UK Business Continuity Standards And Guidance Map
Created:
This structured dataset maps key UK business continuity standards and guidance, helping you compare requirements, identify relevant frameworks, and plan resilient operations. For practical templates and support, explore our AI Generated Business Continuity Plan for use in the United Kingdom.
Reference Name | Summary | Relevant Planning Area | Organisation Applicability | Example Evidence |
|---|---|---|---|---|
Standard | ||||
ISO 22301:2019 Security And Resilience - Business Continuity Management Systems | International management system standard for establishing, maintaining and improving business continuity capability. | BCMS scope, leadership, BIA, risk assessment, continuity strategies, exercises and improvement. | All organisations | BCMS policy, BIA records, RTOs, exercise reports, corrective action log and management review minutes. |
BS 65000:2022 Organisational Resilience | British Standard code of practice for organisational resilience, including continuity, adaptability and governance. | Resilience governance, culture, leadership, scenario planning and strategic adaptation. | All organisations | Resilience policy, board risk papers, scenario analysis, continuity strategy and improvement roadmap. |
Guidance | ||||
ISO 22313:2020 Business Continuity Management Systems Guidance | Guidance supporting ISO 22301 implementation and interpretation for continuity management systems. | Detailed BCMS design, BIA methods, risk evaluation, plan maintenance and performance evaluation. | All organisations | Implementation plan, BIA methodology, plan review schedule and internal audit checklist. |
Standard | ||||
ISO/IEC 27031:2011 ICT Readiness For Business Continuity | Guidance for ICT readiness arrangements that support business continuity objectives. | IT disaster recovery, backup, restore, resilience design and ICT continuity testing. | All organisations | DR runbook, backup policy, restore test records, failover architecture and ICT dependency map. |
ISO/IEC 27001:2022 Information Security Management Systems | Information security management standard relevant to cyber resilience and secure recovery. | Cyber incident response, access control, backup, supplier security and recovery controls. | All organisations | Statement of applicability, incident procedure, asset register, backup evidence and supplier controls. |
Guidance | ||||
NCSC 10 Steps To Cyber Security | UK NCSC guidance covering core cyber risk controls that support operational resilience. | Cyber incident preparation, risk management, monitoring, backups and staff awareness. | All organisations | Cyber risk register, incident escalation plan, training records, backup checks and monitoring procedure. |
NCSC Small Business Guide | Practical UK cyber security guidance for smaller organisations, including backup and malware precautions. | Basic cyber resilience, backup routines, device security and incident contacts. | All organisations, Charities | Backup schedule, password policy, device update process and cyber incident contact list. |
Cyber Essentials | UK government-backed scheme covering baseline technical controls against common cyber attacks. | Preventive cyber controls, technical assurance and supplier security expectations. | All organisations, Charities | Cyber Essentials certificate, secure configuration records, firewall rules and patching process. |
Regulatory Consideration | ||||
Civil Contingencies Act 2004 | UK framework for emergency preparedness duties on specified responders, including business continuity arrangements. | Emergency preparedness, civil protection, responder duties and public service continuity. | Public sector, Sector-specific | Emergency plan, continuity plan, local resilience forum participation and exercise records. |
Civil Contingencies Act 2004 Contingency Planning Regulations 2005 | Regulations detailing contingency planning duties for responders under the Civil Contingencies Act. | Risk assessment, emergency planning, warning and informing, cooperation and plan maintenance. | Public sector, Sector-specific | Community risk register input, public warning procedure, plan review log and mutual aid records. |
Guidance | ||||
Emergency Preparedness Guidance Under The Civil Contingencies Act | Government guidance on implementing civil protection duties, including business continuity management. | Emergency planning, public sector continuity, risk assessment, training and exercising. | Public sector, Sector-specific | Continuity strategy, exercise programme, training records, risk assessments and review minutes. |
National Risk Register | UK government assessment of major civil emergency risks relevant to scenario planning. | Scenario selection, risk assessment, severe weather, pandemic, cyber and infrastructure disruption planning. | All organisations, Public sector | Scenario library, risk register mapping, exercise scenario notes and impact assumptions. |
Regulatory Consideration | ||||
UK General Data Protection Regulation | Requires appropriate security, resilience, restoration and breach response for personal data processing. | Data availability, breach notification, backup restoration and processor continuity controls. | All organisations | Breach procedure, backup tests, processor clauses, DPIAs and incident decision log. |
Data Protection Act 2018 | UK data protection statute supplementing UK GDPR and supporting enforcement of personal data obligations. | Personal data incident response, governance, accountability and lawful recovery processes. | All organisations | Data protection policy, breach register, recovery access controls and accountability records. |
Guidance | ||||
ICO Guidance On Security | ICO guidance on protecting personal data, including availability, resilience and incident handling. | Data security, backup, disaster recovery, breach management and supplier controls. | All organisations | Security risk assessment, restore testing records, breach playbook and processor assurance. |
Regulatory Consideration | ||||
Network And Information Systems Regulations 2018 | UK cyber resilience rules for operators of essential services and relevant digital service providers. | Essential service continuity, incident reporting, network security and system resilience. | Sector-specific | NIS scope assessment, incident reporting process, resilience controls and competent authority correspondence. |
Guidance | ||||
