Audit date(s) 2015/MAY/3
Location(s)
Jerimi Building, Ebisu 6-2-1,
Shibuya-ku, Tokyo, JAPAN
Report ref. ABC#2012-001-121
Audit objective To certify this entity's Business Continuity Management System and to demonstrate its
business resilience and efficiency.
Audit scope Technical Scope:
- Providing live plants/shrubs/flowers for 24365 continuously to APAC-based
grocery stores.
- Purchasing, Goods In, Warehouse, Planning, Picking, Dispatch, Transport
planning, Stock Control, Human Resource, Finance, Information Tech,
Operations and Security, Legal Compliance.
Physical Location(s):
- Headquarters in Tokyo, its car parks, its Warehouse Chamber A, its
Warehouse Chamber B.
People:
- Business Continuity Management Department
- HR Department
- Finance department
- Operations department
- Facility Department
- IT Department
- Risk Department (Security, Legal Compliance)
Audit criteria - ISO22301 Conformity
Audit team Lead Auditor: Ms. Jerimi Soma
Auditor: Mr. James Met
Auditee
Representatives Contact Person: Mr. McDonald Whole (Senior BCM Manager)
Hypothetical Audit Report for Business Continuity MS
Audit summary and
coverage
Audit Conclusion
A risk and process-based audit was conducted on Idaho Potato Logistics and all
activities in the audit plan were adequately audited.
The CEO, Top Management, guides, and other responsible staff were present
throughout the audit and provided the assistance and resources needed for the
smooth conduct of this audit.
There was no significant change to their BCMS since Stage 1.
We interviewed the CEO Mr. Marry Soma on the context of the organization, with
respect to the intended outcomes and strategic directions. Interested parties
such as the customers, competitors, authorities, suppliers, sub-contractors,
insurers, shareholders and employees were identified.
Internal and external issues / challenges, their risks and opportunities were
presented to the auditors. The areas covered include Management, Business
continuity Aspects, Measurement and Monitoring, Exercise, Testing & Training,
and all Processes of ISO 22301 elements of the full system.
The audit trails were recorded below.
We interviewed Int-1 to Int-10 (listed in an attachment), sampled the records in
Sample Set-1, Sample Set-2 and Sample Set-3 in an attachment (business continuity
plans, risks and opportunities, grab list, BIA records, risk assessment
monitoring, BCMS Awareness training records), verified the processes for IT
Backup Policy and Disaster Recovery, and traced them to licenses, alternate site,
exercise reports, and Software/Hardware lists.
The processes reviewed were deemed to be effective.
See CAR # 1129.
The audit findings are listed below:
Major NC: 02
Minor NC: 01
Observations: 02
Based on the results of this audit, Logistics is recommended to be
an approved supplier of Super Japan Corporation.
Based on the results of this audit, Logistics is recommended for
certification to the ISO 22301:2019 after corrective action was
confirmed by Lead Auditor.
Audit findings
Ref. 1 Nonconformity Requirements
#0001 (Minor NC1)
Deficiency Statement of the process:
This entity does not clarify the boundary of the business continuity
management system (BCMS) scope.
Objective Evidence(s):
1. “BCM Manual” p5 (doc-1) does not clearly state the
scope in aspects of locations, products/services and
people.
2. “BCM Manual” p6 (doc-1) does not clearly include the IT
department manager, legal compliance manager and
Finance manager; or, if those mentioned earlier are
excluded, the exclusions are insufficiently and unclearly
documented to clarify the scope.
3. BC Manager (Int-1) could not clearly state the scope
and exclusions and said Int-1 would come back to
Auditor after closing meeting.
ISO22301:2019
Clause 4.3.1:
The organization shall
determine the
boundaries and
applicability of the BCMS
to establish its scope.
ISO22301:2019
Clause 4.3.2:
The organization shall
document and explain
exclusions for the scope
defined.
#0002 (Minor NC2)
Deficiency Statement of the process:
The process to ensure some business objectives are measurable
was not effectively implemented.
Objective Evidence(s):
1. “BCM Manual” p7 (doc-1) includes only business
objectives which are subjective and qualitative.
Those could be objective and measurable.
2. “BCM Manual” p54, p57 (doc-1) shows measurable
objectives as “MTPD”, and p71 shows those as “RTO”, but
those still do not cover the entire business objectives; for
instance, p83 does not state any measurable goals but
just an incident record.
