Navigating the Maze of Business Continuity Planning (BCP)


In my experience, companies tend to stumble over two critical aspects of business continuity and information security management: risk assessment and business continuity planning. Let’s demystify business continuity plans (BCP) with some essential tips.

The Blueprint for Business Continuity

A comprehensive ISO 22301 business continuity plan should encompass the following:

  • Purpose, scope, and users

  • Reference documents

  • Assumptions

  • Roles and responsibilities

  • Key contacts

  • Plan activation and deactivation

  • Communication

  • Incident response

  • Physical sites and transportation

  • Order of recovery for activities

  • Recovery plans for activities

  • Disaster recovery plan

  • Required resources

  • Restoring and resuming activities

Defining Business Continuity Plans

According to ISO 22301, a business continuity plan is defined as “documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption” (clause 3.5). In essence, BCP focuses on creating actionable plans and procedures. It does not encompass the analysis that forms the foundation for these plans, nor the maintenance of such plans—key elements in business continuity management necessary for effective contingency planning.

To delve into analysis, check out “Five Tips for Successful Business Impact Analysis” and “Can Business Continuity Strategy Save Your Money?”.

Crafting a BCP: A Structure for Success

Here’s an optimal structure for a business continuity plan suitable for smaller and midsize companies:

  1. Purpose, Scope, and Users: Outline the objectives, the organization parts covered, and intended readers.

  2. Reference Documents: Link to related documents like the Business Continuity Policy, Business Impact Analysis, and Business Continuity Strategy.

  3. Assumptions: List prerequisites essential for the plan’s effectiveness.

  4. Roles and Responsibilities: Define who manages the incident and who performs specific activities, such as plan activation, urgent purchases, and media communication.

  5. Key Contacts: Provide contact details of individuals involved in the plan’s execution—typically an annex of the plan.

  6. Plan Activation and Deactivation: Specify conditions for plan activation and deactivation.

  7. Communication: Detail communication methods among teams and with other stakeholders during incidents, including special rules for media and government communication.

  8. Incident Response: Outline initial actions to mitigate damage—often an annex to the main plan.

  9. Physical Sites and Transportation: Identify primary and alternative sites, assembly points, and transportation routes.

  10. Order of Recovery for Activities: List activities with precise Recovery Time Objectives (RTOs).

  11. Recovery Plans for Activities: Describe steps and responsibilities for recovering resources, including dependencies and interactions with other activities and external parties—usually annexes to the main plan. For more, see “How to Write Business Continuity Plans?”

  12. Disaster Recovery Plan: Focus on recovering IT infrastructure. For more on this topic, see “Disaster Recovery vs. Business Continuity”.

  13. Required Resources: List necessary employees, services, facilities, infrastructure, information, and equipment, along with responsible parties.

  14. Restoring and Resuming Activities: Explain how to return to normal business operations post-incident.

The Essence of ISO 22301

ISO 22301 ensures that a plan includes all necessary elements for effectiveness during a disaster or disruption. However, no standard can substitute for a genuine commitment to thorough and comprehensive planning. A well-crafted BCP can save a company in challenging times, while a poorly written one may worsen the situation.