
Expert Advice Community

Difference between plans

Guest post   Created: Jan 12, 2016   Last commented: Jan 12, 2016

Hello Dejan, what are the main differences between the business continuity plan, incident response plan and recovery plans in your toolkit? For my DRP (IT recovery), which is the most appropriate?

DejanK   Jan 12, 2016

Juliano,

The difference is the following:
- Business continuity plan is a top-level plan with some general guidelines and responsibilities
- Incident response plan describes how to initially respond to various incidents - e.g. earthquake, fire, bomb threat, etc.
- Recovery plans are used to describe how individual activities/departments will be recovered if their operations have been disrupted. This plan can be used both for the business side of your organization and for the IT department - as the Disaster Recovery Plan.

This article may also help you: Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

Guest post   Jan 12, 2016

The ISO 22301 incident plan seems to have a physical bent to it - responding to power, HVAC and hardware issues at the data center. It seems like we need a separate "security incident plan" where the detection, isolation, remediation and recovery steps are more at the technical and logical levels, such as a response to a DOS attack, for example, or if malware were to cause our servers to fail to operate. It seems like a single plan would be way too long if it were to cover everything from a blade in a server failing to operate and needing to be replaced to an infected virtual machine server needing to be disposed of and replaced with a fresh copy. It seems these would be two completely separate plans, as the types of response as well as the types of expertise required would be wildly divergent. Am I missing something, or making the job of writing the plan(s) too complex? It seems like the planning and response for a "security incident" would be much more important (and much more likely to be executed) than the "incident response plan" involving earthquake, fire, bomb threat, etc. However, it seems like ISO 22301 is more concerned with the latter (physical) type of incident.

DejanK   Jan 12, 2016

ISO 22301 doesn't really tell you which kinds of incidents you need to address in the Incident response plan - such a plan needs to address all the major risks identified during your risk assessment. Therefore, if you consider the risk of DOS attacks likely, you should include it in your Incident response plan.

I agree with you that if you want to have several very detailed incident response procedures in this Incident response plan, it would become too long and therefore unreadable - in such a case you could have those incident response procedures as separate documents.

However, I wouldn't recommend such an approach for a smaller company, not even for a mid-sized one - too many detailed plans can have a counter-effect for companies of this size.
