Business Continuity

Keep operating when things go wrong.

A Business Continuity Plan describes how your organisation keeps functioning during a disruption. DEFION builds plans that also work for the most likely scenario: a cyber incident.

What is a Business Continuity Plan?

A Business Continuity Plan (BCP) is the playbook for a crisis: which processes are critical, what are the alternatives, who makes the decisions and how do you communicate with customers and employees? DEFION builds BCPs that always include cyber scenarios, because ransomware encrypting your entire IT environment is the scenario most organisations are least prepared for.

The Service

A plan that works in practice

The team works with your organisation to build a BCP that not only looks good on paper but also works in practice. It starts with mapping your critical processes and their dependencies. Then continuity strategies are defined for each process: how do we continue if system X fails?

A BCP at DEFION always includes a cyber component. Traditional BCPs focus on physical disruptions, but the most likely disruption for most organisations is a cyber incident. The plan includes specific scenarios for ransomware, data breaches and full IT failure.

The plan is tested and exercised. A BCP sitting in a drawer is worthless. The team facilitates tabletop exercises that validate the plan and prepare the team for what can really happen.

Why it matters

Without a BCP, every crisis becomes chaos

  • No cyber scenarios in traditional BCPs

    Many organisations have plans for fire and flooding, but not for ransomware encrypting their entire IT environment. NIS2 requires specifically including cyber incidents in your continuity planning.

  • Nobody knows which processes are truly critical

    Without a formal BIA, you do not know which processes must be restored first. In a crisis, this leads to uncoordinated recovery actions where the wrong things are started first.

  • Crisis communication is underestimated

    Who communicates with customers? When? What do you say when you do not have all the details? Without a communication playbook, information vacuums develop that amplify reputational damage.

Scope

What the BCP covers

  • Critical business processes and dependencies
  • RTO and RPO per process
  • Continuity strategies per critical process
  • Cyber scenarios (ransomware, data breach, IT failure)
  • Communication plan (internal, external, customers)
  • Roles and responsibilities (crisis team)
  • Supplier dependencies and alternatives
  • Test plan and exercise programme

Methodology

From BIA to validated plan

01

Business Impact Assessment

Identification of critical processes, dependencies and impact scenarios. The BIA is the foundation of the BCP.

02

Risk analysis

Which threats can disrupt continuity: cyber, physical and supplier? Prioritisation based on probability and impact.

03

Strategy definition

Continuity strategies per process and scenario: alternative locations, manual procedures, supplier switches.

04

Plan development

Documentation of the BCP with playbooks per scenario. Communication protocols, contact lists and escalation paths.

05

Validation via tabletop

Tabletop exercise with the crisis team. The plan is walked through and improvement points are identified.

06

Maintenance

Annual review and update. Direct adjustments when significant changes occur. Periodic retesting to keep the plan current.

What You Receive

Deliverables

  • Business Continuity Plan (complete document)
  • Business Impact Assessment report
  • Continuity strategies per critical process
  • Crisis team composition and contact list
  • Communication playbook
  • Test plan
  • Facilitated tabletop exercise for validation

For Whom

Suitable for

Organisations without a formal BCP

You know you need a plan but have nothing on paper yet. This engagement builds the complete foundation.

Companies with an outdated BCP without cyber scenarios

You have a plan but it does not include ransomware or IT failure scenarios. This engagement modernises the existing plan.

Organisations with NIS2, DORA or ISO 22301 requirements

All three require demonstrable continuity measures including cyber scenarios. This engagement delivers the required documentation.

Board members who are personally liable

Under NIS2, board members are personally liable for continuity measures. A current BCP is the foundation.

Frequently Asked Questions

FAQ

How long does setting up a BCP take?
Typically 6 to 12 weeks, depending on the size and complexity of the organisation. The Business Impact Assessment is the foundation and takes the first 2 to 4 weeks. Strategy definition, plan development and tabletop validation follow.
Who needs to be involved in a BCP engagement?
All departments that execute critical processes: IT, operations, finance, HR, communications and the board. A BCP is not an IT project but an organisation-wide programme. Without involvement from all stakeholders, the plan is incomplete and unworkable.
How do we keep the BCP current?
Through annual reviews, exercises and updates when significant changes occur (new systems, reorganisation, new location). The team can set up a maintenance programme so the BCP always reflects reality.
Can you review our existing BCP?
Yes. If you already have a BCP, the team assesses whether it is current, complete and workable. Specific attention goes to cyber scenarios, which are often missing from traditional BCPs. You receive a gap analysis and improvement plan.
How does this relate to ISO 22301 certification?
The BCP engagement follows ISO 22301 structure and principles. It is directly usable as the basis for an ISO 22301 certification track. If you want to pursue certification, the team advises on the additional steps needed.

Ready to make your organisation resilient?

Start a BCP engagement or have your existing plan reviewed. Know within weeks what you are missing.