The resilience dossier
ISO 22301 – auditing & evidence (Clause 9: Performance evaluation)
Evidence shows that continuity measures are real, tested, and embedded, not just written on paper. For executives, the focus is on what can be shown to auditors, regulators, or the board to prove that your OT operations can withstand disruptions.
Evidence divides into two categories. Implementation evidence confirms a control is in place and running: plans approved, assets inventoried, training scheduled, procedures documented. Effectiveness evidence confirms a control produces its intended effect under realistic conditions: a restoration test that succeeded under time pressure, a tabletop that surfaced a gap in the escalation chain and generated a corrective action, a drill where the team reached recovery time objectives with current staffing. An audit that draws only on implementation evidence produces a documentary picture of preparedness; the first real disruption will test that picture against operational reality.
Key evidence categories
Continuity plans and procedures
What to have: Current, approved, accessible plans covering all critical OT systems and supporting IT functions.
Checks: Are procedures complete? Are roles and responsibilities documented? Are recovery steps clear and feasible?
Common gaps: Outdated plans, missing sections for critical assets, inaccessible procedures.
Test logs and exercise reports
What to have: Records of drills, scenario exercises, and post-mortem reviews.
Checks: Are results documented? Are follow-up actions implemented? Are recurring exercises scheduled?
Common gaps: No formal test reports, incomplete follow-up, lessons not applied to the plans.
Asset and impact registers
What to have: Up-to-date mapping of critical assets to operational priorities, redundancy, and recovery requirements.
Checks: Are all assets listed? Is criticality assigned? Are owners documented?
Common gaps: Missing assets, unclear ownership, inconsistent criticality ratings.
Incident and near-miss reports
What to have: Documentation of disruptions, near-misses, and lessons learned.
Checks: Are root causes analysed? Are corrective actions applied? Are recurring issues tracked?
Common gaps: Undocumented near-misses, no action tracking, missing integration into continuity plans.
Training records
What to have: Evidence that personnel are trained in their continuity roles.
Checks: Are trainings scheduled and documented? Are new staff included? Are refresher sessions conducted?
Common gaps: Missing attendance records, inconsistent training content, no evidence of role-specific exercises.
Attendance records are implementation evidence. Role-specific exercise records are effectiveness evidence: a recovery drill that required the team to restore a system from backup under time pressure, a communications exercise that tested whether escalation contacts responded within the required window, a tabletop that walked through a shift handover mid-incident. Keeping simulations current requires current threat intelligence; a phishing scenario built on attack patterns from eighteen months ago does not test the same assumptions as one built from what is getting through defences in the sector right now.
Executive gap-spotting
Completeness: Can you demonstrate coverage for all critical OT and supporting systems?
Testing proof: Are continuity plans tested, recorded, and improved based on exercises?
Ownership clarity: Are responsibilities documented for each asset, procedure, and response?
Historical evidence: Are incidents, near-misses, and corrective actions captured and integrated into continuous improvement?
Board-ready view: Could an auditor or board member understand at a glance that your operations are resilient? (The dossier organises implementation evidence; effectiveness evidence comes from test and exercise results showing controls produced their intended effect under realistic conditions. Both categories are needed to support that claim.)
Think of this as your resilience dossier. If any section (plans, tests, assets, incidents, training) cannot be immediately produced and explained, it is a gap that could be flagged in an audit or cause delays in a real disruption.