

Critical Function

The document outlines a comprehensive Business Continuity Plan (BCP) detailing critical functions, their impact on business operations, and recovery objectives. It includes risk assessments, mitigation strategies, and key actions for IT services, facilities, HR, finance, and information security to ensure operational resilience during disruptions. Additionally, it provides guidelines for simulating various incident scenarios to test the effectiveness of the BCP.

Uploaded by

mmarium385

| Critical Function/Services Name | Services Rendered | Impact on Business | Criticality | Priority | Critical assets | Time frame for Recovery (RTO) | Recovery Point Objective (RPO) |
|---|---|---|---|---|---|---|---|
| IT Services | Network management, Software development, data storage, Infrastructure | Affects operations & communication | High | 1 | Servers, databases, applications, cloud platforms | 4 hours | 1 hour |
| Facilities | Office space, power supply, and physical infrastructure | Affects employee productivity | Medium | 3 | Power systems, physical security, equipment | 24 hours | 12 hours |
| HR | Recruitment, payroll, employee records management | Employee dissatisfaction and legal risks | Medium | 2 | HR systems, employee records | 48 hours | 24 hours |
| Finance and Accounting | Accounting, budgeting, financial reporting | Financial loss and regulatory penalties | High | 1 | Financial systems, records | 24 hours | 12 hours |
| Information Security | Data protection, compliance, risk management | Affects all business areas | Critical | 1 | Firewalls, IDS/IPS, encryption keys, Data | 12 hours | 1 hour |

Internal support functions list

1. IT Services
• Ensure that all IT services remain operational or can be quickly restored.
• Protect data from loss or corruption.
Key Actions:
o Form a dedicated team responsible for managing IT incidents.
o Define roles and responsibilities for each team member.
o Implement regular backups of critical data, databases, and applications.
o Use off-site storage or cloud solutions for backups to protect against physical damage.
o Establish redundant systems for critical IT infrastructure (e.g., servers, networking
equipment).
o Utilize failover systems to switch to backup resources seamlessly.
o Ensure remote access capabilities for employees to work from home or alternative
locations.
o Implement secure VPNs (Virtual Private Networks) for safe access to internal systems.
2. Facilities
• Protect the physical safety of employees and assets.
• Ensure that essential facilities remain accessible and functional.
Key Actions:
o Develop procedures for evacuations, lockdowns, and emergency contacts.
o Conduct regular drills to familiarize employees with emergency procedures.
o Implement security measures such as badge access, surveillance systems, and visitor logs.
o Ensure that only authorized personnel can enter sensitive areas.
o Work with utility providers to ensure redundancy (e.g., backup generators for power
outages).
o Maintain contracts with alternative suppliers for essential services (e.g., internet, water).
o Create policies that facilitate remote work when access to facilities is compromised.
o Ensure that employees have the necessary tools and resources to work effectively from
home.
o Conduct regular tests of disaster recovery plans and backup systems to ensure
functionality.
o Simulate various incident scenarios to assess response effectiveness.
3. Human Resources (HR)
• Ensure that the organization can maintain an effective workforce.
• Adhere to labor laws and employee welfare regulations.
Key Actions:
o Develop a strategy for communicating with employees during disruptions.
o Use multiple channels (e.g., email, intranet, messaging apps) to disseminate information.
o Establish clear guidelines for remote work, including expectations for availability and
productivity.
o Provide technology support for remote employees.
o Offer mental health resources and support services to help employees cope with stress.
o Promote wellness programs that encourage physical and mental well-being.
o Ensure that critical training programs are available online.
o Focus on developing skills that support remote work and adaptability.

