Business continuity policy: downloadable template
A four-page business continuity policy that holds up under ISO 27001 audit. Markdown, fully editable.
TL;DR
A 4-page business continuity policy template covering the business continuity controls of ISO 27001:2022 Annex A and the continuity measures required by NIS2 Article 21(2)(c). Markdown, editable, ready to sign.
Policy structure
The policy has 7 sections:
- Purpose and scope
- Regulatory references
- Definitions (RTO, RPO, MTPD)
- Roles and responsibilities
- Activation procedures
- Testing and maintenance
- Approval and review
The template
```markdown
Business Continuity Policy
Version: 1.0
Approval date: [date]
Approved by: [name], [role]
Next review: [date + 12 months]
1. Purpose and scope
This policy defines the objectives, roles and procedures to ensure business continuity of critical processes and ICT systems of [Company] in the event of disruption, disaster or security incident.
Applies to all ICT systems supporting the critical business processes listed in the attached Business Impact Analysis.
2. Regulatory references
- ISO/IEC 27001:2022, Annex A controls A.5.29 (information security during disruption), A.5.30 (ICT readiness for business continuity), A.8.13 (information backup), A.8.14 (redundancy of information processing facilities)
- ISO 22301:2019 (business continuity management systems)
- D.Lgs. 138/2024 (Italian transposition of Directive (EU) 2022/2555, NIS2), Article 21 measures on business continuity, backup management, disaster recovery and crisis management
- Regulation (EU) 2016/679 (GDPR), Article 32 (ability to restore availability and access to personal data in a timely manner)
3. Definitions
- RTO (Recovery Time Objective): maximum acceptable time between the interruption and the restoration of the service.
- RPO (Recovery Point Objective): maximum acceptable amount of data loss, expressed as the time elapsed since the last recoverable copy.
- MTPD (Maximum Tolerable Period of Disruption): maximum duration of a disruption beyond which the impact on the business becomes unacceptable. The RTO of each service must be set below its MTPD.
4. Roles and responsibilities
- CISO: manages the DR plan and drills.
- CIO/IT Manager: ensures technical execution.
- Crisis Manager (appointed in writing): coordinates the response during incidents.
- All employees: comply with operational procedures.
5. Activation procedures
The DR plan is activated by the Crisis Manager upon notification of:
- critical hardware or software failure;
- confirmed cyber attack;
- physical disaster (fire, flood);
- prolonged unavailability of a critical supplier.
Technical procedures are documented in DR runbooks for each critical service (annex 1).
6. Testing and maintenance
- Tabletop drill: annual.
- Technical walkthrough: semi-annual.
- Partial failover: quarterly.
- Full failover: annual.
Each drill is documented with a report including measured times, issues found and corrective actions.
The DR plan is reviewed at least annually, and after any significant infrastructure change.
7. Approval and review
Approved by company management. Reviewed at least once per year. Deviations are reported to the CISO within 5 working days.
Signature: ____________________ Date: ____________________
```
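The definitions in section 3 and the drill reports required by section 6 imply checks an auditor will actually make: an RTO above the MTPD is unachievable by definition, a backup interval longer than the RPO makes the RPO a fiction, and a measured drill time above the RTO is a finding that needs a corrective action. The script below is an added example, not part of the template or of any product mentioned on this page; the service names, targets and drill figures are constructed sample data.

```python
"""Consistency check for a Business Impact Analysis register and DR drill results.

Added example, not part of the policy template. It checks the relationships
implied by the definitions in section 3:
  - RTO must not exceed MTPD (restoring after the tolerable period is useless);
  - the backup interval must not exceed RPO (otherwise the RPO is unachievable);
and compares measured drill figures against the targets, as section 6 requires.
All service names and numbers below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class Service:
    name: str
    rto: timedelta               # Recovery Time Objective
    rpo: timedelta               # Recovery Point Objective
    mtpd: timedelta              # Maximum Tolerable Period of Disruption
    backup_interval: timedelta   # how often backups actually run


@dataclass(frozen=True)
class DrillResult:
    service: str
    measured_recovery: timedelta    # declared disruption -> service restored
    measured_data_loss: timedelta   # age of the most recent restored data


def check_bia(services) -> list[str]:
    """Return one finding per violated constraint; empty list means the BIA is consistent."""
    findings = []
    for s in services:
        if s.rto > s.mtpd:
            findings.append(f"{s.name}: RTO {s.rto} exceeds MTPD {s.mtpd}")
        if s.backup_interval > s.rpo:
            findings.append(f"{s.name}: backup interval {s.backup_interval} exceeds RPO {s.rpo}")
    return findings


def check_drill(services, results) -> list[str]:
    """Compare measured drill figures against each service's RTO and RPO."""
    by_name = {s.name: s for s in services}
    findings = []
    for r in results:
        s = by_name.get(r.service)
        if s is None:
            # A drilled service missing from the BIA is itself a finding.
            findings.append(f"{r.service}: drilled but missing from BIA")
            continue
        if r.measured_recovery > s.rto:
            findings.append(f"{s.name}: measured recovery {r.measured_recovery} exceeds RTO {s.rto}")
        if r.measured_data_loss > s.rpo:
            findings.append(f"{s.name}: measured data loss {r.measured_data_loss} exceeds RPO {s.rpo}")
    return findings


# Constructed sample data (hypothetical services, not from the page).
SERVICES = [
    Service("erp", rto=timedelta(hours=4), rpo=timedelta(hours=1),
            mtpd=timedelta(hours=24), backup_interval=timedelta(minutes=30)),
    Service("web-shop", rto=timedelta(hours=8), rpo=timedelta(hours=1),
            mtpd=timedelta(hours=4), backup_interval=timedelta(hours=6)),
]
DRILL = [
    DrillResult("erp", measured_recovery=timedelta(hours=5),
                measured_data_loss=timedelta(minutes=20)),
    DrillResult("web-shop", measured_recovery=timedelta(hours=2),
                measured_data_loss=timedelta(minutes=50)),
]

if __name__ == "__main__":
    for finding in check_bia(SERVICES) + check_drill(SERVICES, DRILL):
        print("FINDING:", finding)
```

Run it against the real BIA table and the last drill report before the annual review in section 7: every line it prints is a corrective action the report must already contain, and a clean run is the evidence the auditor asks for.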
How to adapt it
- fill in [Company] and [date];
- insert specific details in the attached runbooks;
- have the CEO or equivalent sign.
The policy text is audit-ready in 30 minutes. The attachments it references (the BIA and the per-service DR runbooks) are where the real work is, and the auditor will ask for them.
FAQ
Should it be integrated with the general security policy?
It can be standalone or a chapter of the ISMS policy. Both accepted.
Are attachments needed?
Yes: the BIA, per-service DR runbooks, supplier SLA contracts.
Want to see Sefthy in action?
Same IP, same subnet, RTO in minutes. Try it free for 7 days or talk to one of our specialists.