Security’s Role in BCP/DRP Management and Response

This Rules/Policy document is provided to you and your organization as a starting point or maturity checkpoint for existing rules/policies. It is brought to you on behalf of Jim McConnell, Principal Owner, and Ask McConnell, LLC — A Converged Security Services Provider. The content is not meant to cover every circumstance, industry, law, regulation, contractual requirement, threat, environment, or risk, but it provides an easy, defendable, highly accountable starting point for any organization. Please consult with your legal counsel and insurance provider about added requirements. If you know of peers that you think would find value in these resources, please have them contact us. These will be updated on our website regularly. We are not legally protecting these documents; we just ask for credit, shout-outs, and referrals if you find them helpful. If you have recommended updates, we are all ears. And if you need Converged Security Consulting and Training, please reach out; we would be honored to serve you and your organization.

Jim McConnell  |  info@askmcconnell.com  |  askmcconnell.com

Security’s Role in BCP/DRP Management and Response Policy

Updated: 17 July 2025

Business Continuity Planning and Disaster Recovery Planning are critical for any organization and should be built, funded, exercised, and tested. Security and Safety functions are always support functions for BC/DR programs. This policy addresses two areas: Security’s role in the organization’s overall BC/DR program, and the BC/DR plan for the Security function itself as a business function.

Reality: BC/DR functions reporting into a CSO/CISO/Security leader do occur, but generally BC/DR is a very separate and distinct function with its own team, skills, training, and budget.

  • I will report security incidents, concerns, vulnerabilities, and threats to my supervisor or the organization’s Ethics Hotline as soon as possible and safe; if they are not available and I feel unsafe, I will contact law enforcement.
  • Security Supporting the Business:
    • I will ensure the security team members I oversee are trained and available to support the various roles we play in supporting the organization’s BC/DR program (planning and response).
    • I will ensure that the security functions I oversee have integration, planning, and response procedures and budget to support the organization’s BC/DR program (planning and response).
    • I will not interfere with the non-security roles of BC/DR (planning and response).
    • I will prioritize security and safety response while supporting the business’s BC/DR planning and response needs.
    • I will notify the BC/DR leaders of any potential or actual BC/DR impacts due to actual or likely security incidents that I or our team discover.
    • I will ensure all my security operational work considers impacts on the business’s BC/DR program and potential events/incidents.
  • Security Functional BC/DR:
    • I will ensure all my security operational work considers impacts on the security function/department’s ability to be resilient to business continuity threats and disasters.
    • I will ensure the security functions I oversee have an up-to-date Business Impact Analysis (BIA) on each of my functions, systems, applications, and physical and electronic infrastructure.
    • I will ensure the security functions I oversee have up-to-date BC/DR plans that are integrated into the overall organization’s BC/DR program.
    • I will ensure our security BC/DR program meets or exceeds industry standards (e.g., DRII) for planning, equipping, exercising, and testing.
    • I will ensure all security asset inventory is maintained and audited.
    • I will ensure all interdependencies the security function depends on — inside the security team, our supply chain, and the rest of the organization — are documented, tested, prioritized, and have appropriate continuity plans.

Signature Note: I am a huge fan of wet signatures on these types of documents for accountability and investigation reasons. You can add the signature lines below to each rule/policy document, or have a collective wet signature with references in the Security Commitment Agreement document available on the One-Pager library page. Organizational preference.

________________________
Print Full Legal Name

________________________
(Blue Ink) Full Legal Signature
Style of signature must closely match Driver’s License

________________________
Date


🖶 To save or print this policy, use your browser’s Print function (Ctrl+P / Cmd+P) and select “Save as PDF” if needed.