UK Business Continuity Policy Template

A UK business continuity policy is the documented framework for keeping operations running through disruption, whether a cyber incident, supplier failure, pandemic, regulatory action, or geopolitical event. It is required by ISO 22301:2019 for organisations pursuing certification, by ISO 27001:2022 Annex A.5.29 and A.5.30 within an ISMS scope, and by the Bank of England and FCA Operational Resilience framework for PRA/FCA-regulated firms. EU DORA, applicable from 17 January 2025, imposes parallel duties on EU-authorised financial entities (including EU subsidiaries of UK groups) and flows down contractually to UK firms that provide ICT services to them. We've helped UK SMEs build tested BCPs; in our experience a plan that hasn't been tabletop-rehearsed in the last 12 months is paper. Over 60% of UK SMEs that suffered a major operational incident in 2023–24 had a written BCP that had never been rehearsed.

Available in the InfoSec 38 – Enterprise Policy Pack

15 policies · £400 one-off

Lifetime access · bespoke to your organisation · statute-cited

Preview & Buy
UK registered & ICO compliant · ISO 22301 aligned · Lifetime purchase · no renewal

What is a UK business continuity policy?

Quick answer. A UK business continuity policy is the written framework defining how the organisation maintains critical operations through disruption. Required by ISO 22301, ISO 27001 Annex A.5.29, and the UK Operational Resilience framework for regulated firms.

Business continuity policy operates at three levels. At the strategic level it states leadership commitment, scope (which business functions are in scope), and the organisation's risk appetite for downtime. At the tactical level it defines the Business Impact Analysis (BIA) approach, the Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each critical business service, and the named ownership of the continuity programme. At the operational level it sets out the activation procedure, the named incident management team with deputies, the communication cascade, and the rehearsal cadence (annual full tabletop minimum, plus targeted scenario tests). Without all three levels, the policy is either too aspirational to operationalise or too tactical to satisfy auditors.

Who needs a UK business continuity policy?

Quick answer. Every UK organisation with critical operations or regulated services. Particularly critical for: ISO 22301 candidates, ISO 27001 candidates (Annex A.5.29–5.30 evidence), FCA/PRA-regulated firms under UK Operational Resilience (in force since 31 March 2022, transitional period ended 31 March 2025) and FCA SYSC 15A, EU-authorised financial entities and their UK ICT service providers under DORA (applicable from 17 January 2025), public-sector contractors, NHS bodies, and any business carrying cyber insurance (insurers increasingly require a tested BCP).

The threshold for a written BCP has fallen significantly since 2022. The Bank of England and FCA Operational Resilience framework, whose transitional period ended in March 2025, requires UK financial services firms to identify Important Business Services, set Impact Tolerances, and demonstrate the ability to remain within tolerance during severe-but-plausible scenarios. The policy is the foundation document for that evidence. For non-regulated UK SMEs, customer pressure has filled the gap: enterprise B2B contracts increasingly demand a written BCP with named RTO/RPO commitments as a condition of supply. Cyber insurers similarly demand evidence of a tested BCP at renewal, and where the policy wording makes a BCP a condition of cover, a claim can be reduced or declined if none existed at the time of the incident. Beyond regulation and insurance, the policy is the operational anchor: an SME without a BCP that loses its primary supplier, suffers a ransomware event, or sees its building made inaccessible has no documented playbook to follow.

What must a UK business continuity policy include?

Quick answer. Eight clauses: leadership statement and scope, Business Impact Analysis methodology, Recovery Time Objectives and Recovery Point Objectives by critical service, named incident management team with deputies, activation criteria and procedure, communication cascade (internal, customers, regulators), rehearsal cadence (annual tabletop minimum plus targeted scenarios), and post-incident review with continuous improvement loop.

