Business Continuity Policy
Document Number: ISMS-POL-BCP-01
Classification: L1 — Policy (Domain)
Version: 0.1.2
Effective Date: February 18, 2026
Author: Lucas Shin — Security Director
Approved By: Richard — CISO
Next Review Date: February 2027
Parent Policy: Information Security Policy (ISMS-POL-ISP-01)
1. Purpose
This policy defines the business continuity and resilience requirements for Cybercraft to ensure that critical business functions can continue during and recover from disruptions — including personnel loss, system failures, and security incidents.
As a 3–5 person SMB, Cybercraft's primary continuity risks are key person dependency and cloud service availability, rather than traditional physical disaster scenarios. This policy is designed to be proportionate and operationally sustainable.
2. Scope
2.1 Applicable Systems and Services
- Microsoft 365 tenant (email, Teams, SharePoint, OneDrive) — Cybercraft's primary business platform
- SaaS tools on the Approved SaaS Register (Notion, Slack, Jira, etc.)
- Client engagement data stored within Cybercraft's M365 environment
- BYOD devices used by personnel to access Cybercraft systems
2.2 Applicable Personnel
- All Cybercraft employees, contractors, and directors
- Particular focus on key person roles where single points of failure exist
2.3 Out of Scope
- Client-side business continuity (responsibility of the client)
- Physical office continuity (Cybercraft operates as a fully remote organisation)
3. Key Person Risk
3.1 Risk Assessment
Derived from BYOD Security Policy (ISMS-POL-BYOD-01) Section 4 — single Security Director dependency:
Cybercraft's most significant continuity risk is key person dependency. The following roles represent single points of failure:
| Role | Person | Critical Functions | Risk Level |
|---|---|---|---|
| Security Director | Lucas | All Intune/CA configuration, compliance monitoring, incident response, device enrollment/offboarding, policy maintenance, log review | 🔴 Critical — No backup personnel |
| CEO | Farah | Business operations, client relationships, financial management, contract authority | 🔴 Critical — No backup personnel |
| CISO | Richard | Policy approval, risk acceptance, escalation decisions, strategic security direction | 🟡 High — Security Director can escalate to CEO as interim |
3.2 Mitigation Measures
| Mitigation | Description | Owner |
|---|---|---|
| Documentation | All security procedures documented in L3 procedures with sufficient detail for a competent replacement to execute | Lucas |
| Admin Account Separation | Dedicated admin account (admin.lucas) credentials stored in a secure, accessible location known to CISO and CEO | Lucas / Richard |
| Break-Glass Account | Emergency admin account with Global Admin privileges, stored offline (printed credentials in a sealed envelope or secure vault), accessible by CEO and CISO only | Lucas / Farah / Richard |
| Cross-Training | CISO (Richard) maintains basic familiarity with Intune dashboard, CA policies, and selective wipe procedures | Lucas / Richard |
| Runbook | Emergency operations runbook covering: device block, selective wipe, account disable, CA policy bypass, and incident escalation | Lucas |
4. Emergency Policy Deviation
4.1 When Emergency Deviations Apply
Derived from BYOD Security Policy (ISMS-POL-BYOD-01) Section 7.1:
When a temporary operational need requires deviation from established security policies — for example:
- The Security Director is unavailable and a critical security action is needed
- A system outage prevents normal access control enforcement
- A security incident requires immediate actions that conflict with standing policy
4.2 Emergency Deviation Process
| Step | Action | Owner |
|---|---|---|
| 1 | Identify the business-critical need and the policy deviation required | Any personnel |
| 2 | Attempt to contact Security Director → CISO → CEO (in escalation order) | Any personnel |
| 3 | If no response within 2 hours and action is critical: CEO or CISO may authorise emergency deviation using break-glass procedures | Farah / Richard |
| 4 | All emergency actions must be documented — who, what, when, why | Person taking action |
| 5 | Post-incident review within 72 hours to assess deviation impact and restore normal controls | Lucas / Richard |
5. Data Backup and Recovery
5.1 M365 Data Protection
| Data Type | Native Protection | 3rd-Party Backup (AFI Backup) | Retention |
|---|---|---|---|
| Exchange Online (email) | Microsoft native retention + litigation hold capability | ✅ AFI Backup — automated backup | Native: default retention policy / AFI: policy-defined retention |
| SharePoint / OneDrive | Version history (up to 500 versions), recycle bin (93 days) | ✅ AFI Backup — automated backup | Native: 93 days recycle bin + version history / AFI: policy-defined retention |
| Teams chat and channels | Retained in Exchange Online (compliance) | ✅ AFI Backup — automated backup | Native: default retention policy / AFI: policy-defined retention |
Note: Cybercraft uses AFI Backup as a third-party M365 backup solution to supplement Microsoft's native retention capabilities. AFI Backup provides automated backup of Exchange Online, SharePoint, OneDrive, and Teams data to an independent infrastructure, ensuring recovery capability beyond Microsoft's native retention limits. Backup scope and retention settings are reviewed annually or upon significant platform changes.
