Developing policies for your business continuity (BC) and disaster recovery (DR) programs is a key activity, and is also an important audit item. The current BC and DR international standards -- ISO 22301:2012 and ISO 27031:2011, respectively -- both advocate the preparation of policy statements.
According to the above standards, policies provide a "framework for setting business continuity objectives, include a commitment to satisfy applicable business and operational requirements, and include a commitment to continual improvement of the business continuity program."
The BC/DR policy document sets out the scope and governance of BC/DR programs and reflects the reasons why they are being implemented. It also provides the context in which the required BC/DR activities will be implemented and identifies the principles the organization aims to achieve and against which its BC/DR performance can be audited.
Click to download the template here.
To help make this process easier for you, we've prepared templates for both BC and DR policy statements. They are organized along the standards noted above, and can be tailored to your organization's policy formatting as needed. Note that each presumes the creation of a business continuity management system (BCMS), which provides the planning, administrative and operational oversight for all BC and DR activities.
Policy statements provide the foundation and authorization for your BC/DR programs, BCMS and all other relevant activities you may be performing. Once your policy has been approved, you can begin developing the procedures and launching activities that will make your programs operational.
About the author:
Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant and auditor and is secretary of the U.S. chapter of the Business Continuity Institute and member of the BCI Global Membership Council. He can be reached at firstname.lastname@example.org.