The core documents of the ISO22301 standard for a Business Continuity Management System (BCMS) are the Business Continuity Plan, the Disruption Plan and the Disaster Recovery Plan. Other standards, such as ISO14001 for Environmental Management and ISO27001 for Information Security, have elements of business continuity that require these documents too.
Many organisations find it difficult to differentiate between the plans. While they have similar goals (to maintain operations and ensure the organisation’s long-term success), there are distinct differences between them, which we outline below.
A Business Continuity Plan
A Business Continuity Plan (BCP) is a document that describes your organisation’s strategies, processes, and procedures to ensure that essential business functions can continue during and after a disruption or crisis. A BCP provides an overall framework for managing and responding to disruptions and includes policies, procedures, and strategies for different stages of a disruption or crisis and how your organisation will return to normal operations.
A Disruption Plan
Disruption plans, on the other hand, are focused on mitigating the impact of a specific disruption on your organisation. These plans typically include the actions that your organisation can take to minimise the effects of the disruption and ensure your organisation is able to continue to operate as close to normal as possible in the face of the disruption. Disruption plans may involve contingency plans, such as moving to an emergency site, alternate sources of supply, and other strategies designed to minimise the impact of a disruption on your organisation. They also document the steps that need to be taken to recover from the disruption along with the time constraints determined by the organisation for the return to ‘business as normal’.
A Disaster Recovery Plan
Disaster recovery plans (DRPs) are a reactive approach specifically geared towards recovering your organisation’s critical IT infrastructure and systems after a disaster or disruptive event. The DRP aims to minimise downtime and loss of data by providing a plan for restoring IT systems and infrastructure to their pre-disaster state. It typically includes backup and recovery procedures, offsite data storage, disaster recovery site location, and testing procedures.
Key documents for ISO22301 and ISO27001
ISO22301 places importance on operating and maintaining your processes, capabilities and response actions and plans to ensure your organisation will survive disruptive events. It goes on to define the Business Continuity Plan as: ‘a document that guides an organisation to respond to a disruption and resume, recover and restore the delivery of your products and services in line with your business continuity objectives’.
What ISO22301 does not define are Disruption or Disaster Recovery plans. ISO22301 and other standards, such as ISO27001, refer to business continuity procedures. These procedures are your specific actions to be taken in the event of a particular type of disruption. So effectively they are your Disruption and Disaster Recovery plans, the difference being that Disaster Recovery Plans are focused on your IT assets and resources.
Summary
In summary, while a Business Continuity Plan is a comprehensive plan that outlines your organisation’s strategies for managing and responding to disruptions, the Disruption Plan and Disaster Recovery Plan are narrower plans that focus on managing a specific disruption or event. All of these plans are important components of your organisation’s overall resilience and ability to recover from disruptions.
These plans, when in place, need to be updated and reviewed as new risks or potential disruptions emerge, and as your organisation’s needs change. This is a requirement of the ISO22301 Business Continuity Management System, should you decide to go for certification, and is also a key component of the ISO27001 and ISO14001 standards.