- Disaster recovery planning and management
business continuity policy
- Erin Sullivan, Site Editor
What is a business continuity policy?
A business continuity policy is the set of standards and guidelines an organization enforces to ensure resilience and proper risk management. Business continuity policies vary by organization and industry and require periodic updates as technologies evolve and business risks change.
The goal of a business continuity policy is to document what is needed keep an organization running on ordinary business days as well as times of emergency. When the policy is well-defined and clearly adhered to, the company can set realistic expectations for business continuity and disaster recovery ( BC/DR ) processes. This policy can also be used to determine what went wrong so the problems can be addressed. Ultimately, a business continuity policy is created and enforced at the organization's discretion, following its industry and compliance requirements.
While business continuity policies are different for every company, they all include basic components. Key components of business continuity policy include staffing, metrics and standard requirements.
Internal staffing in a business continuity policy should outline the roles and responsibilities of department heads, corporate management liaisons and members of the BC/DR team. It may also include external personnel such as vendors, stakeholders and customers. Keeping track of everyone involved in and affected by the business continuity policy is a key to ensuring compliance.
This article is part of
What is BCDR? Business continuity and disaster recovery guide
- Which also includes:
- Business resilience vs. business continuity: Key differences
- A free business continuity plan template and guide
- Preparing an annual schedule of business continuity activities
Download this entire guide for FREE now!
Common metrics in a policy may include key performance indicators ( KPIs ) and key risk indicators ( KRIs ). KPIs are used by corporate executives and managers to analyze crucial functions and processes required to meet goals and performance targets. KRIs measure the likelihood of an event affecting the company, These can help plan risk management.
The International Organization for Standardization and the British Standards Institution issue common business continuity standards . These standards are occasionally updated, so changes should be monitored.
What are some important BC policy considerations?
The primary thing to consider when crafting a business continuity policy is the particular risks an organization is likely to face. Is the company in an area that frequently has hurricanes or other major weather events? Is there a geopolitical element that could bring failures? Have there been problems with ransomware or other malware in the past that need particular attention? Organizations should take all these factors into account when creating a business continuity policy.
A risk assessment is a reliable method of figuring out potential threats and determining their likelihood. A risk assessment identifies potential hazards and provides ways to reduce the impact of them on the business. Similar to a business continuity policy, risks assessments differ, but follow general steps:
- Identify the hazards;
- Determine what or who could be harmed;
- Evaluate the risks and create control measures;
- Record the findings;
- Review and update the assessment.
Along with a risk assessment, conducting a business impact analysis (BIA) can help form the backbone of a business continuity policy. A BIA determines the effects of a potential disaster on an organization by finding existing vulnerabilities. Though similar to a risk assessment, a BIA often takes place first, and focuses primarily on the business impact and meeting recovery time and recovery point objectives.
Business continuity policy oversight and verification is another element to be aware of, if there are legal requirements that must be followed. Leadership, such as a company executive, may be designated as a liaison to the BC/DR team, coordinating efforts to resolve any compliance issues. The BC/DR team itself may be placed in charge of verifying policy compliance, along with any necessary internal departments. Along with setting the procedures and staffing, the BC/DR team should regularly verify policy compliance.
If non-compliance is found according to the policy, corporate management may be brought in to address it.
When to bring in a BC/DR vendor
While creating a business continuity policy is a company decision, taking a look at BC/DR vendors and what services they provide can help the process. Managed BC/DR vendors can take some of the work out of an organization's hands and help facilitate tests of a business continuity strategy.
With the wider availability of the cloud, disaster recovery as a service (DRaaS) is a popular BC/DR option. DRaaS comes in all shapes and sizes, which makes it an appealing option when deciding on a BC/DR plan. Able to handle minor issues to major disasters, DRaaS is a fairly universal method to implement.
Major DRaaS providers include Acronis , Amazon Web Services , Axcient, IBM, Unitrends, VMware and Zerto .
Business continuity policy vs. business continuity plan: How are they different?
A business continuity policy and business continuity plan (BCP) have a lot in common, in that they address all of the unique requirements and preparations for an organization to maintain continuity. They both serve different purposes within the organization, however. While the policy outlines the standards to be followed and benchmarks to be met, a plan maps out from beginning to end how the organization will get through an event. Business continuity policy information should be included in the business continuity plan, but as a separate entity.
Continue Reading About business continuity policy
- How does business continuity fit in with other management functions?
- Here are 9 skills BC managers should have
- Get started on business continuity policy with this template
- Small businesses have their own BC needs
Related Terms
Dig deeper on disaster recovery planning and management.
contingency plan
How to ensure cybersecurity and business continuity plans align
Everything CIOs need to know about IT business continuity plans
Prepare for serious health threats with a pandemic recovery plan
IBM is combining its data protection products and working with a new partner to address one of the biggest challenges for ...