  • Leadership statement and ISMS/BCMS scope (which business functions, locations, and services are in scope).
  • Business Impact Analysis methodology: how critical services are identified, prioritised, and reviewed.
  • Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) per critical service.
  • Named incident management team with deputies (commander, comms lead, technical lead, legal lead).
  • Activation criteria and procedure (who declares an incident, severity levels, escalation triggers).
  • Communication cascade: internal, customers, suppliers, regulators (ICO within 72 hours under UK GDPR Art. 33, FCA/PRA notifications, and the NIS2 24-hour early warning where EU-scope entities are involved).
  • Rehearsal cadence: annual full tabletop minimum, quarterly scenario tests, named scenario library.
  • Post-incident review and continuous improvement (lessons learned within 2 weeks of closure, fed back into the policy).

How does this map to UK operations regulation?

Quick answer. The policy maps to ISO 22301:2019 Clauses 5–10, ISO 27001:2022 Annex A.5.29 and A.5.30, the Bank of England and FCA Operational Resilience rules (PRA SS1/21 and FCA PS21/3, transitional deadline March 2025), FCA SYSC 15A, and EU DORA Article 11 on ICT response and recovery (applicable from 17 January 2025).

The four overlapping regimes use different terminology but converge on the same operational requirement: identify critical services, set tolerances, document procedures, test regularly, learn from incidents. ISO 22301 is the gold-standard certification framework. ISO 27001 Annex A.5.29–5.30 covers continuity and ICT readiness within the broader ISMS. The UK Operational Resilience framework (PRA SS1/21 and FCA PS21/3) imposes the strictest UK regulatory expectations on financial services. DORA Article 11 binds EU-authorised financial entities directly and reaches UK firms through the contractual requirements it places on their ICT third-party providers. A single well-drafted policy can satisfy all four regimes simultaneously when the scope, RTOs, RPOs, and rehearsal cadence are documented coherently. Cross-reference: this policy works alongside the information security policy (which also covers access control, relevant for emergency access during incidents) and the incident response plan, which is its operational sibling.

Frequently asked questions

Is a business continuity policy legally required in the UK?

For non-regulated UK SMEs there is no specific statute mandating a BCP. For FCA/PRA-regulated firms, the UK Operational Resilience framework (PS21/3, transitional period ended March 2025) requires a documented framework for Important Business Services. ISO 27001:2022 Annex A.5.29 and ISO 22301 require it for certification. EU DORA Article 11 requires it of EU-authorised financial entities from 17 January 2025, and UK firms supplying ICT services to them inherit the requirement through contract. Beyond regulation, customer questionnaires and cyber insurance increasingly demand a written BCP with tested RTO/RPO commitments.

What is the difference between RTO and RPO?

Recovery Time Objective (RTO) is how long a critical service can be unavailable before significant business impact occurs, measured in hours or days. Recovery Point Objective (RPO) is how much data loss is tolerable, measured in minutes or hours of data created since the last backup or replication point. RTO drives the recovery procedure (failover, restore, manual workaround). RPO drives the backup cadence and replication architecture. Both must be set per service, not for the organisation as a whole, because critical services typically need stricter targets than supporting ones.

How often should a BCP be tested?

ISO 22301 Clause 8.5 requires exercises at planned intervals; in practice auditors expect a full annual tabletop exercise as a minimum, plus targeted scenario tests (typically quarterly) covering specific risk areas (cyber incident, supplier failure, building inaccessible, key-person loss). FCA/PRA Operational Resilience expects more rigorous severe-but-plausible scenario testing for Important Business Services. Without rehearsal evidence, the policy is paper. In our experience, most successful real-incident responses come from teams that had rehearsed within the last 6 months.

Just need this one policy?

Buy the UK Business Continuity (BCP) template on its own — bespoke to your business, statute-cited, audit-ready. Lifetime access, no subscription.

£49.99

Get this single policy →

Get a UK-aligned business continuity policy in 48 hours

Available in the InfoSec 38 – Enterprise Policy Pack: bespoke policies for £400, lifetime ownership.

Get Started — £400