4. Finance and Accounting
• Ensure that financial operations can continue without disruption.
• Maintain adherence to financial regulations and reporting standards.
Key Actions:
o Monitor cash flow closely, especially during disruptions.
o Develop contingency plans for managing expenses and revenue during crises.
o Set up systems that allow for remote processing of payroll, invoicing, and financial
reporting.
o Ensure that sensitive financial data is accessible only to authorized personnel.
o Implement secure remote access solutions for key finance and accounting personnel.
o Use cloud-based accounting software to facilitate real-time access to financial information.
o Conduct internal audits to assess vulnerabilities in financial processes.
o Test financial systems regularly to ensure they are secure and functional.
5. Information Security
• Safeguard sensitive data against breaches and unauthorized access.
• Ensure a rapid and effective response to security incidents.
Key Actions:
o Develop a comprehensive plan that outlines steps to take in the event of a data breach or
cyberattack.
o Include procedures for identifying, containing, and recovering from incidents.
o Provide ongoing training for employees on security awareness and best practices.
o Simulate phishing attacks and other scenarios to test employee readiness.
o Implement strict access control measures for sensitive systems and data.
o Use multi-factor authentication (MFA) to enhance security.
o Ensure regular backups of critical data and systems.
o Test recovery procedures to confirm that data can be restored quickly and accurately.
o Establish continuous monitoring systems to detect potential threats.
o Develop a protocol for responding to alerts and investigating incidents promptly.

__________________________________________________________________________________
Simulating specific incident scenarios is a crucial part of testing a Business Continuity Plan (BCP). Here
are examples of various scenarios that organizations can use for simulations:
1. Natural Disasters
• Earthquake: Simulate an earthquake that disrupts operations, affecting both physical facilities and IT systems.
• Flood: Create a scenario where heavy rainfall causes flooding in the office, leading to evacuation and facility damage.
• Hurricane: Plan for the impact of a hurricane, including power outages and facility inaccessibility.
2. Technological Failures
• Server Crash: Simulate a critical server failure that affects access to essential applications and data.
• Network Outage: Create a scenario where the organization experiences a complete network outage, disrupting all communication and operations.
• Data Loss: Test the response to a situation where important data is accidentally deleted or corrupted.
3. Cyber Incidents
• Ransomware Attack: Simulate a ransomware attack that encrypts files, demands payment for decryption, and affects business operations.
• Data Breach: Create a scenario where sensitive customer information is leaked, requiring immediate action and communication.
• Phishing Attack: Test the response to a successful phishing attack that compromises employee credentials or sensitive information.
4. Human-Related Incidents
• Workplace Violence: Simulate a situation involving an active shooter or other violent incidents in the workplace, requiring evacuation and emergency response.
• Pandemic Outbreak: Plan for a health crisis, such as a flu outbreak or COVID-19, affecting employee availability and requiring remote work arrangements.
• Employee Strikes: Test the response to a labor strike that disrupts normal operations, affecting productivity.
5. Operational Disruptions
• Supply Chain Disruption: Simulate a scenario where a key supplier fails to deliver critical components, impacting production or service delivery.
• Utility Failure: Create a scenario where there is a power outage, water supply failure, or internet service disruption affecting operations.
• Facility Fire: Plan for a fire in the office that necessitates evacuation and assessment of damage.
6. Regulatory and Compliance Issues
• Regulatory Audit Failure: Simulate a scenario where a regulatory audit uncovers significant compliance issues, requiring immediate corrective actions.
• Data Privacy Violation: Create a situation where there is a violation of data protection laws, necessitating swift action and communication with stakeholders.
7. Financial Crises
• Economic Downturn: Simulate the impact of a sudden economic downturn that affects cash flow, requiring cost-cutting measures and financial management.
• Fraud Incident: Plan for a scenario where financial fraud is detected, requiring investigation and remediation.
Risk Assessment and Impact

