Business Continuity and Disaster Recovery Policy

The Business Continuity and Disaster Recovery Policy establishes the mandatory controls, processes, and responsibilities for sustaining or recovering the organization’s critical business operations and ICT services during and after disruptive incidents. It provides a structured framework to protect life, ensure operational stability, uphold legal and customer commitments, and safeguard the organizational reputation by embedding resilience through proactive planning and validated recovery capabilities. This policy applies to all organizational units, information systems, business processes, personnel, and third-party services deemed critical or essential based on the results of a Business Impact Analysis (BIA). The scope is comprehensive, covering natural and man-made disruptions such as cyberattacks, infrastructure failures, data center outages, pandemics, and vendor service interruptions. It sets the foundational expectations for planning, ongoing testing, and continuous improvement of Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs), ensuring that obligations toward regulatory, contractual, and industry standards are met. Key objectives of the policy include guaranteeing business operation continuity via predefined and tested procedures, minimizing potential operational, reputational, and legal impacts, and assuring timely recovery within defined Recovery Time and Point Objectives (RTOs and RPOs). It assigns clear accountability across the enterprise: executive management, business continuity and IT disaster recovery leads, department heads, information security officers, and the crisis response team each have defined roles for strategy, planning, execution, and communication. The policy mandates the establishment of a unified Business Continuity Management System (BCMS) in line with ISO 22301 and ISO/IEC 27001 requirements. It demands an annual BIA for all critical units, development and approval of BCPs/DRPs, and the maintenance of accurate documentation, escalation flows, and contact lists. Plans must include manual workarounds, alternate site activation, crisis communication, and supply chain contingency strategies. Regular testing, including annual resilience assessments, tabletop exercises, and simulated failovers, is compulsory to review effectiveness, dependencies, and readiness posture. The policy also addresses the integration of continuity planning with security and incident response, ensuring no compromise on information security controls during recovery. Exception management, risk evaluation, and escalation protocols are defined, while compliance monitoring and disciplinary measures for non-compliance ensure policy enforcement. This policy is strictly aligned with leading global standards and regulatory frameworks, supporting due diligence in operational resilience and auditability for legal or contractual obligations.