Asigra's forthcoming SaaSBackup platform lets Asigra data protection technology protect SaaS backups. MSPs will be able to sell ...
A new SaaS backup specialist emerges from stealth to protect data in apps such as Trello, GitHub and GitLab, which CEO Rob ...
Amazon dropped new features for its object storage service that include an open source file client, new data purchasing ...
Persistent Kubernetes storage startups like Ondat are becoming extinct as enterprise IT vendors prow the market for container ...
Analytical capabilities of the data management vendor's flagship product are now available as a separate SaaS to help provide ...
To prevent threat actors from exploiting the unpatched attack vectors, Google Project Zero made an exception for four Exynos ...
A CISA advisory said multiple threat actors recently exploited a Progress Telerik UI vulnerability, first disclosed in 2019, to ...
Vendor and incident response firm Secureworks referred to business email compromise, or BEC attacks, as 'the largest monetary ...
From consumers to employees to investors, more people are choosing companies that prioritize environmental, social and governance...
Crossrope faced hardware, software and marketing challenges -- along with the need to satisfy data-hungry fitness enthusiasts -- ...
The Federal Trade Commission has ordered eight social media companies, including Meta's Facebook and Instagram, to report on how ...
PRETESH BISWAS
Your Partner in ISO Standard compliance
Example of Business Continuity Management Policy
1 policy statement.
To meet the enterprise business objectives and ensure continuity of its operations, XXX shall adopt and follow well-defined and time-tested plans and procedures, build redundancy in teams and infrastructure and manage a quick and efficient transition to the backup arrangement for business systems and services. Business Continuity Management (BCM) Policy reiterates the commitment of XXX towards delivering the fastest transition and the highest quality of services through backup arrangements ensuring that the customers, business activities, and services do not suffer in any way. The Business Continuity Management Procedure, Backup Policy, and Backup Procedure shall be referred. The plan shall be available to the CISO and BCM team members of XXX.
The main objective of Business Continuity Management is to minimize/eliminate the loss to an organization’s business in terms of revenue loss, loss of reputation, loss of productivity, and customer satisfaction. The Business Continuity Policy intends to: a. establish a systematic approach for business continuity; b. create awareness amongst the concerned employees, about the business continuity aspects of ISMS and its importance; and c. test and review the business continuity plan for the organization.
3.1 IT Assets
BCM covers all IT assets and applications for a business transaction that are owned or utilized by XXX.
3.2 Documentation
The BCM documentation shall consist of Plans and Resumption procedures for each service.
3.3 Document Control
The BCM document and all other referenced documents shall be controlled. The version control shall be used to preserve the latest release and the previous version of any document. However, the previous version of the documents shall be retained only for a period of two years for legal and knowledge preservation purposes.
3.4 Records
Records being generated as part of the BCM shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.
3.5 Distribution and Maintenance
The BCM document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the BCP document will be with the CISO and BCM team.
The BCM document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.
5 Responsibility
Role of BCM Leader shall be performed by CISO and include the following: a. Coordinate the development and maintenance of the Organizational BCM policy manual and get approval from MISF (Management Information Security Forum). b. Identify and declare disaster-scenarios according to the gravity of the disaster. c. Enforce BCM among teams as per disaster scenarios. d. Review and audit BCM Policy at planned intervals. e. Test and update Business Continuity Plan at planned intervals. f. Facilitate functional training of the members for BCM execution. g. Co-ordinate with outsourcing partners wherever applicable.
Following are the primary roles of BCM Team Members: a. Execute BCM activities as per respective procedures. b. Co-ordinate with outsourcing partners wherever applicable.
a. For catastrophic and major disasters, the BCM Leader shall invoke the BCM process in consultation with the BCM Team Members. b. It is the responsibility of the BCM Leader to ensure that adequate spare resources are available for recovering from a disaster in the infrastructure level. c. It is mandatory for all BCM Team Leaders to maintain the BCM document in an easily accessible and secure location. d. The BCM Policy shall be updated whenever major additions, upgrades, deletions take place to the underlying hardware, network environment, office infrastructure or key personnel. e. The BCM Policy and Plan testing process for vital services shall be done at least once in a year.
7 Enforcement
Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.
Back to Home
If you need assistance or have any doubt and need to ask any questions contact me at [email protected] You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.
Share this:
Published by Pretesh Biswas
Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt . View all posts by Pretesh Biswas
Leave a Reply Cancel reply
- Virtual CISO
- Incident Response
- Risk Assessment
- Gap Assessment
- Vendor Risk Management
- Penetration Testing
- Purple Team
- Social Engineering
- Vulnerability Scanning
- SOC 2 Audit
- CISSP Mentor Program
Business Continuity and Disaster Recovery Policy Template
Free resource.
