Business Continuity Plan ISO 22301

1. Purpose, scope, and users

The Business Continuity Plan aims to define precisely how Resolver Inc. will manage incidents in the case of a disaster or other disruptive incident and how it will recover its activities within set deadlines. The objective of this plan is to keep the damage caused by a disruptive incident at an acceptable level.

This plan is applied to all critical activities inside the Business Continuity Management System (BCMS) scope.

Users of this document are all staff members, both inside and outside the organization, who have a role in business continuity.

2. Reference documents

  • ISO 22301 standard, clause 8.4
  • ISO/IEC 27701:2019 standard, clause 5
  • List of statutory, regulatory, contractual and other requirements
  • Business Continuity Policy
  • Business Impact Analysis Questionnaires
  • Business Continuity Strategy

3. Business Continuity Plan

3.1. Plan Content

The Business Continuity Plan consists of these major parts:

  • Business Continuity Plan – defines top-level rules for business continuity
  • Incident Response Plan – Appendix 1 – a plan that defines the direct response to the occurrence of various types of incidents
  • Disaster Recovery Plan – a plan that defines the recovery of IT infrastructure and IT services
  • Recovery plans for individual activities – prepared separately for each activity – Appendix 7 onwards – plans dealing with the recovery of the resources necessary for each activity

Each of these plans defines its activation procedure.

3.2. Assumptions

For this plan to be effective, at least 50% of the resources and arrangements specified in the Business Continuity Strategy need to be prepared.

3.3. Appointment and Authorities

The following bodies are formed when a disruptive incident occurs:

Crisis Management Team

Members                      | Substitutes | Role
CTO & CISO                   |             | Business Continuity (BC) Coordinator
CISO                         |             | Crisis Management Team member
DPO                          |             | Crisis Management Team member
CEO                          |             | Crisis Management Team member
DevOps Director              |             | Crisis Management Team member
HR Director                  |             | Crisis Management Team member
VP Finance                   |             | BC Manager
IT Directors                 |             |
Information Security Analyst |             | BC Manager (backup)

Crisis Management Support Team

Members        | Substitutes | Role
IT team        |             |
DevOps Team    |             |
Support team   |             |
HR Team        |             |
Marketing Team |             |

The purpose of the Crisis Management Team is to make all key decisions and coordinate actions during the disruptive incident; the purpose of the Crisis Management Support Team is to relieve the Crisis Management Team of administrative and other operational activities so that it can focus on managing the disruptive incident. Crisis Management Support Team members report directly to the Crisis Management Team.

Recovery managers for individual activities are appointed in the recovery plans for the said activities.

Authorizations for action during the disruptive incident are the following:

Type of decision | Who is authorized
How small incidents related to IT and communications technology are resolved | Employees in the IT Department
How all other small incidents are resolved | Employees in the Information Security Department
Making a decision about invoking recovery plans | BC Coordinator
Making a decision about the selection of an alternative site (use of the close or remote alternative site) | BC Coordinator
Informing employees about the invocation of recovery plans | BC Coordinator; if he/she is unable to do it, then the recovery manager for the individual activity
Implementing all tasks necessary for the recovery of individual activities | Recovery Manager for the individual activity
Content of the communication for different interested parties | Chief Customer Officer
Selecting information to be provided to the public media during the disruptive incident | VP Customer Success
Purchases during the disruptive incident – over CAD$100000 | CEO and VP Finance
Purchases during the disruptive incident – up to CAD$100000 | BC Coordinator or delegate

3.4. Plan activation; plan deactivation

The Incident Response Plan is activated automatically if an incident occurs or a potential incident threatens the organization's activities. The Incident Response Plan is deactivated after the incident has been contained or eradicated.

The Disaster Recovery Plan and recovery plans for particular activities are activated exclusively by the BC Coordinator's decision, if he/she assesses that a particular activity will be interrupted for a period longer than the recovery time objective for that activity. The decision of the BC Coordinator may be written or oral.

The Disaster Recovery Plan and recovery plans may be deactivated by the recovery managers for individual activities when they establish that all conditions for the resumption of business activities have been met. The Disaster Recovery Plan and recovery plans are deactivated by resuming normal business activities.

3.5. Communication

The following means will be used for communication between the Crisis Management Team and activities, and between activities themselves – they are ordered according to priority (the first one from the list is to be used first; in case it is not available, the next one is used):

  1. Mobile phones (business and private)
  2. Telephones (business and private)
  3. E-mail (sent from business or private computers)
  4. Messaging services – e.g., Zoom, Teams, Slack.

The BC Coordinator in the Crisis Management Team is responsible for coordinating communication with all activities.

Responsibilities for communicating with particular interested parties are specified in the Incident Response Plan.

3.6. Site and Transportation

The BC Coordinator is responsible for ensuring access to each provided alternative site. Appendix 3 specifies all provided alternative sites.

Responsibilities for transportation to alternative sites are specified in Appendix 4 – Transportation Plan.

