Docaro

UK Business Continuity Standards And Guidance Map

Created:
This structured dataset maps key UK business continuity standards and guidance, helping you compare requirements, identify relevant frameworks, and plan resilient operations. For practical templates and support, explore our AI Generated Business Continuity Plan for use in the United Kingdom.
Reference Name
Summary
Relevant Planning Area
Organisation Applicability
Example Evidence
Standard
ISO 22301:2019 Security And Resilience - Business Continuity Management Systems
International management system standard for establishing, maintaining and improving business continuity capability.
BCMS scope, leadership, BIA, risk assessment, continuity strategies, exercises and improvement.
All organisations
BCMS policy, BIA records, RTOs, exercise reports, corrective action log and management review minutes.
BS 65000:2022 Organisational Resilience
British Standard code of practice for organisational resilience, including continuity, adaptability and governance.
Resilience governance, culture, leadership, scenario planning and strategic adaptation.
All organisations
Resilience policy, board risk papers, scenario analysis, continuity strategy and improvement roadmap.
Guidance
ISO 22313:2020 Business Continuity Management Systems Guidance
Guidance supporting ISO 22301 implementation and interpretation for continuity management systems.
Detailed BCMS design, BIA methods, risk evaluation, plan maintenance and performance evaluation.
All organisations
Implementation plan, BIA methodology, plan review schedule and internal audit checklist.
Standard
ISO/IEC 27031:2011 ICT Readiness For Business Continuity
Guidance for ICT readiness arrangements that support business continuity objectives.
IT disaster recovery, backup, restore, resilience design and ICT continuity testing.
All organisations
DR runbook, backup policy, restore test records, failover architecture and ICT dependency map.
ISO/IEC 27001:2022 Information Security Management Systems
Information security management standard relevant to cyber resilience and secure recovery.
Cyber incident response, access control, backup, supplier security and recovery controls.
All organisations
Statement of applicability, incident procedure, asset register, backup evidence and supplier controls.
Guidance
NCSC 10 Steps To Cyber Security
UK NCSC guidance covering core cyber risk controls that support operational resilience.
Cyber incident preparation, risk management, monitoring, backups and staff awareness.
All organisations
Cyber risk register, incident escalation plan, training records, backup checks and monitoring procedure.
NCSC Small Business Guide
Practical UK cyber security guidance for smaller organisations, including backup and malware precautions.
Basic cyber resilience, backup routines, device security and incident contacts.
All organisations, Charities
Backup schedule, password policy, device update process and cyber incident contact list.
Cyber Essentials
UK government-backed scheme covering baseline technical controls against common cyber attacks.
Preventive cyber controls, technical assurance and supplier security expectations.
All organisations, Charities
Cyber Essentials certificate, secure configuration records, firewall rules and patching process.
Regulatory Consideration
Civil Contingencies Act 2004
UK framework for emergency preparedness duties on specified responders, including business continuity arrangements.
Emergency preparedness, civil protection, responder duties and public service continuity.
Public sector, Sector-specific
Emergency plan, continuity plan, local resilience forum participation and exercise records.
Civil Contingencies Act 2004 Contingency Planning Regulations 2005
Regulations detailing contingency planning duties for responders under the Civil Contingencies Act.
Risk assessment, emergency planning, warning and informing, cooperation and plan maintenance.
Public sector, Sector-specific
Community risk register input, public warning procedure, plan review log and mutual aid records.
Guidance
Emergency Preparedness Guidance Under The Civil Contingencies Act
Government guidance on implementing civil protection duties, including business continuity management.
Emergency planning, public sector continuity, risk assessment, training and exercising.
Public sector, Sector-specific
Continuity strategy, exercise programme, training records, risk assessments and review minutes.
National Risk Register
UK government assessment of major civil emergency risks relevant to scenario planning.
Scenario selection, risk assessment, severe weather, pandemic, cyber and infrastructure disruption planning.
All organisations, Public sector
Scenario library, risk register mapping, exercise scenario notes and impact assumptions.
Regulatory Consideration
UK General Data Protection Regulation
Requires appropriate security, resilience, restoration and breach response for personal data processing.
Data availability, breach notification, backup restoration and processor continuity controls.
All organisations
Breach procedure, backup tests, processor clauses, DPIAs and incident decision log.
Data Protection Act 2018
UK data protection statute supplementing UK GDPR and supporting enforcement of personal data obligations.
Personal data incident response, governance, accountability and lawful recovery processes.
All organisations
Data protection policy, breach register, recovery access controls and accountability records.
Guidance
ICO Guidance On Security
ICO guidance on protecting personal data, including availability, resilience and incident handling.
Data security, backup, disaster recovery, breach management and supplier controls.
All organisations
Security risk assessment, restore testing records, breach playbook and processor assurance.
Regulatory Consideration
Network And Information Systems Regulations 2018
UK cyber resilience rules for operators of essential services and relevant digital service providers.
Essential service continuity, incident reporting, network security and system resilience.
Sector-specific
NIS scope assessment, incident reporting process, resilience controls and competent authority correspondence.
Guidance
NCSC Cyber Assessment Framework
Framework for assessing cyber resilience, widely used for NIS and critical service assurance.
Cyber resilience outcomes, incident response, service protection and recovery assurance.
Public sector, Sector-specific
CAF self-assessment, improvement plan, incident exercises and essential service dependency map.
Regulatory Consideration
Health And Safety At Work etc. Act 1974
Core UK workplace health and safety law relevant to incident response and staff protection.
Emergency response, evacuation, staff safety, welfare and safe recovery operations.
All organisations
Emergency procedures, evacuation drills, risk assessments, first aid arrangements and incident reports.
Management Of Health And Safety At Work Regulations 1999
Requires suitable risk assessment and arrangements for effective health and safety management.
Incident risk assessment, emergency arrangements, competent persons and worker communication.
All organisations
Risk assessments, emergency arrangements, role assignments and staff briefing records.
Regulatory Reform (Fire Safety) Order 2005
Fire safety regime for non-domestic premises in England and Wales, including emergency routes and procedures.
Premises emergency response, evacuation, fire risk controls and site recovery.
All organisations
Fire risk assessment, evacuation plan, drill records, fire marshal list and alarm test log.
Sector Requirement
FCA Operational Resilience Rules
FCA requirements for identifying important business services, impact tolerances and resilience testing.
Important business services, impact tolerances, mapping, scenario testing and remediation.
Financial services
Important business service register, impact tolerances, mapping documents and scenario test reports.
PRA Operational Resilience Supervisory Statement SS1/21
PRA expectations for operational resilience of banks, insurers and designated investment firms.
Board accountability, important business services, impact tolerances, mapping and testing.
Financial services
Self-assessment document, board minutes, service maps, vulnerabilities log and test results.
PRA Outsourcing And Third Party Risk Management SS2/21
PRA expectations for managing outsourcing and third-party risks affecting operational resilience.
Supplier continuity, exit plans, concentration risk, audit rights and service resilience.
Financial services
Outsourcing register, exit plan, supplier BCP reviews, contract clauses and concentration assessment.
NHS England Emergency Preparedness, Resilience And Response Framework
NHS framework for emergency preparedness, resilience and response across health organisations.
Major incident response, service continuity, command structure, surge planning and exercises.
Healthcare
EPRR plan, on-call rota, command arrangements, exercise report and annual assurance return.
NHS Data Security And Protection Toolkit
NHS online self-assessment for data security and protection standards, including continuity controls.
Health data security, cyber resilience, incident reporting and IT recovery evidence.
Healthcare
DSPT submission, cyber incident plan, backup evidence, training records and supplier assurance.
Care Quality Commission Emergency Planning Expectations
CQC safety expectations can require providers to manage foreseeable emergencies and service disruption risks.
Patient and service user safety, staffing disruption, premises failure and emergency procedures.
Healthcare
Continuity plan, emergency staffing plan, clinical risk assessment and incident review records.
Guidance
Department For Education Emergency Planning And Response For Education Settings
DfE guidance for education, childcare and children's social care settings on emergency planning and response.
School closure, safeguarding, communications, lockdown, evacuation and remote education continuity.
Education
Emergency plan, parent communication templates, closure procedure and safeguarding escalation route.
Charity Commission Guidance CC26 Charities And Risk Management
Charity Commission guidance on trustee risk management, relevant to continuity and resilience oversight.
Trustee governance, risk registers, service continuity, reserves and reputational risk.
Charities
Trustee risk register, continuity plan approval, reserves policy and serious incident escalation procedure.
Charity Commission Serious Incident Reporting Guidance
Guidance on reporting serious incidents that may include major service disruption, fraud or cyber events.
Incident escalation, trustee notification, regulator reporting and reputational response.
Charities
Serious incident reporting checklist, trustee decision log and regulator notification records.
Internal Governance
UK Corporate Governance Code
Governance code for premium listed companies, relevant to board oversight of risk and resilience.
Board risk oversight, internal control, assurance, reporting and accountability for resilience.
Sector-specific
Board risk reports, internal control review, resilience KPIs and audit committee minutes.
Regulatory Consideration
Companies Act 2006 Directors' Duties
Directors' statutory duties can support prudent oversight of material continuity and resilience risks.
Board oversight, risk governance, stakeholder impacts and decision records during disruption.
All organisations
Board minutes, risk appetite statement, continuity funding approval and crisis decision log.
Guidance
UK Government Supply Chain Resilience Guidance
Government guidance to help organisations understand and improve supply chain resilience.