Download our free Business Continuity and Disaster Recovery Policy Template now.
Download your free copy now
Adopting a full set of information security policies is a critical step in ensuring that every department and employee understands their role in helping protect company, customer, and employee data.
Please use these policy templates as a way to get your organization on the right track when it comes to full policy creation and adoption.
Business continuity and disaster recovery allow our organizations to continue operating during or recover from unforeseen circumstances that may otherwise stall business or security operations. Having staff who understands what to do in these moments is critical and this policy will guide what goes into those decisions.
The purpose of the (Company) Continuity and Recovery Policy is to provide direction and general rules for the creation, implementation, and management of the (Company) Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).
The (Company) Continuity and Recovery Policy applies to individuals accountable for ensuring business continuity and disaster recovery processes are developed, supported, tested, and maintained.
Table of Contents
Business continuity.
Business Continuity focuses on sustaining the organization’s critical business processes during and after a disruption.
- (Company) must create and implement a Business Continuity Plan (“BCP”).
- The BCP must be periodically tested and the results should be shared with executive management.
- The BCP must be reviewed and updated upon any relevant change to the organization, at the conclusion of plan testing, or least annually.
- The BCP must be communicated and distributed to all relevant internal personnel and executive management.
- the safety and security of personnel is the first priority;
- an adequate management structure is in place to prepare for, mitigate and respond to a disruptive event using personnel with the necessary authority, experience, and competence;
- documented plans, response and recovery procedures are developed and approved, detailing how the organization will manage a disruptive event.
- A risk assessment for critical business processes and operations (Business Impact Analysis);
- An inventory of critical systems and records, and their dependencies;
- Requirements for ensuring information security throughout the process;
- Identification of supply chain relationships and the organization’s role to support critical infrastructure;
- Processes to ensure the safety of personnel;
- Communication strategies for communications both inside and outside the organization;
- Mitigation strategies and safeguards to reduce impact;
- Strategies to address and limit the reputational impact from an event;
- Contingency plans for different types of disruption events;
- Protection and availability of plan documentation;
- Procedures for plan tests, review, and updates.
Disaster Recovery
Disaster Recovery focuses on restoring the technology systems that support both critical and day-to-day business operations.
- (Company) must create and implement a Disaster Recovery Plan (“DRP”) to support business objectives outlined in the (BCP/critical processes identified by a Business Impact Analysis).
- The DRP must be tested annually, at a minimum.
- The DRP must be reviewed and updated upon any relevant change to IT Infrastructure, at the conclusion of plan testing, or least annually.
- The DRP must be communicated and distributed to all relevant internal personnel and executive management.
- Roles and responsibilities for implementing the disaster recovery plan;
- List of potential risks to critical systems and sensitive information;
- Procedures for reporting disaster events, event escalation, recovery of critical operations, and resumption of normal operations;
- An inventory of backups and offsite storage locations;
Definitions
See Appendix A: Definitions
- ISO 27002: 17
- NIST CSF: ID.BE, PR.IP, RS.RP, RS.CO, RS.IM, RS.RP, RC.IM, RC.CO
- Information Classification and Management Policy
- Business Continuity Plan
- Disaster Recovery Plan
Waivers from certain policy provisions may be sought following the (Company) Waiver Process.
Enforcement
Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.
Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.
Download your free copy today.
Free Business Continuity Policy Samples and Template
Smartsheet Contributor Andy Marker
February 11, 2021 (updated August 2, 2021)
Business continuity planning is essential for organizations preparing for a crisis, using a business continuity policy document as a guide. Find steps on how to write a business continuity policy, a free template, and expert advice.
Included on this page, you’ll learn what a business continuity policy is and how a business continuity policy applies in a pandemic . Find policy statement samples and a simple downloadable business continuity template .
What Is a Business Continuity Policy?
A business continuity policy provides high-level guidelines a company uses to ensure it can run in a crisis and keep addressing new risks. Each company’s policy is unique. To be successful, a policy needs the support of top leadership.
“The policy sets out that a company knows it cannot just sail through the good times,” explains Alex Fullick, General Manager of business continuity consultancy Stone Road Inc . “It knows it has to be able to respond to the bad times to maintain client satisfaction. A policy outlines that, first of all, a company is dedicated to ensuring employee safety and protecting shareholders, stakeholders, and partners. A policy shows that a company will prepare for, respond to, and recover from any adverse situations that it encounters to ensure public safety and employee safety.”
Top leadership and the business continuity planning committee shape the policy. The policy writers specify the business continuity plan's purpose. They also describe what facilities and processes the business continuity plan will cover.
