/
Business Continuity and Disaster Recovery

Business Continuity and Disaster Recovery

ID

S24

Version

1.2.5

Type

Overarching Standard

Status

Effective

Effective Date

Nov 27, 2025

Contracting Vehicle(s)

 

Introduction

Ensures that Suppliers Solutions are supported by robust business continuity plans and disaster recovery measures.

This Standard is in place to ensure that services can be maintained in the event of disruptions to normal business. Suppliers will need to ensure that they have taken appropriate steps to remove, reduce, or mitigate the likelihood of events detrimentally impacting the levels of services that are provided. 

The Authority's Business Continuity and Disaster Recovery Standards have been developed to help Suppliers understand the minimum expectations that the Authority have for the maturity, scope and context of an organisation’s Business Continuity Management System (BCMS).

The BCMS is a management process that establishes, implements, operates, monitors, reviews, maintains and improves the organisation’s business continuity and should include organisational structure, policies and planning activities, responsibilities, procedures, processes and resources within its framework.

Baseline Assurance Standard Requirements

The Baseline Assurance Standard (BAS) provides a proportionate, risk-based assurance approach for Solutions; balancing safety against efficiency by combining a minimum set of essential Requirements from the DSIC Overarching Standards. Completing the BAS is the first step to achieving full assurance with the Overarching Standards allowing Supplier Solutions to be published on the Buying Catalogue. Upon meeting this Standard, Solutions are required to meet any remaining Further Requirements in the Overarching Standard as applicable to the Contracting Vehicle within a period of 12 months.

All Baseline Assurance Requirements can be found here. Each Solution will be assigned a category of A, B or C that determines the level of assurance applied to that Solution. See the relevant category column to understand the assurance required for each Requirement. For information on Solution Categories see Solution Categories for Assurance in DSIC.

The following table of Requirements are the Requirements in the Baseline Assurance Standard related to the Business Continuity and Disaster Recovery Standard.

Applicable Contracting Vehicle(s)

ID

Requirement

Level

Category A

Category B

Category C

  • GP IT Futures

  • Tech Innovation

  • DFOCVC

  • Community Pharmacy Clinical Services

BC-DR-1

Business Continuity Management System (BCMS) - methodology

The Supplier’s organisation and the services provided will be underpinned by a robust Business Continuity Management System (BCMS).

The Supplier must meet or exceed its recovery time objective, be fully accountable and responsible for its BCMS operational business continuity and IT Service Continuity Plans and supporting procedures for all services delivered to its Service Recipients.

MUST

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Business Continuity Plans with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) defined.

  • IT Service Continuity Plans with RTOs and RPOs defined.

  • Current ISO certifications and scope covered.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

The BCMS methodology, processes, standards and resources associated to the BCMS will utilise the relevant provisions of ISO/IEC 22301, ISO/IEC 27031, ISO/IEC 27001 and other good industry practice such as the Business Continuity Institute Good Practice Guidelines.

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Business Continuity Plans with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) defined.

  • IT Service Continuity Plans with RTOs and RPOs defined.

  • Current ISO certifications and scope covered.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

The BCMS methodology, processes, standards and resources associated to the BCMS will utilise the relevant provisions of ISO/IEC 22301, ISO/IEC 27031, ISO/IEC 27001 and other good industry practice such as the Business Continuity Institute Good Practice Guidelines.

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Business Continuity Plans with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) defined.

  • IT Service Continuity Plans with RTOs and RPOs defined.

  • Current ISO certifications and scope covered.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

The BCMS methodology, processes, standards and resources associated to the BCMS will utilise the relevant provisions of ISO/IEC 22301, ISO/IEC 27031, ISO/IEC 27001 and other good industry practice such as the Business Continuity Institute Good Practice Guidelines.

  • GP IT Futures

  • Tech Innovation

  • DFOCVC

  • Community Pharmacy Clinical Services

BC-DR-16

Test and Exercise Programme - Business Continuity Test

The Supplier will undertake a business continuity test at least annually in order to validate the effectiveness of its business continuity strategies. The Authority may wish to witness the test.
If requested, the Supplier must comply and provide full access and visibility of the execution of the test, including access to documentation and the execution of procedures throughout the whole test.

See Business Continuity and Disaster Recovery Testing for guidance.

MUST

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Provision of a summary of the Supplier's approach to testing their BCMS and associated plans and procedures.

