ISO 15999-1 recommends that a business continuity policy (BCP) be established that is appropriate for the size, culture, and complexity of the organization. It may include:
• General information on the organization, such as its location, mission, etc.
• The objective and scope of the policy, including its limitations and exceptions.
• The main requirements of the policy, including legal and contractual requirements that the business continuity program should adhere to.
• The methodology to be used and the organization's approach towards managing its risks.
• Any activities that the organization should carry out to implement the program.
• The main roles and responsibilities, including the main executive sponsors of the program.
• The resources that will be assigned to implement the program.
• Any related laws, standards, or other documents that the policy may reference.
• General guidelines to ensure that a culture of business continuity is disseminated throughout the organization.
The policy's objectives may express the organization's concern with risks that may interrupt services and its intention to proactively implement a continuity management program, aiming at the general protection of its human resources, brand, reputation, lines of business, and stakeholder interests. The scope of the policy may declare, for example, that the organization will be as prepared as possible to respond to certain types of disasters (power outages, earthquakes, floods, failures in critical equipment, or unavailability of supplies). Ideally it also lists the limitations and exclusions, specifying what will not be covered by the business continuity program, including, for example, disasters that cannot be reasonably anticipated.
The policy should define the person or group of people responsible for implementing the business continuity program (BCP). This person or group should have the authority and the required skills to implement and maintain the system. Because organizational changes to the IT structure, staff, processes, installations, technologies, suppliers, and others may affect plans already established (which will then require revision and updating), it is important that the BCP be integrated with the organization's existing change management processes.
The policy may also mention criteria for accepting risks analyzed in the context of business continuity, as well as determine how the internal audit processes of the BCP will be carried out. In relation to the BCP sponsors, the standards recommend that the policy be signed by a high-level manager or director. It is essential that upper management demonstrate its support for the program.
Once prepared and signed off by upper management, the policy should be disseminated to all internal and external stakeholders, who should in turn provide attestation that they have read and understood the policy. The policy should be revised and updated periodically or whenever there are any relevant changes.
The Knowledge module can be used to register this policy as an authoritative document and publish it. Once published, people and groups should be included in the audience of the document, which will then be available in the Documents section of the Home module. Note that any files attached to the policy will also be visible to the audience. For details on publishing authoritative documents and specifying an audience for them, see Chapter 8: Knowledge -> Compliance Knowledge -> Authoritative Documents.