NCSC Cyber Assessment Framework | Framework for assessing cyber resilience, widely used for NIS and critical service assurance. | Cyber resilience outcomes, incident response, service protection and recovery assurance. | Public sector, Sector-specific | CAF self-assessment, improvement plan, incident exercises and essential service dependency map. |
Regulatory Consideration | ||||
Health And Safety At Work etc. Act 1974 | Core UK workplace health and safety law relevant to incident response and staff protection. | Emergency response, evacuation, staff safety, welfare and safe recovery operations. | All organisations | Emergency procedures, evacuation drills, risk assessments, first aid arrangements and incident reports. |
Management Of Health And Safety At Work Regulations 1999 | Requires suitable risk assessment and arrangements for effective health and safety management. | Incident risk assessment, emergency arrangements, competent persons and worker communication. | All organisations | Risk assessments, emergency arrangements, role assignments and staff briefing records. |
Regulatory Reform (Fire Safety) Order 2005 | Fire safety regime for non-domestic premises in England and Wales, including emergency routes and procedures. | Premises emergency response, evacuation, fire risk controls and site recovery. | All organisations | Fire risk assessment, evacuation plan, drill records, fire marshal list and alarm test log. |
Sector Requirement | ||||
FCA Operational Resilience Rules | FCA requirements for identifying important business services, impact tolerances and resilience testing. | Important business services, impact tolerances, mapping, scenario testing and remediation. | Financial services | Important business service register, impact tolerances, mapping documents and scenario test reports. |
PRA Operational Resilience Supervisory Statement SS1/21 | PRA expectations for operational resilience of banks, insurers and designated investment firms. | Board accountability, important business services, impact tolerances, mapping and testing. | Financial services | Self-assessment document, board minutes, service maps, vulnerabilities log and test results. |
PRA Outsourcing And Third Party Risk Management SS2/21 | PRA expectations for managing outsourcing and third-party risks affecting operational resilience. | Supplier continuity, exit plans, concentration risk, audit rights and service resilience. | Financial services | Outsourcing register, exit plan, supplier BCP reviews, contract clauses and concentration assessment. |
NHS England Emergency Preparedness, Resilience And Response Framework | NHS framework for emergency preparedness, resilience and response across health organisations. | Major incident response, service continuity, command structure, surge planning and exercises. | Healthcare | EPRR plan, on-call rota, command arrangements, exercise report and annual assurance return. |
NHS Data Security And Protection Toolkit | NHS online self-assessment for data security and protection standards, including continuity controls. | Health data security, cyber resilience, incident reporting and IT recovery evidence. | Healthcare | DSPT submission, cyber incident plan, backup evidence, training records and supplier assurance. |
Care Quality Commission Emergency Planning Expectations | CQC safety expectations can require providers to manage foreseeable emergencies and service disruption risks. | Patient and service user safety, staffing disruption, premises failure and emergency procedures. | Healthcare | Continuity plan, emergency staffing plan, clinical risk assessment and incident review records. |
Guidance | ||||
Department For Education Emergency Planning And Response For Education Settings | DfE guidance for education, childcare and children's social care settings on emergency planning and response. | School closure, safeguarding, communications, lockdown, evacuation and remote education continuity. | Education | Emergency plan, parent communication templates, closure procedure and safeguarding escalation route. |
Charity Commission Guidance CC26 Charities And Risk Management | Charity Commission guidance on trustee risk management, relevant to continuity and resilience oversight. | Trustee governance, risk registers, service continuity, reserves and reputational risk. | Charities | Trustee risk register, continuity plan approval, reserves policy and serious incident escalation procedure. |
Charity Commission Serious Incident Reporting Guidance | Guidance on reporting serious incidents that may include major service disruption, fraud or cyber events. | Incident escalation, trustee notification, regulator reporting and reputational response. | Charities | Serious incident reporting checklist, trustee decision log and regulator notification records. |
Internal Governance | ||||
UK Corporate Governance Code | Governance code for premium listed companies, relevant to board oversight of risk and resilience. | Board risk oversight, internal control, assurance, reporting and accountability for resilience. | Sector-specific | Board risk reports, internal control review, resilience KPIs and audit committee minutes. |
Regulatory Consideration | ||||
Companies Act 2006 Directors' Duties | Directors' statutory duties can support prudent oversight of material continuity and resilience risks. | Board oversight, risk governance, stakeholder impacts and decision records during disruption. | All organisations | Board minutes, risk appetite statement, continuity funding approval and crisis decision log. |
Guidance | ||||
UK Government Supply Chain Resilience Guidance | Government guidance to help organisations understand and improve supply chain resilience. | Supplier dependency mapping, alternative sourcing, concentration risk and disruption response. | All organisations | Critical supplier list, supply chain map, alternative supplier options and supplier continuity questionnaires. |
Procurement Policy Note 04/21 Supplier Financial Risk | UK public procurement note on assessing supplier financial risk, relevant to continuity of critical contracts. | Supplier failure planning, contract risk, public service continuity and contingency arrangements. | Public sector | Supplier financial assessment, contingency plan, contract exit provisions and monitoring records. |
NCSC Cloud Security Guidance | NCSC guidance for assessing and managing cloud security risks, including availability and resilience. | Cloud DR, data location, access control, resilience architecture and provider assurance. | All organisations, Public sector | Cloud risk assessment, shared responsibility matrix, backup design and provider SLA review. |
Standard | ||||