5.2 SaaS Data
- Each approved SaaS tool on the register should have a documented data export capability
- Critical SaaS data (e.g., Notion workspace, project management data) should be exported quarterly as part of the evidence retention cycle
- Export responsibility: Security Director
5.3 BYOD Device Data
- Corporate data on BYOD devices is logically isolated (managed volume on macOS, Work Profile on Android)
- If a device is lost or destroyed, corporate data is recoverable from M365 cloud services — no local-only data should exist
- User is responsible for personal data backup on their own device
6. Emergency Contact Chain
| Priority | Contact | Role | Capabilities |
|---|---|---|---|
| 1 | Lucas Shin | Security Director | Full technical control — Intune, CA, Entra ID, incident response |
| 2 | Richard | CISO | Policy decisions, risk acceptance, break-glass authorisation, basic Intune operations |
| 3 | Farah | CEO | Business decisions, break-glass authorisation, external communications |
| 4 | Jeff | Group Chairman | Cross-tenant escalation (HVT/TT), strategic decisions |
Contact details are maintained in a separate Emergency Contact Register stored both in SharePoint and offline (printed copy held by CEO and CISO).
7. Service Availability
7.1 Dependency on Microsoft 365
Cybercraft's operations are heavily dependent on Microsoft 365 availability. In the event of a prolonged M365 outage:
- Communication fallback: Personal email and phone for urgent matters
- File access: Local cached copies in managed apps (limited, read-only for recent files)
- Client communication: Direct phone/personal email with clients as needed
- Recovery: Resume normal operations once M365 services are restored
7.2 Acceptable Downtime
- Email/Teams: Maximum 24 hours before fallback communication is activated
- SharePoint/OneDrive: Maximum 48 hours — work can continue with locally cached files
- SaaS tools (Notion, Jira): Maximum 72 hours — not immediately business-critical
8. Roles and Responsibilities
| Role | Person | Responsibilities |
|---|---|---|
| CEO | Farah | Executive sponsor, business continuity decision authority, external communications during crisis, break-glass holder |
| CISO | Richard | Policy approval, emergency deviation authorisation, break-glass holder, cross-training participant |
| Security Director | Lucas | BCP maintenance, runbook creation, key person risk mitigation, backup procedures, emergency contact register |
| All Personnel | All staff | Know the emergency contact chain, report disruptions promptly, follow emergency deviation procedures |
9. Compliance Mapping
| ISO 27001 Control | Requirement | Covered By |
|---|---|---|
| A.5.29 | Information security during disruption | Section 4 (Emergency policy deviation) + Section 7 (Service availability) |
| A.5.30 | ICT readiness for business continuity | Section 5 (Data backup and recovery) + Section 7 (Service availability) |
| A.8.13 | Information backup | Section 5 (Data backup — M365 native + AFI Backup + SaaS export) |
| A.8.14 | Redundancy of information processing facilities | Section 7 (M365 cloud-based redundancy + fallback communications) |
10. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1.0 | 2026-02-18 | Lucas Shin | Initial release — key person risk analysis, emergency deviation procedures, data backup strategy, emergency contact chain. Incorporates continuity elements from BYOD Security Policy. |
| 0.1.1 | 2026-02-20 | Lucas Shin | L2 policy reordering (renumbered). Updated cross-reference document numbers to reflect new P-numbering scheme. |
| 0.1.2 | 2026-02-20 | Lucas Shin | Updated §5.1: Added AFI Backup as 3rd-party M365 backup solution (Exchange, SharePoint/OneDrive, Teams). Removed "no third-party backup" note. Updated A.8.13 compliance mapping reference. |
Review Schedule
- Quarterly: Emergency contact register verification, break-glass account test
- Annually: Full BCP review, key person risk reassessment, backup strategy evaluation
- Ad-hoc: After any business disruption, personnel change in key roles, or significant platform change
[End of Policy Document]