Business Continuity Policy
ISO22301 Toolkit: Version 6 ©CertiKit Version 1
Page 1 of 13
[Insert date]
Implementation guidance
The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document
The Business Continuity policy acts as the root “Quality Manual” of the Business Continuity Management System (BCMS) and must be approved by top management (defined as the “person or group of people who direct and control the organization at the highest level”) as evidence of their commitment.
Areas of the standard addressed
This document is relevant to the following sections of the ISO22301 standard:
• 5. Leadership
  o 5.2 Policy
    ▪ 5.2.1 Establishing the business continuity policy
• 6. Planning
  o 6.3 Planning changes to the BCMS
• 10. Improvement
  o 10.2 Continual improvement
General guidance
Prior to the certification audit you must ensure that the policy has been communicated to relevant staff, that they have understood it and that these facts are evidenced, e.g. via meeting minutes. The inviting and answering of questions during such a meeting is likely to show evidence of understanding. We would also recommend that the document is made available via the intranet if you have one, or by any other appropriate means.
Review frequency
We would recommend that this document is reviewed as part of an annual exercise which should include significant business involvement to ensure that changed requirements are captured and feedback obtained.
Document fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.
If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.
Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice
Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Business Continuity Policy
Version 1

DOCUMENT REF: BCMS-DOC-05-1
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]
Revision history
VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution
NAME | TITLE

Approval
NAME | POSITION | SIGNATURE | DATE
Contents
1 Introduction ..... 8
2 Business continuity policy ..... 9
2.1 Setting business continuity objectives ..... 9
2.2 Commitment to satisfying applicable requirements ..... 9
2.3 Continual improvement of the BCMS ..... 10
2.4 Planning Changes to the BCMS ..... 11
2.5 Approach to managing risk ..... 12
2.6 Control of documents and records ..... 12
1 Introduction
As a modern, forward-looking business, [Organization Name] recognises at senior levels the need to ensure that its business operates smoothly and without interruption for the benefit of its customers, shareholders and other stakeholders. In order to provide such a level of continuous operation, [Organization Name] has implemented a Business Continuity Management System (BCMS) in line with the international standard for business continuity, ISO22301. The operation of this BCMS has many benefits for the business, including:
• Protection of revenue streams and company profitability
• Ensuring the supply of goods and services to customers
• Maintenance and enhancement of shareholder value
• Compliance with legal and regulatory requirements
It is important to understand which areas of the business are currently within the umbrella of the BCMS and which are excluded. The boundaries of the BCMS as implemented within [Organization Name] are defined within the document entitled Business Continuity Context, Requirements and Scope. It is recommended that this document should be reviewed in conjunction with this policy.
The purpose of this document is to define an overall policy with regard to business continuity that is appropriate to the purpose of [Organization Name], and includes:
• A framework for setting business continuity objectives
• A commitment to satisfying applicable requirements
• A commitment to continual improvement of the BCMS
This BCMS Policy is available in both paper and electronic form and will be communicated within the organization and to all relevant stakeholders and interested third parties.
2 Business continuity policy
2.1 Setting business continuity objectives
The high-level objectives for business continuity within [Organization Name] are defined within the document Business Continuity Context, Requirements and Scope. These are fundamental to the nature of the business and are not subject to frequent change.
These overall objectives will be used as guidance in the setting of lower level, more short-term objectives for business continuity planning within an annual cycle timed to coincide with organizational budget planning. This will ensure that adequate funding is obtained for the improvement activities identified. These objectives will be based upon a clear understanding of the overall business requirements and how they may change during the year.
Business continuity objectives will be documented in the Business Continuity Management Plan for the relevant financial year, together with details of a plan for how they will be achieved. Once approved, this plan will be reviewed on a quarterly basis as part of the management review process, at which time the objectives will also be reviewed to ensure that they remain valid. If amendments are required, these will be managed through the organizational change management process.
2.2 Commitment to satisfying applicable requirements
Commitment to the delivery of business continuity extends to senior levels of the organization and will be demonstrated through this Business Continuity Policy and the provision of appropriate resources to establish and develop the Business Continuity Management System.
Top management will also ensure that a systematic review of performance of the programme is conducted on a regular basis to ensure that business continuity objectives are being met and business continuity issues are identified through the audit programme and management processes. Management Review can take several forms including departmental and other management meetings.