The policy specifies key personnel who will administer the plan and outlines the role of staff in the continuity system. A business continuity policy also notes any legal, regulatory, or contractual obligations, as well as exclusions, such as service level agreements, that a company must maintain in all circumstances. Learn more about business continuity management from our article on business continuity planning .
The document defines how the company communicates to staff that the organization is implementing a business continuity management system and has the endorsement of the C-level.
Today, in the era of social media, reputation is everything. “If you're not protecting your brand, it's very easy for someone to suddenly start sending off messages in social media saying, no, they're not doing this, they're not doing that. It comes down to the brand. If you do things right, the policy protects the brand,” says Fullick.
The procedures in the business continuity plan puts the policy into action. Together both documents emphasize these elements:
- Contingency Planning: A company makes a proactive effort to foresee possible events and plan how to deal with them. This planning mostly addresses events that are negative but can also be positive. Contingency planning is different from crisis management , which is how a company reacts to an incident.
- Recovery: This step describes the efforts of a company to save and restart critical processes after an incident. A recovery approach also dictates acceptable levels of service after a disruption.
- Resilience: This concept refers to a company’s ability to provide critical products and services during and after a crisis. Resilience includes protecting staff, other resources, and the brand.
Large companies usually have a business continuity policy; small companies often don’t. “I've worked for a medium-sized company, and there wasn't a documented policy,” says Fullick. “I worked for a large company that had a documented policy that the president looked at every year. In reality, he probably just signed it and added a new date.”
A written policy is mandatory for any business pursuing ISO 22301 certification. For Service Organization Control (SOC) 2 compliance, which governs how service providers manage data to ensure privacy, you need documented business continuity and disaster recovery plans. See our article to learn more about ISO 22301 .
Policy also does not exist on its own. “I use the image of a three-legged stool,” explains Mike Semel, President and Chief Compliance Officer of Semel Consulting . “A three-legged stool can't stand without all of its legs. Take away a leg, it's going to fall. If you have a policy, then you have to back it up with procedures and back the procedures up with evidence that you're following them. That’s the hardest and most expensive part.” Learn more about writing procedures and work instructions in our article.
Business Continuity Policy in a Pandemic
Business continuity policy templates can save you time when writing a policy. Editing an existing document takes less effort than formatting a new one and serves as a reminder to add key information.
Use our free downloadable business continuity policy template available in Microsoft Word and Google Docs formats. The document contains all the sections you might need for a policy document, along with a customizable header block and confidentiality label.
Download Simple Business Continuity Policy Template
Microsoft Word | Google Docs | Smartsheet
For other most useful free, downloadable business continuity plan (BCP) templates please read our "Free Business Continuity Plan Templates" article.
How to Write a Business Continuity Policy
When drafting a business continuity plan , a company must write a business continuity policy document. The policy document outlines requirements for developing the business continuity plan.
Use concise, simple words when writing a business continuity policy. Write in the third person using “he,” “she,” and “it.” If possible, avoid adding information that may quickly go out of date. Consult good examples of straightforward policies for reference. (We provide examples of policy statements later in this article).
Step by Step: Writing a Business Continuity Policy
Follow this procedure to prepare your business continuity policy:
- Write the Policy Statement The statement describes the aim of the policy. Directors or managers often sign the document. “In most cases I’ve been associated with [for any type of policy document], about 80 percent of the statement is written at the beginning,” says Cox. “After there’s been some discussion, often after completing a risk analysis, there are some modifications and expansions on the original statement.” Learn more about business continuity policy statements later in this article.
- Conduct the Risk Assessment and BIA A business impact analysis (BIA) determines the financial and functional impact of disruption and reveals key processes and information about recovery time objectives. Conduct a risk assessment to determine and rank threats and risks. Read our guide to learn how to write a BIA. A business continuity policy is a tactical tool, but it must be grounded in company strategy, which comes from senior management (senior management could be an executive in a corporation or the owner in a small business). Mike Semel gives the example of an accounting firm with employees who thought their recovery time objective (RTO) was eight business hours. The managing partner said the company couldn’t possibly afford to recover so quickly and determined it was cheaper to pay any fees clients incurred from late filings. Thus, it’s management’s job to determine risk tolerance. Semel explains further that companies often guess at RTO without a full understanding of what the number really means. For example, if power goes out, unless you can fire up a generator, your recovery must wait on power being restored. Thus, an eight-hour RTO clock doesn’t begin until power is restored. “The problem with RTO is that it's usually like a hope or a wish or a guess,” he says. “The biggest flaw when it comes to recovering systems is that nobody tests them adequately. They do the backups. Every day, they get the message that the backup is successful. But they don't test recovering from the backup and trying to operate the business. Then they go to recover in a disaster, and instead of eight hours, let's say it takes 14 hours. If the policy says it should take eight hours, they either have to change the policy to say 14 hours, or they have to change the process to get it down to eight hours.” When describing scope and recovery parameters in a policy, also consider that the timing of a disruption makes a difference. “A disaster the day before payday is completely different from a disaster the day after payday. In accounting firms, a disaster a week before tax day is different from a disaster the week after. Those are the things that people don't always think through,” shares Semel.
