
CISSP Study Guide: Business Continuity Planning - Documentation

By: Cybrary

December 15, 2022

Documentation is a crucial step in the BCP process and carries three important benefits:

  1. Documentation provides a written continuity document that BCP team members can reference during an emergency, even when senior BCP team members are not available to oversee the process.
  2. Documentation serves as an informational archive of the BCP process, guiding future personnel who need to understand the purpose of the various procedures and to implement necessary changes to the plan.
  3. Documentation helps catch flaws in the plan. It also allows draft versions of the plan to be given to people outside the BCP team for a “sanity check.”

Continuity Planning Goals

Statement of Importance: The BCP document should outline the objectives of continuity planning as proposed by the BCP team and senior management. The central goal of BCP is to protect and sustain the continuous operation of the organization in emergency situations. Additional goals can be added in this section specific to the organization’s needs.

Statement of Priorities: The statement of priorities is a result of those priorities officially outlined in the BIA. This includes outlining the functions considered integral to the continued operation of the organization in order of importance. These priorities should also include those functions required for sustained business operations in emergency situations.

Statement of Organizational Responsibility: The statement of organizational responsibility is established by senior management and can be integrated into the statement of importance. Organizational responsibility reiterates the organization’s commitment to Business Continuity Planning and informs employees, vendors, and affiliates of their responsibility to have an active role in assisting with the BCP process.

Statement of Urgency and Timing: The statement of urgency and timing conveys the importance of implementing the BCP and presents the timetable determined by the BCP team and agreed to by senior management. This statement is shaped by the emergencies that the organization’s senior management has assigned to the BCP process. If urgency and timing are already covered in the statement of priorities and the statement of organizational responsibility, the timetable should be added as a separate document. Otherwise, the timetable and this statement can be placed in the same document.

Risk Assessment and Acceptance/Mitigation

The risk assessment of the BCP documentation reviews the decision-making process performed during the Business Impact Assessment (BIA). It should include a review of all of the risks identified during the BIA as well as the quantitative and qualitative analyses that were done to evaluate these risks. For the quantitative analysis, the actual AV, EF, ARO, SLE, and ALE figures should be included. For the qualitative analysis, the rationale behind the risk analysis should be provided to the reader.
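The quantitative figures named above follow a fixed relationship: Single Loss Expectancy (SLE) is Asset Value (AV) multiplied by Exposure Factor (EF), and Annualized Loss Expectancy (ALE) is SLE multiplied by the Annualized Rate of Occurrence (ARO). The following Python example, added here and not part of the original guide, computes all five figures for a small risk register and ranks the entries by ALE, which is the ordering a statement of priorities would typically draw on. The asset names, values and rates are constructed sample data, not figures from any real assessment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    """One row of the quantitative risk analysis recorded in the BCP document."""
    asset: str
    threat: str
    av: float   # Asset Value, in currency units
    ef: float   # Exposure Factor: fraction of AV lost in one occurrence (0.0 to 1.0)
    aro: float  # Annualized Rate of Occurrence: expected occurrences per year

    def validate(self) -> None:
        # Guard the inputs that most often get entered wrongly (EF as a percent
        # rather than a fraction, negative values) before they distort ALE.
        if self.av < 0:
            raise ValueError(f"{self.asset}: AV must be non-negative")
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError(f"{self.asset}: EF must be a fraction between 0 and 1")
        if self.aro < 0:
            raise ValueError(f"{self.asset}: ARO must be non-negative")

    def sle(self) -> float:
        # Single Loss Expectancy = AV x EF
        return round(self.av * self.ef, 2)

    def ale(self) -> float:
        # Annualized Loss Expectancy = SLE x ARO
        return round(self.sle() * self.aro, 2)


def quantitative_register(entries: list[RiskEntry]) -> list[dict]:
    """Return every entry's AV, EF, ARO, SLE and ALE, ranked by ALE (highest first)."""
    rows = []
    for entry in entries:
        entry.validate()
        rows.append({
            "asset": entry.asset,
            "threat": entry.threat,
            "AV": entry.av,
            "EF": entry.ef,
            "ARO": entry.aro,
            "SLE": entry.sle(),
            "ALE": entry.ale(),
        })
    return sorted(rows, key=lambda r: r["ALE"], reverse=True)


def format_register(rows: list[dict]) -> str:
    """Render the ranked register as the text table that goes into the BCP document."""
    header = f"{'Asset':28} {'Threat':24} {'AV':>12} {'EF':>5} {'ARO':>6} {'SLE':>12} {'ALE':>12}"
    lines = [header, "-" * len(header)]
    for r in rows:
        lines.append(
            f"{r['asset']:28} {r['threat']:24} {r['AV']:>12,.0f} {r['EF']:>5.2f} "
            f"{r['ARO']:>6.2f} {r['SLE']:>12,.0f} {r['ALE']:>12,.0f}"
        )
    return "\n".join(lines)


# Constructed sample register (hypothetical assets and figures).
CONSTRUCTED_REGISTER = [
    RiskEntry("Customer database server", "Ransomware", 500_000, 0.60, 0.25),
    RiskEntry("Warehouse", "Flood", 2_000_000, 0.10, 0.05),
    RiskEntry("Payroll system", "Extended power outage", 150_000, 0.20, 2.0),
]

if __name__ == "__main__":
    print(format_register(quantitative_register(CONSTRUCTED_REGISTER)))
```

Ranking by ALE rather than by SLE is the point worth noticing: the flood has the largest single-event loss, but the frequent power outage costs more per year, so it sits higher in the list. Both orderings belong in the document, since the qualitative rationale the guide asks for often has to explain why a high-SLE, low-ARO risk was still treated as unacceptable.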

The risk acceptance/mitigation contains the end-result of the strategy development stage of the BCP process. It reviews each risk identified in the risk analysis portion of the document and describes one of two thought processes:

  1. For risks that were deemed acceptable, it should detail why the risk was considered acceptable as well as potential future incidents that might call for reconsideration of this determination.
  2. For risks that were deemed unacceptable, it should detail the provisions and processes put into place to alleviate the risk to the organization’s continued viability.

The Vital Records Program

The BCP documentation should detail a vital records program for the organization. This document specifies the storage of important business records and the methods for producing and storing backup copies of those records.

Emergency Response Guidelines

The emergency response guidelines detail the organizational and individual responsibilities for a prompt response to an emergency situation. ERGs should give the first employees who encounter an emergency the protocol to follow in order to activate those provisions of the BCP that do not activate automatically. ERGs should cover:

  • Prompt response procedures
  • Who is notified
  • Secondary response procedures to activate until the entire BCP team is assembled