
R Systems International Ltd.

C-40, Sector 59
Noida 201 307
(U.P.), India
http://www.rsystems.com/

Information Security Aspects of Business Continuity Management Policy

Document Id.: ISPolicy032


ISguide

Version No.: 3.1

Released on: 25/05/22

This document of R Systems International Ltd. is for internal circulation. No part of this publication may be
reproduced, stored in a retrieval system, or transmitted in any form or by any means – recording,
photocopying, electronic and mechanical without prior written permission of R Systems International Ltd.

Review History

| S.No. | Review Date | Reviewed By | Approved By |
|---|---|---|---|
| 1 | 09/06/06 | ISMS Forum | Doc Changed and DCR raised |
| 2 | 01/06/09 | ISMS Forum | Doc Changed and DCR raised |
| 3 | 07/04/11 | ISMS Forum | No Change |
| 4 | 01/06/12 | ISMS Forum | Doc Changed and DCR raised |
| 5 | 09/08/12 | ISMS Forum | Doc Changed and DCR raised |
| 6 | 01/01/14 | Manager QAG | Doc Changed and DCR raised |
| 7 | 15/06/15 | Manager QAG | Doc Changed and DCR raised |
| 8 | 15/06/15 | Sr. Manager QAG | Doc Changed and DCR raised |
| 9 | 18/07/17 | Sr. Manager QAG | Doc Changed and DCR raised |
| 10 | 25/07/19 | Sr. Manager QAG | No Change |
| 11 | 24/07/20 | Sr. Manager QAG | No Change |
| 12 | 22/07/21 | SFG | No Change |
| 13 | 25/05/22 | QAG | Doc Changed and DCR raised |

DOCUMENT CONTROL SHEET

Document History

| Ver. No. | Release Date | DCR Ref. | Description of Change | Authored/Revised By | Reviewed By | Approved By |
|---|---|---|---|---|---|---|
| 1.0 | 09/06/06 | DCR/002 | Final release | QA Group | ISMS Forum | CISO |
| 2.0 | 01/06/09 | DCR/ISMS/059 | ISMS Periodic Review | QAG | ISMS Forum | CISO |
| 2.0 | 07/04/11 | NA | Periodic Review | QAG | ISMS Forum | CISO |
| 2.1 | 01/06/12 | DCR/ISMS/100 | Minor changes – section 3.3.2 & 3.6 updated | QAG | ISMS Forum | CISO |
| 2.2 | 09/08/12 | DCR/ISMS/105 | Classification changed to Internal | QAG | ISMS Forum | CISO |
| 2.3 | 01/01/14 | DCR/ISMS/112 | RSI Logo Updated | ISMS Team | Manager QAG | CISO |
| 3.0 | 15/06/15 | DCR/ISMS/122 | Document revised and updated as per ISO 27001:2013 | ISMS Team | Manager QAG | CISO |
| 3.0 | 15/06/15 | DCR/ISMS/132 | Annual Review | ISMS Team | Sr. Manager QAG | CISO |
| 3.0 | 18/07/17 | DCR/ISMS/136 | Annual Review, Review Date: 18/06/18 | ISMS Team | SFG | CISO |
| 3.1 | 25/05/22 | DCR/ISMS/148 | Changes – section 3.4 and 3.5 updated | ISMS Team | SFG | CISO |

Notes:
• Only controlled hardcopies of the document shall have signatures on them.
• This is an internal document. Unauthorized access or copying is prohibited.
• Uncontrolled when printed unless signed by approving authority.

© R Systems International Limited 2022

Table of Contents

1.0 Overview
2.0 Objective
3.0 Policy
3.1 Information Security Continuity
3.2 Business Continuity Strategy
3.3 Disaster Recovery Plan (DRP)
3.4 Business Continuity Plan
3.5 Testing and Maintenance of Business Continuity Plan
3.6 Redundancies

©R Systems International Ltd Internal ISPolicy032

Business Continuity Management Policy

1.0 Overview

Every business can experience a serious incident that can obstruct normal business
operations. The Management has the responsibility to recover from such incidents within the
acceptable downtime.