| Risk | Business Impacts | Mitigation in Place | Risk Matrix Score |
|---|---|---|---|
| Technology and IT security (e.g., computers, internet, networks, client databases, telecommunications) | Data breaches, operational downtime, reputational damage, affecting production environment | Cybersecurity measures (firewalls, antivirus, encryption), regular backups, incident response plans, multi-factor authentication (MFA), employee awareness training | A |
| Cyber Threats (e.g., malware, phishing attacks, DDoS etc.) | Data loss, financial loss, reputational damage, service disruptions | Advanced threat detection systems, regular security updates, employee training on phishing and social engineering | A |
| Technical Threats (e.g., system failures, software bugs, or hardware malfunctions) | Operational downtime, loss of data, decreased productivity | System redundancy, regular maintenance, software updates, and monitoring systems for anomalies | D |
| Natural Disasters (e.g., flood, fire, cyclone, storm, drought, earthquakes) | Asset damage, operational disruption, employee safety | Emergency response plans, redundant data centers in geographically diverse locations, insurance, disaster drills, remote work capabilities | B |
| Pandemic (e.g., COVID-19, swine flu, bird flu) | Workforce shortages, operational delays, health risks | Remote work policies, health protocols, vaccination programs | D |
| Global events (e.g., wars, political disruption, supply chain disruption) | Supply chain interruptions, increased costs | Diversified suppliers, contingency planning, risk assessments, continuous market monitoring | B |
| Regulatory and government policy changes (e.g., import and export regulations, change in tax obligations) | Compliance penalties, operational disruption, increased costs | Regular monitoring of regulatory changes, compliance training, engagement with legal advisors, adaptable policies and procedures | B |
| Work health and safety (e.g., hazards, equipment) | Employee injuries, legal liability, reduced productivity | Regular safety audits, employee training, appropriate personal protective equipment (PPE), risk assessments | C |
| Utilities disruption and capital works projects (e.g., power outages, transport disruption, road works) | Service interruptions, increased operational costs | Backup power systems, uninterruptible power supplies (UPS), stakeholder communication plans | C |
| Legal (e.g., supplier agreements, lease agreements, staff contracts) | Breach of contracts, financial penalties, operational disruptions | Contract reviews, legal counsel, risk assessments, compliance monitoring | D |
| Crime (e.g., shoplifting, internal theft, staff safety) | Financial losses, reduced employee morale, employee safety risks | Security systems (CCTV, alarms), inventory control, employee background checks, anti-theft training, incident reporting | D |
| Reputation (e.g., online reviews, customer feedback) | Loss of customers, decreased revenue, negative publicity | Effective crisis communication plans, proactive customer service, reputation monitoring tools, regular engagement with customers | B |
| Human resources (e.g., recruitment, staff, training) | Staff shortages, decreased productivity | Succession planning, regular staff training and development, employee engagement initiatives, flexible hiring strategies | C |
| Market, economic and financial (e.g., economic downturns, inflation) | Reduced revenue, increased operational costs, limited access to funding | Financial forecasting, budgeting strategies, market analysis | B |
| Human factors (e.g., hacking, insider threats) and accidental actions (e.g., human error) | Data breaches, financial loss, reputational damage, operational disruptions, increased recovery costs | Access controls, monitoring user activity, strong password policies, employee awareness training, clear procedures, automated backups, error-checking mechanisms | B |

Risk Matrix Score:


A = HIGH likelihood and HIGH impact
B = LOW likelihood and HIGH impact
C = HIGH likelihood and LOW impact
D = LOW likelihood and LOW impact

