What is a Business Continuity Plan?

Business continuity planning is a proactive practice that aims to avoid and mitigate the risks associated with a disruption of operations. The resulting business continuity plan (BCP) should ensure that personnel and assets are protected and able to function in the event of a disaster.


What is the Primary Goal of Business Continuity Planning?

The primary goal of business continuity planning is to minimize the impacts of an unforeseen event on business operations. However, this is a rather general goal. Before creating a business continuity plan, it’s important to keep in mind the goals of a thorough strategy:

  • Be proactive: Understand and prepare for events that may happen before they occur.
  • Mitigate risks: Reduce the impact of exposure and the likelihood of its occurrence.
  • Minimize the disruption of operations: Define the organization’s recovery objectives and develop strategies to enable their achievement.


Why a Business Continuity Plan is Important

The cost of not having a business continuity plan for an organization can be significant. A wide variety of events - from a ransomware attack to a global pandemic - can degrade or destroy an organization’s ability to operate normally.

An organization without a business continuity plan will be caught unprepared in the event of a disruption. The downtime caused by such an event can damage the organization’s profitability and its relationships with customers. An inability to maintain operations during a crisis can cause a loss of sales and customers as consumers choose a “more reliable” alternative.



Business Continuity Plan vs. Disaster Recovery Plan

Business continuity plans and disaster recovery plans are often discussed together since both describe how the business plans to react to unforeseen circumstances.

However, they are not the same thing. A business continuity plan should describe how the organization plans to maintain operations while the crisis is ongoing. A disaster recovery plan, on the other hand, is a strategy for restoring normal operations throughout the business after the crisis has occurred.


Incident Response Plan vs. Business Continuity Plan

While the BCP’s goal is to continue operations in the wake of a disruption of any type, an incident response plan (IRP) is a subset of it that provides the instructions to follow in the event of a security breach.

An IRP must incorporate elements of the organization’s business continuity and disaster recovery plans while focusing its efforts on a specific type of risk. As with the BCP and DRP, timeliness is a critical factor in putting an incident response plan into action. In this case, however, the plan focuses on helping staff to quickly detect, contain, and eradicate a cyber threat.



How to Write a Business Continuity Plan

The creation of a business continuity plan is a necessary exercise for any business, but it can seem overwhelming. The key to creating an effective plan is identifying what it should include and following a defined process that moves from identifying risks to developing strategies for mitigating them during a crisis.

What Does a Business Continuity Plan Typically Include?

The contents of a business continuity plan can vary dramatically from one organization to another. Depending upon an organization’s unique business needs, certain business continuity plan components may be included or discarded as unnecessary.

Much like disaster recovery and incident response plans, communication is critical not only in the planning phase but also in the execution of the strategies designed to maintain continuity of operations. Therefore, a key element of every business continuity plan is the definition of the relevant roles and responsibilities of the team, and of the communication channels to be used when the plan is activated in response to a crisis.

Another important consideration when developing a business continuity plan is contractual and regulatory requirements. From a contractual viewpoint, a business continuity plan must include strategies for ensuring that the organization meets service level agreements (SLAs) with clients and customers.

Regulatory authorities can also have an impact on the structure and contents of an organization’s business continuity plan. For merchants and others who must be PCI compliant, the business continuity plan must fulfill certain requirements. According to the Payment Card Industry Data Security Standard (PCI DSS), the plan must address the following:

  • Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of the payment brands
  • Specific incident response procedures
  • Business recovery and continuity procedures
  • Data backup processes
  • Analysis of legal requirements for reporting compromises
  • Coverage and responses for all critical system components
  • Reference or inclusion of incident response procedures from the payment brands

Business Continuity Planning Steps

There are seven general steps to developing an effective business continuity plan:

  1. Perform a Business Impact Assessment
    • Identify critical information and applications
    • Determine the impact of loss
  2. Evaluate different continuity strategies based upon the impact of disruption
  3. Define recovery time objectives (RTO) and recovery point objectives (RPO) in the event continuity cannot be maintained
  4. Evaluate different recovery strategies
  5. Develop a comprehensive written plan
  6. Test the BCP at least once a year
  7. Make changes and improvements along the way

A word of caution: Having these business continuity planning steps doesn’t mean the process will be linear or a one-time exercise. When working through it, new discoveries may require revisiting earlier steps. While this may lengthen the planning process, it will improve the final plan and enable it to better serve the organization.


Maintaining a Business Continuity Plan

An organization’s business continuity plan should not be a document that is created, filed, and forgotten. Business continuity plans should be reviewed and updated on at least an annual basis, and whenever significant business or system changes occur. Plans regarding critical business systems and processes should be reviewed more often, at least every six months. As part of this process, the business continuity plan should be tested to ensure that it is effective and that employees know how to respond appropriately to unforeseen circumstances.

Beyond these scheduled reviews, organizations should also have processes in place to review and update their business continuity plans asynchronously in response to an incident. For example, the COVID-19 pandemic caught many organizations unprepared as they were forced to abruptly transition most or all of their workforces to telework.

After any major incident, whether a data breach or reaction to a pandemic, the business continuity plan should be revised immediately.



Is it Okay to Use a Business Continuity Plan Template?

Depending on the complexity of your business and how averse to risk it is, a business continuity plan template may adequately serve the organization’s needs. For instance, a small company with a high risk tolerance may be able to cover its bases with minor tailoring of stock material.

However, the most effective business continuity plan is one that is structured and written with the organization in mind from the ground up. This helps to ensure that all important factors are considered and all areas are covered.


Getting Help with Your Business Continuity Plan

The creation of an effective business continuity plan requires a great deal of in-depth and specialized knowledge. An effective business continuity plan is based upon a deep understanding of an organization’s network, regulatory requirements, and best practices for maintaining secure, effective operations in the face of a crisis.

Taking advantage of business continuity plan consultant services is a good idea while working through the process. Avertium advisors can provide information regarding regulatory requirements for business continuity plans and guidance on adapting plans based upon best practices to meet an organization’s unique business needs.

With Avertium's information security advisory services, you get a business continuity plan with more rigor, more relevance, and more responsiveness. Contact us today.