Business Continuity Plan (Public Summary)
Version: 1.3
Status: Approved
Last modified: April 2025
Next Review Date: October 2025
ISO Statement
oboloo is actively aligning with ISO/IEC 27001:2022 and ISO 22301:2019, and has implemented this Business Continuity Plan (BCP) in accordance with relevant controls, including ISO 27001 Annex A.17 (Information Security Aspects of Business Continuity Management) and ISO 22301 Annex A (Business Continuity Controls).
This public summary outlines oboloo’s approach to ensuring the resilience of critical operations during unexpected disruptions.
Purpose
Business continuity is a key component in any modern business. It aims to make provision for exceptional events such as infrastructure failures, cyber incidents, supply chain or service disruptions, and staff unavailability (including pandemic or strike).
The following information details the plans that oboloo Limited will implement in the case of any exceptional event impacting its operations.
Purpose
This Business Continuity Plan (BCP) outlines the procedures and measures oboloo Limited will follow to ensure the continuation of critical business functions during unforeseen events. The plan covers all company operations, with particular attention to infrastructure, data centres, and staff located in the UK/EU and US.
The BCP applies to all employees, contractors, and third-party service providers engaged by oboloo Limited.
Critical Business Functions and Recovery Objectives
oboloo Limited has identified the following as critical business functions: – Core platform operations and client services – Data management and security – Communication with clients and partners
Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each critical function are established and regularly reviewed to ensure minimal disruption and data loss.
Recovery Time Objective (RTO): 2.5 hours
Recovery Point Objective (RPO): 6 hours
Cloud Infrastructure: Hosted in multi-region environments with automatic failover and regular backups
Business Continuity Testing: Conducted twice per year to verify failover capability and response efficiency
Communication: Incident status updates are communicated to customers and stakeholders during continuity events
Roles and Responsibilities
The crisis management team consists of [Not available on public version] and [Not available on public version] as primary Points of Contact (POC), responsible for plan invocation, escalation, and coordination during a business continuity event.
All staff are required to be familiar with their roles and responsibilities as outlined in this plan.
Invocation Criteria and Escalation Flow
The BCP will be invoked in the event of infrastructure failure, cyber incident, supply chain or service disruption, or staff unavailability that significantly impacts business operations.
| Event | Escalation Contact | Action |
| Infrastructure Failure | [Not available on public version] | Assess impact, initiate failover to backup systems |
| Cyber Incident | [Not available on public version] | Isolate affected systems, notify stakeholders, engage IT security |
| Supply Chain/Service Disruption | [Not available on public version] | Contact alternative suppliers, communicate with clients |
| Staff Unavailability | [Not available on public version] | Activate remote work protocols, reassign critical tasks |
Dependencies and Third-Party Contingency
oboloo Limited relies on data centres located in the UK/EU and US. Each location maintains redundant systems and regular data backups to ensure continuity.
Third-party service providers are required to maintain their own business continuity plans and provide assurance of contingency measures.
Procedures
| Event | Risk Reduction / Solution | Remarks |
| Infrastructure Failure | Failover to backup servers and data centres in alternate locations; regular data backups | Servers/data centres in UK/EU and US |
| Cyber Incident | Immediate isolation of affected systems; incident response protocols; regular security training | Continuous monitoring and testing |
| Supply Chain/Service Disruption | Maintain list of alternative suppliers; regular review of service level agreements | Critical suppliers identified and reviewed |
| Staff Unavailability | Remote work capability for all staff; cross-training for critical roles | Pandemic/strike protocols in place |
Review and Testing
The BCP will be reviewed and tested at least twice annually, or following any major change to business operations or after an actual business continuity event.
Training and awareness sessions will be conducted for all staff to ensure preparedness.
Regulatory and Insurance Considerations
oboloo Limited’s BCP demonstrates to regulators and insurers that the Company is actively managing business risks and is prepared to survive a range of extraordinary events.
Local Considerations
In the event of severe weather or other local emergencies, staff will operate remotely as required, in accordance with government guidance.
ISO/IEC 27001 Annex A Mapping
| Objective Area | ISO/IEC 27001 Control Ref | Description |
|---|---|---|
|
Business Continuity Planning
|
A.17.1.1
|
Development and maintenance of continuity plans
|
|
Recovery Objectives
|
A.17.1.2
|
Defined recovery time and data recovery objectives
|
|
Continuity Testing
|
A.17.1.3
|
Regular testing and improvement of continuity capabilities
|
ISO 22301:2019 Annex A Mapping (Business Continuity Management)
| ISO 22301 Clause | Control Area | Mapped Section(s) in BCP |
|---|---|---|
|
A.5
|
Leadership & Roles
|
Section 4 – Roles & Responsibilities
|
|
A.6
|
Planning
|
Section 1 & 2 – Introduction and Scope
|
|
A.7
|
Support (Resources, Awareness)
|
Section 9 – Review and Training
|
|
A.8
|
Operational Planning and Control
|
Section 8 – Procedures and Risk Reduction
|
|
A.8.4
|
Business Impact Analysis (BIA)
|
Section 3 – Critical Functions (implicit BIA)
|
|
A.8.5
|
Continuity Strategy
|
Sections 5–8 – Invocation, Escalation, Mitigation
|
|
A.8.6
|
Continuity Plans and Procedures
|
Section 8 – Specific Event Response Plans
|
|
A.8.7
|
Testing and Exercising
|
Section 9.1 – Annual Testing
|
|
A.8.8
|
Evaluation of Continuity Capability
|
Section 9.2 – Training and Preparedness
|
|
A.9
|
Performance Evaluation
|
Section 9 – Testing, review, and lessons learned
|
|
A.10
|
Improvement
|
Section 9.2 – Continuous improvement
|
Review and Update of the Methodology
Bi-Annual Review: This Business Continuity Plan is reviewed every 6 months and following BCP test results, incidents, or changes in infrastructure.
Document Control
Version: 1.3
Date: April 2025
Description: Public summary format finalised and continuity metrics clarified
Previous Versions:
-
Version 1.2 (December 2024): Public summary introduced
-
Version 1.1 (October 2024): Initial internal version scoped for ISO preparation