Nominet Business Continuity Policy

v4.8 published 15 September 2022

Overview

Nominet’s Business Continuity Management System (BCMS) has been designed to help Nominet prepare for and cope with the effects of an emergency or crisis.  It has been developed in line with the requirements of ISO22301 in order to meet the recovery and business continuity needs of the business.  Nominet is committed to the continual improvement of the BCMS to ensure it remains effective and fit-for-purpose.

Business Continuity Objectives

• to provide Nominet and its subsidiaries with an effective framework for minimising the impact of a disruptive event so that critical operations can be maintained with minimal service interruptions or disruption to users through deploying well-prepared and managed response activity;
• to protect Nominet’s reputation for high availability services by ensuring the resilience of critical assets and data through a co-ordinated approach to business continuity management and service recovery;
• to understand the critical functions and activities of Nominet and its subsidiaries and maintain the capability to resume these operations within agreed recovery timeframes; and
• to minimise the commercial impact of any Business Continuity incident.

Scope

The BCMS covers our Minerva House office and the following core services:

• TLD DNS services (including all zonefiles)
• nominet.uk and nominet.org.uk domains and services hosted on them
• Registry systems (Data Escrow, Dragon, EPP, Online Services, WHOIS))
• DNS services including the Protective Domain Name Service (PDNS), PSN DNS and DNSSEC
• DNS monitoring and analysis services; NTX platform
• Customer services; Telephony and Helpdesk Services for all customers
• Nominet’s internal operations systems supporting; Finance, collaboration and productivity

Integration of Business Continuity within Business Operations

• All business continuity activity will be performed to support the strategic organisational objectives with regards to operations, revenues, customers and reputation.
• Our change management process will consider the implications of any change on our business continuity programme.

Business Continuity Capability & Planning

• We will conduct a risk assessment as often as necessary and at least annually to identify risks that could adversely affect the business.
• We will identify our mission critical activities by performing a business impact analysis and we will define recovery time objectives for each mission critical activity.
• We will develop business continuity strategies that provide for the continuity of the mission critical activities within the designated recovery time objectives.  These strategies should include a description of how to provide the resources required to carry out the mission critical activities, including, but not limited to, staff, IT requirements, vital records, specialised equipment, dependencies (e.g. suppliers, vendors, partners, other business processes within Nominet) and working space.
• We will identify, train, and empower members of staff to deal with business continuity matters.
• We will define crisis management and emergency response procedures to manage a crisis or incident and document these in our crisis management and business continuity plans.
• We will document all business continuity strategies and recovery plans, pre-planned actions, advance arrangements, organisation and activation procedures.
• We will carry out business continuity exercises as often as necessary, and at a minimum we will deliver one table-top and one physical test exercise annually.
• We will maintain and update the contents of our BC Operations Manual, Business Impact Analysis, Business Continuity Plan and Crisis Management Plan whenever there is a significant change to our business operations.
• We will review the BCMS annually to ensure it remains fit for purpose.

Responsibility for implementing Business Continuity

• Department managers are responsible for maintaining business continuity in their team area and implementing the business continuity policies within their team.
• The Board is responsible for oversight and scrutiny of business continuity strategies and organisation.
• Department managers are responsible for keeping their sections of the Business Continuity Plan and Crisis Management Plan fit for purpose at all times.  Changes are made through the Business Continuity Planning Team (BCPT) that meets quarterly to review the business continuity materials and any business continuity activity.  Significant changes are presented to the Leadership Team for approval.
• The Leadership Team together with the managers in their departments will identify the members of their team who will join the Business Recovery Team in the event of an incident.
• Relevant BCPT members will review the results of business continuity exercises and incidents to assess the adequacy of our plans and to ensure that any risks identified are understood by the business.
• The Leadership Team will review the BCMS annually to assess its adequacy and effectiveness.