Business continuity plan: How to structure it according to ISO 22301

By Dejan Kosutic on September 24, 2012

In my experience, companies usually find two things in their business continuity or information security management to be the most difficult: risk assessment, and business continuity planning. Here I’ll give you some tips on business continuity plans (BCP).

What is a business continuity plan?

According to ISO 22301, a business continuity plan is defined as “documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption.” (clause 3.5)

This basically means that the BCP focuses on the plans and procedures themselves; it does not include the analysis that forms the basis of such planning, nor the means of maintaining such plans. All of these are required elements of business continuity management, and they are necessary for successful contingency planning.

To read more about analysis, see Five Tips for Successful Business Impact Analysis, and to find out how to interpret the analysis, read Can business continuity strategy save your money?.

Business continuity plan example

Here’s what I found to be the optimal structure for the business continuity plan for smaller and midsize companies, and what each section should include:

Purpose, scope and users – why this plan is developed, its objectives, which parts of the organization it covers, and who should read it.

Reference documents – to which documents does this plan relate? Normally, these are Business Continuity Policy, Business Impact Analysis, Business Continuity Strategy, etc.

Assumptions – the prerequisites that need to exist in order for this plan to be effective.

Roles and responsibilities – who will be responsible for managing the disruptive incident, and who is authorized to perform certain activities in case of a disruptive incident – e.g. activation of the plans, urgent purchases, communication with media, etc.

Key contacts – contact details for persons who will participate in the execution of the business continuity plan – this is usually one of the annexes of the plan.

Plan activation and deactivation – in which cases can the plan be activated, and the method of activation; which conditions need to exist to deactivate the plan.

Communication – which communication means will be used between different teams and with other interested parties during the disruptive incident. Who is in charge of communicating with each interested party, and the special rules of communication with media and government agencies.

Incident response – how to react initially to an incident in order to reduce the damage – this is very often an annex to the main plan.

Physical sites and transportation – which are the primary and alternative sites, where the assembly points are, and how to get from primary to alternative sites.

Order of recovery for activities – list of all the activities, with precise Recovery Time Objective (RTO) for each.

Recovery plans for activities – description of step-by-step actions and responsibilities for recovering manpower, facilities, infrastructure, software, information, and processes, including interdependencies and interactions with other activities and external interested parties – these are very often annexes to the main plan. To read more about them, see How to write business continuity plans?

Disaster recovery plan – this is normally a type of recovery plan that focuses on recovering the information and communication technology infrastructure. To read more about the relationship between disaster recovery and business continuity, see Disaster recovery vs business continuity.

Required resources – a list of all the employees, third-party services, facilities, infrastructure, information, equipment, etc. that are necessary to perform the recovery, and who is responsible to provide each of them.

Restoring and resuming activities from temporary measures – how to restore business activities back to business-as-usual once the disruptive incident has been resolved.
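The “order of recovery for activities” and the interdependencies mentioned above are where a plan most often goes wrong in practice: an activity is given an RTO shorter than that of an activity it cannot run without, so the stated RTO can never be met. The check below is an added example, not part of the original article or of any ISO 22301 document; the activity names, RTO values and dependencies are constructed sample data. It flags such RTO conflicts and derives a recovery order that respects dependencies, recovering the activities with the shortest RTO first wherever the dependencies allow.

```python
"""Derive a recovery order from per-activity RTOs and dependencies.

Added example (not from the original article). Activity names, RTOs and
dependencies below are constructed sample data.
"""

# Constructed sample: activity -> (RTO in hours, set of activities it depends on)
SAMPLE_ACTIVITIES = {
    "network": (2, set()),
    "email": (4, {"network"}),
    "database": (6, {"network"}),
    "erp": (8, {"network", "database"}),
    "payroll": (24, {"erp"}),
    # Deliberate planning error: RTO 1h, but it needs the database (RTO 6h).
    "web_shop": (1, {"database"}),
}


def find_rto_conflicts(activities):
    """Return sorted (activity, dependency) pairs where the dependency's RTO
    is longer than the activity's own RTO, i.e. the activity's RTO is
    unachievable as planned."""
    conflicts = []
    for name, (rto, deps) in activities.items():
        for dep in deps:
            if dep not in activities:
                raise KeyError(f"{name!r} depends on unknown activity {dep!r}")
            if activities[dep][0] > rto:
                conflicts.append((name, dep))
    return sorted(conflicts)


def recovery_order(activities):
    """Topological order of activities (dependencies first). Among activities
    whose dependencies are all recovered, the one with the shortest RTO goes
    first (name breaks ties). Raises ValueError on a dependency cycle."""
    indegree = {name: len(deps) for name, (_, deps) in activities.items()}
    dependents = {name: set() for name in activities}
    for name, (_, deps) in activities.items():
        for dep in deps:
            dependents[dep].add(name)

    ready = [name for name, pending in indegree.items() if pending == 0]
    order = []
    while ready:
        # Shortest RTO first among everything that can be recovered now.
        ready.sort(key=lambda n: (activities[n][0], n))
        current = ready.pop(0)
        order.append(current)
        for child in sorted(dependents[current]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)

    if len(order) != len(activities):
        raise ValueError("dependency cycle: some activities can never be recovered")
    return order


if __name__ == "__main__":
    for activity, dependency in find_rto_conflicts(SAMPLE_ACTIVITIES):
        print(f"conflict: {activity} (RTO {SAMPLE_ACTIVITIES[activity][0]}h) "
              f"depends on {dependency} (RTO {SAMPLE_ACTIVITIES[dependency][0]}h)")
    print("recovery order:", " -> ".join(recovery_order(SAMPLE_ACTIVITIES)))
```

Running it on the sample data reports the one planned conflict (the web shop cannot have a 1‑hour RTO while it waits 6 hours for the database) and prints the order in which the activities can actually be brought back. In a real plan the input would come from the Business Impact Analysis, and any conflict reported should be resolved there, by changing either the RTO or the recovery strategy, before the order of recovery is written into the plan.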

What I like about ISO 22301 is that it requires all the elements that are necessary for this plan to be useful in case of a disaster (or any other disruption in a company’s activities). However, no standard can help you unless you take this task seriously – a properly written and comprehensive plan can save your company in tough times, while a superficially written plan will only make things worse.



  • Yusuf Mashar

    Dear Sir,
    Basically, what’s the difference between ISO 9004 and ISO 22301?

  • http://blog.iso27001standard.com/ Dejan Kosutic

    Yusuf, ISO 9004 is focused on sustaining the level of quality of company’s products and services, while ISO 22301 defines how to prepare an organization to survive the disruption.

  • Ari Septiyanto

    Dear Mr. Dejan. Regarding the Business Continuity Plan, I need your help to prepare for a strike disruption. I need references for making step-by-step guidance in case a labour strike happens at my company.
    Thanks for your attention.

  • http://blog.iso27001standard.com/ Dejan Kosutic

    Ari, preparing for strike is not very different from preparation for other types of disruptions – you need to plan how you will continue your operations with smaller number of employees or with completely different employees, possibly on a different location. Our ISO 22301 Documentation Toolkit has all the necessary documentation for such preparation: http://www.iso27001standard.com/en/services/bs-25999-documentation-toolkit

  • Ari Septiyanto

    Thanks for your reply.
    I have already downloaded your preview template. It really helps me.
    Regards.