Business Continuity Policy

Introduction

It is essential that the company is able to survive major disasters, can counteract major disruptions to its activities and can protect critical business processes from the effects of major failures or disasters and ensure their timely resumption.  Risk and disruption can be reduced to an acceptable level through a combination of preventative and recovery controls.


Scope 

The process of business continuity management should be applied to all aspects of the business in accordance with their priority rating as determined by a risk analysis.


Responsibility

It is the responsibility of the Managing Director to:

  • Initiate actions.
  • Ensure that all the necessary human, physical and financial elements are available. 

Procedure

Information Security Aspects of Business Security Management

The objective is to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.

A business continuity management process is implemented to reduce to an acceptable level the disruption caused by disaster and security failures which may be the result of, for example, natural disasters, accidents, equipment failures and deliberate actions.

The consequences of disasters, security failures and loss of service will be analysed, and contingency plans will be developed and implemented to ensure the business process can be restored within required timescales. Business continuity management will include controls to identify and reduce risks, limit the consequences of damaging incidents, and ensure the timely resumption of essential operations.

 

Including Information Security in the Business Continuity Management Process

There is a managed process in place throughout the company and it will bring together the following key elements of business continuity management:

  • understanding the risks the company is facing in terms of their likelihood and their impact, including an identification and prioritisation of critical business processes;
  • understanding the impact which interruptions are likely to have on the business and establishing the business objectives of information processing facilities;
  • considering the purchase of suitable insurance which may form part of the business continuity process;
  • formulating and documenting a business continuity strategy consistent with the agreed business objectives and priorities;
  • formulating and documenting business continuity plans in line with the agreed strategy;
  • regular testing and updating of the plans and processes put in place;
  • ensuring that the management of business continuity is incorporated in the company’s processes and structures.

Responsibility for co-ordinating the business continuity management process is assigned to an appropriate level within the company.


Business Continuity and Risk Assessments

Business continuity begins by identifying events that can cause interruptions to business processes, such as fire, flood and equipment failure, and subjecting their impact to a risk assessment.  Both these activities require the involvement of the owners of the business resources and processes and are not limited to the information processing facilities.

Depending on the results of the risk assessment, a strategy plan can be developed and approved by the Managing Director and other senior management.


Developing and Implementing Continuity Plans including Information Security

Plans will be developed to maintain or restore business operations in the required timescales following interruption to, or failure of, critical business processes.  The business continuity planning process will consider the following:

  • identification and agreement of all responsibilities and emergency procedures;
  • implementation of emergency procedures to allow recovery and restoration in required timescales giving due consideration to the assessment of external business dependencies and the contracts in place;
  • documentation of agreed procedures and processes;
  • appropriate education of staff in the agreed emergency procedures and processes including crisis management;
  • testing and updating of the plans.

The planning process will focus on the required business objectives, and the services and resources that will enable these to be met should be considered.


Business Continuity Planning Framework

A single framework will be maintained to ensure all plans are consistent and to identify priorities for testing and maintenance.  Conditions for activation will be clearly specified as well as individuals responsible for the execution of each component.  When new requirements are identified, established emergency procedures will be amended as appropriate.

A Business Continuity Planning Framework will include:

  • conditions for activating the plans.
  • emergency procedures which describe action to be taken following an incident which jeopardises business operations and/or human life.
  • fall-back procedures describing actions to move essential activities to other locations.
  • resumption procedures which describe actions to return to normal business operations.
  • maintenance schedule which specifies how and when the plan will be tested and the process of maintaining the plan.
  • awareness/education activities designed to create understanding of the process.
  • responsibilities of the individuals, with alternates nominated as required.

Each plan will have a specific owner. Emergency procedures, manual fall-back plans and resumption plans will be within the responsibility of the owners of the appropriate business resources or processes involved.

Fall-back arrangements for alternative technical services, such as information processing and communications facilities, are usually the responsibility of service providers.


Business Continuity & Disaster Recovery 

Business continuity and disaster recovery are provided through data backed up via iCloud, and data is stored off site in a secure location.  If required, these data can be accessed immediately, together with the information stored within them.

The only personnel that have access to these data are the business continuity team/IT.

To ensure continuity of operations, business systems and data, the company operates a robust business continuity process with a strong degree of fail-safe mechanisms:

  • iCloud and off-site data held in secure storage.
  • Should the need arise, access to a replacement server within 48hrs.
  • Uninterrupted power supplies – the server is installed with a UPS to prevent external factors, such as brownouts or blackouts, from interrupting workflow data.
  • IT systems are checked by the business continuity team/IT.
  • IT is reviewed annually to ensure that our customers and clients receive the best service with the least amount of disruption to the business environment.

Resources 

Staffing levels are the primary responsibility of the HR Department with the support of the Managing Director.


Employees Health and Welfare 

Pandemics and other contagions are minimized and controlled as much as possible in the workplace by methods such as:

  • Sanitary and hygiene notices are placed around the office and periodically updated for seasonal or endemic conditions and diseases – influenza, norovirus or any other type of virus.
  • Stay home sick policy – rather than coming in sick, staff are encouraged to call the office from home and then remain out of the office/site whilst contagious.  This helps the company control the spread of illness.

Quarantine – all company head office staff have access to the network, so if required they can work from home.  This means we do not lose productivity from staff who are otherwise able to do their jobs but require time at home to avoid infecting their colleagues.  This also means that staff do not have to attend the temporary office during the disaster recovery period so reducing the carb.


Testing, Maintaining and Reassessing Business Continuity Plans

The testing of plans will be a regular requirement to ensure that they are up to date and effective.  All members of the recovery team will be aware of the test plans.  The test schedule will indicate how and when each element will be tested, and frequent tests are advised.

Techniques to test effectiveness should include:

  • desk-top testing of various scenarios.
  • simulations.
  • technical recovery testing.
  • testing recovery at an alternative site.
  • tests of suppliers’ facilities and services.
  • complete rehearsals.

Maintaining and reassessing the plans requires updates to ensure their continuing effectiveness.

Procedures will be included within the company’s change management programme to ensure that business continuity matters are appropriately addressed.

Responsibility will be assigned for regular review to reflect changes and updates of the plan.  

A formal change control process will ensure that updated plans are distributed and reinforced by regular reviews of the completed plan.  The following may necessitate the updating of plans:

  • personnel;
  • addresses or phone numbers;
  • business strategy;
  • location, facilities and resources;
  • legislation;
  • contractors, key suppliers and customers;
  • processes, or new/withdrawn ones;
  • operational or financial risk.

Review of Policy 

The Policy shall be reviewed on a regular basis to identify the need for change arising from changes to legal requirements or standards, or as a result of the review of the process.

A current version of this document is available to all members of staff on the company network and is published.

This procedure was approved by the company and is issued on a version-controlled basis.