- Determine Your Strategy for Business Continuity A business continuity strategy provides a high-level view of what recovery and continuity mean for a company. Consider the scope, approaches, and recovery timelines.
- Write the Policy Document the scope, key business areas and functions as determined by the BIA, key roles, and the general approach to continuity.
- Secure Stakeholders’ Review for Both the Policy Statement and the Document If you haven’t included them already on your writing team, be sure to get input from the CISO, CTO, and CIO, as well as comments from important third parties.
- Get Executive Endorsement of the Policy Statement Obtaining senior sponsorship will set your business continuity planning on the path to success.
- Promote the Policy Share the policy with employees and interested third parties. Promotion can be as simple as posting the statement on bulletin boards where people gather frequently.
Finally, although every business has unique needs, brevity is indeed the soul of wit for business continuity policies. “If a policy is 20, 30 pages, that means nothing, because that’s too much detail, which means too much fluff,” explains Fullick. “Policies must be short and simple: This is what it is, this is why we're doing it, and this is everyone's part in it.”
Common Structure of a Business Continuity Policy
Knowing the typical format of a policy frees you to focus on the content of the document. Here is an example of a business continuity policy format:
Header Block: Depending on your company’s style, you might need to include a header block on the policy. A header block includes the policy holder, policy signatory, policy date, review cycle, and version control details.
Introduction: Policy documents might or might not include an introduction. The introduction explains why a business continuity policy is important to the organization and the fundamental reasons for the policy.
Policy Statement: The policy statement might be one paragraph or an entire page. The statement describes the purpose and aims of the business continuity policy. The statement might also be called an aim or the purpose. In some organizations, the managing director or another officer signs and dates the statement page.
Definitions: Your industry might use specialized terminology that needs clarification. Definitions can also help explain the business continuity system’s scope.
Purpose and Scope: The scope section describes the facilities, processes, and activities the policy covers. “The scope tells you what to worry about. For example, ‘We’re only worrying about our main office in Mississauga. That’s the one we have to make sure is always running 24/7,’” Fullick explains.
Policy Personnel: This section lists the individuals or roles who review, approve, and enact the policy. Those responsible for policy administration are also responsible for ensuring compliance.
Compliance: The compliance area describes the requirement for testing to verify that the business continuity plans and activities adhere to the policy.
Consequences for Non-Compliance: Detail the results of not conforming to the policy.
Confidentiality Level: The confidentiality level describes who may see the document. This label usually appears in the header or footer of each page of the policy. Outside of government, businesses typically use three confidentiality levels: confidential, wherein only management can read it; restricted, wherein only company employees can read it; and public, when anyone can read it.
References and Resources: When your business continuity planning is complex, you might have a suite of policies and plans. You might also refer to legal or regulatory documents that affect business continuity policy.
Appendixes: In some cases, it makes sense to attach documents, charts, or drawings to a policy.
Business Continuity Management Policy Statement Examples
A business continuity policy statement outlines the broad goals of a company’s business continuity management program. The statement sets out the scope of efforts and outlines staff roles and duties for carrying out the continuity plan.
Top leadership should sign and endorse the statement, and you should communicate the policy to all employees. A statement might include the following:
- Details on the purpose and scope of the policy.
- A clear explanation of the framework of the organization’s business continuity management program.
- Details on who within the organization is responsible for implementing the policy.
- Details on how the organization will monitor its compliance with the policy.
In these examples of real policy statements, note the different formats and locations of the statement within the policy document:
Healthcare Providers
This healthcare business continuity policy example calls the statement an aim , but it serves the same purpose as a policy statement. Here’s an example:
Greenwich Clinical Commissioning Group (CCG)
Commercial Company
Business continuity policy statements for commercial organizations tend to specify an expected time to resume service. Here’s an example:
Compass Disability Services
Universities
These business continuity management policy statements might begin with a purpose, which can help you to understand business continuity systems. Universities might incorporate objectives and scope. See these examples:
- Monash University
- Sheffield University
City Government
A statement for a city’s business continuity policy outlines what continuity planning aims to accomplish for the city. Here’s an example:
Leicester, UK City Government
Business Continuity Policy Best Practices
Keep your policy simple and remember to focus on creating attainable continuity goals. Follow these best practices to enhance your business continuity policy preparation experience:
- Bring in expert help when needed. Creating a policy and business continuity system requires a concerted level of effort.