ISO 22320:2018 Emergency Management Guidelines For Incident Management | Guidance for incident management structures, command, control, coordination and information management. | Crisis management team structure, escalation, situational awareness and decision logging. | All organisations, Public sector | Incident command structure, meeting agenda, situation report template and action log. |
ISO 22398:2013 Guidelines For Exercises And Testing | Guidelines for planning, conducting and improving exercises for preparedness and continuity arrangements. | Tabletop exercises, live tests, objectives, evaluation and lessons learned. | All organisations | Exercise plan, inject script, attendance records, evaluation report and improvement actions. |
ISO 31000:2018 Risk Management Guidelines | Risk management guidelines supporting continuity risk identification, assessment and treatment. | Continuity risk assessment, risk criteria, treatment plans and risk governance. | All organisations | Risk methodology, continuity risk register, treatment plan and risk review minutes. |
Guidance | ||||
Government Cyber Security Strategy 2022-2030 | UK government strategy for improving public sector cyber resilience and risk management. | Public sector cyber resilience, assurance, incident preparedness and critical service protection. | Public sector | Cyber improvement plan, assurance reports, incident exercise records and critical service mapping. |
UK Health Security Agency Pandemic Preparedness Guidance | UKHSA public health guidance can inform infection control and workforce disruption planning. | Pandemic planning, workforce absence, infection controls and public health communications. | All organisations, Healthcare, Education | Pandemic scenario, absence trigger levels, hygiene controls and public health update process. |
Regulatory Consideration | ||||
Environmental Permitting Regulations 2016 | Environmental permitting regime may require incident controls and continuity arrangements for regulated sites. | Site incident response, pollution prevention, regulatory notification and operational recovery. | Sector-specific | Environmental incident plan, spill response procedure, permit conditions map and notification log. |
Sector Requirement | ||||
Control Of Major Accident Hazards Regulations 2015 | COMAH requires major accident prevention and emergency planning for qualifying hazardous sites. | Major incident response, site emergency plans, off-site coordination and recovery priorities. | Sector-specific | COMAH safety report, on-site emergency plan, exercise records and liaison with emergency services. |
Bank Of England FMI Operational Resilience Expectations | Supervisory expectations for resilience of financial market infrastructures and critical financial services. | Critical service continuity, recovery time, dependency mapping and severe scenario testing. | Financial services | FMI service map, extreme scenario tests, recovery procedures and regulator submissions. |
Telecommunications (Security) Act 2021 | UK telecoms security law imposing duties on public telecoms providers to manage security risks. | Telecoms network resilience, security governance, incident management and supplier controls. | Sector-specific | Security plan, telecoms resilience controls, supplier assurance and Ofcom reporting records. |
Ofcom Network And Service Resilience Guidance | Ofcom guidance and expectations for security and resilience of communications networks and services. | Network outages, incident reporting, resilience controls and customer communications. | Sector-specific | Network resilience plan, outage response procedure, customer communications and Ofcom notification log. |
Internal Governance | ||||
Board-Approved Business Continuity Policy | Internal policy setting continuity objectives, roles, authority, review frequency and assurance expectations. | Governance, accountability, plan ownership, approval and review cycles. | All organisations | Approved policy, RACI matrix, annual review record and board or trustee minutes. |
Business Impact Analysis Methodology | Internal method for identifying critical activities, impacts, dependencies and recovery priorities. | BIA, RTOs, RPOs, maximum tolerable disruption and critical dependency mapping. | All organisations | BIA templates, completed interviews, critical process register and approved recovery objectives. |
Crisis Communications Protocol | Internal protocol for communicating with staff, customers, suppliers, regulators and media during disruption. | Stakeholder communications, approval routes, holding statements and channel resilience. | All organisations | Contact lists, holding statements, approval matrix, regulator notification checklist and message log. |
Business Continuity Exercise Programme | Internal schedule for validating continuity plans through tabletop, technical and live exercises. | Testing, validation, training, lessons learned and continual improvement. | All organisations | Exercise calendar, scenario briefs, attendance records, evaluation reports and action tracker. |
Which UK Standards Should A Business Continuity Plan Refer To?
ISO 22301 and BS 65000 are the main UK-recognised continuity management references for most organisations. A practical plan should show governance, business impact analysis, recovery priorities, exercises and continual improvement, not just emergency contact lists.
Which UK Legal Duties Can Affect Business Continuity Planning?
Continuity planning is not governed by one universal UK statute, but legal duties arise from context. Key examples include UK GDPR and the Data Protection Act 2018 for resilient personal data processing, NIS Regulations for relevant digital and essential services, FCA and PRA operational resilience rules for financial services, and health and safety law for incident response arrangements.
What Evidence Helps Demonstrate A Credible UK Continuity Plan?
- Business impact analysis: documented critical activities, maximum tolerable disruption, recovery time objectives and dependencies.
- Incident governance: named roles, escalation thresholds, decision logs and crisis communication routes.
- IT disaster recovery: backup schedules, restore tests, cyber incident playbooks and supplier recovery commitments.
- Testing and assurance: exercise reports, lessons learned, board review minutes and improvement actions.
- Sector mapping: regulated organisations should map plan content to the relevant regulator or framework, such as FCA, PRA, NHS England, DfE, Charity Commission or local resilience guidance.

