Business Continuity Plan (Public Summary)
Version: 1.3
Status: Approved
Last modified: April 2025
Next Review Date: October 2025
ISO Statement
oboloo Limited is actively aligning with ISO/IEC 27001:2022 and ISO 22301:2019 and has implemented this Business Continuity Plan (BCP) in accordance with relevant controls, including:
ISO/IEC 27001 Annex A.17 – Information Security Aspects of Business Continuity Management
ISO 22301 Annex A – Business Continuity Controls
This document outlines how oboloo will ensure the resilience of its critical operations during unexpected disruptions.
Introduction
Business continuity is a key component in any modern organisation. It ensures that operations can continue, and recovery can be achieved, during events such as infrastructure failure, cyber incidents, natural disasters, supply chain breakdowns, or major workforce unavailability.
This BCP outlines oboloo’s strategy and response for managing such events and demonstrates our commitment to operational resilience, regulatory compliance, and stakeholder confidence.
Definitions
BCP: Business Continuity Plan — the documented process to ensure continued operation during a disruption.
BIA: Business Impact Analysis — the process of assessing the effects of an interruption.
RTO: Recovery Time Objective — the target time within which a process must be restored.
RPO: Recovery Point Objective — the maximum tolerable amount of data loss measured in time.
Critical Functions: Business operations deemed essential to oboloo’s continued service delivery.
Who We Are and How to Contact Us
This BCP is issued by oboloo Limited, a company registered in England and Wales (Company Number: 12420854), with its trading address at:
7 Bell Yard, London, England, WC2A 2JR
For questions or further information, contact us at:
📧 hello@oboloo.com
Acceptance of Terms
All oboloo personnel and relevant contractors are expected to comply with this BCP. By participating in operations or services governed by this policy, you accept your role in ensuring business continuity and resilience.
Changes to This Policy
This BCP is reviewed bi-annually and after any actual incident or significant change to operations or infrastructure. Updates are communicated to staff and stakeholders as appropriate.
Related Policies
This BCP should be read alongside:
Information Security Policy
Access Control Policy
Incident Response Plan
Risk Management Policy
Backup Policy
Purpose
This BCP aims to:
Ensure continued delivery of critical services during and after a disruptive incident.
Minimise impact on customers, staff, and partners.
Comply with ISO/IEC 27001 and ISO 22301 standards.
Protect the company’s data, operations, and reputation.
Scope
This plan applies to:
All oboloo Limited business units, services, and support functions.
All personnel involved in managing, supporting, or delivering services.
Critical infrastructure and third-party services that support operations.
All operational locations in the UK/EU and US.
BCP Process
Impact Assessment & BIA: Identify critical functions and assess the impact of potential disruptions.
Risk Analysis: Evaluate vulnerabilities and threats to people, data, and infrastructure.
Continuity Strategy: Define RTO and RPO per function and outline recovery methods.
RTO: 2.5 hours
RPO: 6 hours
Crisis Management Team: A designated team is responsible for activating, coordinating, and escalating BCP responses.
Testing: Bi-annual testing of BCP elements (failover, DR, incident response).
Training: Awareness sessions and readiness drills for all staff.
Response Procedures by Scenario
Event | Risk Reduction / Solution | Remarks |
---|---|---|
Infrastructure Failure | Failover to alternate data centres; regular data backups | UK/EU & US hosted with redundancy |
Cyber Incident | Isolation of affected systems; activate IRP; ongoing security monitoring | Tested twice/year |
Supply Chain Disruption | Pre-vetted alternative suppliers; SLA review | Critical supplier list maintained |
Staff Unavailability | Remote work capability; cross-trained staff | Pandemic/strike ready |
Data Loss | Real-time file server backup; daily incremental & weekly full backups | Backup policy enforced |
Loss of Building Access | Secure remote access via VPN; 24/7 building support | Local emergency protocol |
Telecoms Failure | Backup VOIP/ISP lines; mobile contact options | Comms continuity maintained |
Flood/Burglary | Equipment positioning; on-site response protocols | Safeguards and incident procedures in place |
Severe Weather and Local Emergencies
In the event of adverse weather, local hazard, or civil restriction, all staff are expected to operate remotely and follow government and company guidance. Secure access protocols support remote work without impacting availability.
Roles and Responsibilities
[Redacted for public version]
Internally, the Crisis Management Team includes leadership from operations, technology, and information security. They are responsible for activating the plan, internal and external communications, and coordinating resolution activities.
Review and Testing
The BCP is tested twice per year, including failover and scenario testing.
Following each test or actual incident, lessons learned are incorporated into the next review.
Staff training is delivered during onboarding and through regular refresher sessions.
ISO/IEC 27001 Annex A Mapping
Objective Area | ISO/IEC 27001 Control Ref | Description |
---|---|---|
Business Continuity Planning | A.17.1.1 | Development and maintenance of continuity plans |
Recovery Objectives | A.17.1.2 | Defined recovery time and data recovery objectives |
Continuity Testing | A.17.1.3 | Regular testing and improvement of continuity capabilities |
ISO 22301:2019 Annex A Mapping (Business Continuity Management)
ISO 22301 Clause | Control Area | Mapped Section(s) in BCP |
---|---|---|
A.5 | Leadership & Roles | Section 4 – Roles & Responsibilities |
A.6 | Planning | Section 1 & 2 – Introduction and Scope |
A.7 | Support (Resources, Awareness) | Section 9 – Review and Training |
A.8 | Operational Planning and Control | Section 8 – Procedures and Risk Reduction |
A.8.4 | Business Impact Analysis (BIA) | Section 3 – Critical Functions (implicit BIA) |
A.8.5 | Continuity Strategy | Sections 5–8 – Invocation, Escalation, Mitigation |
A.8.6 | Continuity Plans and Procedures | Section 8 – Specific Event Response Plans |
A.8.7 | Testing and Exercising | Section 9.1 – Annual Testing |
A.8.8 | Evaluation of Continuity Capability | Section 9.2 – Training and Preparedness |
A.9 | Performance Evaluation | Section 9 – Testing, review, and lessons learned |
A.10 | Improvement | Section 9.2 – Continuous improvement |
Review and Update of the Methodology
Review Frequency: Twice annually or following any major change or incident.
Method: Reviewed by senior leadership and information security.
Distribution: Internal and public summary versions maintained.
Document Control
Version: 1.3
Date: April 2025
Description: Public summary format finalised and continuity metrics clarified
Previous Versions:
- Version 1.2 (December 2024): Public summary introduced
- Version 1.1 (October 2024): Initial internal version scoped for ISO preparation