BCMS-DOC-06-1 Business Continuity Management Plan


Business Continuity Management Plan

ISO22301 Toolkit: Version 5 ©CertiKit



Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

The Business Continuity Management Plan sets out the objectives to be achieved within business continuity for the current financial year and a plan to deliver them.

Areas of the standard addressed

This document is relevant to requirements in the following sections of the ISO22301 standard:

• 6. Planning
  o 6.1 Actions to address risks and opportunities
    ▪ 6.1.1 Determining risks and opportunities
    ▪ 6.1.2 Addressing risks and opportunities
  o 6.2 Business continuity objectives and planning to achieve them
    ▪ 6.2.1 Establishing business continuity objectives
    ▪ 6.2.2 Determining business continuity objectives
• 7. Support
  o 7.1 Resources

General guidance

Although this plan refers to a one year time period, it is acceptable to cover a longer or shorter period if it is appropriate. Prior to the certification audit you must ensure that the plan has been communicated to relevant staff, that they have understood it and that these facts are evidenced e.g. via meeting minutes. The inviting and answering of questions during such a meeting is likely to show evidence of understanding. We would also recommend that the document is made available via the intranet if you have one or any other appropriate means.

Version 1

Page 2 of 16

[Insert date]



Review frequency

We would recommend that this document is created each year as part of an exercise which should include significant business involvement to ensure that changed requirements are captured and feedback obtained. It should then be reviewed at least quarterly as part of your management review cycle.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.


Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.


Business Continuity Management Plan
Financial Year 20xx/xx

DOCUMENT REF: BCMS-DOC-06-1
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]

Revision history

| VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES |
|---|---|---|---|
| | | | |

Distribution

| NAME | TITLE |
|---|---|
| | |

Approval

| NAME | POSITION | SIGNATURE | DATE |
|---|---|---|---|
| | | | |

Contents

1 Introduction
2 Business continuity objectives
3 Plan to achieve objectives
4 Resources to manage and improve the BCMS
  4.1 Human resources
  4.2 Technical resources
  4.3 Information resources
  4.4 Financial resources
5 Risks and opportunities for the BCMS
  5.1 Risks to the BCMS
  5.2 Opportunities for the BCMS
6 Conclusion

Tables

Table 1: Business continuity objectives
Table 2: Plan to achieve objectives
Table 3: Human resources required to run the BCMS
Table 4: Risks to the BCMS
Table 5: Opportunities for the BCMS


1 Introduction

[Organization Name] is committed to establishing effective business continuity plans to protect its key business activities and meet its obligations to its stakeholders. As part of this commitment the organisation has established a Business Continuity Management System (BCMS) which complies with the requirements of the ISO22301 international standard for business continuity and will be seeking certification to this standard in the near future.

In line with the standard, it is essential that our business continuity objectives are consistent with our policies, measurable where practicable, communicated effectively within the organization (and outside where appropriate) and updated as part of the BCMS management review process. Objectives will be based on a clear understanding of our business continuity requirements, including those from interested parties, and will consider the results of business impact and risk assessments carried out at various levels within the organization.

This document sets out the organisation’s business continuity objectives and plans for the financial year YY/YY, including:

• Who will be responsible
• What will be done
• What resources will be required
• When it will be completed
• How the results will be evaluated

This document should be read in conjunction with the following other components of the BCMS which give background information about the organization’s business continuity policy and requirements:

• BC Context, Requirements and Scope
• Business Continuity Policy
• Business Impact Analysis Tool


2 Business continuity objectives

In order to assess whether the BCMS is working as intended it is essential that clear objectives are defined, and a system of monitoring and measurement established to record progress against targets.

High-level objectives for business continuity are described in the BCMS document BC Context, Requirements and Scope and the overall framework for setting lower-level objectives is defined in the Business Continuity Policy, also a key component of the BCMS. Methods for determining to what extent objectives are being met are set out in the document Process for Monitoring, Measurement, Analysis and Evaluation.

