Suite of documents

Published under Risk Management

The suite of documents comprising the BCP will vary from organisation to organisation, but it is recommended that the following plans be considered. In smaller organisations these plans might be combined into one, but in larger organisations they will probably either exist as separate entities or some of the plans may be combined together.

Plan	Incident Timeline	Purpose of Plan	Used by
Incident Response Plan	Response	To manage the immediate aftermath of an incident, including evacuation, liaison with the emergency services and health, safety and welfare of the staff and public	Incident Response Team
Incident Management Plan	Recovery	To centrally manage the incident and ensure that the teams effecting recovery are equipped with their critical resources	Silver Team
Business Recovery Plans	Recovery	To provide the teams who are recovering their critical processes, with the necessary action lists, information, procedures and contact details	Bronze Teams
Recovery Support Plans • HR Plan • Facilities Plan • Health and Safety Plan	Recovery	To provide the teams who have specialist roles in an incident with the necessary information and procedures to be able to support the bronze recovery teams	Bronze Teams
IT Service Continuity Plan	Recovery and Resumption	To detail the actions that ICT and IS should follow in order to restore the critical components to the critical processes within the agreed component RTOs and RPOs	ICT and IS
Communications and Media Plan	Response, Recovery and Resumption	This plan contains all the information necessary to enable the Communication and Media Team to communicate accurately and effectively with the staff, customers, public, suppliers and media	Gold, Silver and Bronze Teams
Business Resumption Plan	Resumption	This plan details the procedures to follow to bring the organisation back to normal. It may be one plan or a series of plans and could include long term project plans	Gold, Silver and Bronze Teams

A further illustration of the relationship between the plans comprising the BCP and the phases of recovery are shown in the diagram below.

When BC is introduced into an organisation one of the results is the production of a number of documents, not all of which are necessarily included in the BCP (e.g. a number of policies and procedures such as HR policies). The BCP can be used in isolation to effect recovery in the event of an incident affecting the organisation but in reality it interacts with other documents in the areas of Risk Management, Information Security, HR/Health and Safety policies and ITSC.

The following diagram shows the relationship between the potential plethora of documents and their relative ownership.

Some of the documents and processes already in place will require modification as different information is required e.g. HR will need next of kin information with current contact details, this system will require change management process to ensure the information is current, an information security policy to ensure that it is not widely accessible and BC to ensure that the information is available during an incident involving the information repository.

The details of the interfaces between these programmes (ISMS, ITSCM, BCM, RM) is dependent on the organisation and method of implementation.

Design BCP not only comprises a whole suite of documents, but further work is required to enable delivery and successful adoption of the plan. In this stage some consideration should be given to:

How the BCP will be distributed (paper, electronic, intranet, z-cards);
How the training will be delivered (e-learning, classroom learning, scenario exercises);
How awareness of the plan will be raised (lunch n' learn, company newsletter articles, intranet, questionnaires).

These elements influence the way the plans are written and delivered, therefore it is important to give some thought to them at this stage.

Browse the Topics