Business Continuity Plan
ISO/IEC 27001 Toolkit Version 7 ©CertiKit 2016
Business Continuity Plan [Insert Classification]
Implementation Guidance (The header page and this section must be removed from final version of the document)
Purpose of this document The Business Continuity Plan sets out in detail how a particular strategy will be implemented in order to meet the defined requirements. It is intended to be used at the point at which an incident has occurred.
Areas of the standard addressed This document addresses the following sections of the ISO/IEC 27001 standard: Annex A A.17 Information security aspects of business continuity management
General Guidance This template is likely to be used many times to document the various business continuity plans that you will need to cover all of the requirements and strategies you have identified within your organization. For each procedure you should follow the outline headings contained within this template. You may of course add additional headings where appropriate. The intention should be to make these plans as usable as possible since they may be used for the first time in a situation where an unwanted event has occurred, possibly involving loss of life. Regular exercising as defined by the ISO/IEC 27001 standard will of course help in making them familiar to those who may need to invoke them.
Review Frequency We would recommend that this document is reviewed annually or upon significant change to the area to which it relates.
Toolkit Version Number ISO/IEC 27001 Toolkit Version 7 ŠCertiKit 2016.
Version 1
Page 1 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
Document Fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document): 1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name 2. Press Ctrl a on the keyboard to select all text in the document (or use Select, Select All on the ribbon) 3. Press F9 on the keyboard to update all fields 4. When prompted, choose the option to just update TOC page numbers If you wish to permanently convert the fields in this document to text i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the Toolkit Completion Instructions within the Project Resources folder.
Copyright notice Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a trading name of Public I.T. Limited, a company registered in England and Wales with company number 6432088 and registered office at 5 Falcons Rise, Belper, Derbyshire, DE56 0QN.
Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.
Version 1
Page 2 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Version 1
Page 3 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
[Replace with your logo]
Business Continuity Plan
Document Classification: Document Ref. Version: Dated: Document Author: Document Owner:
Version 1
Page 4 of 29
[Insert Classification] ISMS-DOC-A17-2 1 [Insert date]
[Insert date]
Business Continuity Plan [Insert Classification]
Revision History Version Date
Revision Author
Summary of Changes
Distribution Name
Title
Approval Name
Version 1
Position
Signature
Page 5 of 29
Date
[Insert date]
Business Continuity Plan [Insert Classification]
Contents 1
PLAN PURPOSE AND SCOPE ................................................................................................................ 8
2
PLAN OBJECTIVES ................................................................................................................................. 9
3
ACTIVATION CRITERIA AND PROCEDURES ................................................................................ 10 3.1 3.2 3.3
4
AS PART OF THE INCIDENT RESPONSE PROCEDURE ............................................................................. 10 LOCALISED ACTIVATION ..................................................................................................................... 10 ACTIVATION PROCEDURE .................................................................................................................... 10
IMPLEMENTATION PROCEDURE .................................................................................................... 11 4.1 OVERVIEW ........................................................................................................................................... 11 4.2 RECOVERY CHECKLISTS ...................................................................................................................... 12 4.2.1 Business Team Recovery Checklist............................................................................................. 12 4.2.2 IT Recovery Team Checklist ....................................................................................................... 13
5
ROLES, RESPONSIBILITIES AND AUTHORITIES ......................................................................... 15 5.1 5.2
6
IT RECOVERY TEAM ............................................................................................................................ 15 BUSINESS RECOVERY TEAM ................................................................................................................ 15
COMMUNICATION REQUIREMENTS AND PROCEDURES ........................................................ 16 6.1 COMMUNICATION PROCEDURES .......................................................................................................... 16 6.1.1 Means of Communication ........................................................................................................... 16 6.1.2 Communication Guidelines ........................................................................................................ 16 6.1.3 Internal Communication ............................................................................................................. 16 6.1.4 External Communication ............................................................................................................ 17 6.1.5 Communication with the Media .................................................................................................. 17
7
