Business Continuity Policy 2025v1 PDF Free Download


Business Continuity Policy 2025v1
PUBLIC TP
It may be shared internally and to third parties without additional authorization from the owner of the information.
Business Continuity Policy
Code: SI-PO-05
Version: 1
Capacity: 7.4 Information Security
Page: 2 of 16
Table of Contents
1. Introduction.
2. Objectives of the Policy.
3. Scope.
4. Responsibility.
5. Authority.
6. Normative References.
7. Pillars of the Policy.
8. Objectives of Business Continuity Management System (BCMS).
9. Terms and definitions.
10. Leadership.
11. Planning.
12. Support.
13. Operation.
14. Performance evaluation.
15. Improvement.
16. Change Control and Approval Cycle:
1. Introduction.
Teleperformance MAR Business Continuity Policy outlines the principles and procedures for preparing for, responding to, and recovering from incidents. By following ISO 22301, the organization commits to protecting our employees, customers, and stakeholders, ensuring operational stability, and achieving our strategic objectives.
2. Objectives of the Policy.
To establish a framework for Teleperformance MAR to ensure the continuity of its critical business functions and to minimize the impact of disruptions.
To support the implementation, maintenance, and continual improvement of the Business Continuity Management System (BCMS) in alignment with ISO 22301:2019.
3. Scope.
The guidelines of this policy are mandatory for all Teleperformance MAR employees, including direct and indirect employees, contractors, subcontractors, and suppliers, who provide support to the organization both from the physical facilities and from teleworking.
4. Responsibility.
Senior Management is responsible for ensuring the resources and support necessary for compliance with this policy.
The BCM Team is responsible for conducting annual reviews of the Business Continuity Management (BCM) including all documented information and related activities.
Service providers, such as vendors, suppliers, and contractors, must be aware of and comply with the organization's policies.
The communication and PR team will ensure communication and outreach in physical or digital form within the organization and accessibility to relevant internal and external stakeholders.
Operating unit leaders are responsible for taking this policy into account in all aspects of their critical business functions and services.
5. Authority.
Approval: Senior Management
Review and update: Business Continuity Management System (BCMS) Leader
6. Normative References.
ISO 22301:2019 international standard for Business Continuity Management Systems.
ISO 31000:2018 international standard for Risk management
GISP 14 - Information Security Aspects of Business Continuity Management Policy
ISS.014.001 Business Continuity Management Standard
7. Pillars of the Policy.
Ensuring the continuity of critical business activities during and after disruptive incidents.
Meeting legal, regulatory, and contractual obligations.
Protecting the interests of our customers, employees, shareholders, suppliers, and other stakeholders.
Implementing a structured and effective Business Continuity Management System (BCMS) in accordance with ISO 22301:2019 international standard for Business Continuity Management Systems.
Managing risks through the identification, assessment, and mitigation of threats, as well as the detection of opportunities that strengthen organizational resilience.
Conducting annual business impact analyses and risk assessments to understand threats and vulnerabilities.
Developing, maintaining, and testing business continuity strategies, plans, and procedures.
Ensuring staff are trained and aware of their roles and responsibilities in the event of a disruption.
Continually improving our BCMS through audits, reviews, exercises, and corrective actions.
8. Objectives of Business Continuity Management System (BCMS).
Identify critical activities and their dependencies.
Assess risks and impacts associated with disruptions.
Establish effective response, recovery, and restoration strategies.
Perform quarterly testing to demonstrate the extent to which strategies and plans are complete, current, and accurate.
Minimize downtime and maintain an acceptable level of service.
Ensure effective internal and external communication during incidents.
Meet applicable compliance obligations.
9. Terms and definitions.
Business Continuity Management Systems (BCMS): A comprehensive structure that guides organizations in identifying potential threats, assessing their impact on critical business functions, and formulating strategies to minimize disruption and facilitate a swift recovery.
Activity: A set of one or more tasks with a defined output.
Audit: Systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.
Business Continuity: Capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption.
Business Continuity Plan: Documented information that guides an organization to respond to disruption and resume, recover and restore the delivery of products and services consistent with its business continuity objectives.
Business Impact Analysis: Process of analyzing the impact over time of a disruption on the organization.
Competence: Ability to apply knowledge and skills to achieve intended results.
Continuous Improvement: Recurring activity to enhance performance.
Disruption: Any incident, whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to an organization’s objectives.
Impact: Outcome of a disruption affecting objectives.
Incident: Event that can be, or could lead to, a disruption, loss, emergency, or crisis.
Prioritized Activity: Activity to which urgency is given to avoid unacceptable impacts on the business during a disruption.
