
Business Continuity & Recovery Policy

This document outlines the Continuity and Recovery Policy for Company. The policy provides direction for developing, implementing, testing and maintaining both a Business Continuity Plan and Disaster Recovery Plan. It requires the creation of a BCP to sustain critical business processes during disruptions, and a DRP to restore technology systems. Both plans must be tested annually, updated as needed, and communicated to personnel and management. The policy defines requirements for business continuity and disaster recovery planning.

Uploaded by

Phanankosi Dube

Continuity and Recovery Policy, version 1.0.

Status: ✘ Working Draft Approved Adopted
Document Owner: Information Security Committee
Last Review Date: August 2020

Continuity and Recovery Policy


Purpose
The purpose of the (Company) Continuity and Recovery Policy is to provide direction and general rules for the
creation, implementation, and management of the (Company) Business Continuity Plan (BCP) and Disaster
Recovery Plan (DRP).

Audience
The (Company) Continuity and Recovery Policy applies to individuals accountable for ensuring business continuity
and disaster recovery processes are developed, supported, tested, and maintained.

Policy

Business Continuity
Business Continuity focuses on sustaining the organization’s critical business processes during and after a disruption.
• (Company) must create and implement a Business Continuity Plan (“BCP”).
• The BCP must be periodically tested and the results should be shared with executive management.
• The BCP must be reviewed and updated upon any relevant change to the organization, at the conclusion of plan testing, or at least annually.
• The BCP must be communicated and distributed to all relevant internal personnel and executive management.
• Business continuity planning should ensure that:
  o the safety and security of personnel is the first priority;
  o an adequate management structure is in place to prepare for, mitigate and respond to a disruptive event using personnel with the necessary authority, experience, and competence;
  o documented plans, response and recovery procedures are developed and approved, detailing how the organization will manage a disruptive event.
• The BCP must include, at a minimum:
  o A risk assessment for critical business processes and operations (Business Impact Analysis);
  o An inventory of critical systems and records, and their dependencies;
  o Requirements for ensuring information security throughout the process;
  o Identification of supply chain relationships and the organization’s role to support critical infrastructure;
  o Processes to ensure the safety of personnel;
  o Communication strategies for communications both inside and outside the organization;
  o Mitigation strategies and safeguards to reduce impact;
  o Strategies to address and limit the reputational impact from an event;
  o Contingency plans for different types of disruption events;
  o Protection and availability of plan documentation;
  o Procedures for plan tests, review, and updates.

Disaster Recovery
Disaster Recovery focuses on restoring the technology systems that support both critical and day-to-day business operations.
• (Company) must create and implement a Disaster Recovery Plan (“DRP”) to support business objectives outlined in the (BCP/critical processes identified by a Business Impact Analysis).
• The DRP must be tested annually, at a minimum.
• The DRP must be reviewed and updated upon any relevant change to IT Infrastructure, at the conclusion of plan testing, or at least annually.
• The DRP must be communicated and distributed to all relevant internal personnel and executive management.
• The (Company) DRP must include at a minimum:
  o Roles and responsibilities for implementing the disaster recovery plan;
  o List of potential risks to critical systems and sensitive information;
  o Procedures for reporting disaster events, event escalation, recovery of critical operations, and resumption of normal operations;
  o Requirements for ensuring information security throughout the process;
  o An inventory of backups and offsite storage locations;
  o Contingency plans for different types of disruption events;
  o Protection and availability of plan documentation;
  o Procedures for plan tests, review, and updates.

Definitions
See Appendix A: Definitions

References
• ISO 27002: 17
• NIST CSF: [Link], [Link], [Link], [Link], [Link], [Link], [Link], [Link]
• Information Classification and Management Policy
• Business Continuity Plan
• Disaster Recovery Plan

Waivers
Waivers from certain policy provisions may be sought following the (Company) Waiver Process.

Enforcement
Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of
employment, and related civil or criminal penalties.
Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and
including removal of access rights, termination of contract(s), and related civil or criminal penalties.


Version History
Version Modified Date Approved Date Approved By Reason/Comments

1.0.0 August 2020 FRSecure Document Origination
