Skip to main content

Business Continuity and Disaster Recovery Procedure

Source basis

Ported from policies/Core 12 Security Policy - Business Continuity Plan.md in the legacy ISMS backup. Use this as the current maintained Markdown version and track operational records in core12-isms-management.

Purpose

The purpose of this Business Continuity and Disaster Recovery (BCP/DR) Plan is to ensure the organization's ability to maintain essential operations, safeguard critical assets, and recover systems and data in a timely and controlled manner in the event of a disruption. This includes, but is not limited to, incidents such as cyberattacks, system failures, natural disasters, crisis, and infrastructure outages, and human error.

Scope

Applies to all Locations, IT systems, employees, and business units responsible for service delivery, client work, and internal operations. Includes office, employees, cloud services, workstations, web applications, marketing platforms, and file storage.

Objectives

  • Ensure safety of employees during crisis or disaster.

  • Maintain office safety and security during crisis or disaster.

  • Minimize downtime and business impact.

  • Ensure protection and recovery of customer and company data.

  • Maintain communication and coordination during incidents.

  • Ensure regulatory and contractual compliance.

Business Continuity Disaster Recovery Procedures

Step 1: Incident Detection & Notification

  • Monitor systems continuously.
  • Report incidents to the Incident Manager.
  • Notify staff via internal chat/email.

Step 2: Impact Assessment

  • Assess affected systems.
  • Determine downtime duration and data loss potential.
  • Escalate to management if needed.

Step 3: System Recovery

  • Implement appropriate BCP DR Plan
  • Use failover systems or cloud redundancy if available.
  • Verify system integrity and access control.

Step 4: Communication

  • Internal update: Status email/teams message every 2 hours.
  • Client notification (if impact extends beyond SLA).

Step 5: Post-Incident Review

  • Document timeline and actions.
  • Perform root cause analysis.
  • Review and update BCP/DR procedures.

Response Teams and Roles

RoleResponsibility
Incident ManagerActivates plan, oversees recovery
Communications LeadUpdates clients, internal staff
Information Security OfficerEnsures regulatory communication

Employee & Office Strategy

To ensure business continuity and the safety of personnel during incidents or disruptions, the following strategies are in place:

FunctionDescription
Office SecurityAll employees are issued a building access card, key to the office, and alarm code. Setting the alarm and securing the office is the responsibility of the last employee in the building at any given time.
Remote Work CapabilityAll employees are able to access work tools and cloud platforms from their home office in the event of office inaccessibility.
Emergency CommunicationAlternate channels (e.g., Microsoft Teams, personal SMS groups, encrypted messaging apps) are maintained for business continuity and safety updates.
Access Control and OffboardingPersonnel access rights are reviewed regularly. System access is revoked immediately upon termination or role change.
Evacuation ProceduresAll staff are trained on emergency exit routes, evacuation meeting points, and fire drill protocols.
Shelter-in-Place ReadinessIf evacuation is unsafe, employees are informed of shelter-in-place locations and protocols within the building.
Visitor Safety ProtocolsAll visitors must sign in at the main entrance and be accompanied by authorized personnel to ensure their safety in emergencies.
Workplace Safety TrainingAnnual training covers not only cyber threats but also physical safety, incident response, and personal preparedness.

IT Systems Strategy

Client Projects, IT Services, Managed Devices, and must have defined backup procedures in the BCP DR Plan for each type of asset. Backups follow the schedule outlined below.

FunctionFrequency / RetentionStorage Location Strategy
Client CommunicationContinuous / 30 daysCloud Hosts / Cloud Storage / Off-Premise Backups
Design & Creative WorkContinuous / 2years / 180daysManaged Device / Cloud Storage / Cloud Design Tools / Off-Premise Backups
Web Application /
Website Development
Continuous / VersionedManaged Device /Cloud Code Repos / Off-Premise Backups
Hosting Web Application /
Website
Daily / 30 daysCloud Hosts / Off-Premise Backups
Digital Projects (Email / Social)Daily / 30 daysManaged Device / Cloud Storage / Cloud Hosts / Off-Premise Backups
File Storage & BackupOngoingManged Device / Cloud Storage / Off-Premise Backups

Recovery SLA

FunctionRecovery Time ObjectiveRecovery Strategy
Client Communication4 hoursAlternate Email / Messaging Platforms
Design & Creative Work1 business dayCloud Storage / Cloud Design Tools / Off-Premise Backups
Web Application / Website1 business dayCloud Code Repos / Off-Premise Backups
Hosting & Web Support2 hoursCloud Hosts / Auto-Scaling / Failover Systems / Off-Premise Backups
Digital Projects (Email / Social)1 business dayCloud Hosts / Cloud Storage / Off-Premise Backups
File Storage & BackupOngoingCloud Storage / Off-Premise Backups