2.1 Business Continuity Plan


2.1.1 Natural Disasters
There are numerous potential disaster situations that could result in a wide range of company
interruptions. These disruptions might range from a component failure to a major disaster.
Response Plan:
• Evacuate employees to designated safe zones immediately.
• Activate multiple channels for communication, such as emails, SMS, and emergency hotlines.
• Activate incident response teams to assess damage.
• Monitor weather updates and issue warnings in advance.
• Secure physical and digital assets, including servers, files, and critical equipment.
• Identify and equip backup facilities or enable remote work for continuity.
• Conduct regular training sessions for employees on disaster response protocols.
• Review and update the BCP periodically to adapt to new risks, technologies, and lessons learned from past incidents.
Recovery Plan:
• Conduct structural inspections and repair damages.
• Restore IT systems using cloud backups or redundant systems.
• Resume operations from alternative facilities if primary sites are unusable.
• Repair or replace damaged infrastructure and equipment.
• Resume operations incrementally, prioritizing critical functions.
Communication
• Establish robust communication channels (e.g., satellite phones, mobile apps, hotlines).
• Provide real-time updates to employees, customers, and stakeholders.
• Designate spokespeople for media and public relations.
Precautionary measures
• Regularly back up critical data to offsite or cloud storage.
• Maintain redundant systems for IT and communication.
• Develop an evacuation plan with clear routes and designated shelters.
• Stock first-aid kits, food, water, and emergency tools at all locations.
• Install fire extinguishers, smoke alarms, and keep flammable materials away from heat sources.
• Provide employees with emergency preparedness training.
• Install backup power systems (e.g., generators, uninterruptible power supplies).
• Establish remote work capabilities and cloud-based systems.
• Update the BCP annually or after major incidents to incorporate lessons learned.
___________________________________________________________________________________

IT Services
Ensure the availability, integrity, and reliability of IT infrastructure and services.
o Maintain real-time replication of critical systems to cloud environments.
o Regularly test and verify data backups for accessibility.
o Implement a secondary data center (hot site) or cloud-based failover solution.
o Use load balancers and redundant hardware to minimize downtime.
o Deploy Virtual Private Networks (VPNs) for secure remote work.
o Provide employees with remote access credentials and secure endpoint
Endpoint security
Protect endpoint devices such as laptops, desktops, and mobile devices to ensure secure operation
during disruptions.
o Deploy advanced endpoint protection tools, including antivirus, anti-malware, and
endpoint detection and response (EDR) systems.
o Monitor endpoint activity for suspicious behavior and mitigate threats in real-time.
o Enforce device encryption to protect sensitive data.
o Implement robust authentication measures, including multi-factor authentication (MFA).
o Regularly update endpoint operating systems and software to address vulnerabilities.
o Automate patch deployments to ensure compliance.
o Isolate compromised endpoints to prevent the spread of malware.
o Restore devices from secure backups after an incident.
o Ensure that remote access solutions are available for users to connect securely from
alternative locations.
Data Security
Safeguard organizational data from loss, corruption, and unauthorized access.
o Enable regular, automated backups of critical data to separate cloud or local storage.
o Maintain multiple copies of critical data across geographically dispersed locations to
mitigate risks of regional outages.
o Implement role-based access controls (RBAC) to limit access to authorized personnel.
o Enforce multi-factor authentication (MFA) for all accounts.
o Use strong encryption protocols for data both at rest and in transit.
o Define and execute a response plan for data security incidents.
o Restore repositories and other data promptly from backups.
o Use end-to-end encryption for data in transit when integrating GitHub with other systems.
o Encrypt sensitive files stored in GitHub using tools like Git LFS with encryption
extensions.
o Enable branch protection rules to prevent direct commits to critical branches (e.g.,
main/master).
o Use signed commits and tags to verify the authenticity of changes.
o Define a response plan for potential security incidents involving GitHub, such as
compromised credentials or repository deletion.
o Restore repositories promptly from backups in the event of accidental deletion or corruption.
o Train developers on secure practices for using GitHub, such as avoiding hardcoding credentials and regularly reviewing pull requests for vulnerabilities.
Safeguard organizational data from loss, corruption, and unauthorized access.
o Maintain multiple copies of critical data across geographically dispersed locations.
o Use both on-premises and cloud-based backups for redundancy.
o Implement DLP tools to monitor and control data flows, preventing leakage of sensitive
information.
o Educate employees on proper data handling practices.
o Define and enforce policies for data retention and secure deletion of obsolete records.

