Business Continuity and Disaster Recovery Policy

Version: 6.5.1 | Effective Date: August 1, 2020

  • Document Created: July 18, 2020
  • Last Reviewed: December 5, 2024
  • Next Review Date: December 2025
  • Approved By: Chief Technology Officer
  • Policy Owner: Security Officer

6.1 Purpose

This BCDR Policy establishes the framework for maintaining critical business operations during disruptions and recovering systems following disasters to ensure minimal impact to customers and stakeholders.

6.2 Scope

Covers all disruption types (natural disasters, infrastructure failures, cyber incidents, technology failures, public health emergencies), all critical business functions and IT systems, and all personnel with BCDR responsibilities.

6.3 Policy Statements

6.3.1 Recovery Time and Point Objectives

  • Critical Systems (Priority 1): RTO 4 hours, RPO 1 hour (customer-facing applications, authentication, primary databases)
  • Important Systems (Priority 2): RTO 12 hours, RPO 4 hours (internal applications, development environments)
  • Standard Systems (Priority 3): RTO 24 hours (full restoration of all remaining systems), RPO 24 hours (administrative systems, archives)

6.3.2 Business Impact Analysis

Comprehensive BIA conducted annually identifying critical functions, assessing potential impacts, determining recovery requirements, and documenting dependencies.

6.3.3 Continuity Strategies

Infrastructure redundancy through geographically distributed cloud data centers, load balancing, database replication, and cloud provider high-availability features. Data protection through regular backups and geographically distributed storage. Alternative work arrangements through remote access infrastructure and cloud-based collaboration tools.

6.3.4 Disaster Recovery Procedures

Activation when disruption exceeds normal incident response capabilities. Process includes situation assessment, backup facility activation, critical system restoration, verification, business operations resumption, remaining system restoration by priority, progress monitoring, and documentation.

6.4 Testing and Exercises

BCDR plans are tested on a recurring schedule: component testing quarterly, tabletop exercises semi-annually, functional tests annually, and full-scale exercises every two years. All tests are documented with lessons learned and improvement actions.

6.5 Compliance

Supports ISO/IEC 27001:2022 (A.5.29, A.5.30), ISO 22301, SOC 2 Type II (A1.2, CC9.1), and NIST SP 800-53 Contingency Planning.
