The resilience dossier
ISO 22301 – auditing & evidence (Clause 9: Performance evaluation)
Evidence is what shows an auditor that continuity measures are real, tested, and embedded rather than just written on paper. Clause 9 (monitoring and measurement, internal audit, management review) consumes this evidence. For executives, the question is what can be produced for auditors, regulators, or the board to prove that OT operations can withstand disruption.
Key evidence categories
Continuity plans and procedures
What to have: Current, approved, accessible plans covering all critical OT systems and supporting IT functions.
Checks: Are procedures complete? Are roles and responsibilities documented? Are recovery steps clear and feasible?
Common gaps: Outdated plans, missing sections for critical assets, inaccessible procedures (for example, plans stored only on the systems that would be unavailable during the disruption they cover).
Test logs and exercise reports
What to have: Records of drills, scenario exercises, and post-mortem reviews.
Checks: Are results documented? Are follow-up actions implemented? Are recurring exercises scheduled?
Common gaps: No formal test reports, incomplete follow-up, lessons not applied to the plans.
Asset and impact registers
What to have: Up-to-date mapping of critical assets to operational priorities, redundancy, recovery requirements (recovery time and recovery point objectives), owners, and dependencies on supporting IT functions.
Checks: Are all assets listed? Is criticality assigned? Are owners documented?
Common gaps: Missing assets, unclear ownership, inconsistent criticality ratings.
Incident and near-miss reports
What to have: Documentation of disruptions, near-misses, and lessons learned.
Checks: Are root causes analysed? Are corrective actions applied? Are recurring issues tracked?
Common gaps: Undocumented near-misses, no action tracking, missing integration into continuity plans.
Training records
What to have: Evidence that personnel are trained in their continuity roles.
Checks: Is training scheduled and documented? Are new staff included? Are refresher sessions conducted?
Common gaps: Missing attendance records, inconsistent training content, no evidence of role-specific exercises.
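The register and exercise-log checks above (asset register: all assets listed, criticality assigned, owners documented; test logs: recurring exercises scheduled, follow-up actions implemented) can be run mechanically before an audit rather than eyeballed. The script below is an added example, not part of the original page or of ISO 22301 itself. The asset register and exercise log it reads are constructed sample data for a hypothetical site; the CSV column names, the 365-day exercise cadence, and the "NNh" recovery-requirement format are assumptions chosen for the example. Beyond the checks listed on the page, it also flags a recovery target that cannot be met because a dependency recovers more slowly, which is the kind of inconsistency a paper review tends to miss.

```python
"""Lint a resilience dossier for the gaps an auditor looks for (added example, constructed data)."""
from __future__ import annotations

import csv
import io
from datetime import date, timedelta

# Constructed sample asset register for a hypothetical site (column names are assumptions).
ASSET_REGISTER_CSV = """\
asset,owner,criticality,recovery_requirement,depends_on
Historian,OT Ops,High,24h,SCADA Server
SCADA Server,OT Ops,Critical,4h,Domain Controller
Domain Controller,IT Infra,Critical,4h,
PLC Line 1,,Critical,2h,SCADA Server
Backup Appliance,IT Infra,Medium,72h,Domain Controller
Jump Host,IT Infra,High,8h,Identity Provider
PLC Line 1,Plant Eng,High,2h,SCADA Server
"""

# Constructed sample exercise log: one row per continuity plan.
EXERCISE_LOG_CSV = """\
plan,last_exercise,open_actions,action_due
SCADA Recovery,2024-03-10,0,
PLC Line 1 Recovery,,2,2024-01-31
Site Power Loss,2023-06-01,1,2024-05-01
"""

VALID_CRITICALITY = {"Critical", "High", "Medium", "Low"}
MAX_EXERCISE_AGE = timedelta(days=365)  # assumed annual exercise cadence


def load_rows(text: str) -> list[dict[str, str]]:
    """Parse CSV text into row dicts; every value is a stripped string."""
    return [{k: (v or "").strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def parse_hours(value: str) -> int | None:
    """'24h' -> 24; anything else (blank, 'TBD', '2 days') -> None."""
    if value.endswith("h") and value[:-1].isdigit():
        return int(value[:-1])
    return None


def check_asset_register(rows: list[dict[str, str]]) -> list[str]:
    """Flag missing owners/ratings/targets, inconsistent ratings, and dependency problems."""
    findings: list[str] = []
    by_name: dict[str, list[dict[str, str]]] = {}
    for r in rows:
        by_name.setdefault(r["asset"], []).append(r)

    for name, entries in by_name.items():
        for r in entries:
            if not r["owner"]:
                findings.append(f"{name}: no owner documented")
            if r["criticality"] not in VALID_CRITICALITY:
                findings.append(f"{name}: criticality missing or unrecognised")
            if parse_hours(r["recovery_requirement"]) is None:
                findings.append(f"{name}: recovery requirement missing or unparseable")
        ratings = sorted({r["criticality"] for r in entries})
        if len(ratings) > 1:  # same asset rated differently in two places
            findings.append(f"{name}: inconsistent criticality ratings {ratings}")

    # A recovery target is only feasible if every dependency recovers at least as fast.
    for r in rows:
        dep = r["depends_on"]
        if not dep:
            continue
        if dep not in by_name:
            findings.append(f"{r['asset']}: depends on unregistered asset '{dep}'")
            continue
        own = parse_hours(r["recovery_requirement"])
        dep_hours = [parse_hours(d["recovery_requirement"]) for d in by_name[dep]]
        slowest = max((h for h in dep_hours if h is not None), default=None)
        if own is not None and slowest is not None and slowest > own:
            findings.append(f"{r['asset']}: {own}h target but dependency '{dep}' needs {slowest}h")

    return list(dict.fromkeys(findings))  # de-duplicate while keeping order


def check_exercise_log(rows: list[dict[str, str]], as_of: date) -> list[str]:
    """Flag plans never or too rarely exercised, and follow-up actions past their due date."""
    findings: list[str] = []
    for r in rows:
        plan = r["plan"]
        if not r["last_exercise"]:
            findings.append(f"{plan}: never exercised")
        elif as_of - date.fromisoformat(r["last_exercise"]) > MAX_EXERCISE_AGE:
            findings.append(f"{plan}: last exercised {r['last_exercise']}, "
                            f"older than {MAX_EXERCISE_AGE.days} days")
        open_actions = int(r["open_actions"] or 0)
        if open_actions and r["action_due"] and date.fromisoformat(r["action_due"]) < as_of:
            findings.append(f"{plan}: {open_actions} follow-up action(s) overdue since {r['action_due']}")
    return findings


def lint_dossier(as_of: date = date(2024, 6, 1)) -> dict[str, list[str]]:
    """Run both checks over the embedded sample data; as_of is fixed so results are reproducible."""
    return {
        "asset_register": check_asset_register(load_rows(ASSET_REGISTER_CSV)),
        "exercise_log": check_exercise_log(load_rows(EXERCISE_LOG_CSV), as_of),
    }


if __name__ == "__main__":
    for section, found in lint_dossier().items():
        print(f"[{section}] {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```

On the sample data this reports the duplicate "PLC Line 1" entry with no owner and two different criticality ratings, a jump host that depends on an identity provider nobody has registered, a 2-hour PLC target that cannot be met while its SCADA dependency needs 4 hours, one plan that has never been exercised, one that is overdue for exercise, and two overdue follow-up actions. Swap the embedded CSV for exports from the real register and exercise tracker and run it before each internal audit.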
Executive gap-spotting
Completeness: Can you demonstrate coverage for all critical OT and supporting systems?
Testing proof: Are continuity plans tested, recorded, and improved based on exercises?
Ownership clarity: Are responsibilities documented for each asset, procedure, and response?
Historical evidence: Are incidents, near-misses, and corrective actions captured and integrated into continuous improvement?
Board-ready view: Could an auditor or board member understand at a glance that your operations are resilient?
Think of this as your resilience dossier. If any section—plans, tests, assets, incidents, training—cannot be immediately produced and explained, it is a gap that could be flagged in an audit or cause delays in a real disruption.