Servers
Ensure the availability, performance, and security of server infrastructure during disruptions.
o Use clustered servers and load balancers to ensure high availability.
o Maintain failover servers in secondary locations for disaster recovery.
o Continuously monitor server performance and health.
o Disable unnecessary services and ports.
o Apply security configurations and patches promptly.
o Use role-based access controls (RBAC) to limit server access to authorized personnel.
Code
Protect the integrity and security of software applications and development processes.
o Implement secure coding guidelines (e.g., OWASP best practices).
o Conduct regular code reviews and static code analysis to identify vulnerabilities.
o Use version control systems (e.g., Git) with access controls to track changes and prevent
unauthorized modifications.
o Perform penetration testing and dynamic application security testing (DAST) to uncover
security weaknesses.
o Secure CI/CD pipelines to prevent tampering during software deployment.
o Use signed certificates for application authenticity.

Network
Protect the organization's network infrastructure from unauthorized access, misuse, and disruptions.
o Deploy firewalls, intrusion detection/prevention systems (IDS/IPS), and web application
firewalls (WAF).
o Use network segmentation to limit the impact of breaches.
o Enforce encryption for all network communications using secure protocols (e.g., HTTPS,
VPNs).
o Implement continuous network monitoring and log analysis to detect anomalies.
o Use Security Information and Event Management (SIEM) tools for centralized visibility.
o Apply the principle of least privilege (PoLP) to network resources.
o Implement network access control (NAC) to authenticate devices before granting access.

Facilities
Maintain workspace availability and essential infrastructure during disruptions.
o Encourage and support remote work capabilities when physical access to offices is
restricted.
o Ensure backup generators are regularly tested and maintained.
o Secure contracts with utility providers for priority restoration.
o Install intrusion detection systems and surveillance cameras at all sites.
o Ensure facilities meet disaster-specific safety codes (e.g., fireproofing, earthquake
resistance).
Human Resources (HR)
Ensure employee safety and maintain HR operations during disruptions.
o Maintain an up-to-date database of employee contact and emergency information.
o Distribute an emergency response guide to employees, outlining evacuation procedures
and communication protocols.
o Use multi-channel communication platforms (email, SMS, collaboration tools) to
disseminate information.
o Assign HR representatives to provide updates and support to affected employees.
o Automate payroll processing through cloud-based systems to ensure uninterrupted salary disbursements.
o Provide counseling services for employees dealing with trauma or stress from the
disruption.
Finance and Accounting
Safeguard financial data and ensure continuity of financial operations.
o Use cloud storage for secure backup of financial records and transactions.
o Implement automated backup schedules for accounting software and databases.
o Set up alternate payment processing mechanisms to handle vendor and employee
payments during system downtime.
o Maintain relationships with financial institutions to expedite emergency funding if needed.
o Assign a recovery team to reconcile accounts and provide stakeholders with timely
financial updates.
Information Security (IS)
Protect sensitive data and ensure cybersecurity during and after disruptions.
o Deploy intrusion detection systems and firewalls to safeguard against cyberattacks.
o Regularly update antivirus and endpoint protection software.
o Activate an Incident Response Team (IRT) to investigate and mitigate security breaches.
o Follow a predefined protocol for containment, eradication, and recovery.
o Enforce multi-factor authentication (MFA) for all critical systems.
o Conduct periodic access reviews to prevent unauthorized use of credentials.

Disaster Recovery Plan (DRP)


IT Services
Restore IT infrastructure and services to operational status within defined RTO and RPO parameters.
o Prioritize the recovery of mission-critical systems, including servers, databases, and
applications.
o Use cloud-based backups or secondary data centers for rapid restoration.
o Restore lost or corrupted data using the latest verified backups.
o Validate data integrity and system compatibility after restoration.
o Conduct rigorous testing to ensure recovered systems meet operational requirements.
o Address issues such as system performance and security vulnerabilities.
Facilities
Re-establish physical and operational infrastructure to enable business continuity.
o Engage pre-approved vendors and contractors for facility repairs.
o Ensure rapid restoration of essential utilities such as power, water, and HVAC systems.
o Activate backup office locations or implement long-term remote work solutions.
o Assess damage to physical security systems and implement interim measures.