2.0 Objective

• To counteract interruptions to business activities
• To protect critical business processes from the effects of major failures of information
  systems or disasters
• To ensure the timely resumption of business activities from disruptions
• To ensure that the Business Continuity Plan is tested and updated regularly

3.0 Policy

3.1 Information Security Continuity

3.1.1 Planning Information Security Continuity

RSI shall determine its requirements for information security and the continuity of
information security management in adverse situations, e.g. during a crisis or
disaster.

• Risk Assessment

Business process owners shall be responsible for ensuring that the key events that
can cause disruption to their processes are identified and that the probability of their
occurrence and their potential adverse impact are documented. Threats and
applicable vulnerabilities shall be identified for information assets within the
process. Threats, applicable vulnerabilities, their impact on assets and existing
controls shall be evaluated to identify risks to information assets while:

• Developing the business continuity plan;
• Reviewing and updating the business continuity plan (once a year); and
• Testing the business continuity plan through tests, which shall be
  performed bi-annually.

Risk and impact assessment shall be reported by process owners to ISMS Forum.

3.1.2 Implementing Information Security Continuity

• A managed process shall be developed and maintained for business
  continuity throughout the organization that addresses the information
  security requirements needed for the organization’s business
  continuity.
• Plans shall be developed and implemented to maintain or restore
  operations and ensure availability of information at the required level
  and in the required time scales following interruption to, or failure of,
  critical business processes.

The business continuity management cycle at RSI shall be as below:

[Figure 1: Business Continuity Management Process. Cycle diagram with the elements Business Impact
Analysis, Business Continuity Strategy, Disaster Recovery Plan, Business Continuity Plan, and Testing and
Maintenance.]

3.2 Business Continuity Strategy

A single common framework shall be followed for drafting continuity plans as per
business requirements, which shall include the key stakeholders and third parties.
The risks and business impacts shall be considered for developing and updating
the business continuity strategy of the company. The framework shall include but
not be limited to:
• Establishing recovery time objectives;
• Conditions for disaster declaration and plan invocation;
• Disaster Recovery Plan;
• Business Continuity Plan; and
• Testing and maintenance program.

3.3 Disaster Recovery Plan (DRP)


IT and Technical teams shall develop and maintain a Disaster Recovery Plan for
assets whose availability is critical to the organization. The DRP for such assets
shall include but not be limited to:
• Alternate server room facilities;
• Computer hardware replacement;
• Software and data (backup and) recovery;
• System connectivity; and
• Physical and logical security.


3.4 Business Continuity Plan

Processes identified to be at considerable risk and causing significant business
impact (as per risk and business impact analysis) shall have a plan for resuming
the business process in the event of disruption. BRP shall be the responsibility of
the respective process owners. Business resumption plans shall include but not be
limited to (Refer to ISPlan002):

• Identification of muster points where personnel would gather in the
  event of declaration of an emergency/disaster;
• Recovery organization and command center setup, including strategic
  outsourced partners and third parties;
• Damage assessment checklist;
• Resource requirements;
• List of important contacts;
• Purchase of suitable insurance in view of the BIA;
• Draft press release in the event of a business disruption; and
• Essential vendor list.

It shall also comprise a crisis management program including but not limited to:
• List of command centers;
• Directions to muster points;
• Emergency response procedures (during and after normal business
  hours);
• Communication procedures, including but not limited to crisis
  management team, strategic outsourced partners, third parties; and
• Executive succession.

3.5 Testing and Maintenance of Business Continuity Plan

The business continuity plan shall be tested on a half-yearly basis in order to ensure
that the BCP is valid and effective during adverse situations. The testing and
maintenance program shall include but not be limited to (Refer to ISPlan002):
• BCP audit checklist;
• Test drills;
• Responsibility for testing;
• Procedures for updating the BCP; and
• Controls for access to BCP.

3.6 Redundancies
3.6.1 Availability of Information Processing Facilities
Information processing facilities shall be implemented with redundancy sufficient to
meet availability requirements as per the business objectives.

Version No: 3.1 7 Page 7 of 7 Release Date: 25/05/22