Risk: Any potential event that could interrupt an organization's critical operations, affecting its ability to deliver essential products or services.
Process: Set of interrelated or interacting activities which transform inputs into outputs.
Product and Service: Output or outcome provided by an organization to interested parties.
Requirement: Need or expectation that is stated, generally implied or obligatory.
Resource: All assets (including plant and equipment), people, skills, technology, premises, and supplies and information (whether electronic or not) that an organization must have available to use, when needed, to operate and meet its objective.
Top Management: Person or group of people who directs and controls an organization at the highest level.
10. Leadership.
10.1 Leadership and commitment.
10.1.1 Top management shall demonstrate leadership and commitment with respect to the BCMS by:
a) ensuring the BCMS is effectively established and aligned with the organization’s context.
b) facilitating the integration of BCMS requirements into the organization’s existing processes.
c) guaranteeing the availability of necessary resources to support the BCMS.
d) promoting awareness of the BCMS and communicating its significance and requirements.
e) ensuring the BCMS delivers its intended results.
f) leading and encouraging all relevant stakeholders to actively contribute to BCMS’s effectiveness.
g) fostering a culture of continual improvement within the BCMS framework.
10.2 Policy.
10.2.1 The business continuity policy shall:
a) be appropriate for the purpose of the organization.
b) provide a solid framework for setting business continuity objectives.
c) include a clear commitment to meeting applicable requirements.
d) consider the continuous improvement of the BCMS.
10.2.2 The Policy shall be communicated and readily available as documented information to interested parties, as appropriate.
10.3 Roles, responsibilities, and authorities.
10.3.1 Senior management shall ensure that responsibilities and authorities for relevant functions are assigned and communicated to interested parties, as appropriate.
10.3.2 Senior management shall ensure that the BCMS complies with the requirements of this policy.
10.3.3 The BCMS leader shall report on the performance of the BCMS to senior management.
11. Planning.
11.1 Actions to address risks and opportunities.
11.1.1 Determining risks and opportunities.
11.1.1.1 The organization shall consider the requirements and determine the risks and opportunities that need to be addressed.
11.1.1.2 The organization shall give assurance that the BCMS delivers its intended results.
11.1.1.3 The organization shall prevent, or reduce, undesired effects.
11.1.1.4 The organization shall achieve continual improvement within the BCMS framework.
11.1.2 Addressing risks and opportunities.
11.1.2.1 The organization shall plan actions to address these risks and opportunities.
11.1.2.2 The organization shall integrate and implement these actions into its BCMS processes and evaluate their effectiveness.
11.2 Business continuity objectives and planning to achieve them.
11.2.1 Establishing business continuity objectives.
11.2.1.1 The organization shall establish business continuity objectives.
11.2.1.2 The organization shall be consistent with the business continuity policy.
11.2.1.3 The organization shall measure the performance of the BCMS.
11.2.1.4 The organization shall consider applicable requirements.
11.2.1.5 The organization shall communicate the policy.
11.2.1.6 The organization shall annually update or review the policy.
11.2.1.7 The organization shall retain documented information on the BCMS.
11.2.2 Determining business continuity objectives.
11.2.2.1 The organization shall plan the BCMS activities.
11.2.2.2 The organization shall allocate the necessary resources.
11.2.2.3 The organization shall define who will be responsible.
11.2.2.4 The organization shall review and evaluate the results.
11.3 Planning changes to the business continuity management system.
11.3.1 When the organization determines the need for changes to the BCMS, these shall be carried out in a planned manner and considering:
a) The purpose of the changes and their potential consequences.
b) The integrity of the BCMS and services.
c) The availability of resources in the organization.
12. Support.
12.1 Resources.
12.1.1 The organization shall determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the BCMS.
12.2 Competence.
12.2.1 Employees must be competent in their intended roles. To achieve this, the organization shall:
a) determine the necessary competence of employees assigned to the BCMS.
b) retain appropriate documented information as evidence of competence.
c) promote regular training in Business Continuity.
12.3 Awareness.
12.3.1 Employees doing work under the organization’s control shall be aware of:
a) the business continuity policy.
b) their contribution to the effectiveness of the BCMS.
c) support the continuous improvement of the BCMS.
d) the implications of not conforming with the BCMS requirements.
e) their own role and responsibilities before, during and after disruptions.
12.4 Communication.
12.4.1 The organization shall determine the internal and external communications relevant to the BCMS, including:
a) on what it will communicate.
b) when to communicate.
c) with whom to communicate.
d) how to communicate.
e) who will communicate.
