Business continuity plan
When an incident takes down your systems or your premises, the difference between a few hours of fright and weeks of chaos is having thought through beforehand what to do. The business continuity plan (BCP) is that script: it identifies which processes cannot stop, how long they can hold out without working and how to keep serving your customers while you recover. It starts with an impact analysis (BIA) that puts the focus where it truly hurts, and ends in clear plans that your team can execute under pressure, without improvising.
Business continuity plan for companies, across Spain.
Why
A continuity plan does not prevent the incident, but it decides whether your company takes it in stride or sinks with it.
Ransomware, a fire, a power cut or a supplier going down. The question is not whether it happens, but when.
And under pressure bad decisions are made, time is lost and money is lost. The plan is the script.
The BIA says which process cannot stop and how long it can hold out. The effort goes where it hurts most.
Article 21 of NIS2 and article 11 of DORA require continuity and recovery, and ISO 22301 certifies it. And it has to be proven: good intentions are not enough.
What it includes
A complete business continuity plan to withstand any disruption, not a generic template: designed for your processes and your risks.
It identifies the critical processes, how long they can hold out when stopped and what they depend on, and ranks them in a criticality matrix.
We set a realistic RTO and RPO per process: what the business can absorb without harming itself.
How to keep operating while you recover: alternatives, manual mode, backup sites and suppliers.
Who does what, in what order and with what resources. Written to be used under pressure, not to sit in a drawer.
Who decides, who communicates and who gets notified when everything goes wrong. No hesitation at the worst moment.
Documented and aligned with ISO 22301, to certify and to demonstrate compliance with NIS2 and DORA.
The heart of the plan
The business impact analysis (BIA) is the foundation of all business continuity management (BCM): without it, any contingency plan protects blindly.
Before writing a single procedure you have to answer one question: if this goes down, what happens to the business? The business impact analysis (BIA) answers it process by process.
It measures how much is lost for every hour stopped, how long it can hold out before the damage becomes serious and which systems, people and suppliers each critical process depends on.
With that picture, the plan stops being theory. You know where to invest first, what to recover before anything else and what can wait. Without a BIA, a plan protects what does not matter and what would sink you in equal measure, and that is not a plan: it is an expense.
The difference
Not all continuity plans are worth it. Most fail on the very day they are truly needed.
A generic template no one has read, with processes that no longer exist and steps no one knows how to execute. It reassures the auditor and no one else.
Specific, per process, with clear roles and tested in an exercise. On the day of the incident the team does not read a new manual: it does what it already rehearsed.
When
If a day without your systems stops your billing, your production or your customer service, you need a plan.
You are an essential or important entity, or a financial entity, and the law requires you to withstand an incident and recover.
More and more contracts and tenders require a continuity plan in order to work with you.
An outage, an attack close by or a supplier that failed. Next time you do not want to improvise.
How we work
An orderly method to build a plan that can truly be executed on the bad day.
BIA and risk analysis: what critical processes there are, how long they hold out and what they depend on.
The target times (RTO and RPO) and the continuity strategies for each critical process.
The executable plans, with their roles, their crisis committee and clear steps to follow.
An exercise that tests the plan and trains the team before the real incident arrives.
Fits with
The continuity plan is the map, but it does not travel alone. Disaster recovery is its technical arm, crisis exercises keep it alive and ready, and ISO 22301 certification proves that it exists and works.
And it rests on the rest of the defense: what the SOC detects and incident response contains is exactly what the plan recovers afterward. You have the full continuity and cyber resilience area.
Questions
The business impact analysis. It looks at each process and answers what happens if it stops: how much is lost, how long it can hold out and which systems, people and suppliers it depends on. It is the foundation on which the entire plan is built.
No. The continuity plan (BCP) looks at the whole business: how to keep serving customers even if something fails. Disaster recovery (DRP) is the technical part of bringing systems and data back up. The DRP is one piece of the BCP; it does not replace it.
The RTO is the target time to get a process running again after an outage. The RPO is how much data you can afford to lose, measured in time. The two set how demanding and costly the recovery of each process should be.
Yes. A well-made continuity plan is the basis for ISO 22301 certification. We leave it documented and aligned with the standard, so that reaching certification is the next step and not starting from scratch.
It is worth it for any size. The plan is scaled to your processes and your risk: an SME can start by protecting what is most critical, with a simple and useful plan, and expand it as it grows.
Yes. An untested plan is a hypothesis. That is why we validate it with a crisis exercise that brings to light what fails before a real incident does, when there is no longer any margin for error.
Would you know what to do tomorrow if your systems went down today?
If the answer is not clear, that is exactly why you need a plan. Let us start with a BIA of what is most critical in your business.