Business Continuity Planning Pack

We built the Business Continuity Planning Pack because engineering teams keep shipping continuity plans that look like PowerPoint slides and fail the first time a ransomware attack hits. You know how to write Terraform. You know how to spin up a cluster. But when the auditor asks for your Business Impact Analysis, you open Excel and type RTO: ASAP. That's not a plan. That's a liability.

NIST SP 800-34 exists to help organizations understand the purpose, process, and format of information system contingency planning development, but most teams treat it as a checkbox exercise ^[1]. You don't have a workflow; you have a folder of Word docs that haven't been updated since 2022. You're also juggling crisis comms and incident response. If you're building crisis protocols manually, check the Automated Crisis Management Protocols Pack to see how we handle detection and classification, but that doesn't solve the core problem: you haven't quantified what actually matters to the business.

The RTO You Can't Back Up

The pain starts when you realize your "plan" is a collection of tribal knowledge and outdated runbooks. You have a disaster recovery strategy for the database, but no Business Impact Analysis (BIA) that defines the Maximum Tolerable Downtime (MTD) for the checkout service. You have recovery procedures for the API gateway, but no risk matrix that maps the threat of a supply-chain compromise to the financial impact of a 4-hour outage.

When you sit down to write the BIA, you hit the wall of ambiguity. How do you quantify reputational damage? What's the RPO for the user session store? You ask the product manager, who says "as fast as possible." You ask the finance lead, who shrugs. You end up with a spreadsheet where RTO is a text field and Impact is a vague adjective. This isn't just annoying; it's structural failure. The NIST framework prescribes specific sections for a complete contingency plan, including an introduction and scope statement, the concept of operations, and detailed procedures ^[7]. Without structured data, you can't generate those sections. You can't map dependencies. You can't prioritize recovery.

We designed this pack to kill the ambiguity. You get a 6-phase workflow that forces the engineering team to define MTD, RTO, and RPO for every critical process. You get YAML templates that enforce schema constraints. You get scripts that validate logic. You stop writing prose and start building a machine-readable continuity strategy.

Why Your Spreadsheet BCP Fails the Auditor

Ignoring the BIA doesn't just make audits painful; it guarantees operational failure. When the outage hits, your recovery sequence is a guess. You spend 4 hours restoring the dev database because it's easier to find, while the checkout service stays down for 12 hours. You missed the RTO. You breached the SLA. You lose customer trust. The board asks why you didn't restore the revenue-generating service first. You have no answer, because your plan didn't rank processes by criticality.

The cost compounds. NIST SP 800-34 provides a seven-step process for the development of a viable Information System Contingency Plan: develop the plan, test the plan, train personnel, conduct exercises, maintain the plan, update the plan, and review the plan ^[6]. If you skip the testing step, or if your risk matrix doesn't map threats to controls, the auditor marks you non-compliant. You get a remediation window you can't meet. You face fines. You face board-level scrutiny.

Worse, your risk assessment is likely static. You calculated residual risk once, six months ago. You haven't mapped existing controls to ISO 27005 or NIST SP 800-30. You don't have a mechanism to recalculate residual risk when you add a new microservice. The auditor asks for evidence of continuous monitoring. You show them a PDF. They ask for the data source. You point to a spreadsheet that hasn't been touched in a quarter. The gap is obvious. The remediation is expensive.

The downstream incidents are real. A missed RTO triggers cascading failures. A broken dependency map means you restore the wrong shard. A lack of recovery resource requirements means you request cloud capacity that isn't approved. You burn through your contingency budget because you didn't model the resource needs in the BIA. This isn't hypothetical. We've seen teams lose 30% of their annual budget to unplanned recovery costs because they treated BCP as a documentation task instead of an engineering workflow.

A Payments Gateway's Recovery Nightmare

Imagine a payments platform processing $2M in transactions daily. They have a DR plan, but no structured BIA. During a simulated drill, the incident commander pulls the recovery runbook. It says "Restore Database." It doesn't say "Restore Database A first, then Database B, then sync payments queue." The team restores the wrong shard. The payment reconciliation service fails. They realize too late that the MTD for the reconciliation service is 30 minutes, but they didn't capture that dependency in the BIA.

The drill fails. The actual risk was hidden because the BIA didn't map upstream/downstream dependencies with MTD/RTO/RPO thresholds. A 2024 analysis of BCP implementation notes that the guide outlines several types, where the Business Continuity Plan focuses on keeping mission-critical operations running during a disruption ^[5]. This team didn't identify which operations were critical. They guessed. And guessing costs money.

The payments platform had a risk matrix, but it was a 5x5 grid with no control mapping. The threat of a DDoS was scored high likelihood, high impact, but the matrix didn't list the WAF controls or the auto-scaling group that mitigates it. The residual risk calculation was wrong. When the DDoS hit, the auto-scaling group triggered, but the WAF rules were outdated. The matrix didn't flag the drift. The team spent 6 hours manually updating rules while transactions queued up. The MTD was 1 hour. They missed it by 5 hours.

The root cause was the same: no validation pipeline. No script to check that controls match threats. No schema to enforce RTO <= MTD. No prioritization logic to tell the team which service to restore first. They had the artifacts, but they lacked the workflow. They had templates, but they lacked the engine.

From Guesswork to ISO 22301-Compliant Continuity

Once you install this pack, you stop guessing. The skill.md orchestrator enforces a complete, auditable continuity planning lifecycle. You run the workflow, and it guides you through Business Impact Analysis, Risk Assessment, Strategy Design, Plan Development, Testing, and Maintenance. Every phase maps to ISO 22301 requirements. You don't have to memorize clauses; the pack references them.

