An ISO 27001 Business Continuity Policy is your company’s game plan for what to do when things go wrong. It’s a simple, easy-to-follow guide that helps you get back on your feet quickly after a disaster, like a power outage or a cyberattack. The goal is to keep your business running smoothly, no matter what happens.
Table of contents
- What is it?
- Applicability to Small Businesses, Tech Startups, and AI Companies
- ISO 27001 Business Continuity Policy Template
- Why you need it
- When you need it
- Who needs it?
- Where you need it
- How to write it
- How to implement it
- Examples of using it for small businesses
- Examples of using it for tech startups
- Examples of using it for AI companies
- How the ISO 27001 toolkit can help
- Information security standards that need it
- List of relevant ISO 27001:2022 controls
- ISO 27001 Business Continuity Policy Example
- ISO 27001 Business Continuity Policy FAQ
What is it?
This policy is a set of rules and guidelines that make sure your business can keep operating even during a crisis. It covers things like what to do if your office building is unavailable, how to access critical information, and how to keep in touch with your team and customers. Think of it as your emergency survival guide for the business world.
Applicability to Small Businesses, Tech Startups, and AI Companies
This policy is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.
- Small Businesses: A simple policy can ensure you can still send out invoices and serve customers if your main system goes down.
- Tech Startups: It’s crucial for keeping your app or service running and protecting customer data if there’s an outage.
- AI Companies: It’s essential for protecting your valuable data models and ensuring your AI services don’t stop working unexpectedly.
ISO 27001 Business Continuity Policy Template
The ISO 27001:2022 business continuity template is designed to fast-track your implementation and give you an exclusive, industry best-practice policy template that is pre-written and ready to go. It is included in the ISO 27001 toolkit.
Why you need it
You need this policy to protect your business from unexpected problems. It helps you minimise damage, reduce financial loss, and maintain trust with your customers. Having a plan in place shows that you’re responsible and prepared, which is a big plus for your reputation. It’s a proactive way to avoid a huge headache later.
When you need it
You need a business continuity policy before a disaster ever happens. You should create it when you’re first setting up your information security system and review it regularly. You’ll use it every time there’s a serious problem that could stop your business, like a natural disaster, a technical failure, or a security breach.
Who needs it?
Everyone in the company needs to be aware of this policy. While a small team or a single person might be in charge of writing it, every employee should know their role in an emergency. This includes the CEO, IT staff, and every team member who needs to keep working during a crisis.
Where you need it
This policy applies everywhere your business operates. It covers your physical office, your remote workers’ homes, and your cloud-based systems. It’s a universal guide for your team, no matter where they are.
How to write it
Keep it simple! Start by identifying the most important parts of your business and what could threaten them. Then, list the steps you’ll take to protect those parts. Use clear, simple language and create a step-by-step action plan. You can use checklists and flowcharts to make it even easier to follow.
Time needed: 1 hour and 30 minutes
How to write an ISO 27001 Business Continuity Policy
- Create your version control and document mark-up
ISO 27001 documents require version control of the author, the change, the date and the version, as well as document mark-up such as document classification.
- Write the ISO 27001 Business Continuity Policy Contents Page
The contents of the business continuity policy are:
1 Document Version Control
2 Document Contents Page
3 Business Continuity Policy
3.1 Purpose
3.2 Scope
3.3 Principle
3.4 Commitment and Continual Improvement
3.5 Business Impact Analysis
3.6 Business Continuity Plans
3.6.1 Business Continuity Plans Cover
3.6.2 Business Continuity Plans Contain
3.7 Recovery
3.8 Business Continuity Testing
3.9 Incident and Business Continuity Reporting and Escalation
3.10 Disaster Recovery Plans
- Write the ISO 27001 Business Continuity Policy Purpose
Write the purpose of the Business Continuity Policy. The purpose of this policy is business continuity management and information security continuity. It addresses threats, risks and incidents that impact the continuity of operations.
- Write the ISO 27001 Business Continuity Policy Principle
The Business Continuity Policy requires:
People’s safety to be our first priority. Always.
The framework is based on industry best practice and the business continuity standard ISO 22301 Business Continuity Management.
- Write the ISO 27001 Business Continuity Policy Scope
Consider the scope of the business continuity policy. An example:
All employees and third-party users.
All devices used to access, process, transmit or store company information.
