In the policy template below, anything in < Here > should be tailored to the organisation.
Purpose
This Business Continuity and Disaster Recovery Plan guides <Company> in the event of a significant business disaster or other disruption to normal service. <Company> responds to business disasters and disruptions by safeguarding employees’ lives and company assets, making a financial and operational assessment, securing data, and quickly recovering operations.
Scope
This policy applies to:
- <Environment, servers, systems etc should be listed if in scope>
RACI matrix
<Include a RACI matrix table to cover roles and responsibilities for the processes set up by the policy>
Policy Statement
Alternate Physical Location(s) of Employees
<Here we should list alternative locations for offices. This can be remote work, co-working locations, hot or warm office sites or similar, depending on your business. The text below assumes remote work.>
<Company> employees and contractors are typically capable of working remotely, such as from home, and available to do so in a disaster. A decision on shutting a location should be made by the Business Continuity Committee.
Priorities
In the event of a disaster affecting our essential systems or team members, the Business Continuity Committee will meet and designate a Disaster Recovery Team for immediate action.
The priorities during a business disaster are, in order, to:
- Secure the safety of team members and visitors;
- Mitigate threats or limit the damage that threats can cause to <Company> and/or our stakeholders;
- Ensure that essential business functions can continue, or determine what is required to restart essential business functions.
Alternate Communication
<Here we include alternative communication plans for the Business Continuity Committee to use. It can be Telegram, WhatsApp, Signal or old-fashioned phones. The goal is to have a way to get in touch that doesn’t rely on the standard communication tooling (emails, IMs etc.)>
Testing
Testing the plan is critical to ensuring the plan is effective and practical. Any gaps in the plan that are discovered during the testing phase will be addressed by <> and any designee. All tests must be thoroughly documented.
Testing of this plan may be performed using the following methods:
Walkthroughs
Team members walk through the steps documented in this plan to confirm effectiveness and identify gaps, bottlenecks or other weaknesses. This walkthrough provides the opportunity to review the plan with a larger subset of people, allowing <> to draw upon an increased pool of knowledge and experiences. Team members should be familiar with procedures, equipment, and offsite facilities.
Table Top Exercises
A disaster is simulated so normal operations will not be interrupted. Hardware, software, personnel, communications, procedures, supplies and forms, documentation, transportation, utilities, and alternate site processing should be thoroughly tested in a simulation test. Validated checklists can provide a reasonable level of assurance for many of these scenarios. Analyze the output of the previous tests carefully before the proposed simulation to ensure the lessons learned during the previous phases of the cycle have been applied.
Exemption process
For environments that cannot meet the above requirements for any reason, the team responsible for managing the impacted systems must raise an exemption request. To raise a request, please follow the process below:
- <This process should be tailored to the organisation. It can tie into a formal risk management process or it can be an email request/approval, depending on the organisation's maturity.>
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with the company.