
51-Are isolation and containment (network, identities, endpoint detection and response — EDR, digital forensics) defined in a runbook?
52-Is cleanup (re-imaging, indicators of compromise — IOC validation, reintegration) documented?
53-Is restoration validated (data integrity, business application tests)?
54-Is regulatory notification (personal information, authorities) planned as needed?
55-Are ransomware exercises (tabletop exercises and red team simulations) held at least annually?
Tests and exercises
56-Is an annual exercise calendar (tabletop, technical, end-to-end, unannounced) published?
57-Are acceptance criteria (RTO/RPO achieved, validations by business teams) defined?
58-Is a succession test (tests without key people) performed?
59-Are exercise reports with lessons learned produced?
60-Are corrective action plans tracked to closure?
Metrics and continuous improvement
61-Is the percentage of successful tests tracked monthly?
62-Are RTO/RPO gaps (difference between results and targets) measured and explained?
63-Is decision time (activation then return to normal) measured and reduced?
64-Are the percentage of up-to-date runbooks and backup failure rate tracked?
65-Are mean time to detect (MTTD) and mean time to restore (MTTR) for continuity incidents measured and tracked?
66-Is a management review with indicators and traced decisions held?
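Questions 12, 13, 57, 61 and 62 all come down to the same measurement: for each process, compare what a restoration test actually achieved against the RTO/RPO targets in the BIA. The script below is an added example (it is not from the article and not an official ISO or NIST tool); the process names, targets and test records are constructed for illustration. Achieved RPO is the age of the restored backup at the moment of the (simulated) incident, achieved RTO is the time from incident to service restoration, and a test only passes if both targets are met and the business team signed off (question 57). It also flags the two coverage failures auditors look for: a system that was tested but has no BIA target, and a BIA process that was never tested.

```python
from datetime import datetime, timedelta

# Constructed sample BIA targets (hypothetical process names, not from the article).
BIA_TARGETS = {
    "order-entry": {"rto": timedelta(hours=4), "rpo": timedelta(hours=1)},
    "payroll":     {"rto": timedelta(hours=24), "rpo": timedelta(hours=24)},
    "web-shop":    {"rto": timedelta(hours=2), "rpo": timedelta(minutes=15)},
    "reporting":   {"rto": timedelta(hours=48), "rpo": timedelta(hours=24)},
}

# Constructed restoration-test records (ISO 8601, UTC). Each record gives the
# timestamp of the backup that was actually restored, the simulated incident
# time, the time the service was back, and whether the business validated it.
RESTORE_TESTS = [
    {"process": "order-entry", "last_backup": "2024-03-11T07:30:00",
     "incident": "2024-03-11T08:00:00", "restored": "2024-03-11T11:30:00",
     "business_ok": True},
    {"process": "payroll", "last_backup": "2024-03-10T12:00:00",
     "incident": "2024-03-11T09:00:00", "restored": "2024-03-12T10:00:00",
     "business_ok": True},                     # RTO target missed by one hour
    {"process": "web-shop", "last_backup": "2024-03-11T07:50:00",
     "incident": "2024-03-11T08:00:00", "restored": "2024-03-11T09:15:00",
     "business_ok": False},                    # on time, but integrity check failed
    {"process": "legacy-crm", "last_backup": "2024-03-11T00:00:00",
     "incident": "2024-03-11T08:00:00", "restored": "2024-03-11T12:00:00",
     "business_ok": True},                     # not in the BIA: no target to compare
]


def _ts(value):
    return datetime.fromisoformat(value)


def evaluate_test(test, targets):
    """Compare one restoration test with its BIA targets.

    achieved RPO = incident time - timestamp of the restored backup
    achieved RTO = restoration time - incident time
    A positive gap means the target was missed by that amount."""
    achieved_rpo = _ts(test["incident"]) - _ts(test["last_backup"])
    achieved_rto = _ts(test["restored"]) - _ts(test["incident"])
    result = {"process": test["process"],
              "achieved_rpo": achieved_rpo, "achieved_rto": achieved_rto,
              "rpo_gap": None, "rto_gap": None}
    target = targets.get(test["process"])
    if target is None:
        result["status"] = "NO_TARGET"      # question 27: critical system not in the BIA
        return result
    result["rpo_gap"] = achieved_rpo - target["rpo"]
    result["rto_gap"] = achieved_rto - target["rto"]
    met = (result["rpo_gap"] <= timedelta(0)
           and result["rto_gap"] <= timedelta(0)
           and test["business_ok"])          # question 57: business validation required
    result["status"] = "PASS" if met else "FAIL"
    return result


def evaluate_all(tests, targets):
    """Evaluate every test and append an UNTESTED entry for BIA processes never exercised."""
    results = [evaluate_test(t, targets) for t in tests]
    tested = {r["process"] for r in results}
    for name in targets:
        if name not in tested:
            results.append({"process": name, "status": "UNTESTED",
                            "achieved_rpo": None, "achieved_rto": None,
                            "rpo_gap": None, "rto_gap": None})
    return results


def success_rate(results):
    """Question 61: share of scored tests (PASS or FAIL) that passed."""
    scored = [r for r in results if r["status"] in ("PASS", "FAIL")]
    if not scored:
        return 0.0
    return sum(1 for r in scored if r["status"] == "PASS") / len(scored)


if __name__ == "__main__":
    report = evaluate_all(RESTORE_TESTS, BIA_TARGETS)
    for r in report:
        print(f'{r["process"]:<12} {r["status"]:<10} '
              f'RPO gap={r["rpo_gap"]}  RTO gap={r["rto_gap"]}')
    print(f"success rate: {success_rate(report):.0%}")
```

Feed it the real BIA table and the evidence from each restoration test and the output is the per-process gap list that question 62 asks for, plus the untested and untargeted systems that would otherwise hide behind a healthy-looking success percentage.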
Offline documentation
67-Are critical items (plans, runbooks, contacts) printed?
68-Are encrypted media (USB keys, vault) up to date and tested?
69-Is a media maintenance and rotation procedure applied?
Training and skills
70-Is business continuity onboarding (training) included for relevant roles?
71-Are quarterly exercises for IT and operations teams (including backups) executed?
72-Are skills assessed and gaps filled?
Finance and insurance
73-Is downtime cost (per minute or per hour) estimated and validated by finance?
74-Is an insurer file (control and exercise evidence) compiled?
75-Are business interruption thresholds and claim conditions known?
Compliance and regulatory
76-Are applicable sector obligations (health, finance, etc.) identified?
77-Are incident notifications (timelines, content, contacts) documented?
78-Is exercise evidence and decision traceability retained?
Integration with change management
79-Is a continuity trigger integrated into the Change Advisory Board (CAB) for every major change?
80-Are runbooks and the Business Continuity Plan (BCP) updated after every major change?
81-Are post-change impact tests planned and performed?
Lessons learned and improvements
82-Are lessons learned recorded for each exercise or incident?
83-Are actions assigned with 30 / 60 / 90 day deadlines?
84-Does a semi-annual management review allow arbitration and closure of improvement opportunities (OFI)?