Business Continuity Management Policy Statement
Document name: Business Continuity Management Policy Statement
Version number: 1.2
Status: Choose an item.
Department/Team: Planning, Risk & Governance
Relevant policies: Business Continuity Plan and Incident Management Procedure
Distribution: Internal
Author/Owner: Joanne Butler
Approved by: Louise Byers
Date of sign off: 31/1/2022
Review by: 31/1/2023
Security classification: Official
Key messages
The main objectives of this policy are to:
o Provide the intention and direction of the business continuity programme.
o Enhance the capability and resilience of the organisation.
o Help to ensure continuity of service, as far as is practicable, following an unexpected disruption to normal services.
Does this policy relate to me?
The scope of the business continuity programme includes all services provided by the ICO and includes all ICO office locations. The ICO will undertake a staged approach to business continuity, focusing on business-critical areas, corporate risks and priority activities in earlier stages of the business continuity programme to help mitigate and manage areas of higher risk.
All members of staff should familiarise themselves with the Policy and Plan.
Table of contents
1. Introduction ............................................................................. 2
2. Business Continuity Policy Scope ................................................. 3
3. Business Continuity Policy Aims .................................................. 3
4. Goal#1: Business Continuity Governance ..................................... 4
5. Goal#2: Business Continuity Culture ........................................... 5
6. Goal#3: Business Continuity Skills .............................................. 5
7. Goal#4: Business Continuity Approach ......................................... 6
8. Communication and Maintenance ................................................ 7
9. Related Policies and Procedures .................................................. 7
Feedback on this document ............................................................ 8
Version history ............................................................................. 8
1. Introduction
1.1. This business continuity policy statement forms part of the Information Commissioner’s Office’s (ICO’s) internal control and corporate governance arrangements and provides the intention and direction of the business continuity programme. The Information Commissioner recognises that, as a regulator, the Office has a duty to the public, its employees, partners and stakeholders to protect and preserve its ability to operate as a regulator, to uphold information rights in the public interest, and to achieve its long-term ICO25 Plan and enduring objectives.
1.2. Effective business continuity management enhances the capability and resilience of the organisation and helps to ensure continuity of service as far as is practicable following an unexpected disruption to normal services. In order to achieve this, the ICO recognises the importance of having effective business continuity management arrangements in place to ensure the effective identification, evaluation and management of its business-critical services.
1.3. The ICO is committed to providing a business continuity programme that seeks to protect the welfare of staff, visitors and contractors and, where possible, to continue the delivery of services at acceptable predefined levels following a disruptive incident. This policy has the full support of the Information Commissioner and senior management team. The policy and the adoption of the business continuity framework, including allocating proportionate resources to business continuity arrangements, is owned by the Chief Operating Officer.
2. Business Continuity Policy Scope
2.1. In scope: The scope of the business continuity programme includes all services provided by the ICO and includes all ICO office locations. Where an external provider is involved in the delivery of a service, this supplier and their supply chain will also be included. This includes the ICO’s supporting information and communication technology and resources. The ICO will undertake a staged approach to business continuity, focusing on business-critical areas, corporate risks and priority activities in earlier stages of the business continuity programme to help mitigate and manage areas of higher risk.
2.2. Out of scope: Work will be undertaken within service areas to determine any business areas or activities that will not be included in the scope of the business continuity programme. This will be by exception. For example, these may be services we provide or products that we use that are nearing the end of life or due to be decommissioned, or areas of low-volume activity that, if they were included in the scope, would not make best use of the business continuity resources available.
3. Business Continuity Policy Aims
3.1 The purpose of this policy is to clearly outline the ICO’s commitment to business continuity management, describe the business continuity management goals and objectives, and provide a framework for responding across the organisation. There are four goals, detailed below, which outline the ICO’s approach to business continuity management.
4. Goal#1: Business Continuity Governance
4.1 Business continuity will be embedded into the business management planning and practices of the ICO so that risk and resilience are an integral part of decision making and management.
4.2 Business continuity management will operate under both normal operating conditions and during business interruption events where the ICO needs to recover critical activities within predefined time periods. The following actions will help us to achieve Goal#1:-
o Action: During normal operating times the Director of Corporate Planning, Risk and Governance is responsible for the facilitation of business continuity management delivery. During business interruption events a Gold, Silver and Bronze response team structure will be stood up in accordance with the Business Continuity Plan.
o Action: We will ensure that the Commissioner is able to rely on adequate three lines of defence functions. This will be done through the management of business continuity risk and ensuring resilience at a local level, and at a corporate level through the Risk and Governance team. Monitoring, assurance and challenge is provided through the Risk and Governance Board, and independent oversight is undertaken by the Audit and Risk Committee and through internal audit reviews.
o Action: We will ensure that managers take ownership and are accountable for Directorate-level business continuity risks and resilience. The local response structure will be closely aligned with the existing management structure but will be flexible and capable of responding to the disruptive situation that arises.
o Action: We will deploy adequate resources to develop, implement, maintain and improve the ICO’s business continuity management framework.
