Understanding IT Business Continuity Plan

A business continuity plan in information technology is a documented plan describing how a business will continue to operate if IT operations are affected by adverse conditions, such as a storm, fire, interruptions or malicious damage. Such a plan typically explains how the business would operate during a disaster and how it would recover afterwards.

In December 2006, the British Standards Institution (BSI) released an independent standard for BCP — BS 25999-1. Prior to the introduction of BS 25999, BCP professionals relied on information security standard BS 7799, which only peripherally addressed BCP to improve an organization’s information security procedures. BS 25999’s applicability extends to all organizations. In 2007, the BSI published BS 25999-2 “Specification for Business Continuity Management”, which specifies requirements for implementing, operating and improving a documented business continuity management system (BCMS).

Which one do you need? Business Continuity or Disaster Recovery?

If you ask me, I would prefer to have a Business Continuity Plan that includes disaster recovery with a smooth fail-over and fail-back option and service continuity procedures, as if the disaster never happened.

Most organizations will presume that because they have Symantec/CommVault/Veeam Backup protecting them from disaster, they have a disaster recovery plan. This is not the case: a “Disaster Recovery Plan” or “Business Continuity Plan” does not mean having only a backup product and presuming you have it all.

Note! Disaster Recovery is just part of Business Continuity. My previous post on disaster recovery plans differentiates between disaster recovery and business continuity.


  • To ensure maximum possible service levels are maintained
  • To ensure a smooth recovery from interruptions as quickly as possible
  • To minimize the likelihood and impact (risk) of interruptions
  • To minimize IT/IS service desk intervention with end users in the event of a disaster

Identifying Risk (Example):

Create a spreadsheet and a database of the business applications, systems, network and other assets that are likely to be impacted by an event. Here is a sample spreadsheet.

| List of Assets | Disaster/Event Priority | Action ID | Responsibility | Procedure Document ID | Mitigation Procedure Document ID |
|---|---|---|---|---|---|
| Microsoft Exchange Server | Medium | EXCH0001 | Exchange Admin | IT-EXCH-DR-001 | IT-EXCH-BC-001 |

Technology Acquisition as BC Plan (Example):

| Technology | Provider | Purpose | Contract Reference | Warranty & Support |
|---|---|---|---|---|
| Smart Host | Symantec | Backup MX and email archive up to 30 days | XX-SS-XX | 3 Years |
| Site Recovery Manager | VMware | Infrastructure Fail-over & Fail-back | XX-SS-XX | 3 Years |
| Storage Replication | EMC | Infrastructure Fail-over & Fail-back | XX-SS-XX | 3 Years |
| Data Backup | EMC | Bare Metal Instant Recovery | XX-SS-XX | 3 Years |
| SQL Cluster | Microsoft | Active-Active cluster | Enterprise Agreement | 3 Years |
| SharePoint Cluster | Microsoft | Active-Active cluster | Enterprise Agreement | 3 Years |

Risk Work Sheet (Example):

Risk: Loss of Building
Probability: Low
Impact: High
Likely Scenario: Fire

  • Auto-activate infrastructure failover to DR site
  • Auto-activate cloud-based smart host for Microsoft messaging
  • Automatically fail over clustered telephony to DR site
  • Auto-answering machine and voice mail continue to operate via smart host and Lync services
  • Clustered core switch continues to operate in DR site
  • End users continue to operate seamlessly

Responsibility:
  • List of onsite engineers
  • List of on-call engineers
  • Service Delivery Manager
  • Operation Manager

Mitigation:
  • Test controlled fail-over
  • Test clustered systems and network
  • Monitor health of the systems and network

Resources: List of documents and the locations where they are stored

Third Party Contact (Example):

| Technology | Vendor | Technical Support |
|---|---|---|
| Microsoft Exchange | Microsoft | 132058 |
| IPVPN Provider | Company X | Xxxxxx |
| Smart Host | Symantec | Xxxxxx |

IT Contact List (Example):

| Name | Designation | Contact Number | Email Address |
|---|---|---|---|
| Mr. X | XX | 12345678 | |

Business Continuity Document: A Business Continuity Plan contains the following information. An example is shown below.

  1. Title
  2. Sub-Title
  3. Corporate Logo
  4. Document History
  5. Corporate Copyright Info
  6. Table of Contents
  7. Executive Summary
  8. Introduction
  9. Terminology
  10. Roles and Responsibilities
  11. Risk Management Plan
  12. Business Impact Analysis
  13. Incident Response Plan
  14. Plan Activation
  15. Communication Procedures
  16. Logic Diagram
  17. Recovery Plan
  18. Test & Evaluate
  19. Appendixes
