Overview
Auditors ask for “evidence of BCP/DR” and today that evidence is scattered across separate BIA documents, IT DR plans, test logs, and spreadsheets. This skill consolidates everything into a single, audit-ready document: BIA summary with RTO/RPO targets, recovery plans cross-referenced to critical activities, a DR test matrix with results and corrective actions, and an auditor evidence checklist mapped to the applicable framework criteria (SOC 2 A1, ISO 22301 clauses 8.2-8.5, ISO 27001 A.5.29-A.5.30).
Getting Started
Activate the BCP Audit Evidence Pack skill and tell the agent which audit framework you need to prepare for (SOC 2, ISO 22301, ISO 27001, or a combination). If you have existing BIA or DR plan documents, add them to the workspace. The agent will guide you through gathering context, building each section, and validating the final package.
Example Conversation
You: We have a SOC 2 Type II audit starting next month. The auditor wants all BCP/DR evidence consolidated. We have a BIA covering our 4 critical systems — payment API, customer database, auth service, and admin portal — and an IT DR plan with runbooks. We ran 2 tabletop exercises and 1 simulation this year.
Agent: I’ll build a consolidated evidence pack for SOC 2 Type II. Let me confirm a few things first: What are the RTO/RPO targets for each of the 4 systems? And for the 3 tests you ran — do you have the actual recovery times achieved, any findings, and corrective actions taken?
You: Payment API: RTO 1h / RPO 15min. Customer DB: RTO 2h / RPO 30min. Auth service: RTO 1h / RPO 15min. Admin portal: RTO 8h / RPO 4h. The Q1 tabletop found 2 stale vendor contacts — we fixed them. The Q2 tabletop was clean. The simulation in Q3 achieved RTO 1.5h against a 2h target for the customer DB failover.
Agent: I’ve built the BIA summary, recovery plans section, and test matrix. I created `test-matrix.json` with all 3 test records. Now let me map evidence to SOC 2 criteria and run validation…
After drafting, the agent runs the validation tool:
Agent: I ran `validate_bcp_evidence_pack` on the evidence pack. Results:
- WARNING (Traceability): BIA critical activity “Admin Portal” not found in Recovery Plans section — I need to add the admin portal’s recovery strategy
- INFO (Test Matrix): Test programme missing type(s): walkthrough, full_failover — SOC 2 A1.3 recommends progressive testing
I’ll add the admin portal recovery plan and note the missing test types in the Gap Summary section. The auditor will see that tabletops and simulations are covered, with walkthrough and full failover planned for next year.
What the Tool Validates
The skill includes one automated validation tool that cross-checks the evidence pack document and an optional `test-matrix.json` data file:
`validate_bcp_evidence_pack` performs these checks:
Structure and completeness:
- All required sections present (Executive Summary, BIA Summary, Recovery Plans, DR Test Matrix, Auditor Evidence Checklist)
- No unfilled template placeholders (catches leftover `[TODO]`, `[TBD]`, `[YYYY-MM-DD]` markers)
BIA-to-DR traceability:
- Every critical activity listed in the BIA section appears in the Recovery Plans section
- RTO/RPO values are consistent between the BIA tables and the recovery strategy tables
Auditor checklist integrity:
- Flags items marked as “Missing” (errors that must be resolved before audit)
- Flags items marked as “Partial” (warnings to review and strengthen)
Test matrix (when `test-matrix.json` is provided):
- Overdue tests (scheduled date in the past, not yet executed)
- Completed tests missing results, execution dates, or RTO/RPO actuals
- RTO/RPO breaches (actual recovery time exceeded target)
- Failed or partial tests without documented corrective actions
- Test type coverage — flags if the programme is missing tabletop, walkthrough, simulation, or full failover types
- No completed tests at all (SOC 2 A1.3 requires periodic testing with results)
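The checks above, as an added example written for this page rather than the skill's own code: `validate_bcp_evidence_pack` is the tool name from the page, but this re-implementation, the `(severity, category, message)` finding tuples, the `test-matrix.json` field names (`id`, `type`, `status`, `scheduled_date`, `executed_date`, `result`, `target_rto_minutes`, `actual_rto_minutes`, `corrective_actions`), and the rule that only simulations and full failovers record an actual RTO are all assumptions. The sample BIA, recovery-plan and checklist tables and the four test records are constructed, deliberately with one activity missing its plan, one RPO mismatch, one partial checklist item, one overdue test and one leftover placeholder, so every check has something to report.

```python
# Added illustration of the checks listed above; validate_bcp_evidence_pack is the
# skill's tool name, but this implementation, the finding tuples and the
# test-matrix.json field names are assumptions, not the skill's own schema.
import re
from datetime import date

TEST_TYPES = ("tabletop", "walkthrough", "simulation", "full_failover")
DONE = ("passed", "failed", "partial")           # statuses that count as executed
TIMED = ("simulation", "full_failover")          # assumption: only these record actual RTO
PLACEHOLDER_RE = re.compile(r"\[(TODO|TBD|YYYY-MM-DD)\]")


def parse_md_table(text):
    """Markdown pipe table -> list of row dicts keyed by the header cells."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if line.strip().startswith("|") and not all(re.fullmatch(r":?-+:?", c) for c in cells):
            rows.append(cells)  # skips the |---|---| separator row
    return [dict(zip(rows[0], r)) for r in rows[1:]]


def check_placeholders(text):
    """Leftover template markers mean the pack is unfinished."""
    return [("ERROR", "Completeness", f"unfilled placeholder {m.group(0)}")
            for m in PLACEHOLDER_RE.finditer(text)]


def check_traceability(bia_rows, plan_rows):
    """Every BIA activity needs a recovery plan whose RTO/RPO match the BIA."""
    findings, plans = [], {r["Critical Activity"]: r for r in plan_rows}
    for b in bia_rows:
        name, p = b["Critical Activity"], plans.get(b["Critical Activity"])
        if p is None:
            findings.append(("WARNING", "Traceability",
                             f'BIA critical activity "{name}" not found in Recovery Plans section'))
            continue
        findings += [("ERROR", "Traceability", f'{k} mismatch for "{name}": BIA {b[k]} vs plan {p[k]}')
                     for k in ("RTO", "RPO") if b[k] != p[k]]
    return findings


def check_checklist(rows):
    """Missing evidence blocks the audit; Partial evidence needs strengthening."""
    sev = {"Missing": "ERROR", "Partial": "WARNING"}
    return [(sev[r["Status"]], "Checklist", f'{r["Criterion"]} evidence is {r["Status"].lower()}')
            for r in rows if r["Status"] in sev]


def check_test_matrix(tests, today_iso):
    """Overdue, incomplete, breached or unremediated tests, plus test-type coverage."""
    today, findings = date.fromisoformat(today_iso), []
    completed = [t for t in tests if t["status"] in DONE]
    for t in tests:
        if t["status"] == "scheduled" and date.fromisoformat(t["scheduled_date"]) < today:
            findings.append(("ERROR", "Test Matrix", f'{t["id"]} is overdue'))
    for t in completed:
        required = ["executed_date", "result"] + (["actual_rto_minutes"] if t["type"] in TIMED else [])
        findings += [("ERROR", "Test Matrix", f'{t["id"]} missing {field}') for field in required if not t.get(field)]
        if (t.get("actual_rto_minutes") or 0) > t["target_rto_minutes"]:
            findings.append(("ERROR", "Test Matrix", f'{t["id"]} breached RTO target'))
        if t["status"] in ("failed", "partial") and not t.get("corrective_actions"):
            findings.append(("ERROR", "Test Matrix", f'{t["id"]} has no corrective actions'))
    missing = [x for x in TEST_TYPES if x not in {t["type"] for t in completed}]
    if missing:
        findings.append(("INFO", "Test Matrix", "Test programme missing type(s): " + ", ".join(missing)))
    if not completed:
        findings.append(("ERROR", "Test Matrix", "no completed tests (SOC 2 A1.3)"))
    return findings


# Constructed sample input, not the skill's real output: the Admin Portal has no plan
# and the Customer Database RPO disagrees, so the traceability checks have work to do.
BIA_TABLE = """| Critical Activity | RTO | RPO |
|---|---|---|
| Payment API | 1h | 15min |
| Customer Database | 2h | 30min |
| Admin Portal | 8h | 4h |"""
PLAN_TABLE = """| Critical Activity | Strategy | RTO | RPO |
|---|---|---|---|
| Payment API | Active-active gateway | 1h | 15min |
| Customer Database | RDS Multi-AZ failover | 2h | 60min |"""
CHECKLIST_TABLE = "| Criterion | Status |\n|---|---|\n| A1.1 | Available |\n| A1.2 | Partial |"
TESTS = [
    {"id": "DR-TEST-Q1", "type": "tabletop", "status": "partial", "scheduled_date": "2025-03-10",
     "executed_date": "2025-03-10", "result": "2 stale vendor contacts", "target_rto_minutes": 120,
     "corrective_actions": "contacts updated"},
    {"id": "DR-TEST-Q2", "type": "tabletop", "status": "passed", "scheduled_date": "2025-06-05",
     "executed_date": "2025-06-05", "result": "clean", "target_rto_minutes": 120},
    {"id": "DR-TEST-Q3", "type": "simulation", "status": "passed", "scheduled_date": "2025-09-12",
     "executed_date": "2025-09-12", "result": "customer DB failover", "target_rto_minutes": 120,
     "actual_rto_minutes": 90},
    {"id": "DR-TEST-Q4", "type": "full_failover", "status": "scheduled",
     "scheduled_date": "2025-11-01", "target_rto_minutes": 120},
]


def run_sample(today_iso="2025-12-01"):
    """Run every check over the constructed pack and return the findings list."""
    doc = BIA_TABLE + "\n" + PLAN_TABLE + "\nNext review: [YYYY-MM-DD]\n"
    findings = check_placeholders(doc)
    findings += check_traceability(parse_md_table(BIA_TABLE), parse_md_table(PLAN_TABLE))
    findings += check_checklist(parse_md_table(CHECKLIST_TABLE))
    return findings + check_test_matrix(TESTS, today_iso)
```

Calling `run_sample()` returns six findings: three errors (the placeholder, the Customer Database RPO mismatch, the overdue Q4 failover), two warnings (the Admin Portal plan gap and the partial A1.2 item) and the INFO line about the two untested types, which matches the shape of the agent's output earlier on the page. The severity split matters for audit prep: errors are things an auditor will treat as missing evidence, warnings are things to strengthen, and INFO items belong in the Gap Summary with a planned date.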
Output Excerpt
The final evidence pack is a structured document with seven sections plus appendices. Here is an excerpt from the BIA Summary and Auditor Evidence Checklist:
3. Business Impact Analysis Summary
3.1 Critical Activities and RTO/RPO
| # | Critical Activity | Business Process | Impact Category | MTPD | RTO | RPO | Tier |
|---|---------------------|------------------|-----------------|------|------|--------|----------|
| 1 | Payment API | Transactions | Financial | 4h | 1h | 15min | Critical |
| 2 | Customer Database | Data Platform | Operational | 8h | 2h | 30min | Critical |
| 3 | Auth Service | Identity | Operational | 4h | 1h | 15min | Critical |
| 4 | Admin Portal | Operations | Operational | 48h | 8h | 4h | High |
3.2 Dependencies and Single Points of Failure
| Critical Activity | Internal Dependencies | External Dependencies | SPOFs |
|---------------------|-----------------------------|-----------------------|-------------------------|
| Payment API | Auth Service, Customer DB | Stripe, AWS us-east-1 | Single payment gateway |
| Customer Database | Core Network | AWS RDS Multi-AZ | None (multi-AZ) |
...
6. Auditor Evidence Checklist
6.1 SOC 2 Availability (A1) Evidence
| Criterion | Requirement | Evidence Reference | Status |
|-----------|------------------------------------------|-----------------------------|-----------|
| A1.1 | Capacity management and monitoring | Infra-monitoring-SOP-v2.pdf | Available |
| A1.2 | Environmental protections and recovery | ITDRP-2025-001 v3.0 | Available |
| A1.3 | Recovery plan testing | DR-TEST-2025-Q1/Q2/Q3 | Available |
| CC7.5 | Recovery from security incidents | IRP-2025-001 | Available |
| CC9.1 | Risk mitigation through BC | BIA-2025-001 | Available |
Every BIA activity is cross-referenced to its recovery plan, and every checklist item links to a specific evidence document that the auditor can verify.