  • Recent Test Plans and Test Reports.

  • A recording of the test.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Provision of a summary of the Supplier's approach to testing their BCMS and associated plans and procedures.

  • Recent Test Plans and Test Reports.

  • A recording of the test.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Provision of a summary of the Supplier's approach to testing their BCMS and associated plans and procedures.

  • Recent Test Plans and Test Reports.

  • A recording of the test.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

  • GP IT Futures

  • Tech Innovation

  • DFOCVC

  • Community Pharmacy Clinical Services

BC-DR-16A

Test and Exercise Programme - IT Service Continuity

The Supplier will undertake Disaster Recovery testing of the system at least annually. The testing must demonstrate that, in the event of an incident impacting availability, the system can be maintained and recovered within the Recovery Time Objective and that data can be restored within the Recovery Point Objective in the event of an incident. The Authority may wish to witness the test. If requested, the Supplier must comply and provide full access and visibility of the execution of the test, including access to documentation and the execution of procedures throughout the whole test and the resolution of any issues that occur during the Testing window.

See Business Continuity and Disaster Recovery Testing for guidance.

MUST

Full Assessment

Supporting evidence could include:

  • Provision of a summary of the Supplier's approach to testing their IT Service Continuity Plans and procedures.

  • Recent Test Plans and Test Reports.

  • A recording of the test with narrative overview.

  • Live Witness Test.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Provision of a summary of the Supplier's approach to testing their IT Service Continuity Plans and procedures.

  • Recent Test Plans and Test Reports.

  • A recording of the test with narrative overview.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Provision of a summary of the Supplier's approach to testing their IT Service Continuity Plans and procedures.

  • Recent Test Plans and Test Reports.

  • A recording of the test with narrative overview.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

  • GP IT Futures

  • Tech Innovation

  • DFOCVC

  • Community Pharmacy Clinical Services

BC-DR-20

BCM & IT Service Continuity Management (ITSCM) Coverage

The BCDR Plan must set out the method(s) of recovering or updating data collected, or which ought to have been collected, during a failure or disruption to ensure that there is no more than the accepted amount of data loss and to preserve data integrity.

MUST

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Backup policies.

  • Backup schedules.

  • Backup Test Plans.

  • Business Continuity Plans with RTOs and RPOs defined.

  • IT Service Continuity Plans with RTOs and RPOs defined.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Backup policies.

  • Backup schedules.

  • Backup Test Plans.

  • Business Continuity Plans with RTOs and RPOs defined.

  • IT Service Continuity Plans with RTOs and RPOs defined.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Backup policies.

  • Backup schedules.

  • Backup Test Plans.

  • Business Continuity Plans with RTOs and RPOs defined.

  • IT Service Continuity Plans with RTOs and RPOs defined.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

Further Requirements

Suppliers must complete assurance for these Requirements in addition to Requirements in the Baseline Assurance Standard in order to achieve full compliance with the BCDR Standard. Suppliers can complete these at the same time as Requirements within the Baseline Assurance Standard or following the publication on the Buying Catalogue subject to meeting the timelines laid out by the Authority.

Applicable Contracting Vehicle(s)

ID

Requirement

Level

Category A

Category B

Category C

Applicable Contracting Vehicle(s)

ID

Requirement

Level

Category A

Category B

Category C

  • GP IT Futures

  • Tech Innovation

  • DFOCVC

BC-DR-3

BCMS - Maintenance

Adequate staffing, facilities and technology resource will be deployed to establish, maintain and improve the organisation’s BCMS. This will need to be detailed as part of the BCMS submission.

MUST

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Resource overview and details of relevant qualifications, courses undertaken, membership to professional bodies such as the Business Continuity Institute.

  • Details of Business Continuity Training provided to staff within the organisation.

  • Continual Service Improvement Programme overview.

  • Details of any software toolsets and how they are used to support and manage the BCMS.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Resource overview and details of relevant qualifications, courses undertaken, membership to professional bodies such as the Business Continuity Institute.

  • Details of Business Continuity Training provided to staff within the organisation.

  • Continual Service Improvement Programme overview.

  • Details of any software toolsets and how they are used to support and manage the BCMS.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Resource overview and details of relevant qualifications, courses undertaken, membership to professional bodies such as the Business Continuity Institute.