- Understand your key assets and processes.
- Recognize the difference between disaster recovery and business continuity.
- Consider third-party risks. Knowledge of third-party risks is especially important for regulated industries because you are liable, even if your data is stored offsite on infrastructure you don’t own.
- Promote transparency and visibility. “Once you have a policy, make it visible to all staff. Be sure to communicate the policy — a detailed policy with extensive resources is useless if staff don’t know it exists,” advises Alex Fullick.
Manage Your Business Continuity Policy Statement and Collect Relevant Documents with Smartsheet
Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change.
The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed.
When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.
Discover why over 90% of Fortune 100 companies trust Smartsheet to get work done.
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Business continuity management in Azure
- 6 minutes to read
- 1 contributor
Azure maintains one of the most mature and respected business continuity management programs in the industry. The goal of business continuity in Azure is to build and advance recoverability and resiliency for all independently recoverable services, whether a service is customer-facing (part of an Azure offering) or an internal supporting platform service.
In understanding business continuity, it's important to note that many offerings are made up of multiple services. At Azure, each service is statically identified through tooling and is the unit of measure used for privacy, security, inventory, risk business continuity management, and other functions. To properly measure capabilities of a service, the three elements of people, process, and technology are included for each service, whatever the service type.
For example:
- If there's a business process based on people, such as a help desk or team, the service delivery is what they do. The people use processes and technology to perform the service.
- If there's technology as a service, such as Azure Virtual Machines, the service delivery is the technology along with the people and processes that support its operation.
Shared responsibility model
Many of the offerings Azure provides require customers to set up disaster recovery in multiple regions and aren't the responsibility of Microsoft. Not all Azure services automatically replicate data or automatically fall back from a failed region to cross-replicate to another enabled region. In these cases, recovery and replication must be configured by the customer.
Microsoft does ensure that the baseline infrastructure and platform services are available. But in some scenarios, usage requires the customer to duplicate their deployments and storage in a multi-region capacity, if they opt to. These examples illustrate the shared responsibility model. It's a fundamental pillar in your business continuity and disaster recovery strategy.
Division of responsibility
In any on-premises datacenter, you own the whole stack. As you move assets to the cloud, some responsibilities transfer to Microsoft. The following diagram illustrates areas and division of responsibility between you and Microsoft according to the type of deployment.
A good example of the shared responsibility model is the deployment of virtual machines. If a customer wants to set up cross-region replication for resiliency if there's region failure, they must deploy a duplicate set of virtual machines in an alternate enabled region. Azure doesn't automatically replicate these services over if there's a failure. It's the customer's responsibility to deploy necessary assets. The customer must have a process to manually change primary regions, or they must use a traffic manager to detect and automatically fail over.
Customer-enabled disaster recovery services all have public-facing documentation to guide you. For an example of public-facing documentation for customer-enabled disaster recovery, see Azure Data Lake Analytics .
For more information on the shared responsibility model, see Microsoft Trust Center .
Business continuity compliance: Service-level responsibility
Each service is required to complete Business Continuity Disaster Recovery records in the Azure Business Continuity Manager Tool. Service owners can use the tool to work within a federated model to complete and incorporate requirements that include:
Service properties : Defines the service and how disaster recovery and resiliency are achieved and identifies the responsible party for disaster recovery (for technology). For details on recovery ownership, see the discussion on the shared responsibility model in the preceding section and diagram.
Business impact analysis : This analysis helps the service owner define the recovery time objective (RTO) and recovery point objective (RPO) based on the criticality of the service across a table of impacts. Operational, legal, regulatory, brand image, and financial impacts are used as target goals for recovery.
Microsoft doesn't publish RTO or RPOs for services because this data is for internal measures only. All customer promises and measures are SLA-based because it covers a wider range versus RTO or RPO, which is only applicable in catastrophic loss.
Dependencies : Each service maps the dependencies (other services) it requires to operate no matter how critical, and is mapped to runtime, needed for recovery only, or both. If there are storage dependencies, another data is mapped that defines what's stored, and if it requires point-in-time snapshots, for example.
Workforce : As noted in the definition of a service, it's important to know the location and quantity of workforce able to support the service, ensuring no single points of failure, and if critical employees are dispersed to avoid failures by cohabitation in a single location.
External suppliers : Microsoft keeps a comprehensive list of external suppliers, and the suppliers deemed critical are measured for capabilities. If identified by a service as a dependency, supplier capabilities are compared to the needs of the service to ensure a third-party outage doesn't disrupt Azure services.
Recovery rating : This rating is unique to the Azure Business Continuity Management program. This rating measures several key elements to create a resiliency score:
- Willingness to fail over: Although there can be a process, it might not be the first choice for short-term outages.
