CHANGELOG.md

# Changelog

## [0.1.3] - 2026-05-28
Rewrote frontmatter description to concise 200-500 character trigger metadata for improved agent activation.

## [0.1.0] - 2026-05-27
Initial release. Seven-phase workflow aligned to ISO 22301:2019 clause 8.2.2 and NIST SP 800-34 Rev. 1 Appendix A: Phase 1 scoping (organisation, in-scope entity / business unit / location, BCMS owner, BIA sponsor, regulatory frame — ISO 22301 / NIST 800-34 / FFIEC BCM / DORA / Solvency II / HIPAA Security / OSFI E-21 / APRA CPS 230, BIA cycle — initial / annual / triggered, impact rubric and the corporate risk-tolerance bands, steering-committee roster); Phase 2 process inventory (business processes named with single accountable owner, customer-of-the-process, products / services supported, outputs, peak-period and off-peak posture, regulatory / contractual obligations attached); Phase 3 impact-over-time scoring (per process, across financial, regulatory, contractual / SLA, customer / reputational, life-safety, operational, and workforce dimensions, scored at the corporate impact-time horizons — 0–4h, 4–24h, 1–3d, 3–7d, 1–2w, 2–4w, 4w+ — with the highest dimension setting the row severity); Phase 4 recovery objectives (RTO derived where impact crosses the MTPD-equivalent threshold, MTPD recorded, MBCO defined, RPO derived from data-loss tolerance, WRT for application-recovery hand-off, and the ISO 22301 discipline RTO < MTPD enforced); Phase 5 dependency mapping (upstream-and-downstream applications, data stores, third-party vendors and BPO providers with criticality tier, people / skills, facilities, equipment, utilities, network, identity, key-management, and the cross-process dependency graph that flags shared single points of failure); Phase 6 gap analysis (current recovery capability vs. derived requirement gap per process — current backup posture, replication topology, alternate site, vendor SLA, workforce cross-training, paper / manual workaround feasibility, escalation contact tree); Phase 7 BIA assembly (criticality-tier list — Tier 1 / 2 / 3 / 4 / out-of-scope — DRAFT BIA register, recovery-objective set, dependency map, gap list, BIA-driven recovery-strategy candidate list flagged for the steering committee, validation interview log, and steering-committee review-and-sign-off block) — for the BCMS owner and steering committee's review before any recovery-investment decision, recovery-strategy adoption, contract-tier reassignment of a vendor, or disaster-recovery-test scope change. Never authorises a recovery investment, never approves a recovery strategy, never substitutes for the steering committee's RTO sign-off, never sets a vendor's contractual SLA, and never replaces the IT disaster-recovery test programme.