
Item | Value |
Organization | Information Dynamics |
Document Name | Business Continuity and Disaster Recovery Policy |
Classification | Internal |
Compliance Reference | ISO 27001:2013 and ISO 20000:2011 |
Date | Version | Prepared By |
29th Aug, 2019 | 1.0 | Information Dynamics |
26th Aug 2020 | 1.1 | Shaik Bavajan |
26th Aug 2021 | 1.2 | Shaik Bavajan |
28th Aug 2022 | 1.3 | Shaik Bavajan |
Reviewed By | Version | Date | Signature |
Soundarrajan | 1.0 | 29-Aug-2019 | |
Soundarrajan | 1.1 | 28-Aug-2020 | |
Soundarrajan | 1.2 | 28-Aug-2021 | |
Soundarrajan | 1.3 | 28-Aug-2022 | |
Table of Contents
Risk Assessment & Business Impact Analysis (BIA)
Business continuity planning framework
Business Continuity Strategy
Disaster Recovery Plan (DRP)
Testing and maintenance Program
The purpose of this policy is to establish a practice for business continuity management and to ensure that practices and controls are in place to continue and manage business operations in case of a disaster or a crisis.
ISO 27001:2013 Domain Reference: A.17 – Information Security aspects of Business Continuity
ISO 27001:2013 Reference | |
A.17.1.1 | Planning information security continuity |
A.17.1.2 | Implementing information security continuity |
A.17.1.3 | Verify, review and evaluate information security continuity |
A.17.2.1 | Availability of information processing facilities |
ISO 20000:2011 Domain Reference: 6.3: Service Continuity and Availability Management
This policy applies to all activities under the scope statement of Information Dynamics.
Business process owners shall be responsible for ensuring that the key events that can cause disruption to their processes are identified and that the probability of their occurrence and their potential adverse impact are documented. Threats and applicable vulnerabilities shall be identified for information assets within the process.
Developing the business continuity plan; and
Reviewing and updating the business continuity plan (once a year).
Risk and business impact assessment shall be reported.
A single common framework shall be followed for drafting continuity plans as per business requirements, which shall include the key stakeholders and third parties.
The risks and business impacts shall be considered for developing and updating the business continuity strategy of the company.
Security controls similar to those at the primary location need to be implemented at the secondary location.
The framework shall include but not be limited to:
Establishing recovery time objectives;
Conditions for disaster declaration and plan invocation;
Disaster Recovery Plan;
Business Resumption Plan;
Crisis Management Program; and
Testing and maintenance program.
IT and Admin teams shall develop and maintain a Disaster Recovery Plan for assets whose availability is critical to the organization.
The DRP for such assets shall include but not be limited to:
Alternate server room facilities;
Computer hardware replacement;
Software and data (backup and) recovery;
System connectivity;
Physical and logical security.
The Business Resumption Plan (BRP) shall be the responsibility of the respective process owners.
Business resumption plans shall include but not be limited to:
Identification of muster points where personnel would gather in the event of declaration of an emergency/disaster
Recovery organization and command center setup, including strategic outsourced partners and third parties
Damage assessment checklist
Resource requirements
List of important contacts
Purchase of suitable insurance in view of the BIA
Draft release in the event of a business disruption
Essential vendor list
The business continuity plan shall comprise a crisis management program including but not limited to:
List of command centers
Directions to muster points
Emergency response procedures (during and after normal business hours)
Communication procedures, including but not limited to crisis management team, strategic outsourced partners, third parties
The business continuity plan shall be tested on a half-yearly basis. The testing and maintenance program shall include but not be limited to:
BCP audit checklist
Test drills
Responsibility for testing
Procedures for updating the BCP
Controls for access to BCP
Associated Documentation
Redundancy and Restoration Test Plan template