- Automation of failover.
- Automation of the decision to fail over.
The most reliable and shortest time to failover is a service that's automated and requires no human decision. An automated service uses heartbeat monitoring or synthetic transactions to determine a service is down and to start immediate remediation.
Recovery plan and test : Azure requires every service to have a detailed recovery plan and to test that plan as if the service has failed because of catastrophic outage. The recovery plans are required to be written so that someone with similar skills and access can complete the tasks. A written plan avoids relying on subject matter experts being available.
Testing is done in several ways, including self-test in a production or near-production environment, and as part of Azure full-region down drills in canary region sets. These enabled regions are identical to production regions but can be disabled without affecting customers. Testing is considered integrated because all services are affected simultaneously.
Customer enablement : When the customer is responsible for setting up disaster recovery, Azure is required to have public-facing documentation guidance. For all such services, links are provided to documentation and details about the process.
Verify your business continuity compliance
When a service has completed its business continuity management record, you must submit it for approval. It's assigned to a business continuity management experienced practitioner who reviews the entire record for completeness and quality. If the record meets all requirements, it's approved. If it doesn't, it's rejected with a request for reworking. This process ensures that both parties agree that business continuity compliance has been met and that the work is only attested to by the service owner. Azure internal audit and compliance teams also do periodic random sampling to ensure the best data is being submitted.
Testing of services
Microsoft and Azure do extensive testing for both disaster recovery and for availability zone readiness. Services are self-tested in a production or pre-production environment to demonstrate independent recoverability for services that aren't dependent on major platform failovers.
To ensure services can similarly recover in a true region-down scenario, "pull-the-plug"-type testing is done in canary environments that are fully deployed regions matching production. For example, the clusters, racks, and power units are literally turned off to simulate a total region failure.
During these tests, Azure uses the same production process for detection, notification, response, and recovery. No individuals are expecting a drill, and engineers relied on for recovery are the normal on-call rotation resources. This timing avoids depending on subject matter experts who might not be available during an actual event.
Included in these tests are services where the customer is responsible for setting up disaster recovery following Microsoft public-facing documentation. Service teams create customer-like instances to show that customer-enabled disaster recovery works as expected and that the instructions provided are accurate.
For more information on certifications, see the Microsoft Trust Center and the section on compliance.
- Azure services and regions that support availability zones
- Azure Resiliency whitepaper
- Quickstart templates
Submit and view feedback for
Additional resources
Connect With Us at #GartnerIAM. Book Your Meeting Now!
- Why StrongDM
- Privileged Session Management
- Permission Management
- Just-in-time Access
- Vendor Privileged Access
- Privileged Credential Management
- Logging & Reporting
- Security Standards & Frameworks
- Admin Guide
- StrongDM University
- How to Demos
- Observability
- Authentication
- Try it free
Best Practices when Creating a Business Continuity Policy
- Share Create a Business Continuity Policy on LinkedIn
- Share Create a Business Continuity Policy on Twitter
- Share Create a Business Continuity Policy on Reddit
- Share Create a Business Continuity Policy on Facebook
- Share Create a Business Continuity Policy on Hacker News
- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
A business continuity policy is a critical part of your SOC 2 preparation. According to the Federal Emergency Management Agency (FEMA) , nearly 40 percent of small businesses never reopen their doors after a disaster.
For small businesses, in particular, it can be difficult to return to normalcy after a significant disruption. Most companies have insurance and emergency funds, but those won’t protect you from failure to provide business functions at an acceptable level to your customers.
A Business Continuity Policy (BCP) is critical to your information security program and defines the critical steps your employees need to keep the business processes running after a disruptive event. The plan addresses the critical infrastructure, backup plans, emergency contacts and detailed recovery procedures you need to address potential threats.
Here are some best practices you should consider when writing your business continuity plan:
1. Don’t just rely on a SaaS vendor
Yes, it is possible to migrate all your infrastructure and other critical assets to SaaS. But by doing so, you inherit whatever controls the SaaS vendor has in place, and shift responsibility entirely onto them during a failure. However, you are still ultimately responsible for creating a failover plan and having redundant solutions in place.
If you are going to rely on SaaS vendors, you need to be cautious about what is outlined in your contract with them. Here are a few questions to ask:
- What happens if the SaaS systems or networks stop working?
- How will a loss of connectivity or system availability impact your critical activities and services?
- What is the expected or guaranteed timeline to restore service?
- What are each parties’ responsibilities during a failure?
