1. Purpose and Scope
This policy defines how the organisation ensures resilience, continuity, and recovery of critical business operations and IT systems during disruptions. It applies to all employees, contractors, suppliers, and partners.
Policy Statements:
- Business continuity and disaster recovery (BC/DR) plans are documented, tested, and reviewed annually, consistent with ISO 22301:2019 Clause 8.4 (Business continuity plans and procedures), Clause 8.5 (Exercise programme) and Clause 9.1 (Monitoring, measurement, analysis and evaluation).
- Continuity objectives are measurable and reviewed annually (ISO 22301 Clause 6.2).
- Recovery planning aligns with the NIST CSF v2.0 Recover (RC) Function, including RC.RP (Incident Recovery Plan Execution) and RC.CO (Incident Recovery Communication), and with the Respond (RS) category RS.MI (Incident Mitigation).
- Governance oversight is provided by the board, consistent with the six ISO/IEC 38500:2015 principles for governance of IT (responsibility, strategy, acquisition, performance, conformance and human behaviour) and, where applicable to the organisation’s jurisdiction, instruments such as US SOX Section 404 (internal control over financial reporting) and equivalent national governance codes.
- Supplier participation in continuity exercises is a contractual requirement, consistent with SIAM body-of-knowledge guidance on multi-supplier service integration and with the collaborative business relationship requirements of ISO 44001:2017 (joint incident and continuity management).
2. Governance and Accountability
Continuity responsibilities are clearly defined and enforced.
Policy Statements:
- The board demonstrates leadership and commitment to continuity governance (ISO 22301 Clause 5.1).
- A formally appointed Business Continuity Manager is accountable for BC/DR plan execution (Clause 5.3).
- Department heads ensure continuity compliance within their teams, with responsibilities documented in job descriptions.
- Quarterly continuity performance reports are presented to the Audit & Risk Committee in the form required by applicable governance instruments; representative reference points include US SOX Section 404, South Africa King IV Principle 12, and equivalent national codes.
- Collaborative continuity responsibilities with suppliers and partners are documented and reviewed annually (ISO 44001 Clause 5.2).
- Continuity governance aligns with the COSO Enterprise Risk Management framework (2017), Governance & Culture component (Principle 1: the board exercises risk oversight), or an equivalent internal-control or risk framework adopted by the organisation.
3. Risk Management
Continuity risks are identified, assessed, and treated systematically.
Policy Statements:
- Business impact analysis and risk assessments include continuity risks and are refreshed at least quarterly (ISO 22301 Clause 8.2, Business impact analysis and risk assessment).
- Risk treatment plans are documented and approved (ISO 27001 Clause 6.1.3).
- ICT resilience risks are tracked against applicable EU instruments. Organisational resilience obligations for in-scope entities arise under the NIS2 Directive (Directive (EU) 2022/2555) and, for financial entities, DORA (Regulation (EU) 2022/2554); the EU Cybersecurity Act (Regulation (EU) 2019/881) is referenced for ENISA’s mandate and the cybersecurity certification framework rather than as a direct source of organisational obligations.
- Cybercrime risks are explicitly tracked under applicable cybercrime legislation in each operating jurisdiction; representative references include the South Africa Cybercrimes Act 19 of 2020 and the Mauritius Computer Misuse and Cybercrime Act 2003 and Cybersecurity and Cybercrime Act 2021.
- Shared risk registers with strategic partners include continuity risks (ISO 44001 Clause 6.3).
- Continuity risk assessments are embedded into the organisation’s enterprise risk management framework — COSO ERM (2017), Performance component (Principle 10: identifies risk; Principle 11: assesses severity of risk), ISO 31000:2018, or an equivalent ERM framework adopted by the organisation.
4. Continuity Planning and Testing
Continuity and recovery plans are documented, tested, and validated.
Policy Statements:
- Continuity plans cover critical systems, facilities, and personnel (ISO 22301 Clause 8.4.4, Business continuity plans).
- Recovery time objectives (RTO) and recovery point objectives (RPO) are derived from the business impact analysis (ISO 22301 Clause 8.2.2) and reviewed annually alongside continuity objectives (Clause 6.2).
- Full continuity exercises are conducted at least annually (ISO 22301 Clause 8.5, Exercise programme).
