Business Continuity and Disaster Recovery Policy Template

Adopting a full set of information security policies is a critical step in ensuring that every department and employee understands their role in helping protect company, customer, and employee data.

Please use these policy templates as a way to get your organization on the right track when it comes to full policy creation and adoption.

Business continuity and disaster recovery allow our organizations to continue operating during or recover from unforeseen circumstances that may otherwise stall business or security operations. Having staff who understands what to do in these moments is critical and this policy will guide what goes into those decisions.

Free Resource

Download our free Business Continuity and Disaster Recovery Policy Template now.

Purpose

The purpose of the (Company) Continuity and Recovery Policy is to provide direction and general rules for the creation, implementation, and management of the (Company) Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).

Audience

The (Company) Continuity and Recovery Policy applies to individuals accountable for ensuring business continuity and disaster recovery processes are developed, supported, tested, and maintained.

Table of Contents

Policy

Business Continuity

Business Continuity focuses on sustaining the organization’s critical business processes during and after a disruption.

• (Company) must create and implement a Business Continuity Plan (“BCP”).
• The BCP must be periodically tested and the results should be shared with executive management.
• The BCP must be reviewed and updated upon any relevant change to the organization, at the conclusion of plan testing, or least annually.
• The BCP must be communicated and distributed to all relevant internal personnel and executive management.
• Business continuity planning should ensure that:
  • the safety and security of personnel is the first priority;
  • an adequate management structure is in place to prepare for, mitigate and respond to a disruptive event using personnel with the necessary authority, experience, and competence;
  • documented plans, response and recovery procedures are developed and approved, detailing how the organization will manage a disruptive event.
  • A risk assessment for critical business processes and operations (Business Impact Analysis);
  • An inventory of critical systems and records, and their dependencies;
  • Requirements for ensuring information security throughout the process;
  • Identification of supply chain relationships and the organization’s role to support critical infrastructure;
  • Processes to ensure the safety of personnel;
  • Communication strategies for communications both inside and outside the organization;
  • Mitigation strategies and safeguards to reduce impact;
  • Strategies to address and limit the reputational impact from an event;
  • Contingency plans for different types of disruption events;
  • Protection and availability of plan documentation;
  • Procedures for plan tests, review, and updates.

  Disaster Recovery

  Disaster Recovery focuses on restoring the technology systems that support both critical and day-to-day business operations.

  • (Company) must create and implement a Disaster Recovery Plan (“DRP”) to support business objectives outlined in the (BCP/critical processes identified by a Business Impact Analysis).
  • The DRP must be tested annually, at a minimum.
  • The DRP must be reviewed and updated upon any relevant change to IT Infrastructure, at the conclusion of plan testing, or least annually.
  • The DRP must be communicated and distributed to all relevant internal personnel and executive management.
  • The (Company) DRP must include at a minimum:
    • Roles and responsibilities for implementing the disaster recovery plan;
    • List of potential risks to critical systems and sensitive information;
    • Procedures for reporting disaster events, event escalation, recovery of critical operations, and resumption of normal operations;
    • Requirements for ensuring information security throughout the process;
    • An inventory of backups and offsite storage locations;
    • Contingency plans for different types of disruption events;
    • Protection and availability of plan documentation;
    • Procedures for plan tests, review, and updates.

    Definitions

    References

    • ISO 27002: 17
    • NIST CSF: ID.BE, PR.IP, RS.RP, RS.CO, RS.IM, RS.RP, RC.IM, RC.CO
    • Information Classification and Management Policy
    • Business Continuity Plan
    • Disaster Recovery Plan

    Waivers

    Waivers from certain policy provisions may be sought following the (Company) Waiver Process.

    Enforcement

    Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.

    Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.