Business Continuity and Disaster Recovery Procedure
Ported from policies/Core 12 Security Policy - Business Continuity Plan.md in the legacy ISMS backup. Use this as the current maintained Markdown version and track operational records in core12-isms-management.
Purpose
The purpose of this Business Continuity and Disaster Recovery (BCP/DR) Plan is to ensure the organization's ability to maintain essential operations, safeguard critical assets, and recover systems and data in a timely and controlled manner in the event of a disruption. This includes, but is not limited to, incidents such as cyberattacks, system failures, natural disasters, crises, infrastructure outages, and human error.
Scope
Applies to all locations, IT systems, employees, and business units responsible for service delivery, client work, and internal operations. Includes the office, employees, cloud services, workstations, web applications, marketing platforms, and file storage.
Objectives
- Ensure safety of employees during crisis or disaster.
- Maintain office safety and security during crisis or disaster.
- Minimize downtime and business impact.
- Ensure protection and recovery of customer and company data.
- Maintain communication and coordination during incidents.
- Ensure regulatory and contractual compliance.
Business Continuity Disaster Recovery Procedures
Step 1: Incident Detection & Notification
- Monitor systems continuously.
- Report incidents to the Incident Manager.
- Notify staff via internal chat/email.
Step 2: Impact Assessment
- Assess affected systems.
- Determine downtime duration and data loss potential.
- Escalate to management if needed.
Step 3: System Recovery
- Implement the appropriate BCP DR Plan.
- Use failover systems or cloud redundancy if available.
- Verify system integrity and access control.
Step 4: Communication
- Internal update: Status email/Teams message every 2 hours.
- Client notification (if impact extends beyond SLA).
Step 5: Post-Incident Review
- Document timeline and actions.
- Perform root cause analysis.
- Review and update BCP/DR procedures.
Response Teams and Roles
| Role | Responsibility |
|---|---|
| Incident Manager | Activates plan, oversees recovery |
| Communications Lead | Updates clients, internal staff |
| Information Security Officer | Ensures regulatory communication |
Employee & Office Strategy
To ensure business continuity and the safety of personnel during incidents or disruptions, the following strategies are in place:
| Function | Description |
|---|---|
| Office Security | All employees are issued a building access card, key to the office, and alarm code. Setting the alarm and securing the office is the responsibility of the last employee in the building at any given time. |
| Remote Work Capability | All employees are able to access work tools and cloud platforms from their home office in the event of office inaccessibility. |
| Emergency Communication | Alternate channels (e.g., Microsoft Teams, personal SMS groups, encrypted messaging apps) are maintained for business continuity and safety updates. |
| Access Control and Offboarding | Personnel access rights are reviewed regularly. System access is revoked immediately upon termination or role change. |
| Evacuation Procedures | All staff are trained on emergency exit routes, evacuation meeting points, and fire drill protocols. |
| Shelter-in-Place Readiness | If evacuation is unsafe, employees are informed of shelter-in-place locations and protocols within the building. |
| Visitor Safety Protocols | All visitors must sign in at the main entrance and be accompanied by authorized personnel to ensure their safety in emergencies. |
| Workplace Safety Training | Annual training covers not only cyber threats but also physical safety, incident response, and personal preparedness. |
IT Systems Strategy
Client Projects, IT Services, and Managed Devices must have defined backup procedures in the BCP DR Plan for each type of asset. Backups follow the schedule outlined below.
| | | | |
|---|---|---|---|
| Client Communication | Continuous / 30 days | Cloud Hosts / Cloud Storage / Off-Premise Backups | |
| Design & Creative Work | Continuous / 2 years / 180 days | Managed Device / Cloud Storage / Cloud Design Tools / Off-Premise Backups | |
| Web Application / Website Development | Continuous / Versioned | Managed Device / Cloud Code Repos / Off-Premise Backups | |
| Hosting Web Application / Website | Daily / 30 days | Cloud Hosts / Off-Premise Backups | |
| Digital Projects (Email / Social) | Daily / 30 days | Managed Device / Cloud Storage / Cloud Hosts / Off-Premise Backups | |
| File Storage & Backup | Ongoing | Managed Device / Cloud Storage / Off-Premise Backups | |
Recovery SLA
| | | | |
|---|---|---|---|
| Client Communication | 4 hours | Alternate Email / Messaging Platforms | |
| Design & Creative Work | 1 business day | Cloud Storage / Cloud Design Tools / Off-Premise Backups | |
| Web Application / Website | 1 business day | Cloud Code Repos / Off-Premise Backups | |
| Hosting & Web Support | 2 hours | Cloud Hosts / Auto-Scaling / Failover Systems / Off-Premise Backups | |
| Digital Projects (Email / Social) | 1 business day | Cloud Hosts / Cloud Storage / Off-Premise Backups | |
| File Storage & Backup | Ongoing | Cloud Storage / Off-Premise Backups | |