- Supplier contracts mandate continuity participation (SIAM body-of-knowledge guidance; ISO 44001 collaborative relationship requirements).
- Case studies drawn from significant publicly-reported continuity incidents are used in continuity exercises. Illustrative examples include the COVID-19 pandemic, Colonial Pipeline 2021, MOVEit 2023, and regionally-relevant incidents in each organisation’s operating jurisdiction.
- Continuity planning integrates with enterprise risk reporting channels (COSO ERM (2017), Information, Communication and Reporting component, Principles 19–20, or equivalent).
5. Disaster Recovery Procedures
Disaster recovery ensures rapid restoration of IT systems.
Policy Statements:
- Disaster recovery plans are documented and tested annually; where PCI DSS applies, the corresponding reference is PCI DSS v4.0 Requirement 12.10.1 (incident response plan, including business recovery and continuity procedures).
- Backup and restoration procedures are validated quarterly (ISO 22301 Clause 8.4.5, Recovery, and Clause 8.5, Exercise programme).
- Recovery procedures restore systems from backups whose integrity has been verified before use, and validate security controls before restored systems return to service (NIST CSF v2.0 RC.RP, including RC.RP-03).
- Cloud recovery aligns with ISO/IEC 27017:2015 Clause 12.3 (Backup) and Clause 17 (Information security aspects of business continuity management), applied to the cloud service customer and provider roles.
- Where HIPAA applies, contingency planning requirements are satisfied under §164.308(a)(7); equivalent continuity obligations apply under other applicable regimes.
6. Communication and Notification
Continuity communication is coordinated internally and externally.
Policy Statements:
- Internal notifications include executives, legal, HR, and affected business units.
- External notifications include regulators, customers, partners, and law enforcement.
- Public relations messaging is coordinated to protect reputation.
- Documentation of continuity exercises is retained for compliance audits (SOC 2 Availability Criteria).
7. Training and Awareness
Employees and partners are trained to support continuity and recovery.
Policy Statements:
- Annual continuity training is mandatory (ISO 22301 Clause 7.2, Competence, and Clause 7.3, Awareness).
- Role‑specific training is provided to continuity and recovery teams.
- Tabletop exercises and simulations are conducted quarterly, supplementing the annual full continuity exercise.
- Awareness campaigns reinforce resilience culture.
8. Compliance Obligations
Continuity and recovery comply with applicable laws and standards.
Policy Statements:
- Under EU GDPR Article 32(1)(b)–(c), the ongoing resilience of processing systems and the ability to restore availability and access to personal data in a timely manner are required; equivalent obligations exist under other applicable data protection law.
- Under POPIA Section 19, safeguards for continuity are required; equivalent obligations exist under other applicable regimes.
- Where HIPAA applies, contingency planning obligations are integrated; equivalent continuity obligations apply under other applicable regimes.
- The organisation maintains a living register of data protection obligations applicable to its jurisdictions of operation; representative reference points include Singapore PDPA, India DPDP Act, Brazil LGPD, and California CCPA/CPRA.
- Continuity obligations under the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention, 2014) are observed where the organisation operates in states that have ratified it.
9. Audit and Assurance
Independent audits validate continuity and recovery effectiveness.
Policy Statements:
- Internal audits are conducted annually (ISO 22301 Clause 9.2, Internal audit).
- Management reviews continuity performance quarterly (ISO 22301 Clause 9.3, Management review).
- External audits validate compliance with recognised assurance frameworks applicable to the organisation’s market context; representative reference: SOC 2 Availability Criteria (AICPA Trust Services Criteria, A1 series).
- Corrective actions are tracked and verified to closure (ISO 22301 Clause 10.1, Nonconformity and corrective action; ISO 9001 Clause 10, Improvement).
10. Appendices
- Appendix A: Business Impact Analysis template.
- Appendix B: Continuity Exercise Schedule.
- Appendix C: Disaster Recovery Playbooks (Malware, Ransomware, Natural Disaster, Power Outage).
- Appendix D: Recovery Time Objective (RTO) and Recovery Point Objective (RPO) matrix.
- Appendix E: Supplier Continuity Participation Agreement template.
- Appendix F: Continuity Communication Plan template.
- Appendix G: Post‑Exercise Review checklist.
Enterprise and Conglomerate implementation content will be added here.