Free Business Continuity Plan Template (ISO 22301)
A business continuity plan is what keeps you operating when something goes wrong — an outage, a cyber incident, a supplier failure. This free template is aligned to ISO 22301 and gives you the structure to respond and recover quickly. Tailor the [Customize] points to your organization.
Any organization that can't afford prolonged downtime — and anyone pursuing ISO 22301, ISO 27001 or NIS2, all of which expect documented, tested continuity arrangements.
Template
Business Continuity Plan
ISO 22301:2019 §8.4
1. Purpose & Scope
This plan enables ✎ Company Name to continue and recover its critical activities following a disruptive incident. It covers ✎ the locations, services and systems in scope and supports the organization's recovery objectives.
2. Roles & Activation
The plan is activated by ✎ role, e.g. the Incident Manager when a disruption threatens critical activities. The continuity team comprises ✎ list roles. An up-to-date contact list (including out-of-hours) is maintained at ✎ location.
3. Critical Activities & Recovery Objectives
Critical activities and their targets (from the Business Impact Analysis):
- ✎ Activity 1 — RTO ✎ e.g. 4 hours, RPO ✎ e.g. 1 hour.
- ✎ Activity 2 — RTO [Customize], RPO [Customize].
Activities are recovered in priority order.
4. Response Procedures
On activation: confirm and assess the incident; protect people and safety first; notify the continuity team; and implement immediate containment. Decisions and actions are logged throughout.
5. Recovery Procedures
Recover critical activities using the agreed strategies, for example ✎ failover to secondary site / restore from backups / invoke alternative supplier. Verify data integrity and service functionality before returning to normal operations.
6. Communications
Keep staff, customers and (where required) regulators informed using pre-agreed channels and templates. ✎ name the spokesperson and approval step for external communications.
7. Testing, Maintenance & Review
This plan is exercised at least ✎ annually (e.g. a tabletop or failover test), and updated after exercises, incidents or significant change. It is reviewed at least annually. Approval and version history are recorded.
✎ Highlighted items are placeholders — replace them with your organization's details.
How to customize this template
- Base your critical activities and RTO/RPO targets on a real Business Impact Analysis — guessing undermines the plan.
- Keep the contact list current and accessible offline; a plan you can't reach during an outage is useless.
- Tailor the recovery strategies to what you actually have (backups, failover, alternative suppliers).
- Run a tabletop exercise at least annually and record the outcome — testing is an ISO 22301 requirement.
- Assign a named spokesperson and an approval step for external communications.
What an auditor looks for
- Are critical activities and recovery objectives (RTO/RPO) defined and based on a BIA?
- Are activation, roles and contacts clearly documented?
- Have the arrangements been exercised, with results recorded?
- Is the plan reviewed and kept current?
Frequently asked questions
What's the difference between a BCP and a disaster recovery plan?
A business continuity plan covers the whole organization's critical activities; a disaster recovery plan is narrower, usually focused on restoring IT systems and data. The DR plan supports the BCP.
What are RTO and RPO?
Recovery Time Objective is how quickly an activity must be restored; Recovery Point Objective is how much data loss is tolerable. Both come from your Business Impact Analysis.
How often should I test the plan?
At least annually, typically with a tabletop exercise, plus after any major change. ISO 22301 requires you to exercise and evaluate your arrangements.