Page 1 of 1

Business Continuity Policy

1. Staff contact list

If there is ever a business disruption or emergency, call the main contact on-call as soon as you can. Please fill in the on-call contacts below or upload the list of on-call contacts in section 1.1
1.1 Upload list of on-call contacts (Optional)

2. Business Priorities

Priority 1: Functioning of the (including portal, website, and all other tech assets] within 1 day
Priority 2: Restore physical workspace within 2 weeks
Priority 3: Restore IT Infrastructure within 1 day
Priority 4: Replace key Resource within 2 months

2.1 Fill in 's business priorities

3. Plan Activation Procedures

3.0.1 Does have a plan activation procedure?

3.1 Plan activation process

3.1.1. Identify the nature of disruption.
3.1.2. Is the nature of disruption impacting the:
1. Site?
2. Key Staff?
3. Physical premises?
4. Other resources
If the answer to above is No, do not activate the BCP, but monitor the situation
3.1.3. If the answer to above is Yes,
1. Activate the plan
2. Notify key stakeholders
3. Take Steps to manage the disruption
4. See relevant section of the plan for key actions (depending on the impact type)
3.1.4. Once the disruption is over, stand down plan & return to business as usual

3.2 Physical premises

Objective
1. Establish the current situation at the affected physical premise
Actions/ Considerations
1. What has happened?
2. When did it occur?
3. Are the Emergency Services informed or on-site?
4. Is there access to the site?
5. Are the IT systems and services still running?
6. Who else has been informed?
7. How potentially serious is it?
8. Are there any casualties? If so, details?
2. Decide whether to invoke Business Continuity plan
Consideration should be given to:
1. How quickly the business will be able to re-enter the affected workspace?
2. Prevailing weather conditions.
3. Whether the area is currently responding to an external incident.
4. If the decision is to relocate key staff to the agreed alternative accommodation alert the site
5. If the decision is made not to invoke the plan, continue to monitor the situation until such time as normal access is granted to the disrupted location.
3. Communicate with staff, external vendors, or customer
1. IF EVACUATION IS NEEDED: follow site evacuation plan considering staff, customer, and visitor safety.
2. Keep staff informed at Assembly Points until a decision has been made about whether the building is likely to become available again soon. If the building will not be available, relocate identified key staff to the agreed alternative workspace and consider sending other staff home and tell them to await instructions. Remind them to check in with their manager at an agreed time.
3. Out of Hours: if the disruption occurs outside office hours, staff communication will be coordinated by the manager or their designated staff member.
4. Take the Emergency Grab bag with you.

3.2.1 What is your BCP plan activation for physical premises?

3.3 Platform/ IT Systems/ Data

Objective
1. Confirm the nature of disruption.
Actions/ Considerations
1. What has happened?
2. When did it occur?
3. Which systems and/or services are affected?
4. How potentially serious is it?
5. What is the estimated duration of the problem?
6. Who else has been informed (staff/suppliers/customers)?
2. Decide whether to invoke Business Continuity Plan
The decision will be based on the information provided.
Consideration should be given to:
1. How long systems will be unavailable?
2. Whether the systems affected required to support the business priorities?
3. Whether the area currently responding to an external incident?
4. Inform staff that the Business Continuity Plan is being invoked or put staff on standby or invoke alternate systems to ensure that the service can continue to operate.
5. If the decision is made to not invoke the plan, continue to monitor the situation until such time as normal service is resumed.
3. Enter specific actions or considerations if the disruption is due to non availability of IT Systems or Data
1. Shift to alternate server/infrastructure
2. Rerouting of access to an alternate server
3. Accessing and making available critical data to customers
4. Accessing and making available critical data to key staff which has been protected.
5. Keeping backup data securely off-site as defined in the ISMS Policy
6. Working from a secondary location unaffected by the IT issue.

3.3.1 What is your Platform/ IT systems/ Data plan if BCP is invoked?

3.4 Key Staff

Objective
1. Confirm the nature of disruption.
Actions/ Considerations
1. What has happened?
2. When did it occur? 3. Who and how many are affected?
4. Which systems and/or services are affected?
5. How potentially serious is it?
6. What is the estimated duration of the problem?
7. Who else has been informed (staff/suppliers/customers)?
2. Decide whether to invoke Business Continuity Plan
The decision will be based on the information provided.
Consideration should be given to:
1. How long staff will be unavailable?
2. Whether the staff affected required to support the business priorities?
3. Whether the area is currently responding to an external incident?
4. Inform staff that the Business Continuity Plan is being invoked or put staff on standby or invoke alternate systems to ensure that the service can continue to operate.
5. If the decision is made to not invoke the plan, continue to monitor the situation until such time as normal service is resumed.
3. Enter specific actions or considerations if the disruption is due to non availability of Staff
1. Shift to alternate server/infrastructure
2. Rerouting of access to an alternate server
3. Accessing and making available critical data to customers
4. Accessing and making available critical data to key staff which has been protected.
5. Keeping backup data securely off-site as defined in the ISMS Policy
6. Working from a secondary location unaffected by the IT issue.

