What Does a Business Continuity Plan Typically Include?

Jan 28, 2021 | Security

With the recent SolarWinds and Malwarebytes security breaches gaining more and more visibility across IT departments and the media alike, it’s more critical than ever that organizations take a comprehensive look at their security posture. Two areas of proactive planning that every company should have in their incident response plan are solid business continuity and disaster recovery plans.

While the two terms are often used interchangeably, a business continuity plan (BCP) goes into far greater detail about the types of potential threats a business can encounter, and acts as a roadmap, outlining thorough steps to restore operational functionality as quickly as possible.

But what does a business continuity plan typically include? We’ve compiled a list of 10 topics your business continuity plan should address.

Potential Threat Analysis

A thorough analysis of any potential threats that could impact your organization should be conducted at the start of the business continuity planning process. Events like natural disasters, loss of access to critical business assets, and global pandemics are all topics that may be considered when developing a business continuity plan.

Responsibilities Matrix

Create a list of staff and detail the functions they will be responsible for if an emergency situation should arise. Instructions outlining who will be responsible for what in the event of a disaster will allow your teams to quickly jump into action without having to meet and delegate roles should such an event occur, saving precious time and energy.

Emergency Contact Information

Keep an up-to-date list of important contacts and how they can be reached if normal communication methods are down. This list should include those responsible for carrying out specific actions in the business continuity plan, senior leadership, and external resources like emergency services, utility companies, building maintenance, etc.

Disaster Recovery Teams

Develop a team of resources that will be responsible for carrying out specific portions of the business continuity plan. These teams, sometimes referred to as the Disaster Recovery Teams (DRT), will be responsible for implementing the BCP and restoring operational functionality to the organization once the threat has been minimized.

Offsite Backup Storage

Having copies of your business data in an offsite location is critical. In the event of a natural disaster, equipment failure, or security breach, you won’t have to rely on backups stored at your primary location to restore functionality. Include detailed instructions about what is being backed up offsite and how the DRT can recover the information in your BCP.

Alternative Power Arrangements

Physical threats like natural disasters or equipment malfunctions can impact the electrical power within an organization. Having an alternate source of power like a generator will allow the restoration of some business functions while the primary power source is fixed. Organizations should consider the cost of implementing such backup power solutions and include information about how to assess whether implementing a secondary power solution makes sense in a given situation.

Backup Communication Strategy

Detailed plans outlining how business communication will continue during a disaster should be included in the BCP. This plan should include how to reach key resources, methods of alternative communication (such as alternate email addresses and cell phone numbers), and anything else that might impact communications while the primary methods (like office phones and email) are unavailable.

Alternative Locations for Operation

Plans for an alternative working location in the event your building becomes inaccessible should also be included in your BCP. Renting a temporary workspace, having employees work remotely, or setting up a hot site in another region to which key business functions can be transferred are all things to consider when drafting this section of the plan.

Secondary Ways of Accessing Business Applications

Having a way to access key business resources like telephony, email, and your proprietary applications is essential to restoring operations as quickly as possible. Your BCP should identify what resources are critical, how to switch over to the secondary applications during a disaster, and how to switch back to the primary applications once they’ve been restored.

Recovery Phase Operations

The final component to include in your business continuity plan is an outline of what will be done once operations are restored and the business has entered the recovery phase of the disaster. This part of the plan should include how damage will be assessed, any recovery costs, and how to transition management from the DRT to functional area managers.


Having a business continuity plan is just one component of a strong incident response plan. To learn more about the fundamentals of incident response management, read our blog on incident response planning or contact us today.
