Most organisations commissioning a business continuity plan refresh are trying to fix the same issue:
the plan exists, but it won’t hold up under a real incident.
That gap is getting wider. Cyber incidents now drive most major disruptions, yet incident response and business continuity are still designed separately. When systems go down, teams are left bridging that gap in real time.
The outcome is predictable: delays, confusion, and improvised decisions under pressure.
If you want a different result, start with the scope of work.
A good Statement of Work (SOW) defines what will actually change — how services operate, how decisions are made, and how the plan is proven. A weak one delivers a tidy document and the same risk.
What a BCP refresh SOW needs to do
A SOW should clearly define scope, deliverables, responsibilities and success criteria.
For a business continuity plan refresh, that means three things:
- integrating cyber incident response and continuity
- producing usable, operational documentation
- generating testing evidence
If those aren’t written into the scope, they won’t happen.
Core SOW structure
1. Objectives and scope
Define:
- in-scope services, sites and teams
- what “acceptable recovery” looks like
- clear exclusions
If the scope says “review and update the BCP”, you are buying activity, not outcomes.
2. Integrated cyber and continuity response
The SOW should require alignment between:
- incident response triggers and BCP activation
- cyber containment decisions and business recovery priorities
- roles across IT, security, operations and communications
Most organisations fail because these are owned separately and never joined up.
3. Deliverables (what you actually get)
This is where most SOWs fall short.
If you don’t define operational deliverables, you get a document, not readiness.
A practical set should include:
- service-level continuity plans
- cyber incident playbooks
- recovery runbooks
- role cards and escalation routes
- contact lists and communication templates
Everything should be usable under pressure.
4. Manual workarounds and operating without systems
This is the biggest gap in most plans.
Cyber incidents rarely fail because IT does nothing. They fail because the business cannot operate while systems are down.
Outages can last hours or days. During that time, the organisation still needs to function.
Your SOW should require:
- defined “minimum viable service” for critical activities
- manual or offline workarounds
- clear prioritisation (what continues, pauses, or stops)
- realistic capacity limits for manual work
- fallback options for key dependencies
This is not about perfect continuity.
It is about keeping the organisation moving while recovery happens.
5. Governance and ownership
Define:
- plan ownership and update responsibilities
- decision rights during an incident
- escalation thresholds
- how cyber and continuity governance align
In a crisis, unclear governance slows everything down.
6. Documentation standards
Set expectations for usability:
- clear navigation
- visible decision points
- consistency across plans
Plans need to work for people under pressure, not auditors.
7. Testing and exercise evidence
Testing is what turns a plan into something real.
Without it, you are relying on assumptions.
Your SOW should require:
- defined scenarios (including cyber-triggered disruption)
- structured walkthroughs or simulations
- captured actions and improvements
- documented evidence
No testing, no proof.
8. Quality checklist and acceptance criteria
Define what “good” looks like upfront.
A usable plan should demonstrate:
- clear scope and governance
- defined roles and decisions
- realistic recovery timelines
- integration between cyber and business response
- usable documentation
- evidence of testing
If those aren’t met, the work isn’t complete.
Common failure points
Across most refresh projects:
- scope too vague
- no link between cyber events and business response
- deliverables focus on documents, not actions
- manual workarounds missing
- testing deferred
All of these start at SOW stage.
What good looks like
A proper business continuity plan refresh should leave you with:
- clear, service-level plans
- integrated cyber and business response
- defined manual ways of working during outages
- tested scenarios with evidence
- teams who understand what to do
If you don’t have those, the refresh hasn’t done its job.
Final thought
The biggest risk in a BCP refresh is not effort.
It is a scope that allows the wrong outcome.
Define deliverables, governance, manual workarounds, and testing evidence upfront, and you get a plan that works.
Leave it vague, and you get a document that sits on a shelf.