12.5 Documented information.
12.5.1 The organization shall develop and maintain the documented information required for the BCMS.
12.5.2 When creating and updating documented information the organization shall follow the internal procedure: IG-PC-01.
12.5.3 The documented information required by the BCMS and by this document shall be controlled to ensure compliance with the internal procedure: IG-PC-01.
13. Operation.
13.1 Operational planning and control.
13.1.1 The organization shall plan, implement, and control the processes needed to meet requirements, and to implement the actions determined by:
a) defining criteria for process execution.
b) applying controls to processes in alignment with the established criteria.
c) maintaining documented information as needed, to ensure confidence that processes are performed as intended.
d) managing planned changes and assessing the impact of unintended changes, taking corrective actions to minimize any negative effects when necessary.
e) ensuring that outsourced processes and the supply chain are effectively controlled.
13.2 Business impact analysis and risk assessment.
13.2.1 General.
13.2.1.1 The organization shall implement and maintain systematic processes for analyzing the business impact and assessing the risks of disruption.
13.2.1.2 The organization shall review the business impact analysis and risk assessment at planned intervals and when there are significant changes within the organization or the context in which it operates.
13.2.2 Business impact analysis.
13.2.2.1 The organization shall use the process for analyzing business impacts to determine business continuity priorities and requirements. The process shall:
a) define the types of impacts and the assessment criteria relevant to the organization’s specific context.
b) identify the key activities that support the delivery of products and services.
c) apply the defined impact types and criteria to evaluate the effects of disruptions over time on these activities.
d) determine the time frame within which the organization would consider the impacts of not resuming activities to be unacceptable.
e) establish prioritized recovery time frames within the identified limits to resume disrupted activities at a minimum acceptable level.
f) use the results of this analysis to identify and prioritize critical activities.
g) identify the resources required to support these prioritized activities.
h) determine the dependencies and interdependencies of prioritized activities, including those involving partners and suppliers.
13.2.3 Risk assessment.
13.2.3.1 The organization shall implement and maintain a risk assessment process.
13.2.3.2 The organization shall identify the risks of disruption to the organization’s prioritized activities and to their required resources.
13.2.3.3 The organization shall analyze and evaluate the identified risks.
13.2.3.4 The organization shall determine which risks require treatment.
13.3 Business continuity strategies and solutions.
13.3.1 General.
13.3.1.1 Based on the outputs from the business impact analysis and risk assessment, the organization shall identify and select business continuity strategies that consider options for before, during and after disruption. The business continuity strategies shall be comprised of one or more solutions.
13.3.2 Identification of strategies and solutions.
13.3.2.1 Identification shall be based on the extent to which strategies and solutions:
a) fulfill the requirements to sustain and restore prioritized activities within the defined time frames and agreed capacity levels.
b) safeguard the organization’s critical activities.
c) minimize the likelihood of operational disruptions.
d) reduce the duration of any disruptions that occur.
e) mitigate the impact of disruptions on the organization’s products and services.
f) ensure the availability of sufficient and appropriate resources.
13.3.3 Selection of strategies and solutions.
13.3.3.1 Selection shall be based on the extent to which strategies and solutions:
a) comply with the requirements to maintain and restore prioritized activities within the designated time frames and agreed capacity levels.
b) consider the level and nature of risk the organization is willing or unwilling to accept.
c) evaluate the related costs and benefits in decision-making.
13.3.4 Resource requirements.
13.3.4.1 The organization shall determine the resource requirements to implement the selected business continuity solutions. The types of resources considered shall include, but not be limited to:
a) personnel.
b) information and data.
c) physical infrastructure such as buildings, workplaces, or other facilities.
d) critical utilities such as energy, water, network access.
e) equipment and consumables.
13.3.5 Implementation of solutions.
13.3.5.1 The organization shall implement and maintain selected business continuity solutions so they can be activated when needed.
13.4 Business continuity plans and procedures.
13.4.1 General.
13.4.1.1 The organization shall implement and maintain a response structure that will enable timely warning and communication to relevant interested parties.
13.4.1.2 The organization shall identify and document business continuity plans and procedures based on the output of the selected strategies and solutions.
13.4.1.3 The procedures shall:
a) develop plans and procedures to guide the organization’s response during a disruption.
b) activate business continuity solutions when necessary.
c) clearly outline the immediate actions to be taken in the event of disruption.
d) remain adaptable to evolving internal and external conditions during a disruption.
e) address the potential impacts of incidents that could lead to operational disruptions.
f) effectively reduce disruption impacts through the implementation of suitable solutions.
g) define roles and responsibilities for executing tasks within the plans.