Human Resources (HR)


Support employees during recovery and facilitate workforce re-engagement.
o Notify employees of recovery progress and provide instructions for returning to work.
o Offer updates on benefits, payroll, and support programs.
o Organize staggered workforce returns to align with facility and system availability.
o Provide post-incident counseling and mental health support for employees.
Finance and Accounting
Resume financial operations, including payments, reporting, and compliance.
o Restore access to financial systems to resume payroll and vendor payments.
o Utilize backup payment mechanisms if primary systems remain offline.
o Assess financial impacts and prepare recovery-related reports for stakeholders.
o File insurance claims for damages and recovery costs promptly.
o Keep records of all expenditure
Information Security
Recover from security incidents and prevent further vulnerabilities.
o Investigate the root cause of breaches or security incidents.
o Apply patches and updates to mitigate vulnerabilities.
o Strengthen system security post-recovery to prevent recurrence of incidents.
o Ensure recovery efforts meet legal and regulatory requirements for data protection.
Preservation of Records
• Do not destroy anything. Try to recover as many documents as possible and preserve them somewhere where they can be retrieved easily.
• This is an ongoing obligation throughout and after the incident.
• Make someone responsible for coordinating and preserving a Master Log.
• Make a record of all meetings and briefing sessions.
• Make a hard copy of any relevant computer data and electronic mail.
At the end of the recovery phase, when normality is achieved, inform all interested parties and mark the occasion. Review the Business Continuity Plan to learn from the decisions taken.
Plan for telephones and post to be re-directed to your new location.
Disaster Recovery Strategies
The disaster recovery strategies define how each critical asset will be restored:
1. Cloud-Based Disaster Recovery:
o Use cloud-based systems (e.g., AWS, Microsoft Azure) for real-time replication and
failover.
o Maintain hot or warm cloud sites for quick recovery, ensuring minimal downtime.
2. On-Premises Backup and Failover:
o Maintain failover servers, clustered systems, and backup data centers in geographically
dispersed locations.
o Use redundant power supplies, network connections, and hardware to minimize risk.
3. Backup and Restore:
o Ensure regular backups of data and systems are stored in geographically dispersed
locations (cloud and/or physical storage).
o Verify backup integrity and test restore processes regularly.
o Implement an offsite or cloud-based backup solution for critical data (e.g., GitHub
repositories, financial records).
4. Third-Party Services:
o Leverage third-party disaster recovery providers that specialize in infrastructure recovery,
ensuring external support in the event of an emergency.
Disaster Recovery Procedures
• Implement a system for reporting and tracking incidents as soon as they occur.
• Use monitoring tools (SIEM, IDS/IPS, etc.) to detect anomalies and trigger recovery procedures.
• Assess the nature and scope of the disaster and categorize its impact (e.g., system failure, data breach, environmental disaster).
• Identify critical systems, data, and processes that require immediate recovery.
• Notify the Disaster Recovery Team and all relevant stakeholders.
• Begin recovery efforts based on pre-defined RTOs and RPOs for each critical asset.
• Begin with the recovery of the most critical systems based on the prioritized recovery list.
• Restore data from backups, failover systems, or cloud-based environments as necessary.
• Perform system checks to validate the integrity and security of restored systems.
• Ensure that all applications, databases, and services are fully functional before full-scale operational resumption.

Situation Assessment & Disaster Declaration


Situation Assessment
Evaluate the scope, impact, and severity of an incident to determine the appropriate recovery measures.
o Assess the safety of personnel and physical assets.
o Identify affected systems, services, and facilities.
o Determine the cause of the disruption (e.g., natural disaster, cyberattack, utility outage).
• Impact Analysis:
o Measure the extent of operational, financial, and reputational impacts.
o Consult stakeholders to identify priority areas for recovery.
• Resources Assessment:
o Evaluate the availability of backup systems, data, and alternate facilities.
o Determine additional resources required for recovery (e.g., equipment, personnel, vendors).
Disaster Declaration
Officially recognize the occurrence of a disaster and initiate the BCP/DRP.
• Declaration Criteria:
o Significant disruption to critical systems or services.
o Threats to employee safety or organizational viability.
o Insufficient resources to manage the situation without activating recovery procedures.
• Declaration Process:
o Notify key decision-makers (e.g., BCP Committee, executives).
o Convene an emergency meeting to validate the disaster status.
o Activate the Incident Response Team (IRT) and assign specific roles.
• Communication:
o Stakeholder Notifications:
▪ Provide regular updates to employees, customers, and partners about recovery progress.
▪ Designate a spokesperson for external communications to ensure consistency.
o Internal Communication Channels:
▪ Utilize platforms like Microsoft Teams, Slack, or other collaboration tools for team updates.
▪ Send alerts via email and SMS for critical announcements.

