AWARENESS ISO 22301:2019
DANANG SURYO WARDHONO | REGISTERED
TRAINER/AUDITOR
081567796679/08112999715
Introduction
 Name: Danang Suryo Wardhono ST MM
 Occupation:
 Registered Auditor trainer ISO Series PECB, Trainer/auditor
management system for certification body LRBA (previously
LRQA), Mutu Certification International, Afnor Indonesia,
IAPMO, TUV Rheinland, pusdiklat gadjahmada, NQA,
Sucofindo, Bina Profesi Institute, mutu institute, ITS tekno
sains, WQA, ISQ, etc.
 LA IRCA/PECB certified ISO 9K, 14K, 18K, 22K, 22301, 27K,
37k, 45K,50k (waiting result) smk3 auditor, halal, national
assessor (waiting result) BRC version 8 auditor conversion
etc
 Telp/WA: 081567796679, 08112999715
 danangsuryowardhono@gmail.com
FILM BCMS
CONTENTS
 SCOPE AND TERMS OF BCMS
 PURPOSE AND BENEFITS OF BCMS
 BCMS FAMILY OF STANDARDS
 CLAUSES OF ISO 22301:2019
SCOPE
• THIS DOCUMENT SPECIFIES REQUIREMENTS TO PLAN, ESTABLISH, IMPLEMENT,
OPERATE, MONITOR, REVIEW, MAINTAIN AND CONTINUALLY IMPROVE A
MANAGEMENT SYSTEM TO PROTECT AGAINST, REDUCE THE LIKELIHOOD OF
OCCURRENCE, PREPARE FOR, RESPOND TO, AND RECOVER FROM DISRUPTIONS
WHEN THEY ARISE.
TERMS AND DEFINITION
• BUSINESS CONTINUITY, CAPABILITY OF AN ORGANIZATION (3.31) TO CONTINUE DELIVERY OF
PRODUCTS AND SERVICES (3.41) WITHIN ACCEPTABLE TIME FRAMES AT PREDEFINED CAPACITY
RELATING TO A DISRUPTION (3.12)
• [SOURCE: ISO 22300:2018, 3.24, MODIFIED.]
• BUSINESS CONTINUITY MANAGEMENT SYSTEM, BCMS, MANAGEMENT SYSTEM (3.25) FOR
BUSINESS CONTINUITY (3.3)
• NOTE 1 TO ENTRY: THE MANAGEMENT SYSTEM INCLUDES ORGANIZATIONAL STRUCTURE,
POLICIES, PLANNING (3.36) ACTIVITIES (3.1), RESPONSIBILITIES, PROCEDURES (3.39),
PROCESSES (3.40) AND RESOURCES
• [SOURCE: ISO 22300:2018, 3.26, MODIFIED]
• BUSINESS CONTINUITY PLAN DOCUMENTED INFORMATION (3.13) THAT GUIDES AN
ORGANIZATION (3.31) TO RESPOND TO A DISRUPTION (3.12) AND RESUME, RECOVER AND
RESTORE THE DELIVERY OF PRODUCTS AND SERVICES CONSISTENT WITH ITS BUSINESS
CONTINUITY OBJECTIVES
• [SOURCE: ISO 22300:2018, 3.27, MODIFIED. NOTE 1 TO ENTRY DELETED.]
• BUSINESS IMPACT ANALYSIS PROCESS (3.40) OF ANALYZING THE IMPACT (3.18) OF A
DISRUPTION (3.12) ON THE ORGANIZATION (3.31)
• NOTE 1 TO ENTRY: THE OUTCOME IS A STATEMENT AND JUSTIFICATION OF BUSINESS
CONTINUITY (3.3) REQUIREMENTS (3.45).
• [SOURCE: ISO 22300:2018, 3.29, MODIFIED. NOTE 1 TO ENTRY ADDED.]
• INCIDENT EVENT (3.16) THAT CAN BE, OR COULD LEAD TO, A DISRUPTION
(3.12), LOSS, EMERGENCY (3.15) OR CRISIS
• [SOURCE: ISO 22300:2018, 3.111, MODIFIED.]
• DISRUPTION INCIDENT (3.19), WHETHER ANTICIPATED OR UNANTICIPATED,
THAT CAUSES AN UNPLANNED, NEGATIVE DEVIATION FROM THE EXPECTED
DELIVERY OF PRODUCTS AND SERVICES (3.41) ACCORDING TO AN
ORGANIZATION’S (3.31) OBJECTIVES (3.30)
• [SOURCE: ISO 22300:2018, 3.70, MODIFIED.]
• CRISIS MANAGEMENT
• HOLISTIC MANAGEMENT (3.135) PROCESS (3.180) THAT IDENTIFIES POTENTIAL IMPACTS (3.107)
THAT THREATEN AN ORGANIZATION (3.158) AND PROVIDES A FRAMEWORK FOR BUILDING
RESILIENCE (3.192), WITH THE CAPABILITY FOR AN EFFECTIVE RESPONSE THAT SAFEGUARDS THE
INTERESTS OF THE ORGANIZATION’S KEY INTERESTED PARTIES (3.124), REPUTATION, BRAND AND
VALUE-CREATING ACTIVITIES (3.1), AS WELL AS EFFECTIVELY RESTORING OPERATIONAL
CAPABILITIES
• NOTE 1 TO ENTRY: CRISIS MANAGEMENT ALSO INVOLVES THE MANAGEMENT OF PREPAREDNESS
(3.172), MITIGATION (3.146) RESPONSE, AND CONTINUITY (3.49) OR RECOVERY (3.187) IN THE
EVENT OF AN INCIDENT (3.111), AS WELL AS MANAGEMENT OF THE OVERALL PROGRAM
THROUGH TRAINING (3.265), REHEARSALS AND REVIEWS (3.197) TO ENSURE THE PREPAREDNESS,
RESPONSE AND CONTINUITY PLANS STAY CURRENT AND UP-TO-DATE. (ISO 22300:2018)
• RECOVERY TIME OBJECTIVE
• RTO: PERIOD OF TIME FOLLOWING AN INCIDENT (3.111) WITHIN WHICH A PRODUCT
OR SERVICE (3.181) OR AN ACTIVITY (3.1) IS RESUMED, OR RESOURCES (3.193) ARE
RECOVERED
• NOTE 1 TO ENTRY: FOR PRODUCTS, SERVICES AND ACTIVITIES, THE RECOVERY TIME
OBJECTIVE IS LESS THAN THE TIME IT WOULD TAKE FOR THE ADVERSE IMPACTS
(3.107) THAT WOULD ARISE AS A RESULT OF NOT PROVIDING A PRODUCT/SERVICE
OR PERFORMING AN ACTIVITY TO BECOME UNACCEPTABLE.
• SOURCE ISO 22300:2018
• RECOVERY POINT OBJECTIVE
• RPO: POINT TO WHICH INFORMATION (3.116) USED BY AN ACTIVITY (3.1) IS
RESTORED TO ENABLE THE ACTIVITY TO OPERATE ON RESUMPTION
• NOTE 1 TO ENTRY: CAN ALSO BE REFERRED TO AS “MAXIMUM DATA LOSS”.
• SOURCE ISO 22300:2018
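The RPO definition above is only useful if the organization can tell whether its backups actually deliver it. The script below is an added example, not part of this deck or of ISO 22300/22301: it reads constructed backup-job log lines and, for each job, compares the RPO set in the BIA against two figures that follow from the definition ("maximum data loss"): the longest interval between two successful backups seen so far, and the time elapsed since the most recent success (the data that would be lost if a disruption hit right now). The job names, RPO values, log format and evaluation time are all assumptions made for the example.

```python
"""Added example (not from the slide deck): checking backup history against
a recovery point objective (RPO).

Data can only be restored to the last successful backup, so the data loss a
disruption would cause equals the time since that backup.  Two figures are
therefore checked per job: the longest gap between successful runs seen so
far, and the exposure at the evaluation time.  Job names, RPO values, the log
line format and the evaluation time are constructed for this example.
"""
import re
from datetime import datetime, timezone
from math import inf

# Constructed backup-job log lines, one run per line (not real logs).
SAMPLE_LOG = """\
2024-03-01T00:05:12Z backup job=crm-db status=success
2024-03-01T00:10:00Z backup job=file-share status=success
2024-03-01T02:00:00Z backup job=ledger status=failed error=auth_denied
2024-03-01T04:05:12Z backup job=crm-db status=success
2024-03-01T08:05:12Z backup job=crm-db status=failed error=snapshot_timeout
2024-03-01T12:05:12Z backup job=crm-db status=success
2024-03-02T00:10:00Z backup job=file-share status=success
"""

# Constructed RPO per job in hours, as it would be recorded in the BIA.
RPO_HOURS = {"crm-db": 4, "file-share": 24, "ledger": 1}

# Constructed evaluation time: the moment a disruption is assumed to occur.
NOW = datetime(2024, 3, 2, 6, 0, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(\S+) backup job=(\S+) status=(\w+)")


def parse_log(text):
    """Return (timestamp, job, status) tuples sorted by time; unparseable lines are skipped."""
    runs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        runs.append((ts, m.group(2), m.group(3)))
    return sorted(runs)


def hours(delta):
    """Convert a timedelta to fractional hours."""
    return delta.total_seconds() / 3600


def rpo_report(log_text, rpo_hours, now):
    """Per job: longest gap between successes, current exposure, and whether the RPO holds."""
    runs = parse_log(log_text)
    report = {}
    for job, rpo in rpo_hours.items():
        successes = [ts for ts, j, status in runs if j == job and status == "success"]
        failed = sum(1 for _, j, status in runs if j == job and status != "success")
        gaps = [hours(b - a) for a, b in zip(successes, successes[1:])]
        max_gap = max(gaps) if gaps else 0.0
        # With no successful backup at all the potential data loss is unbounded.
        exposure = hours(now - successes[-1]) if successes else inf
        report[job] = {
            "rpo_hours": rpo,
            "successful_runs": len(successes),
            "failed_runs": failed,
            "max_gap_hours": max_gap,
            "exposure_hours": exposure,
            "compliant": bool(successes) and max_gap <= rpo and exposure <= rpo,
        }
    return report


if __name__ == "__main__":
    for job, r in rpo_report(SAMPLE_LOG, RPO_HOURS, NOW).items():
        state = "OK" if r["compliant"] else "RPO BREACH"
        print(f"{job}: {state} (RPO {r['rpo_hours']}h, worst gap {r['max_gap_hours']:.1f}h, "
              f"exposure {r['exposure_hours']:.1f}h, failed runs {r['failed_runs']})")
```

In the sample data the failed `crm-db` run turns a 4-hour schedule into an 8-hour gap, which is exactly the kind of silent RPO breach that a job-level "last run succeeded" check misses; evaluating the gap between successes rather than the schedule is the point of the check.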
WHAT IS A BCMS?
• BUSINESS CONTINUITY IS THE CAPABILITY OF THE ORGANIZATION TO CONTINUE DELIVERY OF PRODUCTS OR
SERVICES AT ACCEPTABLE PREDEFINED LEVELS FOLLOWING A DISRUPTIVE INCIDENT. BUSINESS CONTINUITY
MANAGEMENT (BCM) IS THE PROCESS OF ACHIEVING BUSINESS CONTINUITY AND IS ABOUT PREPARING AN
ORGANIZATION TO DEAL WITH DISRUPTIVE INCIDENTS THAT MIGHT OTHERWISE PREVENT IT FROM ACHIEVING ITS
OBJECTIVES.
• PLACING BCM WITHIN THE FRAMEWORK AND DISCIPLINES OF A MANAGEMENT SYSTEM CREATES A BUSINESS
CONTINUITY MANAGEMENT SYSTEM (BCMS) THAT ENABLES BCM TO BE CONTROLLED, EVALUATED AND
CONTINUALLY IMPROVED.
• ANY INCIDENT, LARGE OR SMALL, NATURAL, ACCIDENTAL OR DELIBERATE HAS THE POTENTIAL TO CAUSE MAJOR
DISRUPTION TO THE ORGANIZATION’S OPERATIONS AND ITS ABILITY TO DELIVER PRODUCTS AND SERVICES.
HOWEVER, IMPLEMENTING BUSINESS CONTINUITY BEFORE A DISRUPTIVE INCIDENT OCCURS, RATHER THAN
WAITING FOR THIS TO HAPPEN WILL ENABLE THE ORGANIZATION TO RESUME OPERATIONS BEFORE UNACCEPTABLE
LEVELS OF IMPACT ARISE.
FUNDAMENTAL PRINCIPLES
• A) AWARENESS OF THE NEED FOR BCMS
• B) ASSIGNMENT OF RESPONSIBILITY FOR BCMS
• C) INCORPORATING MANAGEMENT COMMITMENT AND THE INTERESTS OF STAKEHOLDERS
• D) ENHANCING SOCIETAL VALUES
• E) RISK ASSESSMENTS DETERMINING APPROPRIATE CONTROLS TO REACH ACCEPTABLE LEVELS OF
RISK
• F) SECURITY INCORPORATED AS AN ESSENTIAL ELEMENT OF BCMS
• G) ACTIVE PREVENTION AND DETECTION OF BUSINESS CONTINUITY INCIDENTS
• H) ENSURING A COMPREHENSIVE APPROACH TO BUSINESS CONTINUITY MANAGEMENT
• I) CONTINUAL REASSESSMENT OF BUSINESS CONTINUITY AND MAKING OF MODIFICATIONS AS
APPROPRIATE.
STEPS:
1. BEING CLEAR ON THE ORGANIZATION’S KEY PRODUCTS AND
SERVICES AND THE ACTIVITIES THAT DELIVER THEM
2. KNOWING THE PRIORITIES FOR RESUMING ACTIVITIES AND THE
RESOURCES THEY REQUIRE
3. HAVING A CLEAR UNDERSTANDING OF THE THREATS TO THESE
ACTIVITIES, INCLUDING THEIR DEPENDENCIES, AND KNOWING
THE IMPACTS OF NOT RESUMING THEM
4. HAVING TRIED AND TRUSTED ARRANGEMENTS IN PLACE TO
RESUME THESE ACTIVITIES FOLLOWING A DISRUPTIVE
PURPOSE BCMS
• BY FOCUSING ON THE IMPACT OF DISRUPTION RATHER THAN THE
CAUSE, BUSINESS CONTINUITY IDENTIFIES THOSE ACTIVITIES ON
WHICH THE ORGANIZATION DEPENDS FOR ITS SURVIVAL, AND
ENABLES THE ORGANIZATION TO DETERMINE WHAT IS REQUIRED
TO CONTINUE TO MEET ITS OBLIGATIONS.
• THROUGH BUSINESS CONTINUITY, AN ORGANIZATION CAN
RECOGNIZE WHAT NEEDS TO BE DONE TO PROTECT ITS RESOURCES
(E.G. PEOPLE, PREMISES, TECHNOLOGY AND INFORMATION), SUPPLY
CHAIN, INTERESTED PARTIES AND REPUTATION, BEFORE A
DISRUPTIVE INCIDENT OCCURS. WITH THAT RECOGNITION, THE
ORGANIZATION IS ABLE TO TAKE A REALISTIC VIEW ON THE
RESPONSES THAT ARE LIKELY TO BE NEEDED AS AND WHEN A
DISRUPTION OCCURS, SO THAT IT CAN BE CONFIDENT OF
MANAGING THE CONSEQUENCES AND AVOID UNACCEPTABLE
BENEFITS
PROTECTS BUSINESS FROM A RANGE OF THREATS
ENSURES BUSINESS CONTINUITY
MINIMIZES FINANCIAL LOSS
OPTIMIZES RETURN ON INVESTMENTS
INCREASES BUSINESS OPPORTUNITIES
BCMS FAMILY OF STANDARDS
ISO 22300, SECURITY AND RESILIENCE — VOCABULARY
ISO 22301, BUSINESS CONTINUITY MANAGEMENT SYSTEMS —
REQUIREMENTS
ISO 22313, SOCIETAL SECURITY — BUSINESS CONTINUITY MANAGEMENT
SYSTEMS — GUIDANCE
CLAUSES OF ISO 22301:2019
THE MAIN DIFFERENCES FROM OTHER ISO STANDARDS ARE:
• 4.2.2 LEGAL AND REGULATORY REQUIREMENTS
• CLAUSE 8
CLAUSE 8 OPERATION
• 8.1 OPERATIONAL PLANNING AND CONTROL
• 8.2 BUSINESS IMPACT ANALYSIS AND RISK ASSESSMENT
• 8.2.1 GENERAL
• 8.2.2 BUSINESS IMPACT ANALYSIS
• 8.2.3 RISK ASSESSMENT
• 8.3 BUSINESS CONTINUITY STRATEGIES AND SOLUTIONS
• 8.3.1 GENERAL
• 8.3.2 IDENTIFICATION AND SELECTION OF STRATEGIES AND SOLUTIONS
• 8.3.3 RESOURCE REQUIREMENTS
• 8.3.4 IMPLEMENTATION OF SOLUTIONS
• 8.4 BUSINESS CONTINUITY PLANS AND PROCEDURES
• 8.4.1 GENERAL
• 8.4.2 RESPONSE STRUCTURE
• 8.4.3 WARNING AND COMMUNICATION
• 8.4.4 BUSINESS CONTINUITY PLANS
• 8.4.5 RECOVERY
• 8.5 EXERCISE PROGRAMME
8.2.2 BUSINESS IMPACT ANALYSIS (BIA): PROCESS (3.40) OF ANALYZING THE IMPACT
(3.18) OF A DISRUPTION (3.12) ON THE ORGANIZATION (3.31)
• A) DEFINES IMPACT CATEGORIES AND CRITERIA RELEVANT TO THE ORGANIZATION’S CONTEXT;
• B) USES THESE IMPACT CATEGORIES AND CRITERIA FOR MEASURING IMPACT;
• C) IDENTIFIES ACTIVITIES THAT SUPPORT THE PROVISION OF PRODUCTS AND SERVICES;
• D) ANALYSES THE IMPACTS OVER TIME RESULTING FROM DISRUPTION OF THESE ACTIVITIES;
• E) IDENTIFIES THE TIME WITHIN WHICH THE IMPACTS OF NOT RESUMING ACTIVITIES WOULD
BECOME UNACCEPTABLE TO THE ORGANIZATION;
• NOTE THIS MAY BE REFERRED TO AS MAXIMUM TOLERABLE PERIOD OF DISRUPTION (MTPD)
• F) SETS PRIORITIZED TIMEFRAMES WITHIN THE TIME IDENTIFIED IN E) ABOVE FOR RESUMING
DISRUPTED ACTIVITIES AT A SPECIFIED MINIMUM ACCEPTABLE CAPACITY;
• NOTE THIS MAY BE REFERRED TO AS RECOVERY TIME OBJECTIVE (RTO)
• G) USES THE BUSINESS IMPACTS TO IDENTIFY PRIORITIZED ACTIVITIES;
• H) DETERMINES WHICH RESOURCES ARE NEEDED TO SUPPORT PRIORITIZED ACTIVITIES;
• I) DETERMINES THE DEPENDENCIES AND INTERDEPENDENCIES OF PRIORITIZED ACTIVITIES.
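Items e) to i) above define relationships that can be checked mechanically once the BIA is recorded: the prioritized timeframe (RTO) must fall within the period after which impacts become unacceptable (MTPD), and a prioritized activity cannot be resumed sooner than the activities and resources it depends on. The script below is an added example, not part of this deck or of the standard: it runs those checks over a constructed BIA register, computes each activity's effective RTO through its dependency chain, and orders the activities by timeframe. The activity names, durations, capacities and dependencies are assumptions made for the example.

```python
"""Added example (not from the slide deck): consistency checks over a
constructed business impact analysis (BIA) register.

Checks encoded from the deck's clause 8.2.2 items and the RTO note:
  * RTO must be strictly shorter than MTPD (items e and f);
  * a supporting activity or resource must have an RTO no longer than the
    activity it supports (items h and i), checked directly and transitively;
  * the minimum acceptable capacity must be a valid percentage.
All sample activities, durations and dependencies are constructed.
"""
from dataclasses import dataclass, field
from math import inf


@dataclass
class Activity:
    name: str
    mtpd_hours: float                  # maximum tolerable period of disruption
    rto_hours: float                   # prioritized timeframe for resumption
    min_capacity_pct: int              # minimum acceptable capacity on resumption
    depends_on: list = field(default_factory=list)  # supporting activities/resources


def check_bia(register):
    """Return a list of finding strings; an empty list means the register is consistent."""
    findings = []
    for act in register.values():
        if not act.rto_hours < act.mtpd_hours:
            findings.append(f"{act.name}: RTO {act.rto_hours}h must be shorter than "
                            f"MTPD {act.mtpd_hours}h")
        if not 0 < act.min_capacity_pct <= 100:
            findings.append(f"{act.name}: minimum capacity {act.min_capacity_pct}% is invalid")
        for dep in act.depends_on:
            if dep not in register:
                findings.append(f"{act.name}: dependency '{dep}' is not in the BIA register")
            elif register[dep].rto_hours > act.rto_hours:
                findings.append(f"{act.name}: depends on {dep} (RTO {register[dep].rto_hours}h) "
                                f"but has the shorter RTO {act.rto_hours}h")
    return findings


def effective_rto(register, name, _visiting=None):
    """Worst-case resumption time once the whole dependency chain is taken into account.

    An unknown dependency has an unknown recovery time, so it is treated as unbounded.
    A circular dependency is an error: neither side can be resumed first.
    """
    _visiting = set() if _visiting is None else _visiting
    if name not in register:
        return inf
    if name in _visiting:
        raise ValueError(f"circular dependency involving {name}")
    _visiting.add(name)
    worst = register[name].rto_hours
    for dep in register[name].depends_on:
        worst = max(worst, effective_rto(register, dep, _visiting))
    _visiting.remove(name)
    return worst


def prioritized_activities(register):
    """Activity names ordered by RTO, then MTPD: the order recovery effort is prioritized in."""
    return [a.name for a in sorted(register.values(), key=lambda a: (a.rto_hours, a.mtpd_hours))]


# Constructed sample register (hours); deliberately contains inconsistencies.
SAMPLE_BIA = {
    "customer_payments": Activity("customer_payments", 24, 4, 50, ["core_banking_db", "network"]),
    "core_banking_db":   Activity("core_banking_db", 12, 2, 100, ["storage_san"]),
    "storage_san":       Activity("storage_san", 12, 8, 100),
    "network":           Activity("network", 8, 8, 100),
    "payroll":           Activity("payroll", 120, 72, 80, ["hr_system"]),
}

if __name__ == "__main__":
    for finding in check_bia(SAMPLE_BIA):
        print("FINDING:", finding)
    for name in prioritized_activities(SAMPLE_BIA):
        print(f"{name}: declared RTO {SAMPLE_BIA[name].rto_hours}h, "
              f"effective RTO {effective_rto(SAMPLE_BIA, name)}h")
```

The sample register shows why the transitive check matters: `customer_payments` declares a 4-hour RTO and its direct database dependency a 2-hour one, yet the SAN under that database can only be recovered in 8 hours, so the payments activity cannot actually meet its timeframe until the storage solution is changed.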
BIA
THREAT
SELF ASSESSMENT BIA
• IS THERE A FORMAL RISK ASSESSMENT PROCESS FOR ANALYZING THE RISK OF
DISRUPTIVE INCIDENTS?
• DOES THIS RISK ASSESSMENT METHOD IDENTIFY RISK TREATMENTS
APPROPRIATE TO BC OBJECTIVES?
• IS THERE EVIDENCE OF PRIORITIZING RISK TREATMENTS WITH COSTS
IDENTIFIED?
• SOURCE BSI SELF ASSESSMENT BIA
8.2.3 RISK ASSESSMENT
• THE ORGANIZATION SHALL IMPLEMENT AND MAINTAIN A SYSTEMATIC RISK
ASSESSMENT PROCESS.
• NOTE THIS PROCESS CAN BE MADE IN ACCORDANCE WITH ISO 31000.
• THE ORGANIZATION SHALL:
• A) IDENTIFY RISKS OF DISRUPTION TO THE ORGANIZATION'S PRIORITIZED
ACTIVITIES AND TO THEIR SUPPORTING RESOURCES;
• B) SYSTEMATICALLY ANALYSE RISKS OF DISRUPTION;
• C) EVALUATE RISKS OF DISRUPTION WHICH REQUIRE TREATMENT
RISK ASSESSMENT
8.3 BUSINESS CONTINUITY STRATEGIES AND
SOLUTIONS
• BUSINESS CONTINUITY
• CAPABILITY OF AN ORGANIZATION (3.158) TO CONTINUE THE DELIVERY OF
PRODUCTS OR SERVICES (3.181) AT ACCEPTABLE PREDEFINED LEVELS
FOLLOWING A DISRUPTION (3.70)
• CONTINUITY
• STRATEGIC AND TACTICAL CAPABILITY, PRE-APPROVED BY MANAGEMENT
(3.135), OF AN ORGANIZATION (3.158) TO PLAN FOR AND RESPOND TO
CONDITIONS, SITUATIONS AND EVENTS (3.82) IN ORDER TO CONTINUE
OPERATIONS AT AN ACCEPTABLE PREDEFINED LEVEL
• BASED ON THE OUTPUTS FROM THE BUSINESS IMPACT ANALYSIS AND RISK
ASSESSMENT, THE ORGANIZATION SHALL IDENTIFY AND SELECT BUSINESS
CONTINUITY STRATEGIES THAT CONSIDER OPTIONS FOR BEFORE, DURING AND
AFTER DISRUPTION.
• 8.3.2 IDENTIFICATION OF STRATEGIES AND SOLUTION
• 8.3.3 SELECTION OF STRATEGIES AND SOLUTIONS
• 8.3.3 RESOURCE REQUIREMENTS
• 8.3.4 IMPLEMENTATION OF SOLUTIONS
• THE ORGANIZATION SHALL IDENTIFY AND SELECT APPROPRIATE BUSINESS CONTINUITY STRATEGIES AND
SOLUTIONS TAKING INTO CONSIDERATION THEIR ASSOCIATED COSTS FOR (GOAL FOR BC STRATEGY):
• A) RESPONDING TO DISRUPTIONS;
• B) CONTINUING AND RECOVERING PRIORITIZED ACTIVITIES AND THEIR REQUIRED RESOURCES TO MEET THE
DELIVERY OF PRODUCTS AND SERVICES AT THE AGREED CAPACITY OVER TIME.
• FOR THE PRIORITIZED ACTIVITIES, THE ORGANIZATION SHALL IDENTIFY AND SELECT STRATEGIES AND SOLUTIONS
CONSIDERING BUSINESS CONTINUITY OBJECTIVES AND THE AMOUNT AND TYPE OF RISK THAT THE ORGANIZATION
MAY OR MAY NOT TAKE THAT:
• A) REDUCE THE LIKELIHOOD OF DISRUPTION;
• B) SHORTEN THE PERIOD OF DISRUPTION;
• C) LIMIT THE IMPACT OF DISRUPTION ON THE ORGANIZATION'S PRODUCTS AND SERVICES
SELF ASSESSMENT BC STRATEGY
• IS THE BC STRATEGY BASED ON THE OUTPUTS OF THE BIA AND RISK
ASSESSMENT?
• DOES THE BC STRATEGY PROTECT PRIORITIZED ACTIVITIES AND PROVIDE
APPROPRIATE CONTINUITY AND RECOVERY OF THEM, THEIR DEPENDENCIES AND
RESOURCES?
• DOES THE BC STRATEGY PROVIDE FOR MITIGATING, RESPONDING TO AND
MANAGING IMPACTS?
• HAVE PRIORITIZED TIME FRAMES BEEN SET FOR THE RESUMPTION OF ALL
ACTIVITIES?
• HAVE THE BC CAPABILITIES OF SUPPLIERS BEEN EVALUATED?
8.4 BUSINESS CONTINUITY PLANS AND
PROCEDURES
• THE ORGANIZATION SHALL IMPLEMENT AND MAINTAIN A STRUCTURE THAT WILL ENABLE TIMELY
WARNING AND COMMUNICATION TO RELEVANT INTERESTED PARTIES. IT SHALL PROVIDE PLANS
AND PROCEDURES TO MANAGE THE ORGANIZATION DURING A DISRUPTION. THE PLANS AND
PROCEDURES SHALL BE USED WHEN REQUIRED TO ACTIVATE BUSINESS CONTINUITY SOLUTIONS.
• THE PROCEDURES SHALL:
• A) BE SPECIFIC REGARDING THE IMMEDIATE STEPS THAT ARE TO BE TAKEN DURING A DISRUPTION;
• B) BE FLEXIBLE TO RESPOND TO CHANGING INTERNAL AND EXTERNAL CONDITIONS OF A
DISRUPTION;
• C) FOCUS ON THE IMPACT OF INCIDENTS THAT POTENTIALLY LEAD TO DISRUPTION;
• D) BE EFFECTIVE IN MINIMIZING IMPACT THROUGH IMPLEMENTATION OF APPROPRIATE SOLUTIONS;
• E) ASSIGN ROLES AND RESPONSIBILITIES FOR TASKS WITHIN IT.
SELF ASSESSMENT BCP
• HAVE BC PROCEDURES BEEN PUT IN PLACE TO MANAGE A DISRUPTIVE INCIDENT,
AND HAVE CONTINUITY ACTIVITIES BASED ON RECOVERY OBJECTIVES BEEN
IDENTIFIED IN THE BIA?
• ARE THE BUSINESS CONTINUITY PROCEDURES DOCUMENTED?
• HAVE INTERNAL AND EXTERNAL COMMUNICATION PROTOCOLS BEEN
ESTABLISHED AS PART OF THESE PROCEDURES?
• SOURCE BSI SELF ASSESSMENT ISO 22301
8.4.2 RESPONSE STRUCTURE
• THE ORGANIZATION SHALL IMPLEMENT AND MAINTAIN A STRUCTURE
IDENTIFYING ONE OR MORE TEAMS RESPONSIBLE FOR RESPONDING TO
DISRUPTIONS
• FOR EACH TEAM THERE SHALL BE:
• A) IDENTIFIED PERSONNEL AND THEIR ASSOCIATES WITH THE NECESSARY
RESPONSIBILITY, AUTHORITY AND COMPETENCE TO PERFORM THEIR
DESIGNATED ROLE;
• B) DOCUMENTED PROCEDURES TO GUIDE THEIR ACTIONS (SEE 8.4.4) INCLUDING
THOSE FOR THE ACTIVATION, OPERATION, COORDINATION AND
COMMUNICATION OF THE RESPONSE.
SELF ASSESSMENT INCIDENT RESPONSE
STRUCTURE (IRS)
• IS THERE THE MANAGEMENT STRUCTURE AND TRAINED PERSONNEL IN PLACE
TO RESPOND TO A DISRUPTIVE INCIDENT?
• DOES THE IRS AND ASSOCIATED PROCEDURES INCLUDE THRESHOLDS,
ASSESSMENT, ACTIVATION, RESOURCE PROVISION AND COMMUNICATION?
• DO THE PEOPLE IN YOUR IRS HAVE THE NECESSARY COMPETENCY TO PERFORM
THEIR DUTIES, AND HAVE YOU KEPT RECORDS TO DEMONSTRATE THEIR
COMPETENCE?
8.4.3 WARNING AND COMMUNICATION
• 8.4.3.1 THE ORGANIZATION SHALL DOCUMENT AND MAINTAIN PROCEDURES FOR:
• A) COMMUNICATING INTERNALLY AND EXTERNALLY TO RELEVANT INTERESTED PARTIES, INCLUDING WHAT, WHEN, WITH WHOM AND HOW TO
COMMUNICATE;
• NOTE THE ORGANIZATION MAY DOCUMENT AND MAINTAIN PROCEDURES FOR HOW, AND UNDER WHAT CIRCUMSTANCES, THE ORGANIZATION
COMMUNICATES WITH EMPLOYEES AND THEIR EMERGENCY CONTACTS.
• B) RECEIVING, DOCUMENTING AND RESPONDING TO COMMUNICATIONS FROM INTERESTED PARTIES, INCLUDING ANY NATIONAL OR REGIONAL
RISK ADVISORY SYSTEM OR EQUIVALENT;
• C) ENSURING AVAILABILITY OF THE MEANS OF COMMUNICATION DURING A DISRUPTION;
• D) FACILITATING STRUCTURED COMMUNICATION WITH EMERGENCY RESPONDERS;
• E) DETAILS OF THE ORGANIZATION'S MEDIA RESPONSE FOLLOWING AN INCIDENT, INCLUDING A COMMUNICATIONS STRATEGY;
• F) RECORDING DETAILS OF THE DISRUPTION, ACTIONS TAKEN AND DECISIONS MADE
• THE COMMUNICATION AND WARNING PROCEDURES SHALL BE EXERCISED AS PART OF THE ORGANIZATION’S EXERCISE PROGRAMME REFERRED TO
IN 8.5.
SELF ASSESSMENT INCIDENT
COMMUNICATIONS AND WARNINGS
1. IS THERE A PROCEDURE FOR DETECTING AND MONITORING INCIDENTS?
2. IS THERE A PROCEDURE FOR MANAGING INTERNAL COMMUNICATIONS AND EXTERNAL COMMUNICATIONS FROM
INTERESTED PARTIES DURING A DISRUPTIVE INCIDENT?
3. IS THERE A PROCEDURE FOR RECEIVING AND RESPONDING TO WARNINGS FROM OUTSIDE AGENCIES AND
EMERGENCY RESPONDERS?
4. IS THERE A STRUCTURE TO COMMUNICATE WITH EMERGENCY RESPONDERS AND OTHER AUTHORITIES DURING
AN INCIDENT, OR, FOR RESPONDING ORGANIZATIONS, ARE COMMUNICATIONS INTEROPERABLE WITH OTHERS?
5. IS THERE A PROCEDURE FOR RECORDING VITAL INFORMATION ABOUT THE INCIDENT, ACTIONS TAKEN AND
DECISIONS MADE?
6. IS THERE A PROCEDURE FOR ISSUING ALERTS AND WARNINGS IF APPROPRIATE?
7. ARE THE ORGANIZATION’S COMMUNICATION AND WARNING SYSTEMS REGULARLY EXERCISED, AND RECORDS
KEPT OF THE RESULTS?
8.4.4 BUSINESS CONTINUITY PLANS
• 8.4.4.1 THE BUSINESS CONTINUITY PLANS SHALL PROVIDE GUIDANCE AND INFORMATION THAT WILL ASSIST THE TEAMS TO RESPOND TO A
DISRUPTION AND ASSIST THE ORGANIZATION WITH RESPONSE AND RECOVERY.
• COLLECTIVELY, THE BUSINESS CONTINUITY PLANS SHALL CONTAIN:
• A) DETAILS OF THE ACTIONS THAT THE TEAMS WILL TAKE IN ORDER TO CONTINUE OR RECOVER PRIORITIZED ACTIVITIES WITHIN PREDETERMINED
TIMEFRAMES AND TO MONITOR THE EFFECTS OF THE DISRUPTION AND THE ORGANIZATION’S RESPONSE TO IT;
• B) REFERENCE TO THE PRE-DEFINED THRESHOLD AND PROCESS FOR ACTIVATING THE RESPONSE;
• C) PROCEDURES TO ENABLE THE DELIVERY OF PRODUCTS AND SERVICES AT AGREED CAPACITY TO INTERESTED PARTIES;
• D) DETAILS TO MANAGE THE IMMEDIATE CONSEQUENCES OF A DISRUPTION GIVING DUE REGARD TO:
• 1) THE WELFARE OF INDIVIDUALS;
• 2) PREVENTION OF FURTHER LOSS OR UNAVAILABILITY OF PRIORITIZED ACTIVITIES;
• 3) PROTECTION OF THE ENVIRONMENT;
• E) A PROCESS FOR STANDING DOWN ONCE THE INCIDENT IS OVER.
EACH BUSINESS CONTINUITY PLAN SHALL HAVE:
1. PURPOSE AND SCOPE, AND OBJECTIVES;
2. ROLES, RESPONSIBILITIES OF THE TEAM THAT WILL IMPLEMENT THE PLAN;
3. ACTIONS AND RESOURCES TO IMPLEMENT THE SOLUTIONS;
4. SUPPORTING INFORMATION NEEDED TO ACTIVATE (INCLUDING ACTIVATION CRITERIA),
OPERATE, COORDINATE AND COMMUNICATE THE TEAM’S ACTIONS;
5. INTERNAL AND EXTERNAL INTERDEPENDENCIES;
6. RESOURCE REQUIREMENTS;
7. REPORTING REQUIREMENTS.
• EACH PLAN SHALL BE USABLE AND AVAILABLE AT THE TIME AND PLACE AT WHICH IT IS
REQUIRED
SELF ASSESSMENT BUSINESS CONTINUITY
RESPONSE AND RECOVERY PLANS
1. ARE THERE DOCUMENTED PLANS/PROCEDURES FOR RESTORING BUSINESS OPERATIONS AFTER AN INCIDENT?
2. DO THESE PLANS REFLECT THE NEEDS OF THOSE WHO WILL USE THEM?
3. DO THE PLANS DEFINE ROLES AND RESPONSIBILITIES?
4. DO THE PLANS DEFINE A PROCESS FOR ACTIVATING THE RESPONSE?
5. DO THE PLANS CONSIDER THE MANAGEMENT OF THE IMMEDIATE CONSEQUENCES OF A DISRUPTION, IN PARTICULAR THE WELFARE OF
INDIVIDUALS, OPTIONS FOR RESPONSE AND FURTHER LOSS PREVENTION?
6. DO THE PLANS DETAIL HOW TO COMMUNICATE WITH THE VARIOUS INTERESTED PARTIES DURING THE DISRUPTION?
7. DO THE PLANS CONTAIN DETAILS ON HOW PRIORITIZED ACTIVITIES WILL BE CONTINUED OR RECOVERED WITHIN PREDETERMINED TIME
FRAMES?
8. IS THERE A PLANNED MEDIA RESPONSE TO AN INCIDENT?
9. DO THE PLANS INCLUDE A PROCEDURE FOR STANDING DOWN THE RESPONSE?
10. DOES EACH PLAN CONTAIN THE ESSENTIAL INFORMATION TO USE IT EFFECTIVELY?
8.4.5 RECOVERY
• THE ORGANIZATION SHALL HAVE DOCUMENTED PROCESSES TO RESTORE AND
RETURN BUSINESS ACTIVITIES FROM THE TEMPORARY MEASURES ADOPTED TO
SUPPORT NORMAL BUSINESS REQUIREMENTS DURING AND AFTER A DISRUPTION.
SELF ASSESSMENT EXERCISING AND TESTING
1. HAVE BUSINESS CONTINUITY PROCEDURES BEEN TESTED TO ENSURE THEY ARE CONSISTENT WITH YOUR BC
OBJECTIVES?
2. DO TOP MANAGEMENT “ACTIVELY ENGAGE” IN TESTING AND EXERCISING THE BCMS?
3. ARE THE TEST EXERCISES CLEARLY DEFINED, CONSISTENT WITH THE SCOPE OF THE BCMS AND BUSINESS
CONTINUITY OBJECTIVES, AND BASED ON APPROPRIATE SCENARIOS?
4. WILL THE TEST EXERCISES THAT HAVE BEEN CONDUCTED OVER TIME VALIDATE THE WHOLE OF THE
ORGANIZATION’S BUSINESS CONTINUITY ARRANGEMENTS?
5. ARE THE TEST EXERCISES DESIGNED TO MINIMIZE THE RISK OF DISRUPTION TO OPERATIONS?
6. HAVE FORMAL POST-EXERCISE REPORTS BEEN PRODUCED FOR THE CONDUCTED TESTS?
7. ARE THE OUTCOMES OF EXERCISES REVIEWED TO ENSURE THEY LEAD TO IMPROVEMENT?
8. ARE TEST EXERCISES UNDERTAKEN AT PLANNED INTERVALS, AND WHEN SIGNIFICANT CHANGES OCCUR IS THIS
PROCESS DOCUMENTED WITHIN THE BCMS?
8.5 EXERCISE PROGRAMME
• THE ORGANIZATION SHALL IMPLEMENT AND MAINTAIN A PROGRAM OF EXERCISING AND TESTING TO VALIDATE
OVER TIME THE EFFECTIVENESS OF ITS BUSINESS CONTINUITY STRATEGIES AND SOLUTIONS.
• THE ORGANIZATION SHALL CONDUCT EXERCISES AND TESTS THAT:
• A) ARE CONSISTENT WITH ITS BUSINESS CONTINUITY OBJECTIVES;
• B) ARE BASED ON APPROPRIATE SCENARIOS THAT ARE WELL PLANNED WITH CLEARLY DEFINED AIMS AND
OBJECTIVES;
• C) DEVELOP TEAMWORK, COMPETENCE, CONFIDENCE AND KNOWLEDGE FOR THOSE WHO HAVE ROLES TO
PERFORM IN RELATION TO DISRUPTIONS;
• D) TAKEN TOGETHER OVER TIME VALIDATE THE WHOLE OF ITS BUSINESS CONTINUITY STRATEGIES;
• E) PRODUCE FORMALIZED POST-EXERCISE REPORTS THAT CONTAIN OUTCOMES, RECOMMENDATIONS AND
ACTIONS TO IMPLEMENT IMPROVEMENTS;
• F) ARE REVIEWED WITHIN THE CONTEXT OF PROMOTING CONTINUAL IMPROVEMENT;
• G) ARE PERFORMED AT PLANNED INTERVALS AND WHEN THERE ARE SIGNIFICANT CHANGES WITHIN THE
ORGANIZATION OR THE CONTEXT IN WHICH IT OPERATES.
• THE ORGANIZATION SHALL ACT ON THE RESULTS OF ITS EXERCISING AND TESTING TO IMPLEMENT CHANGES
AND IMPROVEMENTS
SHORT-TERM GOALS AND PERFORMANCE
OBJECTIVES SHOULD BE ESTABLISHED AND
INCLUDE THE FOLLOWING:
• (1) RECOVERY OF CRITICAL OR TIME-SENSITIVE PERSONNEL, SYSTEMS,
OPERATIONS, RECORDS, AND EQUIPMENT
• (2) AGREED-UPON PRIORITIES FOR RESTORATION AND MITIGATION
• (3) LENGTH OF DOWNTIME ACCEPTABLE BEFORE RESTORATION TO A MINIMAL
LEVEL IS REQUIRED
• (4) MINIMAL ACCEPTABLE LEVEL OF RESOURCES NEEDED TO PROVIDE FOR THE
RESTORATION OF FACILITIES, PROCESSES, PROGRAMS, SERVICES, AND
INFRASTRUCTURE
CERTIFICATION
INTERRELATION ISO 27001
• A.17 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
• A.17.1 INFORMATION SECURITY CONTINUITY
• OBJECTIVE: INFORMATION SECURITY CONTINUITY SHALL BE EMBEDDED IN THE
ORGANIZATION’S BUSINESS CONTINUITY MANAGEMENT SYSTEMS.
• A.17.1.1 PLANNING INFORMATION SECURITY CONTINUITY
• CONTROL
• THE ORGANIZATION SHALL DETERMINE ITS REQUIREMENTS FOR INFORMATION
SECURITY AND THE CONTINUITY OF INFORMATION SECURITY MANAGEMENT IN
ADVERSE SITUATIONS, E.G. DURING A CRISIS OR DISASTER.
• A.17.1.2
• IMPLEMENTING INFORMATION SECURITY CONTINUITY
• CONTROL
• THE ORGANIZATION SHALL ESTABLISH, DOCUMENT, IMPLEMENT AND MAINTAIN PROCESSES, PROCEDURES AND CONTROLS
TO ENSURE THE REQUIRED LEVEL OF CONTINUITY FOR INFORMATION SECURITY DURING AN ADVERSE SITUATION.
• A.17.1.3
• VERIFY, REVIEW AND EVALUATE INFORMATION SECURITY CONTINUITY
• CONTROL
• THE ORGANIZATION SHALL VERIFY THE ESTABLISHED AND IMPLEMENTED INFORMATION SECURITY CONTINUITY CONTROLS
AT REGULAR INTERVALS IN ORDER TO ENSURE THAT THEY ARE VALID AND EFFECTIVE DURING ADVERSE
SITUATIONS.
ISO 22301 MANDATORY DOCUMENTS
• LIST OF LEGAL, REGULATORY AND OTHER REQUIREMENTS (CLAUSE 4.2.2) – LISTS EVERYTHING YOU NEED TO COMPLY WITH.
• SCOPE OF THE BCMS AND EXPLANATION OF EXCLUSIONS (CLAUSE 4.3) – DEFINES WHERE YOUR BCMS WILL BE IMPLEMENTED.
• BUSINESS CONTINUITY POLICY (CLAUSE 5.2) – DEFINES MAIN RESPONSIBILITIES, AND THE INTENT OF THE MANAGEMENT.
• BUSINESS CONTINUITY OBJECTIVES (CLAUSE 6.2) – DEFINES MEASURABLE OBJECTIVES THAT ARE TO BE ACHIEVED WITH
BUSINESS CONTINUITY.
• COMPETENCIES OF PERSONNEL (CLAUSE 7.2) – DEFINES KNOWLEDGE AND SKILLS NEEDED.
• BUSINESS CONTINUITY PLANS AND PROCEDURES (CLAUSE 8.4) – INCLUDES PLANS AND PROCEDURES FOR RESPONSE,
COMMUNICATION, RECOVERY (INCLUDING DISASTER RECOVERY PLANS), RESTORE AND RETURN ACTIVITIES.
• DOCUMENTED COMMUNICATION WITH INTERESTED PARTIES (CLAUSE 8.4.3.1) – THESE COULD BE EMAILS, BUT ALSO
OFFICIAL COMMUNICATION FROM SOURCES SUCH AS GOVERNMENT AGENCIES AND OTHERS.
• RECORDS OF IMPORTANT INFORMATION ABOUT THE DISRUPTION, ACTIONS TAKEN AND DECISIONS MADE (CLAUSE 8.4.3.1)
– NORMALLY THESE RECORDS ARE DONE THROUGH MINUTES OR BY FILLING OUT CHECKLISTS OF PERFORMED ACTIVITIES.
• DATA AND RESULTS OF MONITORING AND MEASUREMENT (CLAUSE 9.1.1) – THIS IS THE EVALUATION ON WHETHER
YOUR BCMS MET THE OBJECTIVES.
• INTERNAL AUDIT PROGRAM (CLAUSE 9.2)
• RESULTS OF INTERNAL AUDIT (CLAUSE 9.2) – NORMALLY, THIS IS THE INTERNAL AUDIT REPORT.
• RESULTS OF MANAGEMENT REVIEW (CLAUSE 9.3) – USUALLY, THIS IS IN THE FORM OF MINUTES OR PERHAPS
DOCUMENTED DECISIONS.
• NATURE OF NONCONFORMITIES AND ACTIONS TAKEN (CLAUSE 10.1) – THIS IS A DESCRIPTION OF
NONCONFORMITIES, AND THEIR CAUSE.
• RESULTS OF CORRECTIVE ACTIONS (CLAUSE 10.1) – THIS IS A DESCRIPTION OF WHAT HAS BEEN DONE TO
ELIMINATE THE CAUSE OF A NONCONFORMITY.
• SOURCE ADVISERA HTTPS://ADVISERA.COM/27001ACADEMY/KNOWLEDGEBASE/MANDATORY-DOCUMENTS-REQUIRED-BY-ISO-22301/
COMMONLY USED NON-MANDATORY BCMS
DOCUMENTS AND RECORDS
• PROCEDURE FOR IDENTIFICATION OF APPLICABLE LEGAL AND REGULATORY REQUIREMENTS
(CLAUSE 4.2.2)
• IMPLEMENTATION PLAN FOR ACHIEVING THE BUSINESS CONTINUITY OBJECTIVES (CLAUSE 6.2)
• TRAINING AND AWARENESS PLAN (CLAUSES 7.2 AND 7.3)
• PROCEDURE FOR CONTROL OF DOCUMENTED INFORMATION (CLAUSE 7.5)
• CONTRACTS AND SERVICE LEVEL AGREEMENTS (SLAS) WITH SUPPLIERS AND OUTSOURCING
PARTNERS (CLAUSE 8.1)
• PROCESS FOR BUSINESS IMPACT ANALYSIS AND RISK ASSESSMENT (CLAUSE 8.2.1)
• RESULTS OF BUSINESS IMPACT ANALYSIS (CLAUSE 8.2.2)
• RESULTS OF RISK ASSESSMENT (CLAUSE 8.2.3)
• STRATEGIES AND SOLUTIONS FOR BUSINESS CONTINUITY (CLAUSE 8.3.3)
• INCIDENT SCENARIOS (CLAUSE 8.5)
• EXERCISE AND TESTING PLANS (CLAUSE 8.5)
• POST-EXERCISE REPORTS (CLAUSE 8.5)
• RESULTS OF POST-INCIDENT REVIEW (CLAUSE 8.6)
• METHODS FOR MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION (CLAUSE 9.1.1)
• PROCEDURE FOR INTERNAL AUDIT (CLAUSE 9.2)
• PROCEDURE FOR CORRECTIVE ACTION (CLAUSE 10.1)
• SOURCE ADVISERA HTTPS://ADVISERA.COM/27001ACADEMY/KNOWLEDGEBASE/MANDATORY-DOCUMENTS-REQUIRED-BY-ISO-22301
DIFFERENCE ISO 22301:2012 TO 22301:2019
• THE 2019 EDITION IS SIGNIFICANTLY LESS DETAILED AND PRESCRIPTIVE THAN ITS PREDECESSOR. HOWEVER,
IN THE PROCESS OF REMOVING THE DETAIL AND PROVIDING LESS DIRECTION, THE STANDARD
PLACES GREATER EMPHASIS ON THE SKILLS AND COMPETENCE OF THOSE INDIVIDUALS WHO ARE
RESPONSIBLE FOR DESIGNING AND IMPLEMENTING THE MANAGEMENT SYSTEM PROCESSES. THERE
ARE NO SUBSTANTIAL CHANGES IN THE PROCESSES THAT MAKE UP A BUSINESS CONTINUITY
MANAGEMENT SYSTEM (BCMS) AND THE SAME END RESULTS ARE REQUIRED.
• CLAUSE 6.1.2 NOW MAKES IT CLEAR THAT THE RISKS (AND OPPORTUNITIES) THAT NEED TO BE
ADDRESSED RELATE TO THE EFFECTIVENESS OF THE BCMS, AS OPPOSED TO THE RISKS OF
DISRUPTION, WHICH ARE ADDRESSED BY CLAUSE 8.2.3. THE SAME RELATIONSHIP IS INTENDED IN
OTHER STANDARDS SUCH AS ISO 27001 AND IF YOU ARE IMPLEMENTING A BCMS, YOU WILL NEED
TO WORK OUT HOW TO MEET THE REQUIREMENTS OF THIS CLAUSE.
• SOURCE: HTTPS://WWW.URMCONSULTING.COM/2019/12/10/ISO-223012019-RELEASED-5-KEY-CHANGES/
• THE REQUIREMENTS FOR CONDUCTING THE PIVOTAL BUSINESS IMPACT ANALYSIS (BIA) ARE NOW
CLEARER. THE RELATIONSHIP BETWEEN UNACCEPTABLE IMPACT, MAXIMUM TOLERABLE PERIOD OF
DISRUPTION AND PRIORITIZED TIMEFRAMES FOR ACTIVITY RESUMPTION IS DEFINED AS WELL AS
USING THE BIA TO IDENTIFY ‘PRIORITIZED ACTIVITIES’. THE 2012 EDITION REQUIRED PRIORITIZED
TIMEFRAMES SIMPLY TO CONSIDER IMPACT. IT SHOULD BE NOTED THAT THERE IS NO SPECIFIC
REQUIREMENT WITH THE 2019 VERSION TO DOCUMENT THE BIA PROCESS.
• A KEY ASSURANCE PROCESS, EVALUATION OF PROCEDURES, SPECIFICALLY REQUIRES THE
SUITABILITY, ADEQUACY AND EFFECTIVENESS OF BIAS AND RISK ASSESSMENTS TO BE EVALUATED.
THIS WAS PREVIOUSLY ONLY AN IMPLICIT REQUIREMENT IN THE NAME OF EFFECTIVENESS, BUT
POINTS TO THE KEY ROLE PLAYED BY BIAS AND RISK ASSESSMENTS.
• THE CONCEPT OF MINIMUM ACTIVITY LEVELS HAS SHIFTED, FROM THE NEED TO IDENTIFY
MINIMUM LEVELS OF PRODUCTS AND SERVICES AND MINIMUM ACCEPTABLE LEVELS OF ACTIVITY,
THE LINKING OF WHICH IS IMPLICIT, TO THE MINIMUM ACCEPTABLE CAPACITY OF RESUMED
ACTIVITIES.
NFPA 1600:2019
• CHAPTER 5 PLANNING
• 5.1 PLANNING AND DESIGN PROCESS
• 5.2 RISK ASSESSMENT
• 5.3 BUSINESS IMPACT ANALYSIS (BIA)
• 5.4 RESOURCE NEEDS ASSESSMENT
• CHAPTER 6 IMPLEMENTATION
• 6.1 COMMON PLAN REQUIREMENTS
• 6.2 PREVENTION
• 6.3 MITIGATION
• 6.4 CRISIS MANAGEMENT
• 6.5 CRISIS COMMUNICATIONS AND PUBLIC INFORMATION
• 6.6 WARNING, NOTIFICATIONS, AND COMMUNICATIONS
• 6.7 OPERATIONAL PROCEDURES
PREVENTION STRATEGIES INCLUDE THE
FOLLOWING:
• (1) ONGOING HAZARD IDENTIFICATION
• (2) THREAT ASSESSMENT
• (3) RISK ASSESSMENT
• (4) ANALYSIS OF IMPACTS
• (5) OPERATIONAL EXPERIENCE, INCLUDING INCIDENT
ANALYSIS
• (6) INFORMATION COLLECTION AND ANALYSIS
• (7) INTELLIGENCE AND INFORMATION SHARING
• (8) REGULATORY REQUIREMENTS
MITIGATION STRATEGIES CAN INCLUDE THE
FOLLOWING:
• (1) USE OF APPLICABLE BUILDING CONSTRUCTION STANDARDS
• (2) HAZARD AVOIDANCE THROUGH APPROPRIATE LAND USE
PRACTICES
• (3) RELOCATION, RETROFITTING, OR REMOVAL OF STRUCTURES
AT RISK
• (4) REMOVAL OR ELIMINATION OF THE HAZARD
• (5) REDUCTION OR LIMITATION OF THE AMOUNT OR SIZE OF THE
HAZARD
• (6) SEGREGATION OF THE HAZARD FROM THAT WHICH IS TO BE
PROTECTED
• (9) PROVISION OF PROTECTIVE SYSTEMS OR EQUIPMENT FOR BOTH CYBER
RISKS AND PHYSICAL RISKS
• (10) ESTABLISHMENT OF HAZARD WARNING AND COMMUNICATION
PROCEDURES
• (11) REDUNDANCY OR DIVERSITY OF ESSENTIAL PERSONNEL, CRITICAL
SYSTEMS, EQUIPMENT, INFORMATION, OPERATIONS, OR MATERIALS
• (12) ACCEPTANCE/RETENTION/TRANSFER OF RISK (INSURANCE
PROGRAMS)
• (13) PROTECTION OF COMPETITIVE/PROPRIETARY INFORMATION
6.9 EMERGENCY OPERATIONS/RESPONSE
PLAN.
• 6.9.1* EMERGENCY OPERATIONS/RESPONSE PLANS SHALL DEFINE RESPONSIBILITIES FOR CARRYING OUT SPECIFIC ACTIONS
IN AN EMERGENCY.
• 6.9.2* THE PLAN SHALL IDENTIFY ACTIONS TO BE TAKEN TO PROTECT PEOPLE, INCLUDING PEOPLE WITH DISABILITIES AND
OTHER ACCESS AND FUNCTIONAL NEEDS, INFORMATION, PROPERTY, OPERATIONS, THE ENVIRONMENT, AND THE ENTITY.
• 6.9.3* THE PLAN SHALL IDENTIFY ACTIONS FOR INCIDENT STABILIZATION.
• Δ 6.9.4* THE PLAN SHALL INCLUDE THE FOLLOWING:
• (1) PROTECTIVE ACTIONS FOR LIFE SAFETY IN ACCORDANCE WITH 6.9.2
• (2) WARNING, NOTIFICATIONS, AND COMMUNICATION IN ACCORDANCE WITH SECTION 6.6
• (3) CRISIS COMMUNICATION AND PUBLIC INFORMATION IN ACCORDANCE WITH SECTION 6.5
• (4) RESOURCE MANAGEMENT IN ACCORDANCE WITH 6.8.7
• (5) DONATION MANAGEMENT IN ACCORDANCE WITH 6.8.9
NFPA 1600 2019, CONTINUITY PLANS SHALL
IDENTIFY AND DOCUMENT THE FOLLOWING:
• (1) STAKEHOLDERS THAT NEED TO BE NOTIFIED
• (2) PROCESSES THAT MUST BE MAINTAINED
• (3) ROLES AND RESPONSIBILITIES OF THE INDIVIDUALS
IMPLEMENTING THE CONTINUITY STRATEGIES
• (4) PROCEDURES FOR ACTIVATING THE PLAN, INCLUDING
AUTHORITY FOR PLAN ACTIVATION
• (5) CRITICAL AND TIME-SENSITIVE TECHNOLOGY,
APPLICATION SYSTEMS, AND INFORMATION
• (6) SECURITY OF INFORMATION
• (7) ALTERNATIVE WORK SITES
• (8) WORKAROUND PROCEDURES
• (9) VITAL RECORDS
• (10) CONTACT LISTS
• (11) REQUIRED PERSONNEL
• (12) VENDORS AND CONTRACTORS SUPPORTING
CONTINUITY
• (13) RESOURCES FOR CONTINUED OPERATIONS
• (14) MUTUAL AID OR PARTNERSHIP AGREEMENTS
• (15) ACTIVITIES TO RETURN CRITICAL AND TIME-SENSITIVE
PROCESSES TO THE ORIGINAL STATE
• 6.10.1.3 CONTINUITY PLANS SHALL BE DESIGNED TO MEET
THE RTO AND RPO.
• 6.10.1.4 CONTINUITY PLANS SHALL ADDRESS SUPPLY
CHAIN DISRUPTION.
STRATEGIES FOR DISRUPTION OR LOSS OF OPERATIONAL SITE, SUCH AS THE FOLLOWING
• (A) TRANSFER OF WORKLOAD AND STAFF TO A SURVIVING SITE
• (B) ALTERNATE SITE CONTRACTED THROUGH A COMMERCIAL RECOVERY VENDOR.
• (C) RECIPROCAL AGREEMENT OR MUTUAL AID AGREEMENT WITH A SIMILAR ENTITY.
• (D) DEDICATED ALTERNATE SITE BUILT BY THE ENTITY TO SUPPORT RECOVERY.
• (E) MOBILE FACILITY — GENERALLY, A TRAILER OR MOBILE HOME THAT HAS BEEN EQUIPPED TO SUPPORT OPERATIONAL RECOVERY. THESE CAN BE OWNED OR CONTRACTED FOR THROUGH A VENDOR.
• (F) REMOTE ACCESS/WORK FROM HOME
• (G) RESOURCES ACQUIRED AT THE TIME OF DISRUPTION — THIS WOULD BE USED FOR LESS TIME-SENSITIVE OPERATIONS.
• (H) CUSTOMER SERVICE OR PRODUCT PRIORITY — FOCUSES OPERATIONAL CAPACITY ON SPECIFIC HIGH-VALUE CUSTOMERS OR HIGH-PROFIT PRODUCTS OR SERVICES.
• (I) FINISHED GOODS BUYBACK.
• (J) UTILIZED TO RECOVER ALREADY DELIVERED INVENTORY FROM OTHER CUSTOMERS TO MEET THE DEMANDS OF CUSTOMERS WHO UTILIZE “JUST IN TIME.”
• (K) RELOCATION OF STAFF TO A SURVIVING SITE THAT HAS ADDITIONAL CAPACITY.
• (L) STOCKPILE CRITICAL EQUIPMENT AND INVENTORY TO BE AVAILABLE AT TIME OF DISASTER.
THIRD-PARTY (I.E., VENDOR PROVIDED/EXTENDED ENTERPRISE) RECOVERY STRATEGY OPTIONS, SUCH AS THE FOLLOWING
• (A) MULTIPLE SOURCING — THE ENTITY BUYS THE SAME OR SIMILAR PRODUCT OR SERVICE FROM MULTIPLE VENDORS TO PREVENT SUPPLY CHAIN DISRUPTION SHOULD ONE OF THEM EXPERIENCE A DISRUPTION.
• (B) ALTERNATE SOURCING — TO IDENTIFY ANOTHER SOURCE FOR A PRODUCT OR SERVICE SHOULD THE CURRENT VENDOR EXPERIENCE A DISRUPTION.
• (C) SERVICE LEVEL AGREEMENT — ESTABLISHED SERVICE LEVEL AGREEMENTS WITH THE THIRD PARTY WITH PENALTIES FOR NONPERFORMANCE.
• (D) INSOURCE (DO NOT OUTSOURCE) — TO IDENTIFY INTERNAL RESOURCES THAT CAN PROVIDE SERVICE OR PRODUCT.
TECHNICAL RECOVERY ALTERNATIVES, SUCH AS THE FOLLOWING:
• (A) COMMERCIAL VENDOR (HOT SITE)
• (B) RESOURCES ACQUIRED AT TIME OF DISRUPTION
• (C) QUICK-SHIP EQUIPMENT
• (D) DUAL DATA CENTER WITH ACTIVE/ACTIVE DATA CENTERS MUST GENERALLY BE W— THIS STRATEGY REQUIRES THAT THE ENTITY HAS ACCESS TO TWO DATA CENTER ENVIRONMENTS THAT ARE ALWAYS FULLY OPERATIONAL AND ARE EITHER OWNED BY THE ENTITY OR LEASED WHERE THEY CAN LOAD BALANCE TIME-SENSITIVE APPLICATIONS BETWEEN TWO GEOGRAPHIC LOCATIONS. THE DATA THAT SUPPORTS THE APPLICATIONS IN EACH CENTER NEEDS TO BE REPLICATED TO THE OTHER DATA CENTER TO FACILITATE RECOVERY AND TO PREVENT SIGNIFICANT DATA LOSS.
• (F) OUTSOURCING WITH A SERVICE LEVEL AGREEMENT (E.G., CLOUD COMPUTING) — AN ENTITY CAN HAVE SOME OR ALL OF ITS TECHNOLOGY ENVIRONMENT HOSTED IN THE “CLOUD.” THIS WOULD LIKELY PREVENT THE ENTITY’S OPERATIONS AND THE TECHNOLOGY ENVIRONMENT FROM BEING IMPACTED BY THE SAME DISRUPTION. THE REQUIREMENTS FOR RECOVERY OF THE TECHNOLOGY ENVIRONMENT ARE ESTABLISHED WITH THE CLOUD VENDOR.
• (G) STOCKPILED EQUIPMENT — THE ENTITY COULD STORE THE EQUIPMENT NEEDED FOR RECOVERY ON-SITE IN THEIR RECOVERY LOCATION.
• (H) MANUAL WORKAROUNDS OR ALTERNATE SYSTEMS — THE ENTITY COULD USE MANUAL WORKAROUNDS SUCH AS A MANUAL CALL LOG OR ALTERNATE SYSTEMS SUCH AS SPREADSHEETS INSTEAD OF THE GENERAL LEDGER SYSTEM UNTIL THE TECHNOLOGY ENVIRONMENT IS RECOVERED.
BACKUP STRATEGIES FOR RECORDS/RECORD MANAGEMENT, SUCH AS THE FOLLOWING:
• (1) IDENTIFICATION OF RECORDS (HARD COPY OR ELECTRONIC) VITAL TO CONTINUE THE OPERATIONS OF THE ENTITY
• (2) BACKUP OF RECORDS ON A FREQUENCY NECESSARY TO MEET PROGRAM GOALS AND OBJECTIVES
• (3) VALIDATION OF THE INTEGRITY OF RECORDS BACKUP
• (4) IMPLEMENTATION OF PROCEDURES TO: STORE, RETRIEVE, AND RECOVER RECORDS ON-SITE OR OFF-SITE
• (5) PROTECTION OF RECORDS
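As an added example (not part of NFPA 1600, ISO 22301 or this deck), the Python script below turns two of the points above into a repeatable check: item (2), backup frequency sufficient to meet the objectives, is tested as "potential data loss of the latest backup must not exceed the RPO" (6.10.1.3), and item (3), validation of backup integrity, is tested by recomputing each backup's digest against the digest recorded in its manifest. The record names, RPO values, timestamps and payloads are constructed for the example and are not taken from any real plan.

```python
"""Constructed example: check a catalogue of backup sets against per-record RPOs
and validate their integrity. All names and values below are made up."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BackupSet:
    record: str              # vital record the backup protects (constructed name)
    taken_at: datetime       # completion time of the backup, UTC
    payload: bytes           # backed-up content, kept inline so the example runs offline
    manifest_sha256: str     # digest written to the backup manifest when the backup was taken


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(record: str, taken_at: datetime, payload: bytes) -> BackupSet:
    """Take a backup: store the content together with its digest in the manifest."""
    return BackupSet(record, taken_at, payload, sha256_hex(payload))


def potential_data_loss(backup: BackupSet, now: datetime) -> timedelta:
    """If a disruption struck at `now`, everything after `taken_at` would be lost."""
    return now - backup.taken_at


def integrity_ok(backup: BackupSet) -> bool:
    """Item (3): recompute the digest and compare it with the manifest entry."""
    return hmac.compare_digest(sha256_hex(backup.payload), backup.manifest_sha256)


def assess_backups(backups: list[BackupSet], rpo_by_record: dict[str, timedelta],
                   now: datetime) -> dict[str, list[str]]:
    """Return {record: findings}; an empty list means the latest backup meets the plan."""
    latest: dict[str, BackupSet] = {}
    for b in backups:                       # keep only the most recent set per record
        if b.record not in latest or b.taken_at > latest[b.record].taken_at:
            latest[b.record] = b

    findings: dict[str, list[str]] = {}
    for record, rpo in rpo_by_record.items():   # every vital record from item (1) needs a backup
        issues: list[str] = []
        b = latest.get(record)
        if b is None:
            issues.append("no backup set exists for this vital record")
        else:
            loss = potential_data_loss(b, now)
            if loss > rpo:                  # item (2): frequency too low for the objective
                issues.append(f"RPO exceeded: potential data loss {loss} > RPO {rpo}")
            if not integrity_ok(b):         # item (3): backup would not restore cleanly
                issues.append("integrity check failed: content digest differs from manifest")
        findings[record] = issues
    return findings


# --- constructed sample data -------------------------------------------------
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
RPO_BY_RECORD = {                           # RPOs as a BIA might set them (constructed)
    "general_ledger": timedelta(hours=1),
    "customer_orders": timedelta(minutes=15),
    "contact_list": timedelta(days=1),
    "vendor_contracts": timedelta(days=7),
}
BACKUPS = [
    make_backup("general_ledger", NOW - timedelta(hours=3), b"ledger snapshot v1"),
    make_backup("general_ledger", NOW - timedelta(minutes=30), b"ledger snapshot v2"),
    make_backup("customer_orders", NOW - timedelta(minutes=45), b"orders snapshot"),
]
# A backup whose stored content no longer matches its manifest (simulated media fault).
_corrupted = make_backup("contact_list", NOW - timedelta(hours=2), b"contacts snapshot")
_corrupted.payload = b"contacts snapshot (bit flipped)"
BACKUPS.append(_corrupted)
# Note: "vendor_contracts" has an RPO but no backup set at all.

if __name__ == "__main__":
    for record, issues in assess_backups(BACKUPS, RPO_BY_RECORD, NOW).items():
        print(record, "OK" if not issues else "; ".join(issues))
```

The checker deliberately reports per vital record rather than per backup file: a plan that meets 6.10.1.3 needs the newest usable backup of each record to fall inside the RPO, and a backup that fails the digest comparison is treated as unusable even when it is recent enough.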
THANK YOU

BCP awareness ISO 22301 2019 training .pptx

  • 1.
    AWARENESS ISO 22301:2019 DANANGSURYO WARDHONO | REGISTERED TRAINER/AUDITOR 081567796679/08112999715
  • 2.
    Introduction  Name: DanangSuryo Wardhono ST MM  Occupation:  Registered Auditor trainer ISO Series PECB , Trainer/ auditor management system for certification body LRBA previously LRQA, Mutu Certification International, Afnor Indonesia, IAPMO, TUV Rheinland, pusdiklat gadjahmada, NQA ,Sucofindo,Bina Profesi Institute, mutu institute , ITS tekno sains, WQA, ISQ, etc  LA IRCA/PECB certified ISO 9K, 14K, 18K, 22K, 22301, 27K, 37k, 45K,50k (waiting result) smk3 auditor, halal, national assessor (waiting result) BRC version 8 auditor conversion etc  Telp/WA: 081567796679, 08112999715  danangsuryowardhono@gmail.com
  • 3.
  • 4.
    MATERI  SCOPE ANDTERMS OF BCMS  PURPOSE AND BENEFITS OF BCMS  BCMS FAMILY OF STANDARDS  CLAUSUL ISO 22301:2019
  • 5.
    SCOPE • THIS DOCUMENTSPECIFIES REQUIREMENTS TO PLAN, ESTABLISH, IMPLEMENT, OPERATE, MONITOR, REVIEW, MAINTAIN AND CONTINUALLY IMPROVE A MANAGEMENT SYSTEM TO PROTECT AGAINST, REDUCE THE LIKELIHOOD OF OCCURRENCE, PREPARE FOR, RESPOND TO, AND RECOVER FROM DISRUPTIONS WHEN THEY ARISE.
  • 6.
    TERMS AND DEFINITION •BUSINESS CONTINUITY, CAPABILITY OF AN ORGANIZATION (3.31) TO CONTINUE DELIVERY OF PRODUCTS AND SERVICES (3.41) WITHIN ACCEPTABLE TIME FRAMES AT PREDEFINED CAPACITY RELATING TO A DISRUPTION (3.12) • [SOURCE: ISO 22300:2018, 3.24, MODIFIED.]. • BUSINESS CONTINUITY MANAGEMENT SYSTEM, BCMS, MANAGEMENT SYSTEM (3.25) FOR BUSINESS CONTINUITY (3.3) • NOTE 1 TO ENTRY: THE MANAGEMENT SYSTEM INCLUDES ORGANIZATIONAL STRUCTURE, POLICIES, PLANNING (3.36) ACTIVITIES (3.1), RESPONSIBILITIES, PROCEDURES (3.39), PROCESSES (3.40) AND RESOURCES • [SOURCE: ISO 22300:2018, 3.26, MODIFIED]
  • 7.
    • BUSINESS CONTINUITYPLAN DOCUMENTED INFORMATION (3.13) THAT GUIDES AN ORGANIZATION (3.31) TO RESPOND TO A DISRUPTION (3.12) AND RESUME, RECOVER AND RESTORE THE DELIVERY OF PRODUCTS AND SERVICES CONSISTENT WITH ITS BUSINESS CONTINUITY OBJECTIVES • [SOURCE: ISO 22300:2018, 3.27, MODIFIED. NOTE 1 TO ENTRY DELETED.] • BUSINESS IMPACT ANALYSIS PROCESS (3.40) OF ANALYZING THE IMPACT (3.18) OF A DISRUPTION (3.12) ON THE ORGANIZATION (3.31) • NOTE 1 TO ENTRY: THE OUTCOME IS A STATEMENT AND JUSTIFICATION OF BUSINESS CONTINUITY (3.3) REQUIREMENTS (3.45). • [SOURCE: ISO 22300:2018, 3.29, MODIFIED. NOTE 1 TO ENTRY ADDED.]
  • 8.
    • INCIDENT EVENT(3.16) THAT CAN BE, OR COULD LEAD TO, A DISRUPTION (3.12), LOSS, EMERGENCY (3.15) OR CRISIS • [SOURCE: ISO 22300:2018, 3.111, MODIFIED.] • DISRUPTION INCIDENT (3.19), WHETHER ANTICIPATED OR UNANTICIPATED, THAT CAUSES AN UNPLANNED, NEGATIVE DEVIATION FROM THE EXPECTED DELIVERY OF PRODUCTS AND SERVICES (3.41) ACCORDING TO AN ORGANIZATION’S (3.31) OBJECTIVES (3.30) • [SOURCE: ISO 22300:2018, 3.70, MODIFIED.]
  • 9.
    • CRISIS MANAGEMENT •HOLISTIC MANAGEMENT (3.135) PROCESS (3.180) THAT IDENTIFIES POTENTIAL IMPACTS (3.107) THAT THREATEN AN • ORGANIZATION (3.158) AND PROVIDES A FRAMEWORK FOR BUILDING RESILIENCE (3.192), WITH THE CAPABILITY FOR • AN EFFECTIVE RESPONSE THAT SAFEGUARDS THE INTERESTS OF THE ORGANIZATION’S KEY INTERESTED PARTIES (3.124), • REPUTATION, BRAND AND VALUE-CREATING ACTIVITIES (3.1), AS WELL AS EFFECTIVELY RESTORING OPERATIONAL • CAPABILITIES • NOTE 1 TO ENTRY: CRISIS MANAGEMENT ALSO INVOLVES THE MANAGEMENT OF PREPAREDNESS (3.172), MITIGATION (3.146) RESPONSE, AND CONTINUITY (3.49) OR RECOVERY (3.187) IN THE EVENT OF AN INCIDENT (3.111), AS WELL AS MANAGEMENT OF THE OVERALL PROGRAM THROUGH TRAINING (3.265), REHEARSALS AND REVIEWS (3.197) TO ENSURE THE PREPAREDNESS, RESPONSE AND CONTINUITY PLANS STAY CURRENT AND UP-TO-DATE. (ISO 22300:2018)
  • 10.
    • RECOVERY TIMEOBJECTIVE • RTO PERIOD OF TIME FOLLOWING AN INCIDENT (3.111) WITHIN WHICH A PRODUCT OR SERVICE (3.181) OR AN ACTIVITY (3.1) • IS RESUMED, OR RESOURCES (3.193) ARE RECOVERED • NOTE 1 TO ENTRY: FOR PRODUCTS, SERVICES AND ACTIVITIES, THE RECOVERY TIME OBJECTIVE IS LESS THAN THE TIME IT WOULD TAKE FOR THE ADVERSE IMPACTS (3.107) THAT WOULD ARISE AS A RESULT OF NOT PROVIDING A PRODUCT/SERVICE OR PERFORMING AN ACTIVITY TO BECOME UNACCEPTABLE. • SOURCE ISO 22300:2018
  • 11.
    • RECOVERY POINTOBJECTIVE • RPO POINT TO WHICH INFORMATION (3.116) USED BY AN ACTIVITY (3.1) IS RESTORED TO ENABLE THE ACTIVITY TO OPERATE ON RESUMPTION • NOTE 1 TO ENTRY: CAN ALSO BE REFERRED TO AS “MAXIMUM DATA LOSS”. • SOURCE ISO 22300:2018
  • 12.
    WHAT IS ANBCMS? • BUSINESS CONTINUITY IS THE CAPABILITY OF THE ORGANIZATION TO CONTINUE DELIVERY OF PRODUCTS OR SERVICES AT ACCEPTABLE PREDEFINED LEVELS FOLLOWING A DISRUPTIVE INCIDENT. BUSINESS CONTINUITY MANAGEMENT (BCM) IS THE PROCESS OF ACHIEVING BUSINESS CONTINUITY AND IS ABOUT PREPARING AN ORGANIZATION TO DEAL WITH DISRUPTIVE INCIDENTS THAT MIGHT OTHERWISE PREVENT IT FROM ACHIEVING ITS OBJECTIVES. • PLACING BCM WITHIN THE FRAMEWORK AND DISCIPLINES OF A MANAGEMENT SYSTEM CREATES A BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) THAT ENABLES BCM TO BE CONTROLLED, EVALUATED AND CONTINUALLY IMPROVED. • ANY INCIDENT, LARGE OR SMALL, NATURAL, ACCIDENTAL OR DELIBERATE HAS THE POTENTIAL TO CAUSE MAJOR DISRUPTION TO THE ORGANIZATION’S OPERATIONS AND ITS ABILITY TO DELIVER PRODUCTS AND SERVICES. HOWEVER, IMPLEMENTING BUSINESS CONTINUITY BEFORE A DISRUPTIVE INCIDENT OCCURS, RATHER THAN WAITING FOR THIS TO HAPPEN WILL ENABLE THE ORGANIZATION TO RESUME OPERATIONS BEFORE UNACCEPTABLE LEVELS OF IMPACT ARISE.
  • 13.
    FUNDAMENTAL PRINCIPLES • A)AWARENESS OF THE NEED FOR BCMS • B) ASSIGNMENT OF RESPONSIBILITY FOR BCMS • C) INCORPORATING MANAGEMENT COMMITMENT AND THE INTERESTS OF STAKEHOLDERS • D) ENHANCING SOCIETAL VALUES • E) RISK ASSESSMENTS DETERMINING APPROPRIATE CONTROLS TO REACH ACCEPTABLE LEVELS OF RISK • F) SECURITY INCORPORATED AS AN ESSENTIAL ELEMENT OF BCMS • G) ACTIVE PREVENTION AND DETECTION OF BUSINESS CONTINUITY INCIDENTS • H) ENSURING A COMPREHENSIVE APPROACH TO BUSINESS CONTINUITY MANAGEMENT • I) CONTINUAL REASSESSMENT OF BUSINESS CONTINUITY AND MAKING OF MODIFICATIONS AS APPROPRIATE.
  • 14.
    STEPS: 1. BEING CLEARON THE ORGANIZATION’S KEY PRODUCTS AND SERVICES AND THE ACTIVITIES THAT DELIVER THEM 2. KNOWING THE PRIORITIES FOR RESUMING ACTIVITIES AND THE RESOURCES THEY REQUIRE 3. HAVING A CLEAR UNDERSTANDING OF THE THREATS TO THESE ACTIVITIES, INCLUDING THEIR DEPENDENCIES, AND KNOWING THE IMPACTS OF NOT RESUMING THEM 4. HAVING TRIED AND TRUSTED ARRANGEMENTS IN PLACE TO RESUME THESE ACTIVITIES FOLLOWING A DISRUPTIVE
  • 15.
    PURPOSE BCMS • BYFOCUSING ON THE IMPACT OF DISRUPTION RATHER THAN THE CAUSE, BUSINESS CONTINUITY IDENTIFIES THOSE ACTIVITIES ON WHICH THE ORGANIZATION DEPENDS FOR ITS SURVIVAL, AND ENABLES THE ORGANIZATION TO DETERMINE WHAT IS REQUIRED TO CONTINUE TO MEET ITS OBLIGATIONS. • THROUGH BUSINESS CONTINUITY, AN ORGANIZATION CAN RECOGNIZE WHAT NEEDS TO BE DONE TO PROTECT ITS RESOURCES (E.G. PEOPLE, PREMISES, TECHNOLOGY AND INFORMATION), SUPPLY CHAIN, INTERESTED PARTIES AND REPUTATION, BEFORE A DISRUPTIVE INCIDENT OCCURS. WITH THAT RECOGNITION, THE ORGANIZATION IS ABLE TO TAKE A REALISTIC VIEW ON THE RESPONSES THAT ARE LIKELY TO BE NEEDED AS AND WHEN A DISRUPTION OCCURS, SO THAT IT CAN BE CONFIDENT OF MANAGING THE CONSEQUENCES AND AVOID UNACCEPTABLE
  • 16.
    BENEFITS PROTECTS BUSINESS FROMA RANGE OF THREATS ENSURES BUSINESS CONTINUITY MINIMIZES FINANCIAL LOSS OPTIMIZES RETURN ON INVESTMENTS INCREASES BUSINESS OPPORTUNITIES
  • 22.
    BCMS FAMILY STANDART ISO22300, SECURITY AND RESILIENCE — VOCABULARY ISO/IEC 22301, BUSINESS CONTINUITY MANAGEMENT SYSTEMS — REQUIREMENTS ISO/IEC 22313, SOCIETAL SECURITY — BUSINESS CONTINUITY MANAGEMENT SYSTEMS — GUIDANCE
  • 23.
  • 25.
    MAIN DIFFERENCE TOOTHER ISO STANDARD ARE • 4.2.2 LEGAL AND REGULATORY REQUIREMENTS • AND CLAUSAL 8
  • 26.
    CLAUSAL 8 OPERATION •8.1 OPERATIONAL PLANNING AND CONTROL • 8.2 BUSINESS IMPACT ANALYSIS AND RISK ASSESSMENT • 8.2.1 GENERAL • 8.2.2 BUSINESS IMPACT ANALYSIS • 8.2.3 RISK ASSESSMENT • 8.3 BUSINESS CONTINUITY STRATEGIES AND SOLUTIONS.. • 8.3.1 GENERAL • 8.3.2 IDENTIFICATION AND SELECTION OF STRATEGIES AND SOLUTIONS • 8.3.3 RESOURCE REQUIREMENTS • 8.3.4 IMPLEMENTATION OF SOLUTIONS
  • 27.
    • 8.4 BUSINESSCONTINUITY PLANS AND PROCEDURES • 8.4.1 GENERAL. • 8.4.2 RESPONSE STRUCTURE • 8.4.3 WARNING AND COMMUNICATION • 8.4.4 BUSINESS CONTINUITY PLANS • 8.4.5 RECOVERY • 8.5 EXERCISE PROGRAMME
  • 28.
    8.2.2 BIA, PROCESS(3.40) OF ANALYZING THE IMPACT (3.18) OF A DISRUPTION (3.12) ON THE ORGANIZATION (3.31) • A) DEFINES IMPACT CATEGORIES AND CRITERIA RELEVANT TO THE ORGANIZATION’S CONTEXT; • B) USES THESE IMPACT CATEGORIES AND CRITERIA FOR MEASURING IMPACT; • C) IDENTIFIES ACTIVITIES THAT SUPPORT THE PROVISION OF PRODUCTS AND SERVICES; • D) ANALYSES THE IMPACTS OVER TIME RESULTING FROM DISRUPTION OF THESE ACTIVITIES; • E) IDENTIFIES THE TIME WITHIN WHICH THE IMPACTS OF NOT RESUMING ACTIVITIES WOULD BECOME UNACCEPTABLE TO THE ORGANIZATION; • NOTE THIS MAY BE REFERRED TO AS MAXIMUM TOLERABLE PERIOD OF DISRUPTION (MTPD) • F) SETS PRIORITIZED TIMEFRAMES WITHIN THE TIME IDENTIFIED IN E) ABOVE FOR RESUMING DISRUPTED ACTIVITIES AT A SPECIFIED MINIMUM ACCEPTABLE CAPACITY; • NOTE THIS MAY BE REFERRED TO AS RECOVERY TIME OBJECTIVE (RTO) • G) USES THE BUSINESS IMPACTS TO IDENTIFY PRIORITIZED ACTIVITIES; • H) DETERMINES WHICH RESOURCES ARE NEEDED TO SUPPORT PRIORITIZED ACTIVITIES; • I) DETERMINES THE DEPENDENCIES AND INTERDEPENDENCIES OF PRIORITIZED ACTIVITIES.
  • 30.
  • 31.
  • 35.
    SELF ASSESSMENT BIA •IS THERE A FORMAL RISK ASSESSMENT PROCESS FOR ANALYZING THE RISK OF DISRUPTIVE INCIDENTS? • DOES THIS RISK ASSESSMENT METHOD IDENTIFY RISK TREATMENTS APPROPRIATE TO BC OBJECTIVES? • IS THERE EVIDENCE OF PRIORITIZING RISK TREATMENTS WITH COSTS IDENTIFIED? • SOURCE BSI SELF ASSESSMENT BIA
  • 36.
    8.2.3 RISK ASSESSMENT •THE ORGANIZATION SHALL IMPLEMENT AND MAINTAIN A SYSTEMATIC RISK ASSESSMENT PROCESS. • NOTE THIS PROCESS CAN BE MADE IN ACCORDANCE WITH ISO 31000. • THE ORGANIZATION SHALL: • A) IDENTIFY RISKS OF DISRUPTION TO THE ORGANIZATION'S PRIORITIZED ACTIVITIES AND TO THEIR SUPPORTING RESOURCES; • B) SYSTEMATICALLY ANALYSE RISKS OF DISRUPTION; • C) EVALUATE RISKS OF DISRUPTION WHICH REQUIRE TREATMENT
  • 37.
  • 40.
    8.3 BUSINESS CONTINUITYSTRATEGIES AND SOLUTIONS • BUSINESS CONTINUITY • CAPABILITY OF AN ORGANIZATION (3.158) TO CONTINUE THE DELIVERY OF PRODUCTS OR SERVICES (3.181) AT ACCEPTABLE PREDEFINED LEVELS FOLLOWING A DISRUPTION (3.70) • CONTINUITY • STRATEGIC AND TACTICAL CAPABILITY, PRE-APPROVED BY MANAGEMENT (3.135), OF AN ORGANIZATION (3.158) TO PLAN FOR AND RESPOND TO CONDITIONS, SITUATIONS AND EVENTS (3.82) IN ORDER TO CONTINUE OPERATIONS AT AN ACCEPTABLE PREDEFINED LEVEL
  • 41.
    • BASED ONTHE OUTPUTS FROM THE BUSINESS IMPACT ANALYSIS AND RISK ASSESSMENT. THE ORGANIZATION SHALL IDENTIFY AND SELECT BUSINESS CONTINUITY STRATEGIES THAT CONSIDER OPTION FOR BEFORE, DURING AND AFTER DISRUPTION. • 8.3.2 IDENTIFICATION OF STRATEGIES AND SOLUTION • 8.3.3 SELECTION OF STRATEGIES AND SOLUTIONS • 8.3.3 RESOURCE REQUIREMENTS • 8.3.4 IMPLEMENTATION OF SOLUTIONS
  • 42.
    • THE ORGANIZATIONSHALL IDENTIFY AND SELECT APPROPRIATE BUSINESS CONTINUITY STRATEGIES AND SOLUTIONS TAKING INTO CONSIDERATION THEIR ASSOCIATED COSTS FOR (GOAL FOR BC STRATEGY): • A) RESPONDING TO DISRUPTIONS; • B) CONTINUING AND RECOVERING PRIORITIZED ACTIVITIES AND THEIR REQUIRED RESOURCES TO MEET THE DELIVERY OF PRODUCTS AND SERVICES AT THE AGREED CAPACITY OVER TIME. • FOR THE PRIORITIZED ACTIVITIES, THE ORGANIZATION SHALL IDENTIFY AND SELECT STRATEGIES AND SOLUTIONS CONSIDERING BUSINESS CONTINUITY OBJECTIVES AND THE AMOUNT AND TYPE OF RISK THAT THE ORGANIZATION MAY OR MAY NOT TAKE THAT: • A) REDUCE THE LIKELIHOOD OF DISRUPTION; • B) SHORTEN THE PERIOD OF DISRUPTION; • C) LIMIT THE IMPACT OF DISRUPTION ON THE ORGANIZATION'S PRODUCTS AND SERVICES
  • 46.
    SELF ASSESSMENT BCSTRATEGY • IS THE BC STRATEGY BASED ON THE OUTPUTS OF THE BIA AND RISK ASSESSMENT? • DOES THE BC STRATEGY PROTECT PRIORITIZED ACTIVITIES AND PROVIDE APPROPRIATE CONTINUITY AND RECOVERY OF THEM, THEIR DEPENDENCIES AND RESOURCES? • DOES THE BC STRATEGY PROVIDE FOR MITIGATING, RESPONDING TO AND MANAGING IMPACTS? • HAVE PRIORITIZED TIME FRAMES BEEN SET FOR THE RESUMPTION OF ALL ACTIVITIES? • HAVE THE BC CAPABILITIES OF SUPPLIERS BEEN EVALUATED?
  • 47.
    8.4 BUSINESS CONTINUITYPLANS AND PROCEDURES • THE ORGANIZATION SHALL IMPLEMENT AND MAINTAIN A STRUCTURE THAT WILL ENABLE TIMELY WARNING AND COMMUNICATION TO RELEVANT INTERESTED PARTIES. IT SHALL PROVIDES PLANS AND PROCEDURES TO MANAGE THE ORGANIZATION DURING A DISRUPTION. THE PLANS AND PROCEDURES SHALL BE USED WHEN REQUIRED TO ACTIVATE BUSINESS CONTINUITY SOLUTIONS. • THE PROCEDURES SHALL: • A) BE SPECIFIC REGARDING THE IMMEDIATE STEPS THAT ARE TO BE TAKEN DURING A DISRUPTION; • B) BE FLEXIBLE TO RESPOND TO CHANGING INTERNAL AND EXTERNAL CONDITIONS OF A DISRUPTION; • C) FOCUS ON THE IMPACT OF INCIDENTS THAT POTENTIALLY LEAD TO DISRUPTION; • D) BE EFFECTIVE IN MINIMIZING IMPACT THROUGH IMPLEMENTATION OF APPROPRIATE SOLUTIONS; • E) ASSIGN ROLES AND RESPONSIBILITIES FOR TASKS WITHIN IT.
  • 48.
    SELF ASSESSMENT BCP •HAVE BC PROCEDURES BEEN PUT IN PLACE TO MANAGE A DISRUPTIVE INCIDENT, AND HAVE CONTINUITY ACTIVITIES BASED ON RECOVERY OBJECTIVES BEEN IDENTIFIED IN THE BIA? • ARE THE BUSINESS CONTINUITY PROCEDURES DOCUMENTED? • HAVE INTERNAL AND EXTERNAL COMMUNICATION PROTOCOLS BEEN ESTABLISHED AS PART OF THESE PROCEDURES? • SOURCE BSI SELF ASSESSMENT ISO 22301
  • 49.
    8.4.2 RESPONSE STRUCTURE •THE ORGANIZATION SHALL IMPLEMENT AND MAINTAIN A STRUCTURE IDENTIFYING ONE OR MORE TEAMS RESPONSIBLE FOR RESPONDING TO DISRUPTIONS • FOR EACH TEAM THERE SHALL BE: • A) IDENTIFIED PERSONNEL AND THEIR ASSOCIATES WITH THE NECESSARY RESPONSIBILITY, AUTHORITY AND COMPETENCE TO PERFORM THEIR DESIGNATED ROLE; • B) DOCUMENTED PROCEDURES TO GUIDE THEIR ACTIONS (SEE 8.4.4) INCLUDING THOSE FOR THE ACTIVATION, OPERATION, COORDINATION AND COMMUNICATION OF THE RESPONSE.
  • 50.
    SELF ASSESSMENT INCIDENTRESPONSE STRUCTURE (IRS) • IS THERE THE MANAGEMENT STRUCTURE AND TRAINED PERSONNEL IN PLACE TO RESPOND TO A DISRUPTIVE INCIDENT? • DOES THE IRS AND ASSOCIATED PROCEDURES INCLUDE THRESHOLDS, ASSESSMENT, ACTIVATION, RESOURCE PROVISION AND COMMUNICATION? • DO THE PEOPLE IN YOUR IRS HAVE THE NECESSARY COMPETENCY TO PERFORM THEIR DUTIES, AND HAVE YOU KEPT RECORDS TO DEMONSTRATE THEIR COMPETENCE?
  • 51.
    8.4.3 WARNING ANDCOMMUNICATION • 8.4.3.1 THE ORGANIZATION SHALL DOCUMENT AND MAINTAIN PROCEDURES FOR: • A) COMMUNICATING INTERNALLY AND EXTERNALLY TO RELEVANT INTERESTED PARTIES, INCLUDING WHAT, WHEN, WITH WHOM AND HOW TO COMMUNICATE; • NOTE THE ORGANIZATION MAY DOCUMENT AND MAINTAIN PROCEDURES FOR HOW, AND UNDER WHAT CIRCUMSTANCES, THE ORGANIZATION COMMUNICATES WITH EMPLOYEES AND THEIR EMERGENCY CONTACTS. • B) RECEIVING, DOCUMENTING AND RESPONDING TO COMMUNICATIONS FROM INTERESTED PARTIES, INCLUDING ANY NATIONAL OR REGIONAL RISK ADVISORY SYSTEM OR EQUIVALENT; • C) ENSURING AVAILABILITY OF THE MEANS OF COMMUNICATION DURING A DISRUPTION; • D) FACILITATING STRUCTURED COMMUNICATION WITH EMERGENCY RESPONDERS; • E) DETAILS OF THE ORGANIZATION'S MEDIA RESPONSE FOLLOWING AN INCIDENT, INCLUDING A COMMUNICATIONS STRATEGY; • F) RECORDING DETAILS OF THE DISRUPTION, ACTIONS TAKEN AND DECISIONS MADE • THE COMMUNICATION AND WARNING PROCEDURES SHALL BE EXERCISED AS PART OF THE ORGANIZATION’S EXERCISE PROGRAMME REFERRED TO IN 8.5.
  • 52.
    SELF ASSESSMENT INCIDENT COMMUNICATIONSAND WARNINGS 1. IS THERE A PROCEDURE FOR DETECTING AND MONITORING INCIDENTS? 2. IS THERE A PROCEDURE FOR MANAGING INTERNAL COMMUNICATIONS AND EXTERNAL COMMUNICATIONS FROM INTERESTED PARTIES DURING A DISRUPTIVE INCIDENT? 3. IS THERE A PROCEDURE FOR RECEIVING AND RESPONDING TO WARNINGS FROM OUTSIDE AGENCIES AND EMERGENCY RESPONDERS? 4. IS THERE A STRUCTURE TO COMMUNICATE WITH EMERGENCY RESPONDERS AND OTHER AUTHORITIES DURING AN INCIDENT, OR FOR RESPONDING ORGANIZATIONS ARE COMMUNICATIONS INTEROPERABLE WITH OTHERS? 5. IS THERE A PROCEDURE FOR RECORDING VITAL INFORMATION ABOUT THE INCIDENT, ACTIONS TAKEN AND DECISIONS MADE? 6. IS THERE A PROCEDURE FOR ISSUING ALERTS AND WARNINGS IF APPROPRIATE? 7. ARE THE ORGANIZATION’S COMMUNICATION AND WARNING SYSTEMS REGULARLY EXERCISED, AND RECORDS KEPT OF THE RESULTS?
  • 53.
    8.4.4 BUSINESS CONTINUITYPLANS • 8.4.4.1 THE BUSINESS CONTINUITY PLANS SHALL PROVIDE GUIDANCE AND INFORMATION THAT WILL ASSIST THE TEAMS TO RESPOND TO A DISRUPTION AND ASSIST THE ORGANIZATION WITH RESPONSE AND RECOVERY. • COLLECTIVELY, THE BUSINESS CONTINUITY PLANS SHALL CONTAIN: • A) DETAILS OF THE ACTIONS THAT THE TEAMS WILL TAKE IN ORDER TO CONTINUE OR RECOVER PRIORITIZED ACTIVITIES WITHIN PREDETERMINED TIMEFRAMES AND TO MONITOR THE EFFECTS OF THE DISRUPTION AND THE ORGANIZATION’S RESPONSE TO IT; • B) REFERENCE TO THE PRE-DEFINED THRESHOLD AND PROCESS FOR ACTIVATING THE RESPONSE; • C) PROCEDURES TO ENABLE THE DELIVERY OF PRODUCTS AND SERVICES AT AGREED CAPACITY TO INTERESTED PARTIES; • D) DETAILS TO MANAGE THE IMMEDIATE CONSEQUENCES OF A DISRUPTION GIVING DUE REGARD TO: • 1) THE WELFARE OF INDIVIDUALS; • 2) PREVENTION OF FURTHER LOSS OR UNAVAILABILITY OF PRIORITIZED ACTIVITIES; • 3) PROTECTION OF THE ENVIRONMENT; • E) A PROCESS FOR STANDING DOWN ONCE THE INCIDENT IS OVER.
  • 54.
    BUSINESS CONTINUITY PLANSHALL HAS 1. PURPOSE AND SCOPE, AND OBJECTIVES; 2. ROLES, RESPONSIBILITIES OF THE TEAM THAT WILL IMPLEMENT THE PLAN; 3. ACTIONS AND RESOURCES TO IMPLEMENT THE SOLUTIONS; 4. SUPPORTING INFORMATION NEEDED TO ACTIVATE (INCLUDING ACTIVATION CRITERIA), OPERATE, COORDINATE AND COMMUNICATE THE TEAM’S ACTIONS; 5. INTERNAL AND EXTERNAL INTERDEPENDENCIES; 6. RESOURCE REQUIREMENTS; 7. REPORTING REQUIREMENTS. • EACH PLAN SHALL BE USABLE AND AVAILABLE AT THE TIME AND PLACE AT WHICH IT IS REQUIRED
  • 55.
    SELF ASSESSMENT BUSINESSCONTINUITY RESPONSE AND RECOVERY PLANS 1. ARE THERE DOCUMENTED PLANS/PROCEDURES FOR RESTORING BUSINESS OPERATIONS AFTER AN INCIDENT? 2. DO THESE PLANS REFLECT THE NEEDS OF THOSE WHO WILL USE THEM? 3. DO THE PLANS DEFINE ROLES AND RESPONSIBILITIES? 4. DO THE PLANS DEFINE A PROCESS FOR ACTIVATING THE RESPONSE? 5. DO THE PLANS CONSIDER THE MANAGEMENT OF THE IMMEDIATE CONSEQUENCES OF A DISRUPTION, IN PARTICULAR THE WELFARE OF INDIVIDUALS, OPTIONS FOR RESPONSE AND FURTHER LOSS PREVENTION? 6. DO THE PLANS DETAIL HOW TO COMMUNICATE WITH THE VARIOUS INTERESTED PARTIES DURING THE DISRUPTION? 7. DO THE PLANS CONTAIN DETAILS ON HOW PRIORITIZED ACTIVITIES WILL BE CONTINUED OR RECOVERED WITHIN PREDETERMINED TIME FRAMES? 8. IS THERE A PLANNED MEDIA RESPONSE TO AN INCIDENT? 9. DO THE PLANS INCLUDE A PROCEDURE FOR STANDING DOWN THE RESPONSE? 10. DOES EACH PLAN CONTAIN THE ESSENTIAL INFORMATION TO USE IT EFFECTIVELY?
  • 56.
    8.4.5 RECOVERY • THEORGANIZATION SHALL HAVE DOCUMENTED PROCESSES TO RESTORE AND RETURN BUSINESS ACTIVITIES FROM THE TEMPORARY MEASURES ADOPTED TO SUPPORT NORMAL BUSINESS REQUIREMENTS DURING AND AFTER A DISRUPTION.
  • 57.
    SELF ASSESSMENT EXERCISINGAND TESTING 1. HAVE BUSINESS CONTINUITY PROCEDURES BEEN TESTED TO ENSURE THEY ARE CONSISTENT WITH YOUR BC OBJECTIVES? 2. DO TOP MANAGEMENT “ACTIVELY ENGAGE” IN TESTING AND EXERCISING THE BCMS? 3. ARE THE TEST EXERCISES CLEARLY DEFINED, CONSISTENT WITH THE SCOPE OF THE BCMS AND BUSINESS CONTINUITY OBJECTIVES, AND BASED ON APPROPRIATE SCENARIOS? 4. WILL THE TEST EXERCISES THAT HAVE BEEN CONDUCTED OVER TIME VALIDATE THE WHOLE OF THE ORGANIZATION’S BUSINESS CONTINUITY ARRANGEMENTS? 5. ARE THE TEST EXERCISES DESIGNED TO MINIMIZE THE RISK OF DISRUPTION TO OPERATIONS? 6. HAVE FORMAL POST-EXERCISE REPORTS BEEN PRODUCED FOR THE CONDUCTED TESTS? 7. ARE THE OUTCOMES OF EXERCISES REVIEWED TO ENSURE THEY LEAD TO IMPROVEMENT? 8. ARE TEST EXERCISES UNDERTAKEN AT PLANNED INTERVALS, AND WHEN SIGNIFICANT CHANGES OCCUR IS THIS PROCESS DOCUMENTED WITHIN THE BCMS?
  • 58.
    8.5 EXERCISE PROGRAMME •THE ORGANIZATION SHALL IMPLEMENT AND MAINTAIN A PROGRAM OF EXERCISING AND TESTING TO VALIDATE OVER TIME THE EFFECTIVENESS OF ITS BUSINESS CONTINUITY STRATEGIES AND SOLUTIONS. • THE ORGANIZATION SHALL CONDUCT EXERCISES AND TESTS THAT: • A) ARE CONSISTENT WITH ITS BUSINESS CONTINUITY OBJECTIVES; • B) ARE BASED ON APPROPRIATE SCENARIOS THAT ARE WELL PLANNED WITH CLEARLY DEFINED AIMS AND OBJECTIVES; • C) DEVELOP TEAMWORK, COMPETENCE, CONFIDENCE AND KNOWLEDGE FOR THOSE WHO HAVE ROLES TO PERFORM IN RELATION TO DISRUPTIONS; • D) TAKEN TOGETHER OVER TIME VALIDATE THE WHOLE OF ITS BUSINESS CONTINUITY STRATEGIES; • E) PRODUCE FORMALIZED POST-EXERCISE REPORTS THAT CONTAIN OUTCOMES, RECOMMENDATIONS AND ACTIONS TO IMPLEMENT IMPROVEMENTS; • F) ARE REVIEWED WITHIN THE CONTEXT OF PROMOTING CONTINUAL IMPROVEMENT; • G) ARE PERFORMED AT PLANNED INTERVALS AND WHEN THERE ARE SIGNIFICANT CHANGES WITHIN THE ORGANIZATION OR THE CONTEXT IN WHICH IT OPERATES. • THE ORGANIZATION SHALL ACT ON THE RESULTS OF ITS EXERCISING AND TESTING TO IMPLEMENT CHANGES AND IMPROVEMENTS
  • 59.
    SHORT-TERM GOALS ANDPERFORMANCE OBJECTIVES SHOULD BE ESTABLISHED AND INCLUDE THE FOLLOWING: • (1) RECOVERY OF CRITICAL OR TIME-SENSITIVE PERSONNEL, SYSTEMS, OPERATIONS, RECORDS, AND EQUIPMENT • (2) AGREED-UPON PRIORITIES FOR RESTORATION AND MITIGATION • (3) LENGTH OF DOWNTIME ACCEPTABLE BEFORE RESTORATION TO A MINIMAL LEVEL IS REQUIRED • (4) MINIMAL ACCEPTABLE LEVEL OF RESOURCES NEEDED TO PROVIDE FOR THE RESTORATION OF FACILITIES, PROCESSES, PROGRAMS, SERVICES, AND INFRASTRUCTURE
  • 60.
  • 62.
    INTERRELATION ISO 27001 •A.17 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT • A.17.1 INFORMATION SECURITY CONTINUITY • OBJECTIVE: INFORMATION SECURITY CONTINUITY SHALL BE EMBEDDED IN THE ORGANIZATION’S BUSINESS CONTINUITY MANAGEMENT SYSTEMS. • A.17.1.1 PLANNING INFORMATION SECURITY CONTINUITY • CONTROL • THE ORGANIZATION SHALL DETERMINE ITS REQUIREMENTS FOR INFORMATION SECURITY AND THE CONTINUITY OF INFORMATION SECURITY MANAGEMENT IN ADVERSE SITUATIONS, E.G. DURING A CRISIS OR DISASTER.
  • 63.
    • A.17.1.2 • IMPLEMENTINGINFORMATION SECURITY CONTINUITY • CONTROL • THE ORGANIZATION SHALL ESTABLISH, DOCUMENT, IMPLEMENT AND MAINTAIN PROCESSES, PROCEDURES AND CONTROLS TO ENSURE THE REQUIREDLEVEL OF CONTINUITY FOR INFORMATION SECURITY DURING AN ADVERSE SITUATION. • A.17.1.3 • VERIFY, REVIEW AND EVALUATE INFORMATION SECURITY CONTINUITY • CONTROL • THE ORGANIZATION SHALL VERIFY THE ESTABLISHED AND IMPLEMENTED INFORMATION SECURITY CONTINUITY CONTROLS AT REGULAR INTERVALS IN ORDER TO ENSURE THAT THEY ARE VALID AND EFFECTIVE DURING ADVERSE • SITUATIONS.
  • 67.
    ISO 22301 MANDATORYDOCUMENTS • LIST OF LEGAL, REGULATORY AND OTHER REQUIREMENTS (CLAUSE 4.2.2) – LISTS EVERYTHING YOU NEED TO COMPLY WITH. • SCOPE OF THE BCMS AND EXPLANATION OF EXCLUSIONS (CLAUSE 4.3) – DEFINES WHERE YOUR BCMS WILL BE IMPLEMENTED. • BUSINESS CONTINUITY POLICY (CLAUSE 5.2) – DEFINES MAIN RESPONSIBILITIES, AND THE INTENT OF THE MANAGEMENT. • BUSINESS CONTINUITY OBJECTIVES (CLAUSE 6.2) – DEFINES MEASURABLE OBJECTIVES THAT ARE TO BE ACHIEVED WITH BUSINESS CONTINUITY. • COMPETENCIES OF PERSONNEL (CLAUSE 7.2) – DEFINES KNOWLEDGE AND SKILLS NEEDED. • BUSINESS CONTINUITY PLANS AND PROCEDURES (CLAUSE 8.4) – INCLUDES PLANS AND PROCEDURES FOR RESPONSE, COMMUNICATION, RECOVERY (INCLUDING DISASTER RECOVERY PLANS), RESTORE AND RETURN ACTIVITIES. • DOCUMENTED COMMUNICATION WITH INTERESTED PARTIES (CLAUSE 8.4.3.1) – THESE COULD BE EMAILS, BUT ALSO OFFICIAL COMMUNICATION FROM SOURCES SUCH AS GOVERNMENT AGENCIES AND OTHERS. • RECORDS OF IMPORTANT INFORMATION ABOUT THE DISRUPTION, ACTIONS TAKEN AND DECISIONS MADE (CLAUSE 8.4.3.1) – NORMALLY THESE RECORDS ARE DONE THROUGH MINUTES OR BY FILLING OUT CHECKLISTS OF PERFORMED ACTIVITIES.
  • 68.
    • DATA ANDRESULTS OF MONITORING AND MEASUREMENT (CLAUSE 9.1.1) – THIS IS THE EVALUATION ON WHETHER YOUR BCMS MET THE OBJECTIVES. • INTERNAL AUDIT PROGRAM (CLAUSE 9.2) • RESULTS OF INTERNAL AUDIT (CLAUSE 9.2) – NORMALLY, THIS IS THE INTERNAL AUDIT REPORT. • RESULTS OF MANAGEMENT REVIEW (CLAUSE 9.3) – USUALLY, THIS IS IN THE FORM OF MINUTES OR PERHAPS DOCUMENTED DECISIONS. • NATURE OF NONCONFORMITIES AND ACTIONS TAKEN (CLAUSE 10.1) – THIS IS A DESCRIPTION OF NONCONFORMITIES, AND THEIR CAUSE. • RESULTS OF CORRECTIVE ACTIONS (CLAUSE 10.1) – THIS IS A DESCRIPTION OF WHAT HAS BEEN DONE TO ELIMINATE THE CAUSE OF A NONCONFORMITY. • SOURCE ADVISERA HTTPS://ADVISERA.COM/27001ACADEMY/KNOWLEDGEBASE/MANDATORY-DOCUMENTS- REQUIRED-BY-ISO-22301/
  • 69.
    COMMONLY USED NON-MANDATORYBCMS DOCUMENTS AND RECORDS • PROCEDURE FOR IDENTIFICATION OF APPLICABLE LEGAL AND REGULATORY REQUIREMENTS (CLAUSE 4.2.2) • IMPLEMENTATION PLAN FOR ACHIEVING THE BUSINESS CONTINUITY OBJECTIVES (CLAUSE 6.2) • TRAINING AND AWARENESS PLAN (CLAUSES 7.2 AND 7.3) • PROCEDURE FOR CONTROL OF DOCUMENTED INFORMATION (CLAUSE 7.5) • CONTRACTS AND SERVICE LEVEL AGREEMENTS (SLAS) WITH SUPPLIERS AND OUTSOURCING PARTNERS (CLAUSE 8.1) • PROCESS FOR BUSINESS IMPACT ANALYSIS AND RISK ASSESSMENT (CLAUSE 8.2.1) • RESULTS OF BUSINESS IMPACT ANALYSIS (CLAUSE 8.2.2) • RESULTS OF RISK ASSESSMENT (CLAUSE 8.2.3)
  • 70.
    • STRATEGIES ANDSOLUTIONS FOR BUSINESS CONTINUITY (CLAUSE 8.3.3) • INCIDENT SCENARIOS (CLAUSE 8.5) • EXERCISE AND TESTING PLANS (CLAUSE 8.5) • POST-EXERCISE REPORTS (CLAUSE 8.5) • RESULTS OF POST-INCIDENT REVIEW (CLAUSE 8.6) • METHODS FOR MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION (CLAUSE 9.1.1) • PROCEDURE FOR INTERNAL AUDIT (CLAUSE 9.2) • PROCEDURE FOR CORRECTIVE ACTION (CLAUSE 10.1) • SOURCE ADVISERA HTTPS://ADVISERA.COM/27001ACADEMY/KNOWLEDGEBASE/MANDATORY-DOCUMENTS- REQUIRED-BY-ISO-22301
  • 71.
    DIFFERENCE ISO 22301:2012TO 22301:2019 • • THE 2019 EDITION IS SIGNIFICANTLY LESS DETAILED AND PRESCRIPTIVE THAN ITS PREDECESSOR. HOWEVER, IN THE PROCESS OF REMOVING THE DETAIL AND PROVIDING LESS DIRECTION, THE STANDARD PLACES GREATER EMPHASIS ON THE SKILLS AND COMPETENCE OF THOSE INDIVIDUALS WHO ARE RESPONSIBLE FOR DESIGNING AND IMPLEMENTING THE MANAGEMENT SYSTEM PROCESSES. THERE ARE NO SUBSTANTIAL CHANGES IN THE PROCESSES THAT MAKE UP A BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) AND THE SAME END RESULTS ARE REQUIRED. • • CLAUSE 6.1.2 NOW MAKES IT CLEAR THAT THE RISKS (AND OPPORTUNITIES) THAT NEED TO BE ADDRESSED RELATE TO THE EFFECTIVENESS OF THE BCMS, AS OPPOSED TO THE RISKS OF DISRUPTION, WHICH ARE ADDRESSED BY CLAUSE 8.2.3. THE SAME RELATIONSHIP IS INTENDED IN OTHER STANDARDS SUCH AS ISO 27001 AND IF YOU ARE IMPLEMENTING A BCMS, YOU WILL NEED TO WORK OUT HOW TO MEET THE REQUIREMENTS OF THIS CLAUSE. • SOURCE: HTTPS://WWW.URMCONSULTING.COM/2019/12/10/ISO-223012019-RELEASED-5-KEY- CHANGES/
  • 72.
    • • THEREQUIREMENTS FOR CONDUCTING THE PIVOTAL BUSINESS IMPACT ANALYSIS (BIA) ARE NOW CLEARER. THE RELATIONSHIP BETWEEN UNACCEPTABLE IMPACT, MAXIMUM TOLERABLE PERIOD OF DISRUPTION AND PRIORITIZED TIMEFRAMES FOR ACTIVITY RESUMPTION IS DEFINED AS WELL AS USING THE BIA TO IDENTIFY ‘PRIORITIZED ACTIVITIES’. THE 2012 EDITION REQUIRED PRIORITIZED TIMEFRAMES SIMPLY TO CONSIDER IMPACT. IT SHOULD BE NOTED THAT THERE IS NO SPECIFIC REQUIREMENT WITH THE 2019 VERSION TO DOCUMENT THE BIA PROCESS. • • A KEY ASSURANCE PROCESS, EVALUATION OF PROCEDURES, SPECIFICALLY REQUIRES THE SUITABILITY, ADEQUACY AND EFFECTIVENESS OF BIAS AND RISK ASSESSMENTS TO BE EVALUATED. THIS WAS PREVIOUSLY ONLY AN IMPLICIT REQUIREMENT IN THE NAME OF EFFECTIVENESS, BUT POINTS TO THE KEY ROLE PLAYED BY BIAS AND RISK ASSESSMENTS. • • THE CONCEPT OF MINIMUM ACTIVITY LEVELS HAS SHIFTED, FROM THE NEED TO IDENTIFY MINIMUM LEVELS OF PRODUCTS AND SERVICES AND MINIMUM ACCEPTABLE LEVELS OF ACTIVITY, THE LINKING OF WHICH IS IMPLICIT, TO THE MINIMUM ACCEPTABLE CAPACITY OF RESUMED ACTIVITIES.
  • 73.
  • 74.
    NFPA 1600 2019 •CHAPTER 5 PLANNING ................................ • 5.1 PLANNING AND DESIGN PROCESS. ......................... • 5.2 RISK ASSESSMENT. ............................................... • 5.3 BUSINESS IMPACT ANALYSIS (BIA). ...................... • 5.4 RESOURCE NEEDS ASSESSMENT. ........................... • CHAPTER 6 IMPLEMENTATION ……………………….... . • 6.1 COMMON PLAN REQUIREMENTS .. ...... ............. . • 6.2 PREVENTION. ....................................................... • 6.3 MITIGATION. ........................................................
  • 75.
    • 6.4 CRISISMANAGEMENT. .......................................... • 6.5 CRISIS COMMUNICATIONS AND PUBLIC INFORMATION. .......... • 6.6 WARNING, NOTIFICATIONS, AND COMMUNICATIONS. ........ • 6.7 OPERATIONAL PROCEDURES. .................................
  • 76.
    PREVENTION STRATEGY INCLUDETHE FOLLOWING: • (1) ONGOING HAZARD IDENTIFICATION • (2) THREAT ASSESSMENT • (3) RISK ASSESSMENT • (4) ANALYSIS OF IMPACTS • (5) OPERATIONAL EXPERIENCE, INCLUDING INCIDENT ANALYSIS • (6) INFORMATION COLLECTION AND ANALYSIS • (7) INTELLIGENCE AND INFORMATION SHARING • (8) REGULATORY REQUIREMENTS
  • 77.
MITIGATION STRATEGIES CAN INCLUDE THE FOLLOWING:
• (1) USE OF APPLICABLE BUILDING CONSTRUCTION STANDARDS
• (2) HAZARD AVOIDANCE THROUGH APPROPRIATE LAND USE PRACTICES
• (3) RELOCATION, RETROFITTING, OR REMOVAL OF STRUCTURES AT RISK
• (4) REMOVAL OR ELIMINATION OF THE HAZARD
• (5) REDUCTION OR LIMITATION OF THE AMOUNT OR SIZE OF THE HAZARD
• (6) SEGREGATION OF THE HAZARD FROM THAT WHICH IS TO BE PROTECTED
• (9) PROVISION OF PROTECTIVE SYSTEMS OR EQUIPMENT FOR BOTH CYBER RISKS AND PHYSICAL RISKS
• (10) ESTABLISHMENT OF HAZARD WARNING AND COMMUNICATION PROCEDURES
• (11) REDUNDANCY OR DIVERSITY OF ESSENTIAL PERSONNEL, CRITICAL SYSTEMS, EQUIPMENT, INFORMATION, OPERATIONS, OR MATERIALS
• (12) ACCEPTANCE/RETENTION/TRANSFER OF RISK (INSURANCE PROGRAMS)
• (13) PROTECTION OF COMPETITIVE/PROPRIETARY INFORMATION
6.9 EMERGENCY OPERATIONS/RESPONSE PLAN.
• 6.9.1* EMERGENCY OPERATIONS/RESPONSE PLANS SHALL DEFINE RESPONSIBILITIES FOR CARRYING OUT SPECIFIC ACTIONS IN AN EMERGENCY.
• 6.9.2* THE PLAN SHALL IDENTIFY ACTIONS TO BE TAKEN TO PROTECT PEOPLE, INCLUDING PEOPLE WITH DISABILITIES AND OTHER ACCESS AND FUNCTIONAL NEEDS, INFORMATION, PROPERTY, OPERATIONS, THE ENVIRONMENT, AND THE ENTITY.
• 6.9.3* THE PLAN SHALL IDENTIFY ACTIONS FOR INCIDENT STABILIZATION.
• Δ 6.9.4* THE PLAN SHALL INCLUDE THE FOLLOWING:
• (1) PROTECTIVE ACTIONS FOR LIFE SAFETY IN ACCORDANCE WITH 6.9.2
• (2) WARNING, NOTIFICATIONS, AND COMMUNICATION IN ACCORDANCE WITH SECTION 6.6
• (3) CRISIS COMMUNICATION AND PUBLIC INFORMATION IN ACCORDANCE WITH SECTION 6.5
• (4) RESOURCE MANAGEMENT IN ACCORDANCE WITH 6.8.7
• (5) DONATION MANAGEMENT IN ACCORDANCE WITH 6.8.9
NFPA 1600 2019: CONTINUITY PLANS SHALL IDENTIFY AND DOCUMENT THE FOLLOWING:
• (1) STAKEHOLDERS THAT NEED TO BE NOTIFIED
• (2) PROCESSES THAT MUST BE MAINTAINED
• (3) ROLES AND RESPONSIBILITIES OF THE INDIVIDUALS IMPLEMENTING THE CONTINUITY STRATEGIES
• (4) PROCEDURES FOR ACTIVATING THE PLAN, INCLUDING AUTHORITY FOR PLAN ACTIVATION
• (5) CRITICAL AND TIME-SENSITIVE TECHNOLOGY, APPLICATION SYSTEMS, AND INFORMATION
• (6) SECURITY OF INFORMATION
• (7) ALTERNATIVE WORK SITES
• (8) WORKAROUND PROCEDURES
• (9) VITAL RECORDS
• (10) CONTACT LISTS
• (11) REQUIRED PERSONNEL
• (12) VENDORS AND CONTRACTORS SUPPORTING CONTINUITY
• (13) RESOURCES FOR CONTINUED OPERATIONS
• (14) MUTUAL AID OR PARTNERSHIP AGREEMENTS
• (15) ACTIVITIES TO RETURN CRITICAL AND TIME-SENSITIVE PROCESSES TO THE ORIGINAL STATE
• 6.10.1.3 CONTINUITY PLANS SHALL BE DESIGNED TO MEET THE RTO AND RPO.
• 6.10.1.4 CONTINUITY PLANS SHALL ADDRESS SUPPLY CHAIN DISRUPTION.
STRATEGIES FOR DISRUPTION OR LOSS OF AN OPERATIONAL SITE, SUCH AS THE FOLLOWING:
• (A) TRANSFER OF WORKLOAD AND STAFF TO A SURVIVING SITE.
• (B) ALTERNATE SITE CONTRACTED THROUGH A COMMERCIAL RECOVERY VENDOR.
• (C) RECIPROCAL AGREEMENT OR MUTUAL AID AGREEMENT WITH A SIMILAR ENTITY.
• (D) DEDICATED ALTERNATE SITE BUILT BY THE ENTITY TO SUPPORT RECOVERY.
• (E) MOBILE FACILITY — GENERALLY, A TRAILER OR MOBILE HOME THAT HAS BEEN EQUIPPED TO SUPPORT OPERATIONAL RECOVERY. THESE CAN BE OWNED OR CONTRACTED FOR THROUGH A VENDOR.
• (F) REMOTE ACCESS/WORK FROM HOME.
• (G) RESOURCES ACQUIRED AT THE TIME OF DISRUPTION — THIS WOULD BE USED FOR LESS TIME-SENSITIVE OPERATIONS.
• (H) CUSTOMER SERVICE OR PRODUCT PRIORITY — FOCUSES OPERATIONAL CAPACITY ON SPECIFIC HIGH-VALUE CUSTOMERS OR HIGH-PROFIT PRODUCTS OR SERVICES.
• (I) FINISHED GOODS BUYBACK.
• (J) UTILIZED TO RECOVER ALREADY DELIVERED INVENTORY FROM OTHER CUSTOMERS TO MEET THE DEMANDS OF CUSTOMERS WHO UTILIZE “JUST IN TIME.”
• (K) RELOCATION OF STAFF TO A SURVIVING SITE THAT HAS ADDITIONAL CAPACITY.
• (L) STOCKPILE CRITICAL EQUIPMENT AND INVENTORY TO BE AVAILABLE AT THE TIME OF DISASTER.
THIRD-PARTY (I.E., VENDOR PROVIDED/EXTENDED ENTERPRISE) RECOVERY STRATEGY OPTIONS, SUCH AS THE FOLLOWING:
• (A) MULTIPLE SOURCING — THE ENTITY BUYS THE SAME OR SIMILAR PRODUCT OR SERVICE FROM MULTIPLE VENDORS TO PREVENT SUPPLY CHAIN DISRUPTION SHOULD ONE OF THEM EXPERIENCE A DISRUPTION.
• (B) ALTERNATE SOURCING — TO IDENTIFY ANOTHER SOURCE FOR A PRODUCT OR SERVICE SHOULD THE CURRENT VENDOR EXPERIENCE A DISRUPTION.
• (C) SERVICE LEVEL AGREEMENT — ESTABLISHED SERVICE LEVEL AGREEMENTS WITH THE THIRD PARTY, WITH PENALTIES FOR NONPERFORMANCE.
• (D) INSOURCE (DO NOT OUTSOURCE) — TO IDENTIFY INTERNAL RESOURCES THAT CAN PROVIDE THE SERVICE OR PRODUCT.
TECHNICAL RECOVERY ALTERNATIVES, SUCH AS THE FOLLOWING:
• (A) COMMERCIAL VENDOR (HOT SITE)
• (B) RESOURCES ACQUIRED AT TIME OF DISRUPTION
• (C) QUICK-SHIP EQUIPMENT
• (D) DUAL DATA CENTER WITH ACTIVE/ACTIVE DATA CENTERS — THIS STRATEGY REQUIRES THAT THE ENTITY HAS ACCESS TO TWO DATA CENTER ENVIRONMENTS THAT ARE ALWAYS FULLY OPERATIONAL AND ARE EITHER OWNED BY THE ENTITY OR LEASED, SO THAT IT CAN LOAD BALANCE TIME-SENSITIVE APPLICATIONS BETWEEN TWO GEOGRAPHIC LOCATIONS. THE DATA THAT SUPPORTS THE APPLICATIONS IN EACH CENTER NEEDS TO BE REPLICATED TO THE OTHER DATA CENTER TO FACILITATE RECOVERY AND TO PREVENT SIGNIFICANT DATA LOSS.
• (F) OUTSOURCING WITH A SERVICE LEVEL AGREEMENT (E.G., CLOUD COMPUTING) — AN ENTITY CAN HAVE SOME OR ALL OF ITS TECHNOLOGY ENVIRONMENT HOSTED IN THE “CLOUD.” THIS WOULD LIKELY PREVENT THE ENTITY’S OPERATIONS AND THE TECHNOLOGY ENVIRONMENT FROM BEING IMPACTED BY THE SAME DISRUPTION. THE REQUIREMENTS FOR RECOVERY OF THE TECHNOLOGY ENVIRONMENT ARE ESTABLISHED WITH THE CLOUD VENDOR.
• (G) STOCKPILED EQUIPMENT — THE ENTITY COULD STORE THE EQUIPMENT NEEDED FOR RECOVERY ON-SITE IN ITS RECOVERY LOCATION.
• (H) MANUAL WORKAROUNDS OR ALTERNATE SYSTEMS — THE ENTITY COULD USE MANUAL WORKAROUNDS SUCH AS A MANUAL CALL LOG, OR ALTERNATE SYSTEMS SUCH AS SPREADSHEETS INSTEAD OF THE GENERAL LEDGER SYSTEM, UNTIL THE TECHNOLOGY ENVIRONMENT IS RECOVERED.
BACKUP STRATEGIES FOR RECORDS/RECORD MANAGEMENT, SUCH AS THE FOLLOWING:
• (1) IDENTIFICATION OF RECORDS (HARD COPY OR ELECTRONIC) VITAL TO CONTINUING THE OPERATIONS OF THE ENTITY
• (2) BACKUP OF RECORDS AT A FREQUENCY NECESSARY TO MEET PROGRAM GOALS AND OBJECTIVES
• (3) VALIDATION OF THE INTEGRITY OF RECORDS BACKUPS
• (4) IMPLEMENTATION OF PROCEDURES TO STORE, RETRIEVE, AND RECOVER RECORDS ON-SITE OR OFF-SITE
• (5) PROTECTION OF RECORDS
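The two checks an auditor keeps coming back to in the slides above are whether the continuity plan targets are consistent with the BIA (the RTO must not exceed the MTPD, and the backup frequency must be tight enough to meet the RPO, per 6.10.1.3) and whether the backup of vital records is actually validated for integrity (item (3) in the backup strategies). The following Python script is an added example, not material from the slides, ISO 22301 or NFPA 1600; the activity names, hour values and record contents are constructed sample data, and the function names are the author's own. It orders activities by MTPD to produce the prioritized activity list, reports any RTO/RPO inconsistency, and verifies restored records against a SHA-256 manifest written at backup time.

```python
"""Constructed example: BIA/continuity-plan consistency checks and backup integrity validation."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass
class Activity:
    name: str
    mtpd_hours: float             # maximum tolerable period of disruption, from the BIA
    rto_hours: float              # recovery time objective set in the continuity plan
    rpo_hours: float              # recovery point objective (tolerable data loss)
    backup_interval_hours: float  # how often the activity's vital records are backed up


def check_activity(a: Activity) -> list[str]:
    """Return findings for one activity; an empty list means its targets are consistent."""
    findings = []
    # Resuming after the MTPD means the impact has already become unacceptable.
    if a.rto_hours > a.mtpd_hours:
        findings.append(f"{a.name}: RTO {a.rto_hours}h exceeds MTPD {a.mtpd_hours}h")
    # A backup taken less often than the RPO cannot bound data loss to the RPO.
    if a.backup_interval_hours > a.rpo_hours:
        findings.append(f"{a.name}: backup every {a.backup_interval_hours}h "
                        f"cannot meet RPO {a.rpo_hours}h")
    return findings


def check_plan(activities: list[Activity]) -> list[str]:
    """Run check_activity over the whole plan and collect all findings."""
    findings: list[str] = []
    for a in activities:
        findings.extend(check_activity(a))
    return findings


def prioritize(activities: list[Activity]) -> list[str]:
    """Prioritized activities: those with the shortest MTPD are resumed first."""
    return [a.name for a in sorted(activities, key=lambda a: a.mtpd_hours)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(records: dict[str, bytes]) -> dict[str, str]:
    """Manifest written at backup time: record name -> SHA-256 of its content."""
    return {name: sha256_hex(content) for name, content in records.items()}


def verify_backup(manifest: dict[str, str], restored: dict[str, bytes]) -> list[str]:
    """Compare restored records against the manifest; return the names that fail validation."""
    failed = []
    for name, expected in manifest.items():
        content = restored.get(name)
        if content is None or sha256_hex(content) != expected:
            failed.append(name)
    return failed


# Constructed sample plan (hypothetical activities and hour values).
SAMPLE_ACTIVITIES = [
    Activity("order processing", mtpd_hours=8, rto_hours=4, rpo_hours=1, backup_interval_hours=1),
    Activity("payroll", mtpd_hours=72, rto_hours=96, rpo_hours=24, backup_interval_hours=24),
    Activity("customer support", mtpd_hours=24, rto_hours=12, rpo_hours=4, backup_interval_hours=12),
]

# Constructed sample vital records and a restore in which one record was altered.
SAMPLE_RECORDS = {
    "ledger.csv": b"account,balance\n1001,250.00\n1002,80.50\n",
    "contacts.txt": b"duty manager: +00 000 0000 (placeholder)\n",
}
SAMPLE_MANIFEST = make_manifest(SAMPLE_RECORDS)
SAMPLE_RESTORED = dict(SAMPLE_RECORDS)
SAMPLE_RESTORED["contacts.txt"] = b"duty manager: (entry lost)\n"

if __name__ == "__main__":
    print("prioritized activities:", prioritize(SAMPLE_ACTIVITIES))
    for line in check_plan(SAMPLE_ACTIVITIES):
        print("finding:", line)
    print("records failing validation:", verify_backup(SAMPLE_MANIFEST, SAMPLE_RESTORED))
```

The manifest is the piece to keep separate from the backup media: if it is stored alongside the records and both are lost or altered together, validation proves nothing, so the hashes belong with the off-site copy or in a separate protected store.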