Business Continuity Plan (BCP): What Is It and How to Make One

A business continuity plan is a key step for ensuring that businesses can minimize the losses relating to a data breach, cyberattack, or other disasters. This article looks at why business continuity planning matters, how to develop a BCP, and how to improve and review your plan.

Written by Avast Business Team
Published on December 15, 2021

What is a business continuity plan?

A business continuity plan (BCP) outlines a process for preventing and recovering from a range of potential threats, including unexpected incidents such as a cyberattack, identity theft, or a data breach. It allows a quick reaction and minimizes impact and recovery times.

    In order for it to be effective, a BCP should be extremely detailed with short-term and long-term planning, covering every area of the business that could be affected. This should include assets, personnel, business processes, and partners/customers.

    As disaster recovery planning’s main focus is on IT recovery, it should be included as part of the BCP and provide a clear roadmap for maintaining operations in multiple scenarios.

    Why does business continuity planning matter?

    Having a plan means you can respond quickly and decisively, minimizing disruption — which is key to maintaining customer confidence in the face of a crisis. For this reason, business continuity planning is vital to businesses of all sizes.

    Disruptions of any kind, from software failures to fires, will severely impact productivity and increase costs. If best practices are not followed by all members of staff, cybersecurity threats from IoT, spoofing and weak passwords also have the potential to cause significant disruption.

    While the financial loss will be higher for larger businesses, the impact on companies with smaller margins could be catastrophic, as the cumulative cost of fines or penalties, recovery expenses, and loss of business could rapidly add up. For both, losing customer trust must be avoided wherever possible — some losses cannot be covered by insurance.

    While a business continuity plan cannot anticipate events, a holistic approach can ensure that there is clear guidance to keep things moving, protect sensitive data, and retain customers during a crisis of any type.

    How to develop your business continuity plan

    Before producing a business continuity plan, it is important to assess your business and its processes. From a security perspective, identifying vulnerabilities will help you to make existing security measures more robust as well as identify which threats are most likely to occur. Similarly, taking the time to review existing processes could help to identify new efficiencies.

    Implementing an OPSEC (operational security) process at this point can help to identify weak points in data security and inform the creation of your BCP.

    Business continuity plans (BCPs) bring together the various teams, risks, strategies and training that may be associated with an incident into a single process document.

    What should be included in a business continuity plan?

    While the requirements will vary between organizations, the key components of an effective business continuity plan are as follows:

    1. Create a planning team

    The size of the team will depend on your organization’s scale but should include managers from every department. In addition, leaders should be identified for key aspects such as IT, facilities, finance, and HR.

    The team’s tasks will be to develop the plan, provide clear direction and training to staff, and test and review, ensuring that the measures outlined remain the most effective strategy.

    2. Identify risks

    The first task of the team is to conduct a business impact analysis (BIA). This analysis provides an ideal starting point as it will help you to identify and prioritize specific risks to security, finances, operations, etc.

    Conducting a BIA can be a complicated process, but the result will be a valuable document that identifies the key risks to your business and how they would be impacted by a range of potential disruptions.

    3. Mitigate risks

    Having identified the risks, the next step is to review existing processes to identify changes that can be made to reduce the impact of an issue. This could include:

    • Reviewing fire safety

    • Implementing revised IT backup processes and cloud security

    • Increasing staff training

    • Preparing contingency suppliers

    • Updating cybersecurity policy and tools

    4. Create continuity strategies

    Simply knowing about risks is not enough. If disaster strikes, swift and decisive action will be required to minimize the impact and expedite recovery.

    Continuity strategies should provide clear guidance on how to ensure operations can continue at an acceptable level during the recovery period. Key questions should be answered with specific instructions and information to ensure there is clarity in the approach. These should include:

    • Are there clear instructions for accessing data backups?

    • Is the contact information for key personnel and suppliers up to date?

    • Which tasks could be outsourced?

    • Is there an effective WFH policy?

    • Are manual processes in place if internet access is unavailable?

    5. Implement and train

    The continuity plan will evolve alongside the business and must remain a live document that is regularly updated. To identify where improvements are required, you should ensure regular testing of processes and systems.

    Staff should be trained on general processes, with individuals assigned key roles — in the same way that you identify fire marshals or first-aiders.


    While the level of detail will vary depending on the size of the company and the departments involved, the following example shows the steps that need to be taken in the case of a data breach:

    • Confirm the nature of the attack

    • Inform all staff immediately

    • Identify what has been compromised

    • Urgently prevent further damage

    • Change affected passwords and remove access permissions

    • Repair data and restore from backups

    • Call in external support

    • Identify how the breach happened

    • Notify customers and clients as required

    • Determine the impact and cost of the breach

    • Evaluate and strengthen security as required

    • Review response and adjust BCP

    • Provide updated training for staff

    All of these steps should have specific guidance in the BCP.

    How to test your business continuity plan

    Don’t wait until disaster strikes to find out if your BCP is adequate. The best way to know if it will be effective is to implement regular and rigorous testing. Objectives should be measured and compared against previous tests to identify and fix weak spots that could be vulnerable to ransomware or zero-day attacks.

    The frequency of testing varies, but many companies will test their business continuity plans up to four times per year. Due to the broad and detailed nature of a BCP, there are multiple ways to test. The simplest testing method is for the planning team to analyse the existing plan, identifying weak points and areas that require updates due to company changes (contact details, suppliers, etc.).

    As part of this, the person responsible for a certain aspect, such as cybersecurity, can present the elements of their plan to the team for critical review before being re-assessed, using a selection of the most pertinent disaster scenarios.

    Simulation tests should also be performed on an annual basis to determine how well the plans hold up in a real-world scenario. This could include evacuation drills and exercises to build confidence in the continuity processes. Simulations should include staff from outside the planning team to bring in fresh eyes to identify areas that require more clarity or other aspects that might otherwise have been overlooked.

    Improving and reviewing your business continuity plan

    In addition to the revisions made during the testing process, feedback from each department will help to strengthen your overall plan by providing a specialized perspective on policies and processes. Depending on the company structure, this stage could be conducted following the periodic testing or be implemented during the review process.

    For a business continuity plan to be effective long-term, it has to be supported. If it becomes a quarterly task for department heads, it will not be adopted correctly and could fail to provide continuity of service should a crisis occur.

    Instead, all members of staff should be trained to understand their role and the importance of rapid response in limiting the impact. Through familiarity with emergency processes, staff will feel safer and more able to respond positively and proactively to any situation.

    Keep your business secure

    Protect against an unexpected cyberattack using next-gen business antivirus by Avast Business — providing proactive solutions to protect against advanced cyberattacks and ransomware.
