Question 1

How long does a BCDR engagement take?

Accepted Answer

Scope-dependent — typically a few weeks to several months. The drivers are the number of critical processes in scope, the maturity of your existing plans (revising is faster than starting from scratch), and how quickly stakeholder workshops can be scheduled. We do not commit to a fixed week-count without seeing the BIA scope first.

Question 2

Do we need ISO 22301 certification?

Accepted Answer

Not for the programme to be valuable. Many organisations build a 22301-aligned BCMS without seeking external certification — the programme is the point, the certificate is optional. Where customers, regulators, or contracts require certification, we structure the programme so it is audit-ready from day one rather than retrofitted later.

Question 3

What is the difference between business continuity and disaster recovery?

Accepted Answer

BC is the business-process view: how do we keep delivering critical services through a disruption. DR is the technical view: how do we restore IT systems after they fail. They are complementary. ISO 22301 covers BC; ISO/IEC 27031:2025 covers ICT readiness for BC. Most engagements deliver both because the dependencies run in both directions.

Question 4

How do RTOs and RPOs actually get set?

Accepted Answer

Through the BIA. RTO is the maximum acceptable downtime for a process; RPO is the maximum acceptable data loss. Both are agreed with the process owner against business impact, then stress-tested for affordability against the recovery strategy. A 4-hour RTO and a 4-week RTO have very different price tags. The point of the BIA is to make that trade-off explicit.

Question 5

How often should we test BCDR plans?

Accepted Answer

At least annually, and after material change. ISO 22301:2019 requires periodic exercise as part of the management-system requirements, and most regulators expect annual cadence at a minimum. We typically split: a leadership tabletop annually, and technical recovery drills more frequently for the highest-criticality systems.

Question 6

Do you cover ICT readiness specifically, or is that a separate piece of work?

Accepted Answer

Both. ISO/IEC 27031:2025 (the current revision, replacing the 2011 edition) covers ICT readiness for business continuity — the technical layer of plans, recovery infrastructure, and testing. We deliver this as an integrated part of a wider 22301 BCMS, or as a standalone uplift if a 22301 BCMS is already in place and the gap is on the ICT side.

Question 7

How does this connect to incident response?

Accepted Answer

An IR engagement responds to a security incident; a BCDR programme responds to a business-process disruption. The two overlap when an incident causes a disruption — e.g. a ransomware event triggering both. We deliberately scope IR retainers and BCDR programmes so the activation pathways are coherent rather than duplicating each other. See the security incident response service for the IR side.

Question 8

What about UK regulatory drivers?

Accepted Answer

UK GDPR Article 32 includes availability and resilience as required attributes of personal-data processing — BCDR is a practical control. Financial-services firms are increasingly subject to operational-resilience expectations from the FCA and PRA, and EU-regulated activity may fall under DORA (Regulation (EU) 2022/2554). We map programme outputs to the regulatory framework that applies, rather than building generic plans and retrofitting compliance.

Question 9

Will the programme document include actual recovery procedures?

Accepted Answer

Yes. The plan authoring stage produces runbooks with explicit triggers, roles, decision points, and checklists. The plan is designed to be picked up and used by a substitute responder under pressure. We deliberately do not produce 80-page binder plans nobody reads — short, usable runbooks beat comprehensive shelfware every time.

Question 10

Can you run a tabletop exercise without doing a full programme first?

Accepted Answer

Yes. Stand-alone tabletops are a valid engagement on their own — usually a half-day or full-day session against an existing plan or a defined scenario. They surface plan gaps fast and give leadership a realistic view of what response would actually look like. Output is a written exercise report with prioritised improvement actions.

ISO 22301-aligned BCDR. Plans you can actually use.

What we mean by BCDR

What we do

Business Impact Analysis

RTO / RPO definition

Plan authoring

Tabletop exercises

How a programme runs

Scoping call

Business Impact Analysis

Strategy & plan authoring

Tabletop exercise

Review & maintenance

The five-stage programme

Why 1 Sequence Cyber

Standards-aligned, certification-ready

Integrated with the wider security programme

Frequently asked questions

Ready to scope a BCDR programme?

ISO 22301-aligned BCDR. Plans you can actually use.

What we mean by BCDR

What we do

Business Impact Analysis

RTO / RPO definition

Plan authoring

Tabletop exercises

How a programme runs

Scoping call

Business Impact Analysis

Strategy & plan authoring

Tabletop exercise

Review & maintenance

The five-stage programme

Business Impact Analysis (BIA)

Strategy & RTO/RPO definition

Plan authoring

Tabletop exercises & live testing

Review & continuous improvement

Why 1 Sequence Cyber

Standards-aligned, certification-ready

Integrated with the wider security programme

Frequently asked questions

How long does a BCDR engagement take?

Do we need ISO 22301 certification?

What is the difference between business continuity and disaster recovery?

How do RTOs and RPOs actually get set?

How often should we test BCDR plans?

Do you cover ICT readiness specifically, or is that a separate piece of work?

How does this connect to incident response?

What about UK regulatory drivers?

Will the programme document include actual recovery procedures?

Can you run a tabletop exercise without doing a full programme first?

Ready to scope a BCDR programme?