Within the field of Business Continuity Management, there are a number of key roles that need to be undertaken to ensure the success of the BCMS and protect the business from risk. The [Business Continuity Manager] shall have overall authority and responsibility for the implementation and management of the Business Continuity Management System, specifically:
• The identification, documentation and fulfilment of applicable requirements
• Assigning authorities and responsibilities for the implementation, management and improvement of BCM processes
• Integration of business processes with the BCMS
• Compliance with statutory, regulatory and contractual requirements in the management of assets used to deliver products and services
• Reporting to top management on performance and improvement of the BCMS
It is also the responsibility of the [Business Continuity Manager] to ensure that employees understand the roles they are required to fulfil and that they have appropriate skills and competence to do so. [Organization Name] will ensure that all employees involved in business continuity management are competent on the basis of appropriate education, training, skills and experience. The skills required to ensure business continuity will be determined and reviewed on a regular basis together with an assessment of existing skill levels within [Organization Name]. Training needs will be identified, and a plan maintained to ensure that the necessary competencies are in place. Training, education and other relevant records will be kept by the HR Department to document individual skill levels attained.
Full details of the responsibilities associated with each of the required roles and how they are allocated within [Organization Name] are given in a separate document entitled Roles, Responsibilities and Authorities.
[Organization Name] makes use of various third parties, both internal and external, in the delivery of products and services to its customers. Where this involves the operation of a business process, or a part of the process on behalf of [Organization Name], that falls within the defined scope of the BCMS, this is identified in the Business Continuity Management Plan. In all cases, [Organization Name] will retain governance of the relevant BCM processes by demonstrating:
• Accountability for the process
• Control of the definition of and interface to the process
• Performance and compliance monitoring
• Control over process improvements
This will be evidenced by documents and records such as contracts, meeting minutes and performance reports.
2.3 Continual improvement of the BCMS
[Organization Name]’s policy with regard to Continual Improvement of the BCMS is to:
• Continually improve the effectiveness of the Business Continuity Management System across all areas within scope
• Enhance current processes to bring them into line with good practice as defined within ISO 22301
• Achieve ISO 22301 certification and maintain it on an on-going basis
• Increase the level of proactivity (and the business perception of proactivity) with regard to the on-going management of business continuity
• Achieve an enhanced understanding of, and relationship with, the business units to which the BCMS applies
• Review relevant metrics on an annual basis to assess whether it is appropriate to change them, based on collected historical data and feedback from relevant sources
• Obtain ideas for improvement via regular review meetings with stakeholders and document them
• Review ideas for continual improvement at regular management meetings in order to prioritise them and assess timescales and benefits
Ideas for improvements may be obtained from any source including customers, suppliers, employees, risk assessments and audits. Once identified they will be documented and evaluated by the staff member responsible for continual improvement. As part of the evaluation of proposed improvements, the following criteria will be used:
• Cost
• Business Benefit
• Risk
• Implementation timescale
• Resource requirement
If accepted, the improvement proposal will be prioritised in order to allow more effective planning.
2.4 Planning Changes to the BCMS
A need for change to the BCMS may arise from any number of sources, including the continual improvement process, events related to the internal and external context of the organization (such as internal re-organizations or mergers and acquisitions) or an increase or decrease in its scope. Where changes arise, they must be carried out in a planned manner so that the required adjustments are approved and implemented in areas such as:
• Adjustment of the scope of the BCMS
• Allocation of resources
• Assignment of roles and their associated responsibilities and authorities
• Required competence levels
• Communication of the purpose and nature of changes
• Documented information required to support the change
2.5 Approach to managing risk
Risk management will take place at several levels within the Business Continuity Management System, including:
• Business continuity management planning – risks to the achievement of objectives
• Business continuity risk assessment
• Assessment of the risk of changes as part of the business change management process
• At the project level as part of the management of significant business change
High level risk assessments will be reviewed on an annual basis, or upon significant change to the business environment. For more detail on the approach to risk assessment please review the document Risk Assessment and Treatment Process.
Once in place, it is vital that regular reviews take place of how well business continuity management processes and procedures are being adhered to. This will happen at three levels:
1. Structured regular management review of conformity to policies and procedures within [Organization Name]
2. Internal audit reviews against the ISO 22301 standard by the [Organization Name] Quality Team
3. External audit against the standard in order to gain and maintain certification to ISO22301
Details of how internal audits will be carried out can be found in the Procedure for Internal Audits.
2.6 Control of documents and records
All business continuity management policies and plans that form part of the BCMS must be documented. The way in which these documents are created and managed through their lifecycle is set out in Procedure for the Control of Documented Information. All documents in the BCMS are uniquely numbered and the current versions are tracked – see document BCMS Documentation Log.
The keeping of records is a fundamental part of the Business Continuity Management System. Records are key information resources and represent evidence that processes are being carried out effectively.
The controls in place to manage records are also defined in the document Procedure for the Control of Documented Information.