The last point is especially important to think about ahead of time. Many organizations wait until a disaster hits to figure out the who, what, when, where and why of recovering from it. Also, remember that vendors can sometimes make lofty promises about the availability and quality of their services when you initially explore their products and services. But unfortunately, you won’t be able to lean on those conversations in a state of emergency. Get everything in writing, and make sure your leadership team reviews all vendor contracts before they are signed.
2. What are your critical assets?
Within your system, you need to perform an impact assessment and determine which assets are critical to operation. Your assessment should include:
- Infrastructure
- Intellectual property
- Financial processes, software, and tools to maintain cash flow
- Processes to know where people are and ensure access to their location is still available
Companies often don’t realize how vast their network is and thus fail to adequately take inventory of critical assets until it is too late. One way to start this discovery is by creating an inventory of all the assets in your network. Many free and commercial tools will do this discovery and identify not just the physical devices, but the software installed on them as well. Use this inventory to start labeling the assets your business activities can’t survive without. Also, keep in mind that data is an asset as well. It might initially be easy to identify a pool of SaaS servers as mission-critical, yet there is a crucial database or file share that lives elsewhere on the network that these systems rely on.
3. How quickly do you need to recover from an adverse event?
As part of your business continuity strategy, you need to establish recovery time objectives (RTOs). These objectives define a duration of time and service level in which a business process needs to be restored. If the business continuity objectives are not met, your business can incur penalties for non-compliance with your customers’ contracts. Because RTOs are a critical part of business continuity management (BCM), they should be established in cooperation with your board or senior management. You might also want to engage the help of a third-party consultant, who may conduct a risk assessment to identify what kinds of incidents your company may face. From there, it might make sense to conduct a business impact analysis (BIA), which will help you figure out how quickly you need to recover from incidents to avoid fines and damage to your reputation. As part of the risk assessment and BIA, the consultant can help you develop RTOs and advise on other essential business continuity activities as well.
4. What do you need to do to keep the lights on?
Once you’ve decided what assets are critical to keeping the business afloat, and how quickly you need to restore them after a disruption, the next step in disaster recovery planning is to create procedures that restore impacted services during a disruption. A good practice here is to be redundant; test regularly and test often. This is an area where companies will often partner with their SaaS vendor or another third party to assist. Working together with these resources, create a technology recovery plan that contains a narrative of how you will recover from a disruptive event, the roles each person or team will own during the disruption and details of how the event will be tracked and communicated. Ensure that the communication strategy includes not just executives, but a mix of personnel mapped out in a hierarchy in case some employees aren’t able to work during the event. Make sure everyone knows how to access the communication plan. A key component to making this plan work is to perform frequent data backups that are stored offsite.
5. Put your plan in action
Your plan won’t be perfect the first time around, so it’s essential to test it out and make adjustments – ideally when you are not in a state of emergency. An effective way to proactively test your plan is with tabletop exercises. These exercises, which should be performed with a cross-functional team, give you an effective way to talk through the plan’s details and identify any gaps or areas for improvement. On the technical side, tabletop exercises are an ideal time to assemble the team and go through the motions of restoring a file, database or even an entire server. Take all the feedback you receive from the exercises – good or bad – and use it to update your disaster plan periodically to stay up to date with your business.
You do not want to be one of the many businesses that close up shop after a major incident. As part of your overall risk management strategy, take the time to review and adjust your SaaS contracts, inventory your software and hardware assets, and build out a thorough disaster recovery plan. And, as part of your business continuity planning, conduct regular testing of this plan. Doing this preparation ahead of time will save you headaches – and potentially your client base – when disaster strikes.
About the Author
Brian Johnson , Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks. Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security into short, 7-minute chunks.
You May Also Like
IMAGES
VIDEO
COMMENTS
A business continuity policy is the set of standards and guidelines an organization enforces to ensure resilience and proper risk management.
This policy supports the [Company Name] mandate for Business Continuity Management (BCM), a comprehensive program concerned with improving the resilience of [
Ownership, oversight and governance of the Business Continuity Program belongs to the Business Resilience Team. Compliance with this policy is required of all
This includes both Business. Continuity plans and IT Disaster Recovery plans to cover the whole organization. Scope. This policy applies to all users of
Business Continuity Management (BCM) Policy reiterates the commitment of XXX towards delivering the fastest transition and the highest
The purpose of the (Company) Continuity and Recovery Policy is to provide direction and general rules for the creation, implementation, and management of
A business continuity policy provides high-level guidelines a company uses to ensure it can run in a crisis and keep addressing new risks. Each
confirm the capability of the unit to implement the plan. Scope. This policy affects the following groups of the University: • Hiring/Supervising Managers.
Each service is required to complete Business Continuity Disaster Recovery records in the Azure Business Continuity Manager Tool. Service owners
A Business Continuity Policy (BCP) is critical to your information security program and defines the critical steps your employees need to keep