APPENDIX 1: BCM POLICY
<Organization>
Business continuity management policy
<Version>
<Date of approval and publishing>
Objective
The objective of the business continuity management (BCM) policy is to ensure the sufficient and effective design, initiation, implementation and maintenance of the BCM program within <organization> according to the stakeholders’ requirements, legal and regulatory mandates, and recognized and adopted standards and best practices.
Policy statement
<Organization> will initiate, implement, and maintain an effective BCM program and related activities to ensure proper identification and protection of critical assets, proactive threat reduction and risk management, and effective recovery from failures and incidents in order to continue the delivery of critical processes and products and services.
Policy ownership and maintenance
The ownership of the BCM policy for <organization> is assigned to <BCM owner>. <BCM owner> is responsible for maintaining the BCM program as relevant, enforced, and continuous.
Disaster definition
At <organization>, disasters are defined as events that have occurred, or are expected to occur, that affect the critical assets and cause:
- severe effects on human lives and well-being, directly or indirectly;
- severe outage to the critical processes;
- severe damage to the critical assets of <organization>;
- severe damage, or loss, to <organization>’s data and information;
- severe damage to <organization>’s IT infrastructure and services;
- severe damage, or impact, to <organization>’s reputation, brand, and public perception.
Policy guidelines
BCM – main guidelines
- The BCM program at <organization> will have effective management, financial support, and resource allocation for its various activities and tasks.
- <Organization> will ensure that the BCM program will conform to recognized standards and best practices as well as legal and regulatory requirements, such as <applicable standards>.
- A set of crisis management, business recovery, and IT disaster recovery plans will be developed, tested, and maintained.
BCM – program ownership and management
- The BCM program at <organization> will be owned by <BCM owner>, who is responsible for the effective setup and maintenance of the program.
- <BCM owner> will be assisted by a steering committee composed of <list of members (with titles) of BCM steering committee> in order to facilitate supervision and control over the program.
- The operational activities of the BCM at <organization> will be assigned to <BCM manager>, who will coordinate and participate in the implementation and the execution of the plans and activities.
- <BCM manager> will be assisted by a team of business continuity professionals and departmental/regional coordinators, who facilitate the implementation and activities in their respective departments/geographical areas.
- The decision to declare the start/end of disasters and invoke/end the relevant actions and plans is the sole responsibility of the BCM owner assisted by the BCM steering committee.
Business impact analysis
- <Organization> will conduct a business impact analysis in which critical processes, assets, and resources are identified according to the impacts of outages and failures on <organization>.
- The business impact analysis at <organization> will be conducted once a year or whenever major changes have occurred in <organization> or when instructed by <BCM owner>.
- Business impact analysis will define criticality over time, maximum acceptable downtime, recovery time objective, recovery point objective, and recovery resources.
- The execution of the business impact analysis process may be based on the organizational structure or on the products and services of <organization>.
- The results of the business impact analysis should be consolidated in one report submitted to, reviewed by, and approved by the BCM owner assisted by the BCM steering committee.
Threat and risk assessment
- <Organization> will implement a threat and risk assessment process following the execution of the business impact analysis and in accordance with <organization>’s risk management policies, frameworks, and practices.
- The threat and risk assessment process will be implemented once a year or whenever there is a major change within <organization>.
- Identified threats and risks should be accompanied by a management action and treatment plan.
- The results of the threat and risk assessment should be consolidated in one report submitted to, reviewed by, and approved by the BCM owner assisted by the BCM steering committee.
Strategy
- <Organization> will set the strategic options and directions to follow in order to meet the requirements of the business impact analysis and to mitigate the risks identified by the threat and risk assessment.
- The strategy will be reviewed once a year or whenever there is a major change in <organization>.
- The strategy should cover the following areas: processes, people, premises, technology, data and information, and vendors and supplies.
- The results of the strategy options should be consolidated in one report submitted to, reviewed by, and approved by the BCM owner assisted by the BCM steering committee.
Planning
- <Organization> will develop the required plans to direct recovery efforts in the event of disasters.
- The plans should cover: crisis management, departmental recovery, IT disaster recovery, and technical recovery procedures.
- Plans should be reviewed and updated once a year or whenever a major change has occurred within <organization>.
Testing
- <Organization> will test the developed plans to make sure they are effective.
- Tests will be conducted once a year or whenever a major change has occurred in <organization>.
Training and awareness
- <Organization> will deliver a training program to develop the required skills for the relevant teams in BCM.
- An awareness program will be delivered to raise BCM knowledge and the information levels of employees at <organization>.
Maintenance and update
- The BCM program at <organization> will be reviewed and updated once a year. Nevertheless, new products, services, strategic plans, organizational restructurings, and other initiatives will be considered for their impact on the BCM program and may trigger, if needed, a review and update of the program.