As part of the BCMS management review process, objectives for business continuity are regularly set, reviewed and updated in the following major areas:

• Quality: generally, how well the organization’s business activities are protected by the BCMS
• Capability: the knowledge, skills and experience available, mainly internally but also to some extent externally to the organization
• Cost: financial resources required to maintain and improve the BCMS
• Resource utilisation: how effectively organizational resources are employed
• Risk reduction: the degree to which known risks are treated to within acceptable limits
• Other: appropriate objectives that do not fall into any of the above areas

In discussion with the management team and based upon documented requirements, [Organization Name] has agreed specific objectives in the area of business continuity as shown in Table 1. Achievement against these objectives will be tracked as part of regular management reviews of the BCMS.



| # | AREA | OBJECTIVE | TASKS | MEASUREMENT METHOD | TARGET | TIMESCALE | PERSON RESPONSIBLE |
|---|---|---|---|---|---|---|---|
| 1. | Quality | Ensure that all identified key business activities have a business continuity plan in place to protect them | Hold workshops to define plans | Percentage of key business activities with a plan | 80% | 12 months | BC Manager |
| 2. | Quality | Ensure that all business continuity plans have been tested within the last 2 years | Agree testing schedule with top management | Percentage of plans tested within 2 years | 75% | 12 months | BC Manager |
| 3. | Capability | Provide training in business continuity for key resources | Identify courses; secure training budget | Number of people trained | 5 | 6 months | Person A |
| 4. | Cost | Reduce amount spent on business continuity | Review budget to identify savings | Percentage reduction on last year’s budget | 5% | 12 months | BC Manager |
| 5. | Resource utilisation | Increase number of days provided by business teams for analysis and testing | Agree allocation with top management | Percentage increase over last year’s commitment | 10% | 12 months | Team leaders |
| 6. | Risk reduction | Reduce number of high priority risks on risk register | Increase focus on high priority risks; hold workshops to identify ideas | Percentage reduction | 10% | 9 months | BC Manager |

Table 1: Business continuity objectives


3 Plan to achieve objectives

In order to achieve our objectives, it is essential that we have a clear plan that is adequately resourced and has the full support of top management. The success of this plan will determine whether [Organization Name] remains adequately protected against disruptive events and their potential impacts.

The plan is shown in Table 2. The tasks required in order to achieve each objective are listed, together with the resources required, person responsible and completion timescale for each one. The method of evaluating the success of each task will vary according to the nature of the task, but an attempt to determine this is also shown.

This plan will be managed in conjunction with background improvement activities, which may be driven by internal and external audit results, risk assessments and management reviews, amongst other sources. Additional, more detailed plans may also be created in order to control the activities required and take account of internal and external dependencies.

Progress against the plan will be tracked by the Business Continuity Manager and reported to top management on a regular basis. In the event that a task is looking unlikely to be completed within the target timescale, the effect on the relevant business continuity objective should be evaluated. Depending on the conclusion, top management may decide whether or not to take action, such as increasing the resources available, to improve the expected completion time.

In the event that business continuity objectives are changed, the associated plan will also need to be revised.



| # | OBJECTIVE | TASKS | RESOURCES REQUIRED | PERSON RESPONSIBLE | COMPLETION TIMESCALE | EVALUATION METHOD |
|---|---|---|---|---|---|---|
| 1. | All identified plans are in place | List plans; Implement plans; Verify plans | Specialist IT team; Internal audit | Business Continuity Manager | 12 months | List of signed off plans |
| 2. | All business continuity plans have been tested within the last 2 years | Agree testing schedule; Conduct tests; Produce test reports | Operational staff time | Business Continuity Manager | 12 months | Business Continuity test reports |
| 3. | Training in business continuity has been provided for all key resources | Identify key resources; Identify courses; Attend courses; Complete training records | Training budget; Time of attendees | Business Continuity Manager | Six months | Training records |
| 4. | Reduce amount spent on business continuity | Review budget; Identify savings; Evaluate effect of reduction | Finance Manager | Business Continuity Manager | 12 months | Financial budget reports |
| 5. | Increase number of days provided by business teams for business continuity activities | Agree allocation with top management; Plan involvement; Conduct activities; Record days spent | Business teams | Chief Operations Officer | 12 months | Timesheets of key personnel |
| 6. | Reduce number of high priority risks on risk register | Hold workshops to identify ideas; Implement ideas; Reassess risks | Risk owners; IT team | Business Continuity Manager | Nine months | Risk register |

