Business Continuity Plan
ISO 27001 requires you to have a Business Continuity Plan (BCP) in place. You should define the requirements for such a system, considering adverse situations (eg during crisis or disaster). You should have procedures in place that can address those situations and you should test these procedures.
This section consists of 2 steps:
Step 1. The BCP must be performed by the CEO or COO.
Step 2. Process your findings in the BCP section
Step 1 – Perform the BCP
The norm doesn’t describe what should be in your BCP or which risks you can accept. That’s up to your discretion. You’ll need to prove that you have assessed events that have an impact on your business and what your backup plans are. An important part of your BCP is a Disaster Recovery Plan (DRP). There’s a separate section to address your annual DRP test plan.
However, BCP is more than a DRP – in your BCP you’ll need to prove that you’re in control of the entire business. In the Templates section (Policies & Procedures), you can find the BCP template. Follow the template, write down your current situation and what backups you have in place. You might find that not all topics are currently relevant to you, but they might be next year, or you could gain valuable insights about improvements.
We advise that you perform the BCP before the Internal Audit and Management Review, as this assessment will probably result in the last improvements you need to have in place to be ready for certification. Alternatively, perform the BCP twice: first, when you start implementing your ISMS, and second, before your external audit. In this way you can confidently show the external auditor that you have control of your business processes.
Final tip: During the external audit, you’ll be questioned about risks and your acceptance level. Please note that the auditor can have an opinion, but it’s up to you to define which risks you find acceptable or not, so prepare your arguments well.
If you have a compliance officer, it’s always good to check your answers with them. The end result of the BCP is a PDF with a number of findings that you would like to address (or not). You’re now ready for step 2.
Step 2 – Process your findings in the Compleye Online system
Now that the actual work has been done, it’s time to process the findings and turn them into actual improvements. This is the final step and can be performed by your compliance officer.
You can simply click on the “Create New BCP” button at the bottom left of the page.
It will open a new window where you can upload the BCP document. Once attached, this document can’t be deleted, only downloaded. The BCP card will be named by the date it’s uploaded. If you have multiple documents, you can upload more than one; make sure you upload the main document first.
After creating the BCP you can add the findings (copy them from your main document). You can also add other relevant documents in the ‘Attachments’ tab, if needed (not mandatory).
- When adding a finding, there’ll automatically be an option to create an improvement (in blue).
NOTE: if you don’t create an improvement, you’ll need to justify why to the external auditor. Perhaps you have already solved the improvement and added the evidence in ‘Attachments’. If so, please make sure that you have addressed that in the finding (eg, by adding ‘Already solved by … evidence can be found in attachment.’).
We strongly advise creating an improvement for each finding. Improvements will become part of the Management Review and show that you’re able to improve and mature your ISMS.
- When you create an improvement, a new pop-up screen will appear.
The finding is already filled in, with the tag BCP, to identify where this improvement came from.
You’ll need to assign an owner who will be responsible for the improvement.
Due Date: estimated date for first expected results.
- Once every field is addressed, you can push the ‘Create Improvement’ button and it will automatically create an improvement with an ID in the ‘Improvements’ section.
- Now, the owner will need to work on the improvement. Please make sure that the owner has access to the board and has added an e-mail address in the @people section, so that they receive notifications on improvement deadlines.
Make sure that the owner reads the wiki on the improvement and starts working on the improvement.
The compliance officer will check all improvements’ progress during the monthly security meeting.
- Once the improvement is closed, it will be indicated by a green check-box tick in the tab, along with the date and the person that closed the improvement. So, before you start a new BCP, check whether the findings of your previous BCP have been addressed in closed improvements.
The fields of the improvement pop-up, with an example value for each:
- Name: define a name for the Improvement. This is not the finding, but e.g. the name of a project/plan that is easily recognisable to the ISMS Team. Example: High Risk Suppliers Assessment.
- Owner: the person responsible for the improvement. Example: one of your ISMS Team members.
- Finding: copy it from your main document. Example: Not all high-risk suppliers were assessed this year.
- Due Date: always start with the due date on which you want your first Improvement milestone ready, e.g. when the project plan, proposal or first step needs to be finalised. It is used as a reminder (the owner can receive a notification 3 days prior to the due date). Example: select the date.
- Tag: where the finding originated. In this case it is BCP, and it will be filled in automatically.