DOCU-01

Do you have a well-documented business continuity plan (BCP), with a clear owner, that is tested annually?

Explanation

This question is asking whether your organization has a formal Business Continuity Plan (BCP) that is properly documented, has clear ownership, and is tested at least once a year. A Business Continuity Plan is a documented strategy that outlines how an organization will continue to function during and after an emergency, disaster, or significant business disruption. It includes procedures for maintaining essential business functions, recovering critical systems, and returning to normal operations.

This question is being asked in a security assessment because:

1. Business continuity is a critical component of an organization's overall security and risk management strategy.
2. Assessors want to ensure that you have formally planned how to maintain operations during disruptions (whether they're caused by natural disasters, cyberattacks, infrastructure failures, or other incidents).
3. Having a documented plan with clear ownership ensures accountability and prevents confusion during crisis situations.
4. Regular testing validates that the plan actually works and identifies gaps before a real emergency occurs.

To best answer this question:

- Be specific about your BCP documentation (where it exists, how comprehensive it is)
- Identify who owns the BCP (typically a specific role or department)
- Describe your testing procedures and frequency (including when the last test occurred)
- If possible, mention any standards or frameworks your BCP aligns with (such as ISO 22301)
- If your BCP has been validated through actual incidents, briefly mention this as evidence of effectiveness

Example Responses

Example Response 1

Yes, our organization maintains a comprehensive Business Continuity Plan that is formally documented in our internal knowledge base and as a controlled document in our document management system. The BCP is owned by our Director of Operations with support from our Business Continuity Committee, which includes representatives from IT, Security, Facilities, and key business units. The plan covers scenarios including natural disasters, cyber incidents, infrastructure failures, and pandemic response. We conduct a full tabletop exercise annually (most recently completed in March 2023) and perform targeted component testing quarterly. After each test, we document lessons learned and update the BCP accordingly. The plan was last fully revised in April 2023 following our annual test. Our BCP framework aligns with ISO 22301 principles and has been successfully activated twice in the past three years during regional power outages.

Example Response 2

Yes, we have a well-documented Business Continuity Plan that is maintained in our GRC (Governance, Risk, and Compliance) platform. Our Chief Information Security Officer is the designated owner of the BCP, with delegated responsibility to our Business Resilience Manager for day-to-day maintenance and testing coordination. Our BCP includes detailed recovery procedures for all critical business functions and systems, communication protocols, and role-specific responsibilities. We test our BCP annually through a combination of simulation exercises and technical recovery testing. Our most recent full-scale test was conducted in November 2022 with participation from executive leadership and all department heads. The test identified three minor gaps in our recovery procedures, which were addressed and documented in our continuous improvement register. Our next scheduled test is planned for Q4 2023.

Example Response 3

No, we currently do not have a fully documented Business Continuity Plan that meets all the requirements in the question. While we do have some documented recovery procedures for our core systems and informal contingency plans, these are fragmented across different teams rather than consolidated into a comprehensive BCP. Ownership of business continuity activities is currently shared between IT and Operations without a single clear owner. We have conducted limited testing of specific recovery procedures, but not a full BCP test within the last year. We recognize this as a gap in our security program and have initiated a project to develop a formal BCP with clear ownership and testing protocols. We expect to have a documented BCP in place within the next 3 months and will conduct our first formal test within 6 months.

Context

Tab: Organization
Category: Documentation

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub