ICT Readiness for Business Continuity Policy
| Owner | Classification | Review Date | Status |
|---|---|---|---|
| CDO Office | Internal | April 2027 | Active |
| Field | Details |
|---|---|
| Document Type | Policy |
| Document # | SP-ICT BC-014 |
| Owner | Head of Human Resource and Admin; Chief Network Officer |
| Classification | Confidential (Class 2 — Private Data) |
| Version | V1.1 |
| Issue Date | 04/09/2025 |
| Review Cycle | Annual |
| Authorised By | Yassir Pasha |
Document Information
| Field | Details |
|---|---|
| Document # | SP-ICT BC-014 |
| Document Title | ICT Readiness for Business Continuity |
| Version | V1.1 |
| Confidentiality Level | Class 2 (Private Data / Confidential) |
| Date Created | 27/03/2021 |
| Issue Date | 05/09/2025 |
| Document Owner | Head of Human Resource and Admin, Chief Network Officer |
| Author(s) | Simpaisa |
| Purpose | To ensure the readiness of ICT systems, infrastructure, and processes to support uninterrupted business operations during disruptions or disaster scenarios |
| Authorised By | Yassir Pasha |
Reviewed By Steering Committee
| Name | Role |
|---|---|
| Yassir Pasha | Chief Executive Officer |
| Kamil Shaikh | Chief Operating Officer |
| Osama Hashmi | Chief Financial Officer |
| Bachir Njeim | Chief Strategy and Operations Officer |
| Saqlain Raza | Acting Chief Technology Officer |
| Rizwan Zafar | Chief Product Officer |
| Ahsan Hussain | Payment Channel Partnerships |
| Danish Abdul Hameed | Chief Information Security Officer |
| Shahroze Khan | Head of International Merchant Sales and Strategic Alliances |
| Noor Ali | Country Head Pakistan |
| Shoukat Bizinjo | Global Head of Regulatory Affairs · Regulatory |
Change Control
| Version | Date of Issue | Author(s) | Brief Description of Changes | Approved By |
|---|---|---|---|---|
| V1.0 | 08/04/2021 | Rizwan Zafar | Initial release | Salim Karim |
| V1.1 | 05/09/2025 | Simpaisa | As per ISO 27001:2022 | Yassir Pasha |
1 Introduction
1.1 Scope
The Cybersecurity Resilience Aspects of Business Continuity Management Procedure applies to all projects, teams, tools, and stakeholders to ensure a structured, efficient, and authorised approach to maintaining cybersecurity resilience during disruptions.
1.2 Purpose
The purpose of this procedure is to ensure projects are executed securely, efficiently, and in compliance with organisational standards, enhancing cybersecurity resilience, mitigating risks, and ensuring business continuity.
2 Cybersecurity Resilience Aspects of Business Continuity Management
At Simpaisa, Cybersecurity Resilience within Business Continuity Management (BCM) follows a structured approach to ensure operational continuity, data protection, and rapid recovery from disruptions. The process integrates cybersecurity measures across all phases, from risk assessment to recovery, aligning with industry standards and regulatory requirements. Depending on the organisation's needs, a combination of proactive security controls and responsive recovery strategies is implemented. Cyber resilience practices, including threat monitoring, incident response, secure backups, and disaster recovery planning, are embedded within BCM to mitigate risks, minimise downtime, and safeguard critical assets against evolving cyber threats.
2.1 Information Security for Business Continuity
- Identify and classify critical assets, including cloud services, email platforms, endpoint infrastructure, and on-premises systems, ensuring prioritised protection with encryption, multi-factor authentication (MFA), and access restrictions.
- Enhance system resilience through redundancy, secure backups, failover solutions, and disaster recovery planning, ensuring business continuity for critical operations.
- Maintain continuous threat monitoring using FortiGuard Unified Threat Protection and Security Information and Event Management (SIEM) to detect, analyse, and respond to security threats in real time.
- Establish a structured incident response plan integrating security measures with business continuity to address cyber incidents and operational disruptions.
- Conduct security awareness training and third-party risk assessments to ensure preparedness for security threats and supplier-related risks.
- Enforce network segmentation, access controls, and periodic reviews of business continuity security measures to align with evolving threats and regulatory requirements.
2.2 Information Security During Disruption
- Activate emergency cybersecurity measures, including incident response protocols, to prevent unauthorised access and data compromise.
- Enforce strict access controls on affected cloud services, email platforms, endpoints, and network infrastructure, ensuring only authorised personnel can access critical systems.
- Secure remote access through encrypted VPN tunnels, multi-factor authentication (MFA), and endpoint security controls to maintain operational continuity.
- Monitor, detect, and contain cyber threats using FortiGuard Unified Threat Protection, Security Information and Event Management (SIEM), and real-time threat intelligence to prevent escalation.
- Coordinate with internal teams, external service providers, and regulatory authorities to ensure a secure and efficient recovery process, maintaining compliance with security and business continuity.
- Conduct post-incident analysis and update security policies, controls, and response procedures based on lessons learned to strengthen resilience against future disruptions.
2.3 Disaster Recovery Plan (DRP)
- Conduct a preliminary incident assessment to evaluate impact, document findings, and support rapid decision-making.
- Establish an incident response team with defined roles, responsibilities, and authority to coordinate secure recovery efforts.
- Maintain geo-redundant backup storage with encryption and strict access controls to protect cloud data, email records, and critical IT infrastructure.
- Implement automated failover mechanisms to restore essential services with minimal downtime while securing unaffected infrastructure.
- Conduct disaster recovery drills, including tabletop exercises, failover testing, backup restoration, and cybersecurity incident simulations such as phishing or DDoS attacks, to validate recovery plans, improve response strategies, and address emerging risks.
- Integrate cybersecurity measures into the DRP, including incident detection, containment, and mitigation to prevent further compromise.
- Maintain comprehensive documentation of recovery processes, escalation procedures, and contact points for effective response coordination.
2.4 Response Plan for Cybersecurity Incidents
- Utilise FortiGuard Unified Threat Protection and Endpoint Detection and Response (EDR) solutions such as Microsoft Defender or Kaspersky to detect, analyse, and alert on security anomalies across cloud services, email platforms, and endpoints.
- Establish a structured incident response process, including containment, eradication, recovery, and post-incident review, to minimise impact and enhance security resilience.
- Isolate affected user accounts, email systems, and endpoints to prevent unauthorised access, data leakage, and further compromise.
- Apply security patches, revoke compromised credentials, and implement additional controls to mitigate vulnerabilities and prevent recurrence.
- Securely restore email, cloud data, and endpoint configurations from verified backups while ensuring data integrity.
- Conduct a post-incident review, document findings, and update security policies, procedures, and awareness training to strengthen cybersecurity defences.
- Maintain clear escalation procedures, predefined roles, and communication protocols to ensure a coordinated and efficient response.
2.5 Compliance & Enforcement
- All personnel are required to comply with this cybersecurity resilience procedure to ensure business continuity and disaster recovery readiness.
- Any non-compliance or failure to implement security measures will result in corrective actions, including disciplinary measures where applicable.
- Compliance will be monitored through access logs, security alerts from FortiGuard Unified Threat Protection and EDR solutions (e.g., Microsoft Defender, DataDog), backup integrity verification, disaster recovery drills, endpoint security enforcement, remote access audits, and incident response effectiveness.