INTRODUCTION
EXECUTIVE SUMMARY
This policy describes how the company implements appropriate controls for a business recovery and continuity
plan covering the delivery of IT services and business operations in the event of an incident or disaster.
The company shall establish the processes necessary to deliver services effectively at any point in time, without
interruption. This includes employees’ activities, data processing, the security controls in place, and the
management of third parties.
The policy takes into account the requirements of ISO 27001 and other relevant standards.
SCOPE
The policy addresses the controls and IT processes that enable and ensure continuous service to customers. It
covers the information technology processes that provide service availability, as defined in the business impact
analysis, in the event of a major business disruption. It also describes how to validate the continuity plan and
test the business requirements, taking into consideration:
- Criticality classification
- Alternative procedures
DISCLAIMER. The sample documents below are provided for general information purposes only. Your use of any of these sample
documents is at your own risk, and you should not use any of these sample documents without first seeking legal and other
professional advice. Any similarities are coincidental as per usual and standard policies in the industry.
Magda CHELLY, Ph.D, CISSP®
- Problem management
RESPONSIBILITIES
The company’s management must establish, together with the business owners, a continuity framework with
defined roles and responsibilities and a methodology to follow in case of disaster.
There should be a written Business Continuity Plan containing the details below.
The continuity plan shall list, with all the required identification details, the:
- Critical applications;
- Third-party services;
- Operating systems;
- Personnel;
- Suppliers;
- Related data.
The critical data and operations shall be identified, documented, prioritized and approved by the business
owners, in cooperation with IT security staff.
Management should ensure that the business continuity plan for IT and information security is aligned with the
company-wide business continuity plan; the two must be consistent. The plan should ensure consistency in both
the short and the long term. It should define the minimum requirements needed to provide continuity and
consistency, covering all components: facilities, hardware, software, equipment, forms, suppliers, etc.
PROCEDURES
If the business continuity plan is outsourced, the points below are crucial:
If the business continuity plan is carried out by IT or management, the points below are crucial:
a. The IT/security manager collects all relevant information from the IT employees, the business owners and the
other stakeholders.
b. The IT/security manager builds a short- and long-term IT strategy plan. The plan needs senior management
approval, followed by budget committee approval, before finally being tested both structurally and practically.
c. The plan should also take into consideration the change procedures, to ensure business continuity.
d. The plan must be maintained, updated, and tested after any major technology change. The changes that need
to be taken into consideration should include any updates regarding:
- Personnel;
- Addresses or telephone numbers;
- Business strategy;
- Location, facilities and resources;
- Legislation;
- Contractors and suppliers;
- Processes;
- Clients;
- Risk (technical, operational and financial).
The business continuity plan should follow the continuity plan maintenance procedures.
Updates to the business continuity plan need to be justified with a business case and prepared for approval. After
approval, the changes may be implemented in the business continuity plan.
The business continuity plan must be tested on a regular basis, at least once a year. The test needs to confirm the
plan’s accuracy and effectiveness.
The business continuity plan test should be prepared and documented, and all test results should be reported.
The test results should feed an action plan. The objective of the test is to confirm the effectiveness of the plan
under real-life conditions.
Full simulation
An important step for the success of the business continuity plan is training. When several stakeholders are
involved, a clear training session is a must, and it should cover all procedures to be followed.
The continuity plan is confidential and should only be distributed to authorized personnel, on a need-to-know
basis. The plan should be kept in a secured location, with an additional backup copy. The plan shall be classified
“Internal Use Only”.
After services are successfully resumed following a disaster, the company and its management should assess
the success and adequacy of the continuity plan and update it accordingly.
- Does your company have a formal Business Continuity and Disaster Recovery Plan?
- How often does your company test and update the plan?
- Does your company have alternative facilities? If yes, which kind, and how far away are they from the principal
office?
- Does your company offer redundancy options? If yes, how do you test their effectiveness?
- Does your company have redundant data centers? How often does the company test backups?