13.4.2 Response structure.
13.4.2.1 The organization shall implement and maintain a structure, identifying one or more teams responsible for responding to disruptions.
13.4.2.2 The roles and responsibilities of each team and the relationships between the teams shall be clearly stated.
13.4.2.3 Collectively, the teams shall be competent to:
a) evaluate the nature, scope, and potential impact of disruption.
b) compare the impact against predefined thresholds to determine if a formal response is warranted.
c) initiate an appropriate business continuity response when necessary.
d) plan and coordinate the necessary response actions.
e) establish response priorities, with the health & safety of people as the highest priority.
f) continuously monitor both the disruption and the effectiveness of the organization’s response.
g) deploy business continuity solutions as required.
h) communicate effectively with relevant stakeholders, authorities, and the media.
13.4.2.4 For each team there shall be:
a) personnel, along with designated alternates, must be identified and assigned with the appropriate responsibility, authority, and competence to fulfill their specific roles.
b) documented procedures must be in place to guide their actions, including protocols for activation, operation, coordination, and communication during the response.
13.4.3 Warning and communication.
13.4.3.1 The organization shall document and maintain procedures for:
a) communicate internally and externally with relevant stakeholders, specifying what information will be shared, when, with whom, and through which channels.
b) receive, document, and respond to communications from interested parties, including alerts from national or regional risk advisory systems or their equivalents.
c) ensure communication tools and channels remain operational during a disruption.
d) support structured and coordinated communication with emergency response teams.
e) outline the organization’s media response following an incident, including a defined communication strategy.
f) maintain records of the disruption, including actions taken and decisions made.
13.4.3.2 Where applicable, the following additional measures should be considered and implemented:
a) notify stakeholders who may be affected by an actual or potential disruption.
b) ensure effective coordination and communication among multiple responding organizations.
c) conduct regular exercises of the warning and communication procedures as part of the organization’s overall exercise program.
13.4.4 Business continuity plans.
13.4.4.1 The organization shall document and maintain business continuity plans and procedures. The business continuity plans shall provide guidance and information to assist teams to respond to a disruption and to assist the organization with response and recovery.
13.4.4.2 The business continuity plans shall clearly outline the actions that teams will undertake to:
a) maintain or restore prioritized activities within the established time frames.
b) monitor both the disruption’s impact and the effectiveness of the organization’s response.
c) comply with predefined thresholds and the procedures for initiating the response.
d) follow guidelines and procedures to ensure the delivery of products and services at the agreed capacity levels.
e) manage the immediate consequences of the disruption, with attention to individual well-being, prevention of further losses or interruptions to critical activities, and mitigation of environmental impacts.
13.4.4.3 Each plan shall include:
a) the purpose, scope, and objectives of the plan.
b) defined roles and responsibilities of the team responsible for executing the plan.
c) specific actions required to implement the planned solutions.
d) activation criteria, supporting information, operation, coordination, and communication of the team’s activities.
e) identification of internal and external interdependencies.
f) required resources to support plan execution.
g) reporting protocols and requirements.
h) defined process for deactivating or standing down the plan.
i) the plans must be readily accessible and usable by all interested parties.
13.4.5 Recovery.
13.4.5.1 The organization shall have documented processes to restore and return business activities from the temporary measures adopted during and after a disruption.
13.5 Exercise program.
13.5.1. The organization shall implement and maintain a program of exercising and testing to validate over time the effectiveness of its business continuity strategies and solutions.
13.5.2. The organization shall conduct exercises and tests that:
a) align with the organization’s business continuity objectives.
b) are based on well-designed scenarios with clearly defined goals and objectives.
c) enhance teamwork, build competence and confidence, and increase the knowledge of interested parties.
d) validate the effectiveness of business continuity strategies and solutions over time.
e) generate formal post-exercise reports that include outcomes, recommendations, and actions for improvement.
f) are reviewed in the context of driving continual improvement.
g) are conducted at scheduled intervals and in response to significant organizational or contextual changes.
13.5.3. The organization must act on the findings from exercises and tests to implement necessary changes and improvements.
13.6 Evaluation of business continuity documentation and capabilities.
13.6.1 The organization shall:
a) assess the suitability, adequacy, and effectiveness of its business impact analysis, risk assessments, strategies, solutions, plans, and procedures.
b) perform reviews of the BCMS through analyses, exercises, testing, and post-incident evaluations.
c) evaluate the business continuity capabilities of relevant partners and suppliers.
d) ensure compliance with applicable legal and regulatory requirements, industry best practices, and alignment with the organization’s business continuity policy and objectives.
e) annually update documentation and procedures based on evaluation outcomes.
f) conduct annual evaluations, following incidents, BCP/DRP activations, or when significant changes occur.