  • Details of Business Continuity Training provided to staff within the organisation.

  • Continual Service Improvement Programme overview.

  • Details of any software toolsets and how they are used to support and manage the BCMS.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

  • GP IT Futures

  • Tech Innovation

  • DFOCVC

BC-DR-5

BCMS - Leadership

Leadership at top management level and in other relevant management roles will be identified to enable the necessary governance, escalation and direction for the BCMS.

MUST

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Policy documents such as a Business Continuity Policy, demonstrating sponsorship/ownership of Business Continuity at top management level.

  • Exercise Programme demonstrating top management participation.

  • Management reviews/Internal audits of BCMS.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Policy documents such as a Business Continuity Policy, demonstrating sponsorship/ownership of Business Continuity at top management level.

  • Exercise Programme demonstrating top management participation.

  • Management reviews/Internal audits of BCMS.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Policy documents such as a Business Continuity Policy, demonstrating sponsorship/ownership of Business Continuity at top management level.

  • Exercise Programme demonstrating top management participation.

  • Management reviews/Internal audits of BCMS.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

  • GP IT Futures

  • Tech Innovation

  • DFOCVC

BC-DR-6

BCMS - Protection

The BCMS will be able to protect against, reduce the likelihood of occurrence, prepare for, respond to and recover from the full range of incidents, up to and including a potential or actual crisis.

See the Business Continuity Institute for the Good Practice Guidelines.

MUST

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Provision of risk assessment matrix (or document - depending upon format used by the Supplier).

  • Risk assessments of assets within the BCMS scope.

  • Risk treatment approaches for the identified risks.

  • Risk Management Policy.

  • Incident Management Process/Plan.

  • Crisis Management Process/Plan.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Provision of risk assessment matrix (or document - depending upon format used by the Supplier).

  • Risk assessments of assets within the BCMS scope.

  • Risk treatment approaches for the identified risks.

  • Risk Management Policy.

  • Incident Management Process/Plan.

  • Crisis Management Process/Plan.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Provision of risk assessment matrix (or document - depending upon format used by the Supplier).

  • Risk assessments of assets within the BCMS scope.

  • Risk treatment approaches for the identified risks.

  • Risk Management Policy.

  • Incident Management Process/Plan.

  • Crisis Management Process/Plan.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

  • GP IT Futures

  • Tech Innovation

  • DFOCVC

BC-DR-8

Infrastructure & Service-based Threat Assessments

Infrastructure and service-based threat assessments will be undertaken on a regular basis to proactively identify risks to delivery of services within or across organisation and service location boundaries.

must

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Risk assessments of all in-scope infrastructure assets.

  • Risk treatment approaches for the identified risks.

  • Controls selected to manage the identified risks.

  • Solution design documents.

  • IT Service Continuity Plans/Availability Plans.

  • Asset Lists with criticality identified.

  • Provision of fully populated risk assessment matrix that provides evidence that a full risk assessment has taken place.

  • Risk Management Policy.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Risk assessments of all in-scope infrastructure assets.

  • Risk treatment approaches for the identified risks.

  • Controls selected to manage the identified risks.

  • Solution design documents.

  • IT Service Continuity Plans/Availability Plans.

  • Asset Lists with criticality identified.

  • Provision of fully populated risk assessment matrix that provides evidence that a full risk assessment has taken place.

  • Risk Management Policy.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Risk assessments of all in-scope infrastructure assets.

  • Risk treatment approaches for the identified risks.

  • Controls selected to manage the identified risks.

  • Solution design documents.

  • IT Service Continuity Plans/Availability Plans.

  • Asset Lists with criticality identified.

  • Provision of fully populated risk assessment matrix that provides evidence that a full risk assessment has taken place.

  • Risk Management Policy.

Alternatively, instead of Self-certification, provide the BCMS methodology document detailing how the Requirement is met with supporting evidence as detailed above. 

  • GP IT Futures

  • Tech Innovation

  • DFOCVC

BC-DR-10

Business Continuity (BC) Plans - Identify interdependencies between stakeholders

Interdependencies between stakeholders, including outside organisations and third parties, will be identified within the BC Plan and have appropriate plans in place to cover disruption to the supply chain.

MUST

Self-certification with Supporting Evidence

Supporting evidence could include:

  • Business Impact Analysis identifying third party dependencies.

  • Supply Chain Continuity programme.