Supplier dependency mapping, alternative sourcing, concentration risk and disruption response.
All organisations
Critical supplier list, supply chain map, alternative supplier options and supplier continuity questionnaires.
Procurement Policy Note 04/21 Supplier Financial Risk
UK public procurement note on assessing supplier financial risk, relevant to continuity of critical contracts.
Supplier failure planning, contract risk, public service continuity and contingency arrangements.
Public sector
Supplier financial assessment, contingency plan, contract exit provisions and monitoring records.
NCSC Cloud Security Guidance
NCSC guidance for assessing and managing cloud security risks, including availability and resilience.
Cloud DR, data location, access control, resilience architecture and provider assurance.
All organisations, Public sector
Cloud risk assessment, shared responsibility matrix, backup design and provider SLA review.
Standard
ISO 22320:2018 Emergency Management Guidelines For Incident Management
Guidance for incident management structures, command, control, coordination and information management.
Crisis management team structure, escalation, situational awareness and decision logging.
All organisations, Public sector
Incident command structure, meeting agenda, situation report template and action log.
ISO 22398:2013 Guidelines For Exercises And Testing
Guidelines for planning, conducting and improving exercises for preparedness and continuity arrangements.
Tabletop exercises, live tests, objectives, evaluation and lessons learned.
All organisations
Exercise plan, inject script, attendance records, evaluation report and improvement actions.
ISO 31000:2018 Risk Management Guidelines
Risk management guidelines supporting continuity risk identification, assessment and treatment.
Continuity risk assessment, risk criteria, treatment plans and risk governance.
All organisations
Risk methodology, continuity risk register, treatment plan and risk review minutes.
Guidance
Government Cyber Security Strategy 2022-2030
UK government strategy for improving public sector cyber resilience and risk management.
Public sector cyber resilience, assurance, incident preparedness and critical service protection.
Public sector
Cyber improvement plan, assurance reports, incident exercise records and critical service mapping.
UK Health Security Agency Pandemic Preparedness Guidance
UKHSA public health guidance can inform infection control and workforce disruption planning.
Pandemic planning, workforce absence, infection controls and public health communications.
All organisations, Healthcare, Education
Pandemic scenario, absence trigger levels, hygiene controls and public health update process.
Regulatory Consideration
Environmental Permitting Regulations 2016
Environmental permitting regime may require incident controls and continuity arrangements for regulated sites.
Site incident response, pollution prevention, regulatory notification and operational recovery.
Sector-specific
Environmental incident plan, spill response procedure, permit conditions map and notification log.
Sector Requirement
Control Of Major Accident Hazards Regulations 2015
COMAH requires major accident prevention and emergency planning for qualifying hazardous sites.
Major incident response, site emergency plans, off-site coordination and recovery priorities.
Sector-specific
COMAH safety report, on-site emergency plan, exercise records and liaison with emergency services.
Bank Of England FMI Operational Resilience Expectations
Supervisory expectations for resilience of financial market infrastructures and critical financial services.
Critical service continuity, recovery time, dependency mapping and severe scenario testing.
Financial services
FMI service map, extreme scenario tests, recovery procedures and regulator submissions.
Telecommunications (Security) Act 2021
UK telecoms security law imposing duties on public telecoms providers to manage security risks.
Telecoms network resilience, security governance, incident management and supplier controls.
Sector-specific
Security plan, telecoms resilience controls, supplier assurance and Ofcom reporting records.
Ofcom Network And Service Resilience Guidance
Ofcom guidance and expectations for security and resilience of communications networks and services.
Network outages, incident reporting, resilience controls and customer communications.
Sector-specific
Network resilience plan, outage response procedure, customer communications and Ofcom notification log.
Internal Governance
Board-Approved Business Continuity Policy
Internal policy setting continuity objectives, roles, authority, review frequency and assurance expectations.
Governance, accountability, plan ownership, approval and review cycles.
All organisations
Approved policy, RACI matrix, annual review record and board or trustee minutes.
Business Impact Analysis Methodology
Internal method for identifying critical activities, impacts, dependencies and recovery priorities.
BIA, RTOs, RPOs, maximum tolerable disruption and critical dependency mapping.
All organisations
BIA templates, completed interviews, critical process register and approved recovery objectives.
Crisis Communications Protocol
Internal protocol for communicating with staff, customers, suppliers, regulators and media during disruption.
Stakeholder communications, approval routes, holding statements and channel resilience.
All organisations
Contact lists, holding statements, approval matrix, regulator notification checklist and message log.
Business Continuity Exercise Programme
Internal schedule for validating continuity plans through tabletop, technical and live exercises.
Testing, validation, training, lessons learned and continual improvement.
All organisations
Exercise calendar, scenario briefs, attendance records, evaluation reports and action tracker.

