What is a business continuity plan?
On a Wednesday afternoon, a ransomware group encrypts a regional law firm’s file servers. By 3 pm, staff cannot open client documents. By 5 pm, the managing partner is fielding calls from clients asking why their matters are on hold.
Without a business continuity strategy in place, the firm has no answer to the most basic question: when will we be back to normal operations?
The answer to that question should be written down before the question is ever asked.
A business continuity roadmap is the document that gives you that answer.
If you are reading this because a cyber incident is happening right now and you do not know what to do, contact Zensec immediately.
What is a business continuity plan?
A business continuity plan (BCP) is a documented set of processes and procedures that allow an organisation to ensure business continuity and recover quickly when something goes wrong. It identifies critical business functions, defines how those functions will be maintained or restored during a disruption, and assigns clear roles and responsibilities so that the right people know what to do without waiting to be told.
The disruptions a BCP must account for are wide-ranging: supply chain disruptions, power outages, natural disasters, and system failures. But in the current threat landscape, cyber attacks are the disruption most likely to test an organisation’s continuity plan. Ransomware, data breaches, and the sudden loss of access to cloud infrastructure can halt normal business processes in minutes, and recovery without a plan in place can take weeks rather than hours.
According to the UK Cyber Security Breaches Survey 2025, only 32% of UK businesses have a formal business continuity plan that addresses cyber security. Among small businesses, the figure improved to 53%, up from 44% the year before, but it still leaves the majority of organisations exposed. Research also shows that one-third of businesses affected by a cyber attack now take more than a month to fully recover, up from 24% the year before. Time spent without a clear roadmap is time that costs money, customers, and reputation.
Why business continuity planning matters for cyber threats specifically
Most people understand the concept of a continuity plan in the context of fires or floods. A cyber attack feels different because there is no visible damage, no physical site to evacuate. But the impact on business operations can be just as severe, and in some ways harder to manage, because the scope of what has been compromised is often unclear at the outset.
When a threat actor gains access to systems, the organisation faces several simultaneous challenges: understanding what has been affected, stopping further damage, restoring access, managing communications, and meeting legal obligations, all at the same time. Without a BCP in place, these efforts become disconnected, slow, and reactive. A business continuity plan creates a coordinated response from the start.
The factsheet published by business resilience bodies makes the stakes clear: 93% of companies that experience significant data loss are out of business within 5 years, and 43% of businesses hit by major disruptions never reopen.
The key components of a business continuity strategy
Several components make up a business continuity strategy, and each has to be addressed when creating one: a full risk assessment, an assessment of the potential impact of a breach, and clearly established recovery priorities.
Business Impact Analysis
The business impact analysis (BIA) is the foundation of effective continuity planning. Before writing any recovery strategies, an organisation needs to understand which of its functions are most critical, what would happen if those functions went down, and for how long the business can operate without them.
The BIA maps essential operations to the people, systems, data, and suppliers that support them, and flags the points of failure that would have the greatest impact. It is also the stage where potential threats and risks are assessed: what could cause a disruption, how likely it is, and what it would cost.
Business recovery objectives
Two metrics come directly from the BIA and shape every subsequent decision in the plan. The recovery time objective (RTO) is the maximum acceptable period of downtime for a given function: how long the business can survive without it. The recovery point objective (RPO) is how much data loss the business can tolerate, expressed as the point in time to which data must be recoverable. If your RPO for a critical system is four hours, you need backups that are no more than four hours old.
Getting these numbers right requires honest input from across the business, not just from IT. Finance, operations, legal, and customer-facing teams all need to contribute their view of what constitutes acceptable recovery time for the functions they depend on.
Recovery strategies
With the BIA complete and recovery objectives set, the plan documents the specific recovery strategies for each critical function. For cyber incidents, this means defining how affected systems will be restored, where clean backups are held, who has authority to trigger a system rebuild, and what manual workarounds exist if systems cannot be brought back quickly. The goal is to ensure business operations can continue, even in a degraded state, while full recovery proceeds.
Recovery priorities are explicit in a well-structured plan: which functions come first, which can wait, and what the sequence of returning affected systems to normal looks like.
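The RTO and RPO figures from the BIA and the recovery sequence described above can be checked mechanically against a system inventory. The following Python script is an added example, not part of the original article or any Zensec tooling; the inventory, timestamps and restore times it uses are constructed for illustration. It flags systems whose newest verified backup is already older than their RPO, systems whose measured restore time exceeds their RTO, and, less obviously, systems that would miss their RTO only because they sit behind other systems in a serial restore queue.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class SystemRecord:
    """One critical system from the BIA, with its agreed objectives and measured figures."""
    name: str
    rto: timedelta                 # maximum tolerable downtime for this function
    rpo: timedelta                 # maximum tolerable data loss (age of newest usable backup)
    last_good_backup: datetime     # timestamp of the newest backup verified as restorable
    estimated_restore: timedelta   # restore time measured in the most recent recovery drill


# Constructed "current time" and inventory (hypothetical systems and figures, not real data).
NOW = datetime(2025, 6, 4, 15, 0, tzinfo=timezone.utc)

INVENTORY = [
    SystemRecord("document-management", timedelta(hours=4), timedelta(hours=4),
                 datetime(2025, 6, 4, 9, 0, tzinfo=timezone.utc), timedelta(hours=6)),
    SystemRecord("email", timedelta(hours=8), timedelta(hours=1),
                 datetime(2025, 6, 4, 14, 30, tzinfo=timezone.utc), timedelta(hours=3)),
    SystemRecord("billing", timedelta(hours=24), timedelta(hours=24),
                 datetime(2025, 6, 3, 23, 0, tzinfo=timezone.utc), timedelta(hours=10)),
    SystemRecord("intranet-wiki", timedelta(hours=72), timedelta(hours=48),
                 datetime(2025, 6, 1, 2, 0, tzinfo=timezone.utc), timedelta(hours=5)),
]


def rpo_violations(inventory, now):
    """Systems whose newest verified backup is older than their RPO right now."""
    return [s.name for s in inventory if now - s.last_good_backup > s.rpo]


def rto_risks(inventory):
    """Systems whose measured restore time on its own already exceeds their RTO."""
    return [s.name for s in inventory if s.estimated_restore > s.rto]


def recovery_sequence(inventory):
    """Restore order for the plan: the function with the tightest RTO comes first."""
    return [s.name for s in sorted(inventory, key=lambda s: s.rto)]


def serial_restore_misses(inventory):
    """Systems that miss their RTO if a single team restores them one after another
    in RTO order. Cumulative elapsed time, not per-system time, is what matters here."""
    elapsed = timedelta()
    late = []
    for s in sorted(inventory, key=lambda s: s.rto):
        elapsed += s.estimated_restore
        if elapsed > s.rto:
            late.append(s.name)
    return late


if __name__ == "__main__":
    print("Backups older than RPO:", rpo_violations(INVENTORY, NOW))
    print("Restore time exceeds RTO:", rto_risks(INVENTORY))
    print("Planned restore order:", recovery_sequence(INVENTORY))
    print("Late under serial restore:", serial_restore_misses(INVENTORY))
```

Run it as a scheduled check fed from the backup catalogue and the results of the last recovery drill. In the constructed data, email fits its own RTO comfortably, yet still misses it when restored after document management; that is the kind of gap a recovery-priority sequence must resolve, either by parallelising restores or by revisiting the objectives with the business.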
Continuity team and roles
The plan must identify a continuity team with named individuals and documented responsibilities. Crisis management under pressure is not the moment for ambiguity about who is in charge. Key stakeholders from IT, senior leadership, legal, communications, and, where relevant, human resources, should all have defined roles before a disruptive event occurs.
The plan should also include contact details for external partners, such as your cybersecurity provider, legal advisers, and cyber insurance provider, stored in a format that remains accessible even if your internal systems are unavailable. Printed copies are not a relic; they are a practical safeguard.
Communications plan
A communications plan addresses who gets told what, and when. Internally, that means keeping the board, senior leadership, and staff informed with accurate and timely updates on incident status. Externally, it covers when and how to notify customers, what message to give, how to handle press enquiries, and what public relations considerations apply.
For any business handling personal data, the communications plan must also account for legal obligations under UK GDPR. If a data breach is likely to present a risk to individuals, it must be reported to the ICO within 72 hours.
Disaster recovery plan
A disaster recovery plan is closely related to the BCP, but it isn’t the same thing. Where the BCP covers the full scope of business continuity across people, processes, and communication, the disaster recovery plan focuses specifically on restoring IT systems and critical data. The two documents should be interlinked, with the disaster recovery plan sitting as a technical layer within the broader continuity framework.
For many organisations, this is where professional support makes the most practical difference. Zensec’s disaster recovery services are designed to ensure that when systems fail, whether from a ransomware attack, a hardware failure, or another unexpected disruption, recovery is structured, rapid, and aligned to the recovery objectives the business has set.
Testing and maintaining the plan
A business continuity plan that has never been tested is a document, not a capability. Regular testing, through tabletop exercises, simulated incidents, or full recovery drills, surfaces the gaps between what the plan assumes and what actually happens. It also ensures that the continuity team knows their roles well enough to execute them under pressure.
The plan should be regularly reviewed as the business changes: when new systems are introduced, key personnel leave, suppliers change, or the threat landscape shifts. ISO 22301, the international standard for business continuity management systems, provides a recognised framework for organisations that want to embed continuity planning into their governance in a structured, auditable way.
The businesses that navigate cyber incidents with the least disruption are almost always the ones that invested in continuity planning before they needed it. The plan will not prevent every disruption. What it does is ensure that when something goes wrong, you already know what to do next.