Table 2: Plan to achieve objectives


4 Resources to manage and improve the BCMS

In addition to the specific resources required to meet the objectives set out within this document, the following resources will be required on an ongoing basis to manage and improve the BCMS.

4.1 Human resources

The human resources needed for the BCMS are shown in Table 3. For more details of the specific responsibilities and authorities of the roles described here, see the BCMS document Roles, Responsibilities and Authorities.

| BCMS ROLE | RESOURCES REQUIRED | COMMENTS |
|---|---|---|
| Business Continuity Steering Group | 1 day per quarter for each member | Assuming quarterly meetings |
| Business Continuity Manager | 1 x Full Time Equivalent | Assumed to be a full-time role |
| Business Process Owners | 1-3 days per quarter | Depends upon nature and number of processes owned |
| Department Managers | 2 days per annum | Mainly awareness activities and participation in exercises and testing |
| IT Technicians | No additional resource | Business continuity is already part of relevant roles |
| IT Users | 1 day per annum | Attendance at awareness events |

Table 3: Human resources required to run the BCMS

[Describe any additional human resources that may be required e.g. contractors or secondments]

4.2 Technical resources

[Set out any equipment and IT hardware and software that will be needed as part of running the BCMS]


4.3 Information resources

[State what additional information you will need e.g. new reports from existing systems, access to external sources such as subscriptions to relevant organizations]

4.4 Financial resources

[What additional budget, if any, is needed? When is it required and is it capital or revenue?]


5 Risks and opportunities for the BCMS

5.1 Risks to the BCMS

The following risks have been identified to the plans to achieve the objectives set out in this document. These will be managed as part of regular management reviews of the BCMS.

| # | RISK | LIKELIHOOD | IMPACT | SCORE | RISK RATING | TREATMENT |
|---|---|---|---|---|---|---|
| 1. | Resources may not be available to take on the proactive elements of business continuity that are not currently being carried out. | | | | | |
| 2. | Timescales to implement the improvements necessary to achieve ISO 22301 may not be long enough given the degree of change and show sufficient track record for the audit | | | | | |
| 3. | Staff fail to engage with the BCMS leading to issues with plan development and testing | | | | | |
| 4. | Management are not sufficiently involved in the creation of the new quality system to carry it forward once certification gained | | | | | |

Table 4: Risks to the BCMS

5.2 Opportunities for the BCMS

The following opportunities have been identified which may assist in preventing or reducing undesired effects or achieving continual improvement within the BCMS:

| # | OPPORTUNITY | OPP. OWNER | POTENTIAL BENEFIT | ACTIONS | TIMESCALE |
|---|---|---|---|---|---|
| 1. | Recent disruptive incidents at competitor organizations have raised the profile of business continuity in the industry | Business Continuity Manager | May make it easier to convince management of the need for additional strategies and plans | Identify strategies that may have prevented the incidents at competitors | Six months |
| 2. | Increased budget in key departments | Business Continuity Manager | Some of this budget could be invested in additional business continuity protection | Discuss with department heads | 12 months |

Table 5: Opportunities for the BCMS


6 Conclusion

This business continuity management plan is an essential part of the continual improvement of the BCMS within [Organization Name]. The objectives set for the year under consideration and the plans made to achieve them are intended to be challenging but achievable and will go a long way to protecting the organisation from disruptive incidents that may occur both now and in the future.
