11) Does your organisation have an approved Business Continuity Plan to ensure the continuity of service in a disaster?
Written by Haydn Brooks
Created on March 18, 2019
Modified on October 16, 2019

Answer yes if your organisation has a documented business continuity plan that has been reviewed in the last year. Please provide the Business Continuity Plan (as a PDF file) as evidence.

A documented Business Continuity Plan (BCP) should provide all the information your business needs in order to manage an immediate incident, continue operations during the incident and recover critical business activities back to a normal state after the incident has concluded.

It differs from an IT Disaster Recovery (ITDR) plan in that an ITDR plan focuses primarily on recovering IT systems and data. A BCP includes an ITDR plan amongst other plans to help mitigate disruption to business processes, employees, and the organisation as a whole.

Your BCP should define who within your business can declare a crisis. Once a crisis is declared, the plan should outline the steps that should be followed, for each department that is deemed critical, to maintain business activities and recover. This should include relevant communications plans that have redundancy, as typical methods of communication might not be effective in a disaster scenario.

A BCP should, as a minimum, be administratively reviewed annually to ensure that the information therein is still relevant, and physically rehearsed to confirm that it is a viable plan.

How to implement the control:
Risk Ledger have created an Information Security Policy template that includes a BCP for SMEs that can be taken and adapted to suit your organisation. The template policy for a small organisation can be requested at info@riskledger.com. For larger organisations, or organisations that provide a critical service to their clients, a business continuity expert should be engaged to conduct a full business resilience assessment. As part of the assessment they will evaluate and recommend improvements to your BCP.