The validation pipeline catches errors before you ship. scripts/validate-bcp.sh parses your BIA and risk YAML files. It enforces schema constraints via jq/yq. It verifies RTO <= MTD. It checks required ISO 22301 fields. If your plan is broken, it exits non-zero (exit 1). You can't merge a PR with a failed validation. This is the difference between a plan that passes the audit and a plan that doesn't.

The prioritization engine removes the guesswork. scripts/bia-prioritizer.py reads your BIA YAML data and calculates weighted criticality scores using RTO/RPO/impact multipliers. It ranks processes by recovery priority. It outputs a machine-readable report. When the outage hits, the incident commander doesn't guess. They run the prioritization report. They restore Process A, then Process B. They hit the RTO.

The templates are production-grade. templates/bia-worksheet.yaml has structured fields for process criticality, upstream/downstream dependencies, MTD/RTO/RPO thresholds, impact categories (financial, operational, regulatory, reputational), and recovery resource requirements. templates/risk-matrix.yaml maps threats to business processes with likelihood/impact scoring, existing controls, residual risk calculation, and ISO 27005/NIST SP 800-30 control mapping fields. You get templates/recovery-strategy.md for activation criteria, incident command roles, step-by-step restoration procedures, failover/failback protocols, communication trees, and post-incident review sections. You get templates/test-plan.yaml supporting tabletop, simulation, and full-interruption drills, with scenario definitions, success criteria, participant roles, data collection fields, and post-exercise corrective action tracking.

The references are canonical. references/iso-22301-requirements.md embeds clauses 4-10, mandatory documentation requirements, audit checkpoints, and leadership/continuity policy directives. references/bia-and-risk-methodology.md defines MTD, RTO, RPO, impact severity tiers, risk appetite thresholds, and assessment frameworks with calculation formulas and prioritization logic. You get validators/bia-schema.json to enforce strict structure, including required fields, data types, numeric ranges for RTO/RPO/MTD, and constraint rules that trigger validation failures when violated.

This isn't just a BCP pack. It integrates with your broader governance stack. If you need to go deeper into recovery execution, pair this with the Disaster Recovery Playbook Pack to automate the actual failover steps. For broader governance, link this to the Risk Management Pack to ensure your risk appetite thresholds align with your BIA results. Your recovery procedures feed directly into the Runbook & Playbook Pack for operational execution. And for the audit trail, connect to the Internal Audit Automation Pack to ingest evidence automatically. For full regulatory coverage, integrate with the Regulatory Compliance Pack to map BCP controls to GDPR, SOC2, or HIPAA requirements.

What's in the Business Continuity Planning Pack

• skill.md — Orchestrator skill that defines the 6-phase BCP workflow, maps ISO 22301 alignment, and explicitly references every other file by relative path (templates/bia-worksheet.yaml, templates/risk-matrix.yaml, templates/recovery-strategy.md, templates/test-plan.yaml, references/iso-22301-requirements.md, references/bia-and-risk-methodology.md, scripts/validate-bcp.sh, scripts/bia-prioritizer.py, examples/enterprise-bia.yaml, validators/bia-schema.json) to ensure the agent follows a complete, auditable continuity planning lifecycle.
• templates/bia-worksheet.yaml — Production-grade BIA template with structured fields for process criticality, upstream/downstream dependencies, MTD/RTO/RPO thresholds, impact categories (financial, operational, regulatory, reputational), and recovery resource requirements aligned with ISO 22301 clause 8.2.
• templates/risk-matrix.yaml — 5x5 risk assessment worksheet mapping threats to business processes, with likelihood/impact scoring, existing controls, residual risk calculation, and ISO 27005/NIST SP 800-30 control mapping fields for governance compliance.
• templates/recovery-strategy.md — Structured recovery plan template covering activation criteria, incident command roles, step-by-step restoration procedures, failover/failback protocols, communication trees, and post-incident review sections for audit readiness.
• templates/test-plan.yaml — Exercise design template supporting tabletop, simulation, and full-interruption drills, with scenario definitions, success criteria, participant roles, data collection fields, and post-exercise corrective action tracking.
• references/iso-22301-requirements.md — Canonical ISO 22301:2019 reference embedding clauses 4-10, mandatory documentation requirements, audit checkpoints, and leadership/continuity policy directives extracted from the standard's official structure.
• references/bia-and-risk-methodology.md — Authoritative BIA methodology reference defining MTD, RTO, RPO, impact severity tiers, risk appetite thresholds, and assessment frameworks (ISO 27005, NIST RMF) with calculation formulas and prioritization logic.
• scripts/validate-bcp.sh — Executable bash validator that parses BIA and risk YAML files, enforces schema constraints via jq/yq, verifies RTO ≤ MTD, checks required ISO 22301 fields, and exits non-zero (exit 1) on structural or logical failures.
• scripts/bia-prioritizer.py — Executable Python script that reads BIA YAML data, calculates weighted criticality scores using RTO/RPO/impact multipliers, ranks processes by recovery priority, and outputs a machine-readable prioritization report.
• examples/enterprise-bia.yaml — Realistic enterprise BIA example containing 4 business processes with realistic dependencies, RTO/RPO values, impact classifications, and recovery resource allocations to demonstrate template usage and validation.
• validators/bia-schema.json — JSON Schema enforcing strict structure for BIA worksheets, including required fields, data types, numeric ranges for RTO/RPO/MTD, and constraint rules that trigger validation failures when violated.

Lock Your Recovery Strategy Before the Next Outage

Stop shipping "ASAP" recovery times. Stop guessing which service to restore first. Stop failing audits because your risk matrix doesn't map controls to threats. Upgrade to Pro to install the Business Continuity Planning Pack. Run the validator. Prioritize your processes. Ship a plan that survives the audit.