Business Continuity Plan

by Elina D

What is a business continuity plan?

A business continuity plan (BCP) is a plan to help an organisation continue to operate during and after a major interruption or disaster. The goal of a BCP is to minimise the impact of an interruption on the organisation's ability to function.
A BCP typically includes procedures and information related to the following:

  • Alternate site locations
  • Backup power supplies
  • Data and system backups
  • Employee communications
  • Evacuation procedures
  • Essential supplies
  • Insurance
  • Recovery procedures
  • Risk assessment

Organisations should periodically review and update their BCPs as needed to ensure that they are prepared for any potential disruptions. Additionally, they should practice their BCPs to identify any potential weaknesses or gaps.

Business Continuity Plan

Purpose, scope and users

ISO 27001 is an information security standard that outlines how organisations can keep information assets secure. The standard is designed to help organisations ensure that their information security management system (ISMS) is effective. The purpose of ISO 27001 is to protect information assets from unauthorised access, use, disclosure, disruption, or destruction. The scope of ISO 27001 includes all information assets of an organisation, including those that are stored electronically, on paper, or in other formats. The users of ISO 27001 include all personnel who have access to information assets, including employees, contractors, and third-party service providers.

Reference documents

It provides a framework for managing risks to the confidentiality, integrity, and availability of information. One of the key requirements of ISO 27001 is the development of a risk treatment plan. This plan must consider the organisation's strengths and weaknesses, as well as the threats and vulnerabilities that could impact the confidentiality, integrity, and availability of information.
A reference document is a document that provides guidance on how to implement ISO 27001. It is not a mandatory part of the standard, but it can be used to supplement the requirements of ISO 27001.


An assumption is a statement that is made based on incomplete information. An assumption may be made about the likelihood of an event occurring, or the consequences of an event occurring. Assumptions are often made when there is insufficient data to make a definitive statement. For example, when conducting a security risk assessment, you may not have access to all the relevant information about the organisation's assets, vulnerabilities, and threats. As a result, you may need to make assumptions about these factors in order to complete the risk assessment.

Roles and responsibilities

In order to ensure that information assets are properly protected, organisations need to define roles and responsibilities for those involved in the ISO 27001 implementation process. These roles and responsibilities will vary from organisation to organisation, depending on the size and complexity of the organisation. However, there are some common roles and responsibilities that should be considered when developing an ISO 27001 Implementation plan.

The following table lists some of the common roles and responsibilities associated with an ISO 27001 implementation:

Role Responsibility

  1. Executive Sponsor - Provide overall direction and guidance for the ISO 27001 implementation.Ensure that resources are available to support the ISO 27001 implementation.
  2. Project Manager - Develop and maintain the project plan for the ISO 27001 implementation.Coordinate activities between different stakeholders involved in the ISO 27001 implementation.
  3. Information Security Officer - Identify information security risks and develop mitigating controls.
  4. Define role-based access control measures to protect information assets.
  5. System Administrator - Install, configure and maintain security controls on systems and networks
  6. IT Auditor - Conduct periodic audits of systems and networks to ensure compliance with security policies and procedures.

Key contacts

In order to ensure the security of its assets, an organisation must have a clear understanding of its key contacts and their roles in relation to ISO 27001. The standard requires the identification of four specific types of key contacts:

  • The management representative
  • The internal auditor
  • The information security manager
  • The security committee.


The main goal of communication in ISO 27001 is to ensure that information security risks are effectively managed. To do this, the standard requires organisations to establish and maintain an appropriate internal communication structure. This structure should promote open communication between all interested parties, including management, employees, contractors, and other stakeholders. The standard also requires that communication plans be developed and implemented to ensure that information security risks are effectively managed. Communication plans should include provisions for the timely dissemination of information about new or revised policies and procedures, as well as changes to the organisation's information security posture.
In addition, the standard requires that communication strategies be developed to ensure that all stakeholders are aware of their responsibilities with respect to information security. These strategies should promote a culture of open communication and collaboration between all interested parties.

ISO 22301

Business Continuity Plan

Why is Business Continuity Plan Important?

A business continuity plan (BCP) is a document that outlines the steps that an organisation will take to continue operating in the event of an emergency or disaster. The purpose of a BCP is to help organisations protect their employees, customers, and other stakeholders.

There are many reasons why a BCP is important. First, a BCP can help an organisation recover from an incident more quickly. Second, a BCP can help an organisation minimise the impact of an incident on its employees, customers, and other stakeholders. Third, a BCP can help an organisation ensure that its critical functions continue to be performed during and after an incident.
The development of a BCP should be a collaborative effort involving representatives from all parts of the organisation. The BCP should be reviewed and updated on a regular basis, and all employees should be aware of the plan and their roles in its execution.

Benefits of Business Continuity Plan

A business continuity plan is a document that outlines how your business will continue to operate in the event of an interruption. It should include information on how to keep your employees safe, how to contact customers, and how to maintain your business operations.

The benefits of having a business continuity plan are clear. In the event of an interruption, you 'll know exactly what to do and how to keep your business running. But creating a plan can be daunting. Here are a few tips to get you started:

1. Define your goals.

Before you start creating your plan, you need to know what you want to achieve. What are your goals for your business continuity plan? Do you want to keep your employees safe? Maintain customers? Keep your business running?
Take some time to think about what's important to you and what you want to achieve with your plan. Once you have a clear goal in mind, you can start putting together your plan.

2. Identify potential risks.

After you've defined your goals, it's time to identify potential risks. What could disrupt your business operations? Make a list of all the potential risks that could impact your business. These could include natural disasters, power outages, IT failures, or anything else that could disrupt your business.

3. Create a contingency plan for each risk.

Once you've identified potential risks, it's important to develop contingency plans. A contingency plan is a course of action that you'll take if a particular risk occurs. This plan should be designed to help you avoid or minimize the negative impact of the risk.
For example, let's say that you're worried about the possibility of losing key personnel. Your contingency plan might involve ensuring that all employees have up-to-date job descriptions and training manuals. This way, if someone does leave, another employee will be able to quickly step in and take over their duties.

4. Monitor risks regularly.

It's not enough to simply identify and develop contingency plans for risks. You also need to monitor risks on an ongoing basis. This will help you determine whether any new risks have arisen and whether your existing contingency plans are still effective.
There are several ways that you can monitor risks. For example, you might hold regular meetings with your management team to discuss potential risks. You might also conduct periodic surveys of employees to get their feedback on any new or existing risks they're aware of.