3.7. Order of recovery for activities

Activities must be recovered in the following order:

No. | Name of activity                   | Recovery time objective
#1  | Customer Support Department        | 1 hour
#2  | DevOps Department                  | 1 hour
#3  | IT Department                      | 4 hours
#4  | Professional Services              | 4 hours
#5  | Information Security Department    | 4 hours
#6  | Legal Department                   | 8 hours
#7  | Development/Engineering Department | 8 hours
#8  | QA Department                      | 8 hours
#9  | Finance Department                 | 24 hours
#10 | HR Department                      | 48 hours
#11 | Executive Department               | 48 hours
#12 | Product Management Department      | 72 hours
#13 | Sales Department                   | 72 hours
#14 | Marketing Department               | 96 hours

3.8. Interdependencies and interactions

The dependencies and interactions between activities, as well as with suppliers and external parties, are detailed in the Incident Response Plan, the Disaster Recovery Plan, and individual recovery plans for activities.

3.9. Required resources

Resources that are required for the recovery of the activities are listed in their recovery plans; the resources required for the recovery of IT infrastructure and IT services are listed in the Disaster Recovery Plan.

3.10. Regular review of business impact analysis

The BC Manager must conduct a review of the Business Impact Analysis Questionnaires and update the Business Continuity Strategy accordingly. The review is conducted at least once a year, or more frequently in case of significant organizational changes, a significant change in technology, a change of business objectives, changes in the business environment, etc.

The Command Centre, which serves the Crisis Management Team and Crisis Management Support Team, is equipped as follows:

Name of resource | Description | Amount | When the resource is necessary | Person responsible for obtaining the resource

Applications / databases:
Office 365 | Online SaaS service | | immediately | Information Systems Director
Slack | Online SaaS service | | 1 hour |
Salesforce | Online SaaS service | | 4 hours |
Box | Online SaaS service | | 4 hours |

Data stored in electronic form:
Business Continuity Strategy and plans for all activities | All documentation stored online in shared Box folder and OneDrive, and on local machines | | immediately |

Data stored on paper:
Business Continuity Strategy and plans for all activities | | | immediately |

IT and communications equipment:
Workstations | | | immediately |
Mobile or landline phones | | | immediately |
Printer / Fax Machine | | | within 2 hours |

Communication channels:
Telephone landlines | RingCentral | | immediately |
Internet access | | | immediately |

Facilities and infrastructure:
Computer network | | | immediately |
Furniture | | | immediately |

External services:
Electricity | | | immediately |

4. Restoring and resuming business activities from temporary measures

The purpose of restoring and resuming the business activities from temporary measures is to bring the business operations back to business-as-usual – to the normal state as it was prior to the disruptive incident.

The steps described in this section are not time-critical – they are to be performed in proportion to the impact of the disruptive incident and in accordance with available resources. The BC Coordinator makes the decision to activate each of the following steps.

The following steps need to be performed, in this order:

  1. Preservation of the damaged assets and evaluation of damage
  2. Assessment of the situation and determining options and responsibilities
  3. Developing an action plan – determining the steps needed to return activities to the normal state

4.1. Preservation of damaged assets and evaluation of damage

The BC Coordinator will nominate the team to preserve the damaged assets – the focus of this team is to prevent the damage from spreading.

The BC Coordinator will nominate the team for evaluation of the damage. The evaluation must record the following: name of the asset, location of the asset, type of damage, and cost of damage.

4.2. Assessment of the situation & determining options and responsibilities

Depending on the extent of the damage, the BC Coordinator needs to decide the following: (1) whether to move back to the primary location or look for a new location, (2) whether to purchase new equipment or repair the existing equipment, (3) when and where the operations of activities that do not support key products and services (activities with lower priority) will be recovered/resumed, and (4) whether there are enough human resources to support normal operations, etc.

Based on these decisions, the BC Coordinator must nominate responsible persons for the following:

  1. Making claims against insurance policies
  2. Restoring facilities
  3. Acquiring new facilities
  4. Logistics for moving to other locations
  5. Repairing the equipment
  6. Purchasing new equipment
  7. Hiring new personnel
  8. Recovering lower priority activities

4.3. Developing action plans

Each responsible person must develop an action plan for his/her area of responsibility, which will – amongst other information – contain the following:

  1. steps to be taken,
  2. required human resources,
  3. required financial resources, and
  4. deadlines.

The BC Coordinator must define:

  1. how to provide the necessary funding,
  2. the procurement process and authorizations,
  3. which reports will be sent to the Crisis Management Team, and
  4. who will review the steps once they are complete.

5. Validity and document management

This document is valid as of August 2022.

This document is stored in the following way:

  • The electronic form of the document is stored in a shared folder in Box: Link should be provided

The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • Did activities recover within the required time?
  • Are the Recovery plan and Incident Response Plan synchronized?
  • Did exercising and testing achieve objectives?

6. Appendices

  • Appendix 1 – Incident Response Plan
  • Appendix 6 – Disaster Recovery Plan

EFFECTIVE ON: August 2023

REVIEW CYCLE: Annual at least and as needed