INTERNAL AND EXTERNAL INTERDEPENDENCIES AND INTERACTIONS ......................... 18
8
RESOURCE REQUIREMENTS ............................................................................................................. 19
9
INFORMATION FLOW AND DOCUMENTATION PROCESSES .................................................. 20
10
RESTORATION OF NORMAL SERVICE ........................................................................................... 21 10.1 RESTORATION TO NORMAL SERVICE CHECKLISTS ............................................................................... 22 10.1.1 Business Team Checklist ............................................................................................................ 22 10.1.2 IT Team Checklist ....................................................................................................................... 23
11
APPENDIX A – PLAN ACTIVATION CONTACT SHEET ............................................................... 24
12
APPENDIX B – BLANK ACTIVITY LOGGING FORM .................................................................... 25
13
APPENDIX C – BLANK MESSAGE LOGGING FORM .................................................................... 26
14
APPENDIX D – INTERNAL CONTACT TELEPHONE NUMBERS ................................................ 27
15
APPENDIX E – USEFUL EXTERNAL CONTACTS........................................................................... 28
16
APPENDIX F – THE PHONETIC ALPHABET ................................................................................... 29
List of Tables TABLE 1 - BUSINESS TEAM RECOVERY CHECKLIST.............................................................................................. 12 TABLE 2 - IT RECOVERY TEAM CHECKLIST........................................................................................................... 14 TABLE 3 - IT RECOVERY TEAM MEMBERS ............................................................................................................ 15 TABLE 4 - BUSINESS RECOVERY TEAM MEMBERS ............................................................................................... 15 TABLE 5 - PLAN INTERDEPENDENCIES ................................................................................................................. 18 TABLE 6 - PLAN EXTERNAL INTERACTIONS .......................................................................................................... 18 TABLE 7 - PLAN RESOURCE REQUIREMENTS ....................................................................................................... 19
Version 1
Page 6 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
TABLE 8 - BUSINESS TEAM RESTORATION TO NORMAL SERVICE CHECKLIST ...................................................... 22 TABLE 9 - IT TEAM RESTORATION TO NORMAL SERVICE CHECKLIST ................................................................... 23
Version 1
Page 7 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
1 Plan Purpose and Scope This document sets out a detailed plan to provide business continuity in the following situation: A disruptive incident has occurred that significantly affects the major IT systems of [Organization Name] making them unavailable to users. This may be due to hardware or software failure, loss of power, physical damage or some other reason. The purpose of this plan is to recover the IT systems at an alternative location and to provide user access to them. The procedures set out in this document should be used only as guidance when responding to an incident. The exact nature of an incident and its impact cannot be predicted with any degree of certainty and so it is important that a good degree of common sense is used when deciding the actions to take. However it is intended that the plan set out here will prove useful in allowing the correct actions to be taken more quickly and based on more accurate information. All members of staff named in this document will be given a copy which they must have available when required. Contact details will be checked and updated at least three times a year. Changes to contact or other relevant details that occur outside of these scheduled checks should be sent to business.continuity@organization.com as soon as possible after the change has occurred. All personal information collected as part of the business continuity process and contained in this document will be used purely for the purposes of business continuity planning and is subject to relevant data protection legislation.
Version 1
Page 8 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
2 Plan Objectives The objectives of this business continuity plan are to:
Recover the IT systems at an alternative location within a Response Time Objective of 48 hours Ensure that business operations can continue in limited form until IT systems are restored provide a detailed description of how [Organization Name] will respond to a disruptive incident affecting the IT systems covered by this plan Ensure that information security controls remain in place to protect classified information at all times set out who will respond to an incident and how the service continuity plan will be activated describe the facilities that are in place to help with the implementation of the plan define how decisions will be taken with regard to our response to an incident explain how communication within the organization and with external parties will be handled provide contact details for key people and external agencies and suppliers define what will happen once the incident is resolved and the team is stood down
Version 1
Page 9 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
3 Activation Criteria and Procedures There are two main scenarios in which this plan may be activated: 1. In response to a major disruptive incident that has resulted in the organization’s Incident Response Procedure being activated 2. As a recovery for a smaller, more localised event which although not serious enough to result in activation of the Incident Response Procedure, requires action to address its impact 3.1
