Developing your business continuity plan (ITSAP.10.005)

In the event of a cyber incident or natural disaster, your organization will need a business continuity plan (BCP) to resume its most critical business operations quickly. Your BCP will identify the risks from various threats and the impact they would have on your organization. BCPs outline the main assets, roles, responsibilities, and processes required to minimize disruptions and keep critical business functions running until your operations can be fully restored. Organizational resilience and compliance with regulations, policies, and standards are some of the reasons you should have a BCP.

Business continuity lifecycle

Your BCP needs to be tested, reviewed, and updated regularly. To ensure your BCP is relevant, useful, and reliable, you should follow the 5 steps of the business continuity planning lifecycle.

Initiate

Identify your organization’s unique goals and objectives, as well as the key people and processes required to meet these goals. Create a response team and assign a team leader. Be sure to include members from various operational areas of your organization. Each member should know the threats that could affect your organization and the level of impact of the associated risks. Ensure you communicate the intent of your BCP and the expected outcomes to senior management for approval.

Analyze

Conduct a threat and risk assessment (TRA) to identify the possible threats and risks that could disrupt your organization’s operations. Once the TRA is finalized, complete your business impact analysis (BIA). Your BIA will identify critical and non-critical business operations. Additionally, your BIA will list the consequences of disruption from the risks identified in your TRA. Examine critical operations to determine their recovery time objective (RTO) and recovery point objective (RPO). Your RTO is the planned time and level of service needed to meet the system owner’s minimum expectations.

For more information on TRA and BIA, read:

Develop and implement

Create strategies that will allow your most critical business operations to resume for each of your identified risks. These strategies should mitigate or minimize the impact on your organization’s stakeholders, operations, and assets. As you develop your BCP, consider the following best practices:

  • identify the response team, their roles, and their responsibilities
  • develop communication methods and recovery procedures
  • identify an alternate work site and an employee relocation plan
  • consolidate a list of alternate resources and suppliers
  • establish an IT recovery plan
  • establish policies to be implemented during a disaster, emergency, or incident
  • determine the resources required to roll out the activities in your plan
  • identify timeframes in which services and business operations need to be available
  • identify the resources required to ensure prioritization and a quick, relevant response
  • create reports to share with stakeholders
  • provide your employees with awareness and training on the identified risks, emergency preparedness, and response strategies
  • document your plan, validate it, and share it with your organization’s management teams
  • store your BCP in a secure location that is known to your response team and available in a disaster or incident

Communicate and integrate

Communicate your BCP to employees and stakeholders. Ensure you integrate your plan into your organization’s policies. To avoid misinformation during an incident, develop a communication and public relations plan. Include guidance on how to communicate to all internal and external parties, including the media.

Test and validate

Risks, priorities, and business operations will change over time. Your BCP will require improvement through ongoing analysis, testing, validation, and implementation. Learning opportunities like seminars, tabletop exercises, and live simulations will assess your response team’s preparedness and identify any weak points in your plan. Testing your BCP will evaluate and validate your identified procedures, training initiatives, technical solutions, and recovery procedures. Use test results to update the BCP and ensure it remains aligned to your organization’s operational requirements and threat landscape.

Common disruptors to business operations

Natural disasters, global events, equipment failures, and compromises to your supply chain can all impact your business operations. In addition to these events, your organization needs to be prepared to mitigate the effects of various cyber threats, such as:

  • malware and ransomware incidents
  • data theft
  • distributed denial of service attacks
  • account compromises

Additional emergency preparedness strategies

Your BCP will address how to recover and resume only your most critical business operations during an incident. Your organization needs other plans to ensure it can detect, respond to, and fully recover all operations after any incident.

Your incident response plan (IRP) details the steps your organization will take to handle a specific security incident, mitigate the related risks, and recover quickly. Having an IRP will help your response team reduce organizational downtime and business disruption during an incident.

Your disaster recovery plan, which can include your IT recovery plan, will help your organization return to full operations after an incident.

For more information on developing these plans, read the Cyber Centre’s publications:

In addition to these plans, your organization can further reduce vulnerabilities and increase incident preparedness by taking the following preventative measures:

  • back up your systems and data online and leverage mechanisms to verify that these backups are trustworthy
  • provide employees with cyber security training tailored to their roles and your organization
  • monitor your network and review your audit logs to identify anomalies or potential compromises
  • enforce phishing-resistant multi-factor authentication wherever possible
  • limit the number of administrator accounts
  • ensure administrator tasks are completed on a dedicated administrative workstation