- Explain the commitment to continual improvement
The company is committed to the development and the continual improvement of the business continuity process, plans and system.
- Describe the role of the Business Impact Analysis (BIA)
Business continuity is based on a documented business impact analysis and risk assessment.
- Set out the approach to Business Continuity Plans
The company has documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures address the requirements of those who will use them.
- Explain what business continuity plans cover
Business Continuity plans cover:
Roles and responsibilities
Incident Management processes
Business priority of recovery
Information and system backup processes.
- Describe what business continuity plans contain
The business continuity plans collectively contain:
– defined roles and responsibilities for people and teams having authority during and following an incident
– a process for activating the response
– details to manage the immediate consequences of a disruptive incident giving due regard to:
the welfare of individuals
strategic, tactical, and operational options for responding to the disruption, and
prevention of further loss or unavailability of prioritised activities
– details on how and under what circumstances the organisation will communicate with employees and their relatives, key interested parties and emergency contacts,
– how the organisation will continue or recover its prioritised activities within predetermined timeframes,
– details of the organisation’s media response following an incident, including:
a communications strategy
preferred interface with the media,
guideline or template for drafting a statement for the media, and
appropriate spokespeople.
– a process for standing down once the incident is over.
– Each plan shall define
purpose and scope,
objectives,
activation criteria and procedures,
implementation procedures,
roles, responsibilities, and authorities,
communication requirements and procedures,
internal and external interdependencies and interactions,
resource requirements, and
information flow and documentation processes.
- Explain the approach to recovery
The company has documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident.
- Set out when business continuity testing occurs
Business continuity plans are tested at least annually and/or when significant change occurs.
- Describe the relationship between business continuity and incident management
An incident management process is in place and followed.
Business continuity incidents are additionally recorded and tracked in a register.
Business continuity incidents are additionally reported to the Management Review Team.
- Show commitment to disaster recovery plans
Technical recovery plans for disaster recovery are in place and tested.
How to implement it
First, share the policy with everyone. Hold a team meeting to walk through the plan and make sure everyone understands their role. You should also practice the plan with drills, like a test run of your backup systems. Finally, make sure to keep the policy updated, especially as your business changes.
Examples of using it for small businesses
If you’re a small online shop and your website server fails, your policy might tell you to switch to a backup website, use social media to update customers, and have a list of emergency contacts for your hosting company.
Examples of using it for tech startups
For a startup with a mobile app, the policy could outline how to switch to a backup server if the main one fails. It might also specify how to alert users about the issue and when to expect a fix.
Examples of using it for AI companies
An AI company’s policy might include steps to back up large datasets in multiple locations. It would also explain how to quickly restore your AI model and its services to prevent a major disruption.
How the ISO 27001 toolkit can help
An ISO 27001 toolkit is like a toolbox full of pre-made documents and guides. It gives you a head start on creating your policy and other important security documents, saving you a ton of time and effort. It’s a great way to make sure you don’t miss anything.
Information security standards that need it
This policy is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- DORA (Digital Operational Resilience Act)
- NIS2 (Network and Information Security (NIS) Directive)
- SOC 2 (Service Organisation Control 2)
- NIST (National Institute of Standards and Technology)
- HIPAA (Health Insurance Portability and Accountability Act)
List of relevant ISO 27001:2022 controls
The ISO 27001:2022 standard has specific controls for business continuity:
- ISO 27001:2022 Annex A 5.29 Information security during disruption
- ISO 27001:2022 Annex A 5.30 ICT readiness for business continuity
ISO 27001 Business Continuity Policy Example
ISO 27001 Business Continuity Policy FAQ
To keep your business running smoothly during a crisis.
No, it covers all kinds of disruptions, from power outages to cyberattacks.
The person in charge of your ISMS, but everyone must follow it.
You should review it at least once a year.
It can lead to disorganised chaos, financial loss, and a damaged reputation.
No, it’s a living document that you should continually use and update.
Yes, it should include plans for how remote teams will operate during a disruption.
A disaster is any event that could stop your business from operating normally.
The policy should specify a retention period based on legal and business requirements.
No, this single policy can be a broad guide for many different scenarios.
The policy should explain how to manage their responsibilities during a crisis.
It provides clear evidence that you are prepared for disruptions, which is crucial for audits.
Yes, having a plan for business continuity is required.
Identify the most important parts of your business and what could threaten them.