Question 1

What is emergency documentation according to BSI 200-4?

Accepted Answer

Emergency documentation under BSI Standard 200-4 encompasses all documents required for Business Continuity Management (BCM). This includes the emergency handbook with alerting and escalation plans, the Business Impact Analysis (BIA) with RTO and RPO definitions, business continuity plans, recovery plans, and an emergency preparedness concept. BSI Standard 200-4 defines three maturity levels (Reactive, Build-up, Standard), each with different documentation requirements.

Question 2

What should an emergency handbook contain?

Accepted Answer

An emergency handbook per BSI 200-4 includes: alerting plans with escalation levels and contact lists, definition of the Special Crisis Organization (BAO), immediate actions for various emergency scenarios, communication plans for internal and external stakeholders, recovery plans for critical business processes and IT systems, and references to RTO/RPO from the Business Impact Analysis. BSI provides a free Word template as a starting aid.

Question 3

Is emergency documentation mandatory under NIS-2?

Accepted Answer

Yes. Since December 2025, Business Continuity Management is mandatory under the NIS-2 Directive for affected organizations across the EU. The directive explicitly requires maintenance of operations, backup management, and crisis management. BSI-200-4-compliant emergency documentation demonstrably fulfills this requirement. ISO 27001 Annex A also requires documented BCM procedures in controls A.5.29 and A.5.30.

Question 4

How do you create a Business Impact Analysis (BIA) for emergency documentation?

Accepted Answer

The BIA is the foundation of emergency documentation under BSI 200-4. It follows four steps: 1) Identify and prioritize critical business processes, 2) Conduct damage analysis (financial, reputational, regulatory), 3) Define time parameters — MTPD (maximum tolerable period of disruption), RTO (Recovery Time Objective), and RPO (Recovery Point Objective), 4) Identify resource dependencies (IT systems, personnel, service providers, premises). BIA results determine priorities across all emergency and recovery plans.

Question 5

What is the difference between BSI 200-4 and ISO 22301 for emergency documentation?

Accepted Answer

BSI Standard 200-4 is the German implementation guide for BCM, aligned with ISO 22301 but offering three entry levels (Reactive, Build-up, Standard) instead of a single requirement level. BSI 200-4 provides concrete templates (emergency handbook, BIA, preparedness concept) and is closely integrated with IT-Grundschutz. ISO 22301 is the international certification standard requiring a complete BCMS with documented PDCA cycle. For German organizations, starting with BSI 200-4 and progressing to ISO 22301 certification is recommended.

Question 6

How often must emergency documentation be updated and tested?

Accepted Answer

BSI 200-4 requires at least annual review and update of all emergency documentation. Additionally, emergency plans must be reviewed after every relevant organizational or technical change. Tests and exercises (tabletop exercises, simulations, full tests) should occur at least once per year. Results must be documented and fed back as lessons learned. For NIS-2 obligated organizations, auditors check documentation currency and exercise records.

Question 7

How does ADVISORI support emergency documentation creation?

Accepted Answer

ADVISORI supports the entire BCM documentation process: from initial Business Impact Analysis through creation of emergency handbooks, alerting plans, and recovery plans to exercise planning and execution. We work according to BSI 200–4 and ISO

22301 and deliver audit-proof documentation that also meets NIS-2 requirements. Our experience across financial services, critical infrastructure, and industry ensures your emergency documentation is not only compliant but practically usable in a real emergency.