5. Goal#2: Business Continuity Culture
5.1 A strong business continuity culture is one that integrates business continuity awareness and practice into business-as-usual activities and organisational culture. Business continuity is a specialism within the ICO’s risk management procedures and aims to ensure that mitigation measures are proportionate, and that business continuity resources concentrate on areas with single points of failure and unacceptable risk levels. The following actions will help us to achieve Goal#2:-
o Action: We will communicate clear and appropriate escalation procedures, ensuring everyone understands the role they have to play in maintaining resilience.
o Action: We will promote a culture of innovation in the ICO and we will consider business continuity risks and impacts as we implement changes.
o Action: We will embed business continuity within the organisation so that it becomes part of business planning, management and business as usual.
6. Goal#3: Business Continuity Skills
6.1 We will ensure that staff have the skills and knowledge they need to fulfil their business continuity and resilience responsibilities. The following actions will help us to achieve Goal#3:-
o Action: We will ensure that all staff can recognise an incident and know how to report it to the relevant area, and that they understand relevant business continuity plans and associated roles and responsibilities.
o Action: We will engender a continuous improvement mindset towards the way we manage business continuity, align it with the Business Continuity Institute’s Good Practice Guidelines, and implement lessons learned from testing and incidents.
o Action: We will ensure that appropriate business continuity training and learning opportunities are provided.
o Action: We will ensure that managers lead by example with a combination of positive attitudes, behaviours and activities to create an environment where continuity and resilience are considered in all we do.
7. Goal#4: Business Continuity Approach
7.1 The ICO will follow the Business Continuity Institute’s Good Practice Guidelines (2018), which build on the ISO 22301:2012 requirements by defining what individuals need to know about the key stages in developing, implementing and managing a successful business continuity programme. The following actions will help us to achieve Goal#4:-
o Action: We will establish a framework for building ICO-wide resilience with the capability of an effective response that safeguards the welfare of our staff, visitors and contractors and seeks to minimise disruption to the interests of our stakeholders.
o Action: We will maintain a business-wide risk and impact analysis programme and an aligned corporate business continuity plan and localised business continuity plans.
o Action: We will minimise the risk of disruptive incidents to the ICO through collaboration with relevant ICO specialisms (e.g. risk management, information security, physical security, health and safety) to establish the necessary controls to reduce risk to within the relevant risk appetite.
o Action: We will establish appropriate business continuity targets and solutions for prioritised business areas, services and activities that protect the successful delivery of the ICO’s corporate and regulatory strategies.
o Action: We will validate the business continuity plan with the use of exercises to an agreed schedule and review the plan following the resolution of any disruptive incidents.
8. Communication and Maintenance
8.1 Where and when appropriate, the ICO will communicate to our customers, partners, suppliers, employees, and to DCMS and other government departments our commitment and information related to business continuity management. Our communication response during an incident will be guided by senior management working with the ICO’s Communication Teams.
8.2 We will maintain close relationships with governments, local communities and other interested parties and, where possible, actively support and participate in community resilience and response efforts if required.
8.3 Once approved, the policy will be communicated to staff and held in the ICO’s policy and procedures library for reference.
8.4 The Risk and Governance Team will continue to develop the business continuity processes and procedures required to deliver the business continuity management framework and will support and coordinate business continuity planning across departments. This will include the establishment, maintenance and improvement of a corporate business continuity plan. The team will ensure the plan is exercised at least once annually and will provide regular reports on progress against the business continuity programme to the Risk and Governance Board.
9. Related Policies and Procedures
9.1 Related policies include but are not limited to the following:-
Business Continuity Plan and Incident Management
Risk Management Policy and Appetite Statement
IT Disaster Recovery Plan
Information Security Policy
Security Incident Management Policy
Health and Safety Policy
Fraud Awareness Policy and Response Plan
Feedback on this document
If you have any feedback on this document, please click this link to provide it.
Version history
Version   Changes made                                  Date   Made by
1.1       Annual Review bringing in line with ICO25
2.0