BCM-001 Business Continuity Plan
Description
A documented Business Continuity Plan (BCP) identifies the organisation's critical services, recovery priorities, and the procedures required to maintain or restore operations during a disruption. The BCP includes recovery roles, communication protocols, and escalation paths. It is reviewed and updated at least annually.
Rationale
Without a tested plan, disruption response is improvised and slow. A maintained BCP is the foundational document that all continuity activities reference.
Framework Mappings (5)
| Control | Title | Mapping |
| --- | --- | --- |
| BCR-01 | Business Continuity Management Policy and Procedures | full |
| BCR-03 | Business Continuity Strategy | full |
| BCR-04 | Business Continuity Planning | full |
| BCR-05 | Documentation | full |
| CP-2 | Contingency Plan | full |
Evidence (2)
Documented Business Continuity Plan identifying critical services, recovery priorities, roles, communication protocols, and escalation paths.
Example: Business Continuity Plan document (version-controlled, formally approved by senior management or board, dated within the last 12 months) with named roles, escalation contact list, and critical service register.
Test: Request the current BCP document. Verify: (1) critical services are identified and prioritised; (2) recovery roles and responsibilities are named with current contact information; (3) communication and escalation protocols are documented; (4) the document has been reviewed and approved within the last 12 months; (5) the document was updated following the last BCP test or significant incident.
BCP review record showing the plan was formally reviewed and updated within the last 12 months.
Example: BCP review sign-off record or document version history showing the last review date, reviewer name, change summary, and approver sign-off.
Test: Request the BCP version history and most recent review record. Verify: (1) a formal review was conducted within the last 12 months; (2) a named approver signed off the current version; (3) any changes from the prior review are documented.
Questions (2)
Does your organisation have a documented Business Continuity Plan (BCP) that identifies critical services, recovery priorities, roles, communication protocols, and escalation paths, reviewed at least annually?
The BCP should be formally approved by senior management, version-controlled, and updated following any significant incident or organisational change.
When was the Business Continuity Plan last formally reviewed and approved?
Annual review is the minimum requirement. A review triggered by a significant incident or major organisational change within the review period also satisfies this requirement.