ISO 22301

Business Continuity Policy

Comprehensive Business Continuity Management System (BCMS) policy ensuring organizational resilience, disaster recovery, and continuity of critical operations.

Policy Owner: COO
Approved By: CEO / Board
Effective Date: Q2 2026+
Review Cycle: Annual

1. Policy Statement

CUI Labs is committed to ensuring business continuity and operational resilience in the face of disruptions. This Business Continuity Policy establishes our framework for preventing, preparing for, responding to, and recovering from incidents that could impact critical business functions.

We recognize that our customers, partners, and stakeholders depend on the continuous availability of our services. Business continuity is not optional—it is a strategic imperative that protects our reputation, revenue, and regulatory standing.

Commitment: CUI Labs commits to maintaining Recovery Time Objectives (RTO) of less than 4 hours and Recovery Point Objectives (RPO) of less than 1 hour for all critical systems and services.

2. Business Continuity Objectives

  • Minimize Disruption: Reduce the impact of incidents on critical business functions and customer services (Target: <4hr downtime)
  • Protect Stakeholders: Ensure the safety of employees, customers, and partners during crises (Zero harm objective)
  • Maintain Compliance: Meet regulatory and contractual obligations during and after disruptions (100% compliance)
  • Preserve Reputation: Protect brand reputation through transparent crisis communication (24hr notification)

3. Governance & Roles

Business Continuity Manager

  • Overall accountability for BCMS implementation and maintenance
  • Coordinate business impact analysis (BIA) and risk assessments
  • Lead BC testing, exercises, and continuous improvement
  • Report BC posture to executive leadership quarterly

Crisis Management Team (CMT)

  • Activate during major incidents (Severity 1 or crisis-level events)
  • Make strategic decisions on response and recovery
  • Coordinate cross-functional response efforts
  • Manage stakeholder communication and media relations

Business Unit Owners

  • Identify critical business functions and dependencies
  • Develop and maintain business continuity plans (BCPs)
  • Participate in BC testing and exercises
  • Execute recovery procedures during incidents

4. Business Impact Analysis (BIA)

CUI Labs conducts an annual Business Impact Analysis to identify critical business functions, assess the potential impacts of disruptions, and determine recovery priorities.

Critical Business Functions

  Function                    RTO         RPO         Impact
  QNSP Production Services    <2 hours    <30 min     Critical
  Customer Support            <4 hours    <1 hour     High
  Development & Deployment    <8 hours    <4 hours    Medium
  Finance & Payroll           <24 hours   <8 hours    Medium

BIA Review: Business impact analysis is reviewed annually or following significant business changes (new products, acquisitions, regulatory changes).

5. Risk Assessment

CUI Labs identifies and assesses threats that could disrupt critical business functions, including natural disasters, cyber attacks, infrastructure failures, and pandemics.

Natural Disasters

  • Earthquakes
  • Floods
  • Typhoons
  • Power outages

Technical Failures

  • Data center outage
  • Network failure
  • Hardware failure
  • Software bugs

Human Threats

  • Cyber attacks
  • Insider threats
  • Pandemics
  • Supply chain disruption

6. Business Continuity Strategies

Infrastructure Resilience

  • Multi-region cloud infrastructure (AWS, Azure, GCP across 3+ regions)
  • Automated failover and load balancing
  • Redundant critical systems (N+1 configuration)
  • Geographic diversity (no single point of failure)

Data Protection

  • Daily automated backups (encrypted, immutable)
  • Multi-region backup replication (3-2-1 rule)
  • Monthly backup restoration testing
  • 90-day backup retention (longer for compliance data)

Alternative Work Arrangements

  • Remote work capabilities (VPN, cloud collaboration tools)
  • Alternative office locations (if primary site unavailable)
  • Mobile device management and secure access

Supplier Continuity

  • Critical supplier BC assessment (annual)
  • Alternative supplier identification
  • Contractual BC requirements for key vendors

7. Incident Response & Crisis Management

Incident Classification

  • Severity 1 (Critical): Complete service outage or data breach affecting >1000 customers. CMT activation within 15 minutes.
  • Severity 2 (High): Partial service degradation or limited data exposure. Incident team activation within 1 hour.
  • Severity 3 (Medium): Minor service impact or isolated incidents. Standard incident response within 4 hours.

Crisis Communication

  • Internal: Status page, Slack alerts, email updates
  • Customers: Email notification within 1 hour (Sev 1)
  • Regulators: As required by law (PDPA 72hr, GDPR 72hr)
  • Media: Approved spokesperson only (CEO/CMO)

8. Disaster Recovery

Disaster Recovery Plans (DRPs) detail technical procedures for restoring IT systems and infrastructure following major disruptions.

Recovery Procedures

  1. Assess damage and declare disaster
  2. Activate DR team and alternate site
  3. Restore from backups (priority order)
  4. Verify data integrity and functionality
  5. Resume operations and notify stakeholders
  6. Conduct post-incident review

Recovery Priorities

  • Priority 1: Customer-facing services (QNSP)
  • Priority 2: Authentication and access control
  • Priority 3: Customer support systems
  • Priority 4: Development and CI/CD
  • Priority 5: Internal business systems

9. Testing & Exercises

Regular testing ensures BC plans remain effective and personnel are prepared to execute them under pressure.

  • Tabletop Exercises (Quarterly): Discussion-based scenarios with CMT and key stakeholders
  • Simulation Exercises (Bi-annual): Realistic incident simulations with time pressure and decision-making
  • Full DR Test (Annual): Complete failover to alternate site with actual system restoration
  • Backup Restoration (Monthly): Verify backup integrity by restoring to a test environment

Lessons Learned: All tests and exercises are followed by after-action reviews to identify improvements and update BC plans accordingly.

10. Training & Awareness

General Awareness

  • Annual BC awareness training (all staff)
  • Emergency contact information
  • Evacuation procedures
  • Incident reporting channels

Role-Specific Training

  • CMT: Crisis decision-making, media training
  • DR Team: Technical recovery procedures
  • BC Coordinators: Plan maintenance, testing
  • All: Participation in exercises

11. Policy Review & Continuous Improvement

This policy and associated BC plans are reviewed annually or following significant incidents, organizational changes, or test results.

Review Triggers

  • Annual scheduled review
  • Post-incident reviews (actual incidents)
  • Post-exercise lessons learned
  • Significant business changes (M&A, new products)
  • Regulatory or compliance changes

12. Related Policies & Documents

Document ID: POL-BC-001
Version: 1.0
Classification: Internal