A Guide to Business Continuity Planning

A Guide to Business Continuity Planning

[Total: 0    Average: 0/5]


Disasters can strike any time. These range from large-scale natural catastrophes and acts of terror to technology-related accidents and environmental incidents. The causes of hazards may be different – whether human negligence, malevolence or natural disasters but their likelihood (and seriousness) is no less real.

The purpose of this document is to give an overview of what is Business Continuity Planning and provide some guidance and resources for beginner.


General Information


This International Standard specifies requirements for setting up and managing an effective Business Continuity Management System (BCMS).

A BCMS emphasizes the importance of :

  • — understanding the organization’s needs and the necessity for establishing business continuity management policy and objectives,


  • — implementing and operating controls and measures for managing an organizations overall capability to manage disruptive incidents,


  • — monitoring and reviewing the performance and effectiveness of the BCMS, and


  • — continual improvement based on objective measurement.


A BCMS, like any other management system, has the following key components:


  • a policy;


  • people with defined responsibilities;


  • management processes relating to
    1. policy,
    2. planning,
    3. implementation and operation,
    4. performance assessment,
    5. management review, and
    6. improvement;


  • documentation providing auditable evidence; and


  • any business continuity management processes relevant to the organization.


Business continuity contributes to a more resilient society. The wider community and the impact of the organization’s environment on the organization and therefore other organizations may need to be involved in the recovery process.


The Plan-Do-Check-Act(PDCA) Model






What Is Business Continuity Planning


Business Continuity refers to the activities required to keep your organization running during a period of displacement or interruption of normal operation.

Whereas,  Disaster Recovery is the process of rebuilding your operation or infrastructure after the disaster has passed.

According to Business Continuity Institute’s Glossary2:

“Business continuity plan is a collection of procedures and information which is developed, compiled and maintained in readiness for use in the event of an emergency or disaster.”



When We Need Business Continuity Plan?


We need Business Continuity Plan when there is a disruption to our business such as disaster. The Business Continuity Plan should cover the occurrence of following events:



  1. a) Equipment failure (such as disk crash).
  2. b) Disruption of power supply or telecommunication.
  3. c) Application failure or corruption of database.
  4. d) Human error, sabotage or strike.
  5. e) Malicious Software (Viruses, Worms, Trojan horses) attack.
  6. f) Hacking or other Internet attacks.
  7. g) Social unrest or terrorist attacks.
  8. h) Fire
  9. i) Natural disasters (Flood, Earthquake, Hurricanes)


Who Should Participate in Business Continuity Planning?

Normally Business Continuity Coordinator or Disaster Recovery Coordinator will responsible for maintaining Business Continuity Plan. However his or her job is not updating the Plan himself or herself alone. His or Her job is to carry out review periodically by distribute relevant parts of the Plan to the owner of the documents and ensure the documents are updated.



How ISO 22301 Helps




How to Prepare Business Continuity Plan

Business Continuity Planning Phases

  1. Project Initiation
  • Define Business Continuity Objective and Scope of coverage.
  • Establish a Business Continuity Steering Committee.
  • Draw up Business Continuity Policies.


  1. Business Analysis
    • Perform Risk Analysis and Business Impact Analysis.
    • Consider Alternative Business Continuity Strategies.
    • Carry out Cost-Benefit Analysis and select a– Strategy.
    • Develop a Business Continuity Budget.


3. Design and Development (Designing the Plan)

  • Set up a Business Recovery Team and assign responsibility to the members.
  • Identify Plan Structure and major components
  • Develop Backup and Recovery Strategies.
  • Develop Scenario to Execute Plan.
  • Develop Escalation, Notification and Plan Activation Criteria.
  • Develop General Plan Administration Policy.


4. Implementation (Creating the Plan)

  • Prepare Emergency Response Procedures.
  • Prepare Command Center Activation Procedures.
  • Prepare Detailed Recovery Procedures.
  • Prepare Vendors Contracts and Purchase of Recovery Resources.
  • Ensure everything necessary is in place.
  • Ensure Recovery Team members know their Duties and Responsibilities.



5. Testing

  • Exercise Plan based on selected Scenario.
  • Produce Test Report and Evaluate the Result.
  • Provide Training and Awareness to all Personnel.


6. Maintenance (Updating the Plan)

  • Review the Plan periodically.
  • Update the Plan with any Changes or Improvement.
  • Distribute the Plan to Recovery Team members.


Business Continuity Plan outline (simplified based on the sample BCP provided by MIT)



  1. Overview a Purpose
    1. Assumptions
    2. Development
    3. Maintenance e Testing


2. Organization of Disaster Response and Recovery

  1. Steering Committee
  2. Business Continuity Management Team
  3. Organization Support Teams
  4. Disaster Response
  5. Disaster Detection and Determination
  6. Disaster Notification


3. Initiation of the Business Continuity Plan

  1. Activation of a Site
  2. Dissemination of Public Information
  3. Disaster Recovery Strategy
  4. Emergency Phase
  5. Backup Phase
  6. Recovery Phase


  1. Scope of the Business Continuity Plan
    1. Category I – Critical Functions
    2. Category II – Essential Functions
    3. Category III – Necessary Functions
    4. Category IV – Desirable Functions



  1. Business Continuity Management Team
  2. Organization Support Teams
  • Damage Assessment/ Salvage Team
  • Transportation Team
  • Physical Security Team
  • Public Information Team
  • Insurance Team
  • Telecommunication Team


  1. Notification List

– Contact Information for all the Teams’ members.

  1. Action Procedures

– List of Actions to be carried out by each Team.









About The Author

Khaled Alaa

Khaled Alaa, Information Security Engineer at Raya Data Center



Leave a Reply

Your email address will not be published. Required fields are marked *