Want to Generate Your own Business Continuity Plan?
Docaro AI can help you write your own Business Continuity Plan for use in the United Kingdom in minutes.
FAQs
A UK Business Continuity Standards And Guidance Map is a structured reference that helps organisations identify relevant UK standards, regulations, sector guidance and good-practice sources for business continuity and disaster recovery planning.
Show All FAQs
You Might Also Be Interested In

Explore United Kingdom business continuity plan sections to structure resilient planning, response, and recovery documentation.

United Kingdom business disruption scenarios to support continuity planning, risk assessment, and operational resilience.

United Kingdom Business Impact Analysis Function Register for identifying critical functions and supporting continuity planning.

Explore recovery objectives and planning metrics for the United Kingdom to improve business continuity, resilience, and recovery planning.

UK business continuity roles and responsibilities register for clear ownership, governance, and response planning.

United Kingdom business continuity communications matrix for roles, contacts, escalation paths, and crisis response planning.

United Kingdom guide to choosing the right business continuity plan scope with a practical decision tree.

Critical Dependencies and Resources Register for the United Kingdom to support business continuity, resilience, and recovery planning.

United Kingdom guide to business continuity testing and exercise methods that strengthen resilience and recovery readiness.

United Kingdom guide to business continuity plan maintenance schedules, reviews, updates, and compliance readiness.

United Kingdom RTO and RPO decision tree to guide recovery targets, continuity priorities, and disaster recovery planning.

United Kingdom disaster recovery activation decision tree for assessing incidents, escalation triggers and response actions.