I have recently taken the role of a BCM Coordinator. According to ISO 22301 clause 4.2.2, an org needs to document the legal and regulatory requirements of the org. Please can you let me know what documents can be considered as evidence of this? Or what details are relevant from the legal aspect if I have to include them in the BC Strategy document itself? Any help on this, or a sample document etc., will greatly help me please.
Examples of legal and regulatory requirements for ISO 22301 are:
- Service agreements with customers or suppliers
- NFA Compliance Rule 2-38: Business Continuity and Disaster Recovery Plan (CFTC – Commodity Futures Trading Commission) (regulation)
- IDA By-Law 17.19 – Business Continuity Plan Requirement (OSC (Ontario Securities Commission))
Regarding details to be considered, you have to identify items like: requirements for the recovery time to be achieved (e.g., minimal business activities must return no more than 3 hours after a disruption), technologies or infrastructure to be used, etc.