Business Continuity Plan (BCP) - basic principles
How to create a BCP according to ISO 22301.
A business continuity plan (BCP) ensures that the organisation can keep its critical functions running during an incident and restore normal operation after the disruption. ISO 22301 is the international business continuity management standard; it defines a structured approach to developing, implementing, testing and improving such a plan.
- Perform a business impact analysis (BIA)
Identify the organisation's critical processes, their interdependencies, and the operational, financial, legal and reputational impact of losing them. The key recovery indicators to record in the BIA are:
MTD (Maximum Tolerable Downtime): the longest outage after which the organisation suffers significant or unacceptable impact;
RTO (Recovery Time Objective): the target time within which a process or system must be restored after an incident;
RPO (Recovery Point Objective): the maximum permissible data loss, expressed as a period of time;
MTTR (Mean Time To Restore): the average time needed to restore a system, service or process after a failure.
- Identify risk scenarios
Assess the disruption scenarios that could affect the organisation's operations, such as natural disasters, cyber attacks, data loss, unavailability of key personnel, supplier problems or failures of critical infrastructure.
- Develop response and recovery strategies
Define practical measures that keep the business running, such as alternative work sites, standby systems, data backups, manual working procedures and crisis communication arrangements. The strategies must be consistent with the MTD, RTO, RPO and MTTR values identified in the BIA: a strategy whose realistic restoration time exceeds the RTO, or whose backup interval exceeds the RPO, does not meet the objective.
- Prepare BCP documentation
Document contact lists, responsibilities, escalation procedures, restoration procedures, system and process dependency maps, and action plans for each incident scenario.
- Perform regular testing
Test the effectiveness of the BCP using methods such as tabletop exercises, simulations or full-scale tests. Each test must assess whether the actual recovery times meet the defined RTO and MTTR objectives. Testing must take place at least once a year and after any significant change to the organisation's processes, systems or infrastructure.
- Ensure training and regular review
The staff involved must know their roles and responsibilities during an incident. The BCP must be reviewed and updated regularly so that it reflects the current organisational structure, technologies, risks and operational needs.
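The consistency rules above (RTO within MTD, MTTR within RTO, a process not recovering faster than the processes it depends on, test results within RTO and RPO, and retesting at least yearly) can be checked mechanically against a BIA register. The following Python script is an added example, not part of the original article or of ISO 22301; the record layout, field names, hour units and sample processes are constructed for illustration.

```python
"""Consistency checks for BIA recovery indicators and BCP test results.

Added example, not part of the original article. The record layout,
field names and sample values below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class ProcessRecord:
    """One critical process from the BIA with its recovery indicators (hours)."""
    name: str
    mtd: float            # Maximum Tolerable Downtime
    rto: float            # Recovery Time Objective
    rpo: float            # Recovery Point Objective (permissible data loss, as time)
    mttr: float           # Mean Time To Restore observed for the supporting system
    depends_on: list[str] = field(default_factory=list)


@dataclass
class TestResult:
    """Outcome of one BCP exercise (tabletop, simulation or full-scale test)."""
    process: str
    tested_on: date
    recovery_hours: float      # time actually needed to restore the process
    data_loss_hours: float     # age of the most recent data that was recovered


def check_indicators(p: ProcessRecord) -> list[str]:
    """Internal consistency of one process's own indicators."""
    findings = []
    if p.rto > p.mtd:
        findings.append(f"{p.name}: RTO {p.rto}h exceeds MTD {p.mtd}h")
    if p.mttr > p.rto:
        findings.append(f"{p.name}: MTTR {p.mttr}h exceeds RTO {p.rto}h, strategy not credible")
    return findings


def check_dependencies(records: dict[str, ProcessRecord]) -> list[str]:
    """A process cannot be restored sooner than the processes it depends on."""
    findings = []
    for p in records.values():
        for dep_name in p.depends_on:
            dep = records.get(dep_name)
            if dep is None:
                findings.append(f"{p.name}: depends on unknown process {dep_name!r}")
            elif dep.rto > p.rto:
                findings.append(f"{p.name}: RTO {p.rto}h is shorter than dependency "
                                f"{dep.name} RTO {dep.rto}h")
    return findings


def check_tests(records: dict[str, ProcessRecord], results: list[TestResult],
                today: date, max_age_days: int = 365) -> list[str]:
    """Compare the latest exercise per process with RTO/RPO and flag overdue retests."""
    latest: dict[str, TestResult] = {}
    for r in results:
        if r.process not in latest or r.tested_on > latest[r.process].tested_on:
            latest[r.process] = r
    findings = []
    for p in records.values():
        r = latest.get(p.name)
        if r is None:
            findings.append(f"{p.name}: never tested")
            continue
        if r.recovery_hours > p.rto:
            findings.append(f"{p.name}: tested recovery {r.recovery_hours}h misses RTO {p.rto}h")
        if r.data_loss_hours > p.rpo:
            findings.append(f"{p.name}: tested data loss {r.data_loss_hours}h misses RPO {p.rpo}h")
        if today - r.tested_on > timedelta(days=max_age_days):
            findings.append(f"{p.name}: last test on {r.tested_on} is older than {max_age_days} days")
    return findings


def evaluate(records: list[ProcessRecord], results: list[TestResult], today: date) -> list[str]:
    """Run every check; an empty list means the register is internally consistent."""
    index = {p.name: p for p in records}
    findings = []
    for p in records:
        findings.extend(check_indicators(p))
    findings.extend(check_dependencies(index))
    findings.extend(check_tests(index, results, today))
    return findings


# Constructed sample BIA: order processing depends on the customer database but
# was given a tighter RTO than the database it needs; payroll's observed MTTR
# exceeds its RTO; one test missed its RTO and one is more than a year old.
SAMPLE_PROCESSES = [
    ProcessRecord("customer-db", mtd=24, rto=8, rpo=1, mttr=6),
    ProcessRecord("order-processing", mtd=12, rto=4, rpo=2, mttr=3, depends_on=["customer-db"]),
    ProcessRecord("payroll", mtd=72, rto=48, rpo=24, mttr=60),
]
SAMPLE_TESTS = [
    TestResult("customer-db", date(2024, 3, 10), recovery_hours=7, data_loss_hours=0.5),
    TestResult("order-processing", date(2024, 9, 1), recovery_hours=5, data_loss_hours=1),
    TestResult("payroll", date(2023, 1, 15), recovery_hours=40, data_loss_hours=12),
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_PROCESSES, SAMPLE_TESTS, today=date(2025, 1, 1)):
        print(line)
```

Running the script on the constructed sample reports four findings: payroll's MTTR exceeds its RTO, order processing cannot meet its 4-hour RTO while it depends on a database with an 8-hour RTO, the order-processing exercise took longer than its RTO, and the payroll plan has not been exercised within the last year. The dependency rule is the one most often missed in practice, because each process owner sets an RTO in isolation.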