A Business Continuity Plan (BCP) is only useful if it works in real life—not just on paper.
What Is a Business Continuity Plan?
A Business Continuity Plan (BCP) is a structured document that outlines how your organisation will continue operating during and after a disruption.
Unlike reactive disaster recovery plans, a BCP is proactive.
It focuses on maintaining essential business functions—such as communications, service delivery, finance, or IT access—regardless of whether the disruption is due to a fire, a cyberattack, vendor failure, or even a pandemic.
A strong BCP:
- Identifies critical business functions
- Sets acceptable downtime limits (e.g. Recovery Time Objectives)
- Outlines roles, responsibilities, and communication paths
- Includes fallback systems or procedures
- Is tested, reviewed, and updated regularly
Whether you’re a tech-heavy business or one that operates largely offline, a well-structured BCP helps protect your people, processes, and partners when the unexpected happens.
At OIT, we don’t create BCPs for customers—we believe you must design a plan that reflects your actual operations, limitations, and recovery goals.
What we do instead is work with you to assess how your IT systems support your BCP, highlight risks, suggest alternatives, and ensure your recovery timelines are realistic.
This article is part of our effort to share that understanding and help you build a plan that holds up—both during audits and during real-world incidents.
ISO 27001:2022 and Business Continuity Planning
ISO 27001:2022 treats continuity as part of information security. But it does not prescribe any fixed Recovery Time Objective (RTO) or Service Recovery Time Objective (SRTO).
You decide these figures—but you must be able to meet them, and justify them based on:
- Your organisation’s goals
- What your documented policies commit to
- Applicable legal and regulatory requirements
Transferable Across Frameworks
Although this article focuses on ISO 27001:2022, the BCP and risk management strategies discussed here are widely applicable.
Whether you’re aligning with MAS TRM, ISO 22301, NIST, SOC 2, or COBIT, the same core principles apply:
- Know what functions matter
- Set realistic recovery timelines
- Document fallback options
- Test and refine continuously
A strong BCP framework improves resilience across any compliance regime.
For finance teams in Singapore, this often involves bridging ISO 27001:2022 and MAS TRM so global standards and local requirements complement each other rather than compete.
Our BCP and Risk Management Framework
Here’s how you can approach your plan:
- Set the Context
  Identify your business goals and critical services.
- Maintain a Risk Register
  Evaluate threats across Confidentiality, Integrity, and Availability (CIA).
- Apply Risk Treatments
  For each risk, decide whether to Accept, Reduce, Avoid, or Transfer it.
- Set RTOs per Function
  Determine what can realistically be recovered within 2, 4, or 24 hours.
- Write Activation & Response Procedures
  Include triggers, contact trees, escalation steps, and fallback workflows.
- Test, Measure & Improve
  Simulate disruptions, review outcomes, and close any response gaps.
Example: 5 Core Business Functions with Sample RTOs
| # | Your Business Function | Output | CIA Priority | Suggested RTO |
|---|---|---|---|---|
| 1 | Customer Service | Support & Comms | High Availability | 4 h |
| 2 | Core Ops | Product Delivery | High Integrity | 8 h |
| 3 | Finance | Billing & Payroll | Moderate Confidentiality | 24 h |
| 4 | Sales & Marketing | Leads & CRM | Moderate Availability | 24 h |
| 5 | IT Services | Infra & Access | High CIA | 2 h |
5 Disruption Scenarios and Example Plans
Scenario | Immediate Impact | Example BCP Actions |
---|---|---|
1. Serviced Office Inaccessible (e.g. fire) | Loss of physical workspace | Remote access plan; pre-arranged alternate worksite |
2. Extended Power/Internet Outage | Loss of digital access | Cloud desktop failover; mobile connectivity (5G routers) |
3. CRM or SaaS Failure | Inaccessible sales platform | Secondary tenant; export data for offline access |
4. Illness/Team Disruption | 50% capacity drop | Prioritise functions; rotate shifts |
5. Cyberattack (e.g. ransomware) | Locked systems | Isolate network; restore via offline or immutable backups |
✅ Tip: As long as your BCP allows a business function to resume within its stated RTO, you’ve met the objective—no failure recorded.
What About IT-Heavy or IT-Light Companies?
Every company uses IT differently.
That’s why continuity strategies vary:
- Some light-IT businesses build manual comms procedures into their BCP
- Others with heavier IT dependence plan for alternate platforms, failovers, or redundant access
This makes it even more important to involve your IT partners when drafting your plan.
How OIT Supports Your Business Continuity Plan
We don’t build your BCP—but we make sure our services fit into it.
Here’s how we help:
- Review how our systems align with your BCP goals
- Help assess IT risk levels (confidentiality, integrity, availability)
- Recommend reliable cloud alternatives (e.g. Microsoft 365, hosted VoIP)
- Support escalation channels with IT vendors you rely on
- Suggest fallback communications methods in case of on-site failure
- Advise on realistic 24-hour RTOs for IT recovery and support reachability
Example:
If your business function is “access to critical operational documents”, we suggest:
- Storing documents in a cloud-based DMS (Document Management System) like SharePoint or Google Workspace, with proper access controls
- Enabling offline sync for key folders so staff can continue work without internet
- Maintaining regular automated backups to an independent storage platform
- Restricting access via role-based permissions to preserve confidentiality during a disruption
- Implementing multi-factor authentication to reduce the risk of unauthorised access during incidents
Final Thoughts
Creating a strong BCP isn’t about having a perfect document—it’s about preparing your team to react effectively when it counts.
At OIT, we believe that you must own your BCP. Our job is to make sure our IT systems don’t become a point of failure—and to support your recovery goals with clarity, speed, and insight.
If you’re designing or reviewing your Business Continuity Plan, and want to ensure your IT stack supports your strategy, let’s talk.
📩 Reach out for a no-obligation IT continuity review.