Which UK Standards Should A Business Continuity Plan Refer To?

ISO 22301 and BS 65000 are the main UK-recognised continuity management references for most organisations. A practical plan should show governance, business impact analysis, recovery priorities, exercises and continual improvement, not just emergency contact lists.

Which UK Legal Duties Can Affect Business Continuity Planning?

Continuity planning is not governed by one universal UK statute, but legal duties arise from context. Key examples include UK GDPR and the Data Protection Act 2018 for resilient personal data processing, NIS Regulations for relevant digital and essential services, FCA and PRA operational resilience rules for financial services, and health and safety law for incident response arrangements.

What Evidence Helps Demonstrate A Credible UK Continuity Plan?

  • Business impact analysis: documented critical activities, maximum tolerable disruption, recovery time objectives and dependencies.
  • Incident governance: named roles, escalation thresholds, decision logs and crisis communication routes.
  • IT disaster recovery: backup schedules, restore tests, cyber incident playbooks and supplier recovery commitments.
  • Testing and assurance: exercise reports, lessons learned, board review minutes and improvement actions.
  • Sector mapping: regulated organisations should map plan content to the relevant regulator or framework, such as FCA, PRA, NHS England, DfE, Charity Commission or local resilience guidance.
UK Business Continuity Standards and Guidance Map
Want to Generate Your own Business Continuity Plan?
Docaro AI can help you write your own Business Continuity Plan for use in the United Kingdom in minutes.
Generate Your Document Now

FAQs

A UK Business Continuity Standards And Guidance Map is a structured reference that helps organisations identify relevant UK standards, regulations, sector guidance and good-practice sources for business continuity and disaster recovery planning.
Show All FAQs

You Might Also Be Interested In

Business Continuity Plan Section Catalogue
Explore United Kingdom business continuity plan sections to structure resilient planning, response, and recovery documentation.
Business Disruption Scenario Catalogue
United Kingdom business disruption scenarios to support continuity planning, risk assessment, and operational resilience.
Business Impact Analysis Function Register
United Kingdom Business Impact Analysis Function Register for identifying critical functions and supporting continuity planning.
Recovery Objectives and Planning Metrics
Explore recovery objectives and planning metrics for the United Kingdom to improve business continuity, resilience, and recovery planning.
Business Continuity Roles and Responsibilities Register
UK business continuity roles and responsibilities register for clear ownership, governance, and response planning.
Business Continuity Communications Matrix
United Kingdom business continuity communications matrix for roles, contacts, escalation paths, and crisis response planning.
United Kingdom Business Continuity Plan Scope Decision Tree
United Kingdom guide to choosing the right business continuity plan scope with a practical decision tree.
Critical Dependencies and Resources Register
Critical Dependencies and Resources Register for the United Kingdom to support business continuity, resilience, and recovery planning.
Business Continuity Testing and Exercise Methods
United Kingdom guide to business continuity testing and exercise methods that strengthen resilience and recovery readiness.
Business Continuity Plan Maintenance Schedule
United Kingdom guide to business continuity plan maintenance schedules, reviews, updates, and compliance readiness.
United Kingdom RTO and RPO Decision Tree for Business Continuity Planning
United Kingdom RTO and RPO decision tree to guide recovery targets, continuity priorities, and disaster recovery planning.
United Kingdom Disaster Recovery Plan Activation Decision Tree
United Kingdom disaster recovery activation decision tree for assessing incidents, escalation triggers and response actions.

References and Information Sources