Business Continuity & Disaster Recovery Policy

1 Objective

The objective of this policy is to provide guidelines for <Company Name>’s business continuity and disaster recovery. The document prescribes the requirements to plan for recovery during disasters so that business commitments to customers can always be met.

2 Scope

This document is applicable to all processes and operations in <Company Name> within the scope of the ISMS.

3 Policy statement

<Company Name> is committed to ensuring the highest level of service to its customers. Thus, continuity of operations in a secure manner must be planned for and embedded in the organization’s business continuity management and disaster recovery planning activities.

4 Information Security Aspect of Business Continuity Management

4.1 Information Security Continuity

4.1.1 Planning Information Security Continuity

  • Organization-wide information security processes shall include information security requirements to help ensure that the confidentiality, integrity, and availability of critical information assets are preserved even in the event of a business disruption or disaster.

  • <Company Name> shall identify recovery guidelines that can be taken as a baseline reference to classify mission-critical systems and develop recovery and restoration plans.

  • A strategy plan shall be developed for the overall business continuity/disaster recovery approach. Information security controls applicable during business as usual (BAU) scenarios shall remain applicable even during disaster scenarios. All exceptions shall require approval from the Information Security Officer and senior management.

4.1.2 Implementing Information Security Continuity

  • <Company Name> shall ensure that an adequate framework is in place to prepare for, mitigate, and respond to a disruptive event using personnel with the necessary authority, experience, and competence.

  • <Company Name> shall identify personnel with the necessary responsibility, authority, and competence to manage an incident and maintain information security.

  • <Company Name> should consider the development and approval of comprehensive and well-documented plans, response strategies, and recovery procedures to effectively manage and mitigate the impact of any potential disruptive event.

4.1.3 Verify, Review & Evaluate Information Security Continuity

  • Information security controls for all business continuity sites and systems shall be reviewed and verified. Business continuity plans shall be tested and updated regularly to ensure they remain current and effective.

  • The roles and responsibilities for both information systems’ contingency planning and recovery shall be reviewed and updated at least annually.

4.2 Redundancies

  • <Company Name> shall identify business requirements for the availability of information systems.

  • Redundant components or architectures shall be considered wherever availability cannot be guaranteed using the existing systems architecture.

  • Redundant information systems shall be tested to ensure the successful failover from one component to another.

5 Document Security Classification

Company Internal (please refer to the Data Classification policy for more details).

6 Non-Compliance

Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.

7 Responsibilities

The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.

8 Schedule

This document shall be reviewed annually and whenever significant changes occur in the organization.

Last updated