BCP Overview
A Business Continuity Plan (BCP) is a documented set of procedures that guides an organization in responding to a disruption and in recovering, resuming, and restoring operations afterward. ISO 22301 requires BCPs to be specific, actionable, and regularly tested.
Effective BCPs share common characteristics:
- Clear and concise: Usable under stress
- Action-oriented: Steps, not concepts
- Role-based: Who does what
- Scenario-agnostic: Adaptable to various disruptions
- Tested: Validated through exercises
- Accessible: Available when needed
ISO 22301 Requirements
Clause 8.4 specifies that BCPs must include:
- Defined purpose and scope
- Objectives of the plan
- Activation criteria
- Implementation procedures
- Roles, responsibilities, and authorities
- Communication requirements
- Internal and external interdependencies
- Required resources
- Information flow and documentation
Recommended BCP Structure
Section 1: Plan Administration
- Document control (version, date, approver)
- Distribution list
- Review schedule
- Change history
Section 2: Introduction and Scope
- Purpose of the plan
- Scope (activities, locations, scenarios covered)
- Objectives
- Assumptions and limitations
- Related documents
Section 3: Activation
- Activation criteria and thresholds
- Authority to activate
- Notification procedures
- Initial response actions
Section 4: Roles and Responsibilities
| Role | Responsibilities |
|---|---|
| Incident Commander | Overall response direction, decision authority |
| BC Coordinator | Plan execution, coordination, status tracking |
| Communications Lead | Stakeholder communications, media handling |
| IT Recovery Lead | Technology recovery, system restoration |
| Operations Lead | Business operations recovery |
| Facilities Lead | Premises, alternate site, logistics |
Section 5: Communication Plan
- Internal communication channels
- External stakeholder communication
- Media handling guidelines
- Communication templates
- Status reporting schedule
Section 6: Recovery Procedures
- Phase 1: Immediate response (0-4 hours)
- Phase 2: Stabilization (4-24 hours)
- Phase 3: Recovery (24-72 hours)
- Phase 4: Restoration (72 hours+)
Section 7: Resources and Logistics
- Alternate site details and activation
- Equipment requirements
- Supplier contacts
- Emergency supplies
Section 8: Appendices
- Contact lists
- Checklists
- Forms and templates
- Floor plans and maps
- Technical recovery procedures
Incident Response Section
The incident response section should cover:
Initial Response Checklist
- Ensure life safety
- Assess situation severity
- Notify Incident Commander
- Activate incident management team
- Establish command center
- Begin situation logging
- Communicate status to stakeholders
Escalation Matrix
| Severity | Impact | Escalation |
|---|---|---|
| Low | Minor disruption, single function | Department manager |
| Medium | Significant disruption, multiple functions | BC Coordinator + Senior management |
| High | Major disruption, critical activities affected | Incident Commander + Executive team |
| Critical | Organization-wide, survival threatened | CEO + Board notification |
Recovery Procedures
Recovery procedures should be specific and actionable.
Procedure Writing Tip
Write procedures as if someone unfamiliar with the activity must execute them. Use numbered steps, specify who performs each action, and include decision points. Avoid jargon and assumptions.
Good Procedure Example
1. IT Recovery Lead: Contact data center provider at [phone number] to confirm system status
2. IT Recovery Lead: If primary systems unavailable, initiate failover to DR site using procedure DR-001
3. IT Recovery Lead: Verify core applications are accessible (checklist in Appendix C)
4. IT Recovery Lead: Report status to BC Coordinator within 30 minutes
Contact Lists
Contact lists must:
- Be current (reviewed monthly)
- Include multiple contact methods (mobile, home, personal email)
- Include alternates for key roles
- Be available offline (printed copies, mobile app)
- Include external contacts (suppliers, customers, regulators)
Plan Maintenance
BCPs must be kept current:
- Monthly: Contact list verification
- Quarterly: Review of procedures for currency
- Annually: Full review and update
- After incidents: Lessons learned incorporated
- After exercises: Improvements implemented
- After changes: Organization, process, or system changes reflected