Post-Recovery Actions
• Evaluate the impact of the disaster and document all damages, losses, and downtime.
• Assess business continuity gaps and vulnerabilities revealed during the disaster.
• Conduct an in-depth investigation to determine the root cause of the disaster (e.g., cyberattack, equipment failure).
• Update preventive measures and recovery procedures based on findings.
• Review the disaster recovery plan after each incident and incorporate lessons learned.
• Update the plan to ensure it is aligned with evolving technologies and potential threats.
• Ensure compliance with regulatory and legal requirements for disaster recovery and data protection.
• Submit required reports to authorities, as necessary, particularly in cases involving data breaches or other regulated data types.

Form A – Immediate Action Checklist


To be completed by the Senior Employee at the incident site
Action Notes

If necessary:
• Follow Evacuation Procedures
• Call emergency services
Maintain a record of all emergency actions taken.
Assess the situation and level of response required. Can it be dealt with as a day-to-day management issue or does the business continuity plan need to be invoked?
Communications:
• Advise staff of the immediate implications for them and service provision
• Advise staff of the immediate requirements to deal with the situation, including temporary accommodation etc. if required.
• If necessary, advise key partners / suppliers.
• If necessary, speak to the local press.
If necessary, allow all staff to contact home to advise they are safe?
If necessary, arrange for the premises to be secured?
If necessary, use signage to advise the move to a temporary location
Temporary Accommodation
• Is the available accommodation sufficient for the needs of all the business-critical processes or is additional alternative space required?
• Do you need to arrange for replacement equipment to be ordered?
• Do you have access to all essential systems or records?
• Arrange for telephones and post to be re-directed to your new location.
Working at home and Non-Business Critical Staff
• If available space is at a premium, consider allowing suitable individuals to work from home
• Non-essential staff should be sent home or reallocated to support business critical processes.
• Make sure those sent home are aware of when to make contact to check on progress or when to return to work.

Form B – Plan Summary


| Identified Risk | Recovery Option | Evaluation Criteria | Possible Further Action |
|---|---|---|---|
| Loss of IT / Data | | | |
| Loss of Hard Data / Paper Records | | | |

• Maintain the availability of critical services.
• Minimize disruption to operations.
• Protect organizational assets and data.
• Ensure timely recovery and continuity of business functions.

Continuity Strategies
Implement Remote Work Capabilities
• Provide IT Support and Project Management teams with the necessary technology for remote work. This includes laptops, secure VPN access, and collaboration tools such as Slack, Microsoft Teams, or Zoom.
Use Cloud Services
• Utilize cloud service providers like AWS, Azure, or Google Cloud for data backup and application hosting. This allows for scalable storage solutions and eliminates the need for physical infrastructure.
• Conduct regular tests of backup and recovery processes to ensure that data can be restored quickly and effectively.
Resource Planning
1. Allocate Resources and Budget
• Assess current infrastructure to determine what needs upgrading or replacing. This includes servers, networking equipment, and backup solutions.
• Allocate financial resources for ongoing cloud service subscriptions and investments in cybersecurity measures.
2. Cross-Training Personnel
• Create a comprehensive training program that ensures employees are familiar with multiple roles within the organization (e.g., having software developers trained in IT support).
• Implement drills that simulate various disaster scenarios to test the effectiveness of cross-training and the organization’s response.
