Information Security

Dansk

 Information Security Risk assessment Business continuity plan

Business continuity plan

Here you will find information to help you design a business continuity plan that you can activate in the event of an IT systems failure.

We rely on our IT systems and services for many of our daily operations at the university. But how can we ensure that we can continue with our operations when these IT systems and services are unavailable?

It’s good to think about this before the problem arises.

When IT systems and services are unavailable

Aarhus University has made every effort to ensure that staff and students always have access to the IT support they require, but unforeseeable events can result in IT systems and services being unavailable for a period of time.

In the event of an IT systems failure at AU, an emergency response procedure is initiated that deals with the technical issues. But for the most important IT systems and services, it can help to have local continuity plans in place for how individual units/departments can continue their critical operations and processes during these periods of IT downtime.

Recommendations for a business continuity plan

There is no formal requirement to document your answers to the following questions, but we recommend that you consider them when designing your business continuity plan.

1. Scope

  • How much is affected? Is it possible to continue working in another system?
  • If all IT systems and services are unavailable, which tools should you use?

2. Practical matters

  • WHO?
    • Who decides whether your business continuity plan should be activated/terminated?
    • Who needs to be informed? And how?
  • WHEN?
    • How long do you expect the IT systems and services to be unavailable?
    • What is the acceptable downtime for these IT systems and services? (for acceptable downtimes, please see the risk assessment template)
  • WHAT?
    • Which tasks should you prioritise in these situations, and which tasks can wait?
    • What can you do to stay ahead of these types of situations? (for example, could you have printed templates for standard tasks?)
  • HOW?
    • What do you do on a practical level if/when IT systems and services are unavailable, and which tools should you use for this? (for example, pen and paper, mobile phones)
    • Who should do what?
    • What can you do to ensure that everybody knows their own role and responsibility in the business continuity plan, and does this require regular training?

3. Returning to digital systems

Once the IT systems and services are restored, it’s important to return to digital operations in a way that ensures no information gets lost. So you need to have a procedure in place for how your unit/department moves from the business continuity plan back to digital operations.

It’s important that your business continuity plan is reviewed and improved on an ongoing basis, so follow up on what worked and what didn’t work while the IT systems were down. 

Do you need help?

Contact the Information Security Unit, if you have questions, comments or need help. 

Depending on the system classification, you may be required to conduct a business continuity plan as well as a risk assessment:

  • Type A: A risk assessment and a business contingency plan are required. 
  • Type B: A risk assessment is required, but not necessarily a business contingency plan. 
  • Type C: A risk assessment and a business contingency plan are not necessarily required.

Based on assessments of risk, we recommend that individual units consider whether it could be beneficial to have supplementary business continuity plans at local level.

Revised 07.11.2023
-
informationssikkerhed