V     Business Continuity Plan

Action Summary


Management should develop business continuity plan(s) (BCP) with sufficient detail in relation to the entity’s size and complexity. The BCP should address key business needs and incorporate inputs from all business units.


Examiners should review the plan for the following:


  • Authorities, responsibilities, and relocation strategies.
  • Communications protocols, event management, business continuity, and disaster recovery.
  • Liquidity concerns before and during an adverse event.Refer to NIST SP 800-61, Computer Security Incident Handling Guide.
  • Alternatives for payment systems, facilities and infrastructure, data center(s), and branch relocation during a disaster.

As shown in figure 2, a BCP is an important component of BCM. The BCP documents the practices and procedures for continuing business operations during a disruption. The BCP focuses on critical business functions and varies according to the entity’s size and complexity. The BCP includes specific elements, such as incident response, disaster recovery, and crisis management. Smaller entities may have a single BCP that includes these elements whereas large, complex entities may have multiple plans supported by subsidiary components for business functions, locations, or departments. Furthermore, the BCP should be a living document, regularly updated so that it remains current with system enhancements and organizational changes.Refer to “BCP Strategy Concept,” NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems. NOTE: While this document pertains to federal information systems, the principles are relevant for non-federal information systems.

A comprehensive plan describes the authorities, responsibilities, procedures, and relocation strategies. Components of the plan should include:

  • Roles, responsibilities, and required skills for entity personnel and third-party service providers.
  • Solutions to various types of foreseeable disruptions, including those emanating from cyber threats.
  • Escalation thresholds.
  • Immediate steps to protect personnel and customers and minimize damage.
  • Prioritization and procedures to recover functions, services, and processes.
  • Critical information protection (e.g., physical, electronic, hybrid, and use of off-site storage).
  • Logistical arrangements (e.g., housing, transportation, or food) for personnel at the recovery locations.
  • Network equipment, connectivity, and communication needs, including entity-owned and personal mobile devices.
  • Personnel at alternate sites, including arrangements for those permanently located at the alternate facility.
  • Scope and frequency of testing.
  • Resumption of a normalized state for business processes.

Representatives from all business units should contribute to BCP development and implementation. The BCP may be developed and maintained internally or outsourced. In either case, the entity’s board and senior management should be responsible for the BCP. Management should verify the third-party service provider’s qualifications and expertise when outsourcing BCP development. Management should work with the third-party service provider to design executable and viable strategies. Regardless of its development process, the BCP and supporting documentation should be stored so that it is readily accessible by personnel during adverse events.


Previous Section
IV.B Communications
Next Section
V.A Event Management