3. BC Manager (Int-1) could not clearly state the
measurable business objectives prepared and said
Int-1 would come back to Auditor after closing
meeting.
ISO22301:2019
Clause 6.2.1:
The organization shall
establish BC objectives at
relevant functions and
levels. The BC objectives
shall be measurable
(if practicable).
#0003
(Major NC1)
Deficiency Statement of the process:
This entity does not provide the opportunities to gain
necessary competencies for the scoped people and they may
not have undertaken their roles and responsibilities for the
disruptions.
Objective Evidence(s):
1. “BCM Manual” p78 (doc-1) shows that fundamental training
such as BC Awareness, First Aid, Fire Safety and HAZMAT
does not have to be undertaken by all scoped people,
without any convincing reason given by the responsible person.
2. “BCM Manual” p78 (doc-1) states that not all needed training
was completed, without any reasonable explanation from the
responsible person.
3. BC Manager (Int-1) could not clearly explain how this
entity determined the necessary competencies for each
based on their roles and responsibilities and said Int-1
would come back to Auditor after the closing meeting.
ISO22301:2019
Clause 7.2
The organization shall
ensure that these persons
are competent on the
basis of appropriate
education, training, or
experience.
ISO22301:2019
Clause 7.3
Persons doing work
under the organization's
control shall be aware of
d) their own role and
responsibilities before,
during and after
disruptions.
Ref. Observations
#0004 Deficiency Statement of the process:
This entity does not clarify the roles & responsibilities, and their dependencies, for all scoped
individuals under the BC Plan, and the plan has some discrepancies.
Refer ISO22301:2019 Clause 5.3:
Top management shall ensure that the responsibilities and authorities for relevant
roles are assigned and communicated within the entity.
Refer ISO22301:2019 Clause 8.4.2.2:
The roles and responsibilities of each team and the relationships between the teams shall
be clearly stated.
Objective Evidence(s):
1. “BCM Manual” p65 (doc-1): the statement and the contents of the table have some
discrepancies about the roles & responsibilities of the Planning manager, IT Manager,
and Warehouse operation manager; Top management, the General Manager (Int-2),
could not clearly explain those to the auditors.
2. “BCM Manual” does not define, for all scoped members including staff, service providers
and business partners, any roles and responsibilities for their BC response, and
Int-1 could not clearly explain it.
#0005
Deficiency Statement of the process:
This entity does not collect and then use opportunities as input, alongside risks, for continual
improvement.
Refer ISO22301:2019 Clause 6.1:
Determining risks and opportunities: when planning for the BCMS, the organization shall
consider the issues referred to in clause 4.1 and the requirements referred to in 4.2 and
determine the risks and opportunities that need to be addressed to achieve c) continual
improvement.
Refer ISO22301:2019 Clause 8.2.3:
The organization shall implement and maintain a risk assessment process
b) analyze and evaluate the identified risks.
Objective Evidence(s):
1. “BCM Manual” p59, p61 (doc-1) states “None”, “Nothing to report”, and some
negative comments in the Notes of the Risk Assessment; however, opportunities could
also be reported as input for continuous improvement.
2. “BCM Manual” p23 to p28 (doc-1) show only Negative Risks in the “Risks and
opportunities (Clause 6.1)” columns; however, opportunities could also be reported as
input for continuous improvement.
Ref. Positive findings
#0006 ・Top management was well prepared for the BCMS audit and his explanation was clear and
sufficiently convincing to the auditors.
・This entity works closely together for the continuous improvement of the BC
management cycle.
・This entity’s Risk Assessment procedure, including the one for BIA, was very detailed and it
adequately shows their resiliency to business disruption.
Ref. Agreed actions
#0007 ・Idaho Potato Logistics shall respond to 2 minor nonconformities within 7 days by
submitting a corrective action plan, and close-out shall happen during the next visit.
・This entity shall respond to 1 major nonconformity within 30 days with corrective
actions, and an on-site close-out shall be arranged within 90 days.
・This entity may respond to 2 OFIs (#0004 and #0005) to the auditors at the next
surveillance visit; however, #0005 is optional and not mandatory. For #0004, feedback to
us next year is strongly recommended so that it does not turn into a nonconformity.
※The information detailed within this report relates to the audit which was undertaken objectively in
accordance with company procedures. The findings within this report and the activities discussed during the
audit remain confidential to these Entities. The audit was based on sampling therefore there may be areas
of nonconformity not identified within this report.