3.4.1 What is your plan for key staff if BCP is invoked?

3.5 Vendor Services

Objective
1. Confirm the nature of disruption.
Actions/ Considerations
1. What has happened?
2. When did it occur? 3. Who and how many are affected?
4. Which systems and/or services are affected?
5. How potentially serious is it?
6. What is the estimated duration of the problem?
7. Who else has been informed (staff/suppliers/customers)?
2. Decide whether to invoke Business Continuity Plan
The decision will be based on the information provided.
Consideration should be given to:
1. How long the vendor services will be unavailable
2. Whether the vendor is required to support the business priorities?
3. Whether the vendor area is currently responding to an external incident
4. Inform staff and vendor that the Business Continuity Plan is being invoked.
5. If the decision is made to not invoke the plan, continue to monitor the situation until such time as normal service is resumed.
3. Enter specific actions or considerations if the disruption is due to non availability of vendor services
1. Change to alternate servers, if necessary
2. Allow the vendor staff to operate out of some other temporary office premises
3. Employ temporary staff
4. Offer overtime
5. Consider outsourcing some services to another vendor if possible until you are ready to restore and deliver them yourselves.

3.5.1 What is your plan for vendor services if BCP is invoked?

3.6 Other Resources

Objective
1. Confirm the nature of disruption.
Actions/ Considerations
1. What has happened?
2. When did it occur? 3. Which systems and/or services are affected?
4. How potentially serious is it?
5. What is the estimated duration of the problem?
6. Who else has been informed (staff/suppliers/customers)?
2. Decide whether to invoke Business Continuity Plan
The decision will be based on the information provided.
Consideration should be given to:
1. How long resources will be unavailable?
2. Whether the resources affected required to support the business priorities?
3. Whether the area is currently responding to an external incident?
4. Inform staff that the Business Continuity Plan is being invoked or put staff on standby to ensure that the service can continue to operate.
5. If the decision is made not to invoke the plan, continue to monitor the situation until such time as normal service is resumed
3. Enter specific actions or considerations if the disruption is due to non availability of resources
1. Arrangements/contracts to hire / borrow / purchase replacement resources from suppliers.
2. Protective measures for resources e.g. not having all resources at one site/shop/office.
3. Planning for loss of power for up to 2 days.
4. Planning for disruption to key water utilities.

3.6.1 What is your plan for other resources if BCP is invoked?

4. Supporting information

4.1 Staff welfare

4.1.1 Staff needs to be given clear direction about what the priorities of the business are, this can be achieved by having well-thought-out continuity strategies in place. Ensure that you monitor staff more closely to ensure that their welfare is maintained (e.g. regular breaks due to increased intensity or pressure of work, and support in case their normal duties change).
4.1.2 Staff must be made aware of what communication methods are going to be used so they can find out the latest information, especially if they are going to be working from home or a different location than normal. If staff is going to be working from a different location, ensure that they know where the location is (provide a map and or directions, if necessary) and they are able to get there and get access.
4.2.1 Out of office hours
The manager for the business or the designated staff member will keep staff up to date by the following methods:
1. Calling staff and passing on essential information.
2. Mobile phone text cascade of information if appropriate.
Information may be available via the following depending on the reason for disruption:
4.2.2 Information may be available via the following depending on the reason for disruption:
Business name and website
Or via the Social Media account

4.1.2 Do you have a staff welfare and communication plan as part of your Business Continuity Plan at

4.1.3 Do you have an onboarding team to carry out the instructions sent by ISM and VP Engineering for all HR security-related matters.

4.3 Media/PR

4.3.1. Do you have a media or communications plan in place?

4.3.1. In the event of a major disruption to the business, the communications lead must be contacted to inform them of what has happened and the estimated length of the disruption and possible impacts of the disruption.

5.Maintenance

5.1. Review contact lists every 12 months and reviews the whole plan annually. Carry out a text during the meeting to test the Business Continuity Plan works and that your staff understands the arrangements.

6. Exceptions

6.1. Exceptions shall not be universal but shall be agreed upon on a case-to-case basis, upon official request made by the information owner. These may arise, for example, because of local circumstances, conditions, or legal reasons existing at any point in time.
6.2. All exception requests shall be submitted to (CTO). These shall be submitted through an email and be approved by (CTO).

7. Disclaimer

7.1. [ reserves all rights and is the exclusive owner of all intellectual property rights over this Policy document. This document shall not, either in part or in full, be reproduced, published, copied, displayed, distributed, transferred, or stored in any media (such as hard disks, USB Drives, Pen Drives, Memory Cards, CDs, DVDs), and/or captured or transmitted through by any means (such as electronic, digital, mechanical, photocopying, recordings, video and film or photographs and otherwise) by any person without prior consent from the ISM. This Policy and procedure document is made available with ISM and/or any other forum as decided by the management of Anything not specifically stated in this Policy and procedure document shall not be considered as implied in any manner.
7.2. For any clarifications related to this Compliance Policy and procedure document with respect to its interpretation, applicability, and implementation, please write to the ISMS team at