14. Performance evaluation.
14.1 Monitoring, measurement, analysis, and evaluation.
14.1.1 The organization shall:
a) identify what aspects of the Business Continuity Management System (BCMS) need to be monitored and measured.
b) define the methods for monitoring, measurement, analysis, and evaluation to ensure accurate and reliable results.
c) define the frequency of the monitoring activities and the personnel responsible for performing them.
d) maintain appropriate documented information as evidence of monitoring and outcomes.
e) annually assess the performance and effectiveness of the BCMS.
14.2 Internal audit.
14.2.1 General.
14.2.1.1 The organization shall conduct annual BCMS internal audits to validate compliance with:
a) the ISO 22301:2019 international standard for Business Continuity Management Systems.
b) the organization’s global and local requirements for Business Continuity Management Systems.
c) the requirements of this policy.
14.2.2 Audit program.
14.2.2.1 The organization shall:
a) develop, implement, and maintain an audit program that outlines the frequency, methods, responsibilities, planning requirements, and reporting.
b) request formal approval from senior management to conduct the audit process.
c) define the audit criteria and scope for each audit process.
d) consider the significance of the processes involved and the outcomes of previous audits.
e) select qualified auditors and conduct audits in a manner that ensures objectivity and impartiality.
f) ensure audit findings are communicated to senior management.
g) maintain documented evidence of the audit program’s implementation and the results of each audit process.
h) take corrective actions in a timely manner to address identified nonconformities and their root causes.
i) include follow-up activities to verify the effectiveness of corrective actions and document the results of these verifications.
14.3 Management review.
14.3.1 General.
14.3.1.1 Top management shall review the organization’s BCMS, at planned intervals, to ensure its continuing suitability, adequacy, and effectiveness.
14.3.2 Management review input.
14.3.2.1 The management review shall include consideration of:
a) the status of actions identified during previous management reviews.
b) changes in internal and external factors relevant to the BCMS.
c) identified nonconformities and the effectiveness of corrective actions.
d) results from monitoring, measurement, and evaluations.
e) findings from internal and external audits.
f) feedback received from interested parties.
g) the need for updates to the BCMS, including its policy and objectives.
h) opportunities for improvement to the BCMS performance and effectiveness.
i) insights from business impact analyses and risk assessments.
j) outcomes from evaluations of business continuity documentation and capabilities.
k) risks or issues that were not sufficiently addressed in previous risk assessments.
l) lessons learned and actions taken in response to near-misses and actual disruptions.
14.3.3 Management review output.
14.3.3.1 The output of the annual management review shall include decisions related to continual improvement opportunities and any need for changes to the BCMS to improve its efficiency and effectiveness, including the following:
a) reviews to the scope of the BCMS.
b) reviews to business impact analysis, risk assessment, continuity strategies and solutions, and BCP/DRP.
c) review procedures and controls in response to internal or external factors that may affect the BCMS.
d) defined methods for measuring the effectiveness of implemented controls.
e) retention of documented evidence as part of the management reviews.
f) communication of the results of the management review to relevant interested parties.
g) appropriate actions taken based on the findings of the review.
15. Improvement.
15.1 Nonconformity and corrective action.
15.1.1 The organization shall determine opportunities for improvement and implement necessary actions to achieve the intended outcomes of its BCMS.
15.1.2 The organization shall address nonconformities through the following actions:
a) provide an adequate response to the nonconformity.
b) implement the necessary corrective actions.
c) evaluate the effectiveness of the corrective actions taken.
d) manage any resulting consequences.
e) assess the need for further actions to eliminate the root cause(s) of the nonconformity to prevent recurrence or occurrence.
f) determine whether similar nonconformities exist or could potentially arise.
g) make the necessary changes to the Business Continuity Management System (BCMS).
15.1.3 The organization shall retain documented information as evidence of:
a) the nature of the nonconformities and any subsequent actions taken.
b) the results of any corrective action.
15.2 Continual improvement.
15.2.1 The organization shall pursue continual improvement of the Business Continuity Management System (BCMS) to enhance its suitability, adequacy, and effectiveness, using both qualitative and quantitative performance indicators.
15.2.2 The organization shall consider the results of analyses, evaluations, and management reviews to identify and address any needs or opportunities for improvement related to the business or the BCMS.
16. Change Control and Approval Cycle:
Date: 10/06/2025
Description: Document creation.
Approval Cycle:
Created: Liliana Villar - Senior Information Security Analyst.
Reviewed: Luis Gonzalez - Information Security Manager.
Approved: Claudio Esteves - Chief Information Office.