As Part of the Incident Response Procedure
Notice will be received from the Incident Response Team (IRT) by telephone to the main plan owner (or deputy) if this plan is required to be activated. This will depend upon the incident that has occurred and the scope of its effects. It is likely that this plan will be one of several that will be activated and co-ordination across the various plans will be needed. 3.2
Localised Activation
It will be up to the main plan owner (or deputy) to request of top management that the plan be activated and to inform them once this has been done. 3.3
Activation Procedure
Once the decision has been taken to activate the plan, the plan owner (or deputy) will contact the members of the recovery team using the contact details at Appendix A. They will then be made aware of the nature of the incident and asked to assemble at the primary location specified below. [Enter the address of the primary assembly location] In the event that the primary location is unavailable, the plan owner will request that the team assemble at the alternative location specified below. [Enter the address of the alternative assembly location] An initial briefing will then be held at which the plan owner will:
Explain why the plan has been activated Describe the impact of the incident Outline what needs to be achieved by the team Allocate tasks according to the checklists detailed in the plan Address any questions the team may have Set out the method and frequency of communication within the team
Version 1
Page 10 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
4 Implementation Procedure 4.1
Overview
The plan is to invoke the disaster recovery contract to provide a Mobile Unit at [alternate location] which will have replacement equipment in it. This equipment will be used to recover the following systems:
SRV04 CRM server SRV08 Accounts Server SRV01 file and print server SRV06 backup server
The service provided in these circumstances will be limited to the following major IT services:
CRM Accounts File serving (shared drive etc.) Printing Payroll Limited Phone System
The following IT services will not be available:
Phone system at main site Data query tools Asset Management system Internet access Email Staff time tracking
Version 1
Page 11 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
4.2
Recovery Checklists
The following checklists should be used in conjunction with the more detailed procedures listed as appendices to this document. 4.2.1
Business Team Recovery Checklist
Task
Procedure reference
Target Actual Completion Completion Date/Time Date/Time
Signature
Confirm with Incident Response Team the likely elapsed time before an interim service will be available Communicate with Business Teams to set expectations Divert phones according to procedure at Appendix Allocate manual tasks to appropriate teams Identify key users and ask them to go to the alternative site once the IT Recovery Team has recovered sufficient IT systems Test systems once go-ahead given by IT Recovery Team Table 1 - Business team recovery checklist
Version 1
Page 12 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
4.2.2
IT Recovery Team Checklist
Task
Procedure reference
Target Actual Completion Completion Date/Time Date/Time
Signature
Invoke the Disaster recovery service (see Appendix) Go to the alternative site Establish Recovery Team rota and progress reporting schedule Clear space in the car park at the alternative site and wait for Mobile Unit to arrive Fetch all tapes from the offsite tape store When Mobile Unit arrives, check that the available hardware is correct and complete Plug the servers into the gigabit switch and power them up using power in Mobile Unit Follow the procedures at Appendix to restore data to the relevant servers in the following order: Backup Server Domain Controller Accounts server CRM server File and print server In parallel with the data restores, install 1 x 24 port switch or hub within the office area. Then connect the switch to the gigabit switch in the Mobile Unit. If no 24 port
Version 1
Page 13 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
Task
Procedure reference
Target Actual Completion Completion Date/Time Date/Time
Signature
switches available they can be purchased at local suppliers Install the 15 PCs supplied by the DR supplier within the office area and cable them up Run a cable from the gigabit switch in the Mobile Unit to the 24 port switch in the main office area Complete data restore and perform connectivity testing Liaise with other Recovery Teams to perform user testing Once testing successful, inform Incident Response Team that systems are now available for use Table 2 - IT recovery team checklist
Version 1
Page 14 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
5 Roles, Responsibilities and Authorities 5.1
IT Recovery Team
The IT Recovery Team consists of the following people: Name Person A Person B Person C Person D Person E
Title IT Manager Server Support Technician Network Support Analyst Senior Software Technician Database Analyst
Role In Plan Plan Owner Server Specialist Network Specialist Application Specialist Database Specialist
Table 3 - IT recovery team members
The IT Recovery Team is responsible for:
5.2
Recovering servers, operating systems and any other components upon which the applications are based Restoration of applications and data from backups and the restoration of LAN and WAN links, including the configuration of switches and routers and liaison with external network suppliers. Setup and configuration of the business applications once they have been restored to the server hardware. This will involve liaison with third party application support services.
Business Recovery Team
The members of the Business Recovery Team will depend upon the areas affected and may include: Name Person A Person B Person C Person D
Title Sales Manager Financial Controller Buying Manager Operations Manager
Role in Plan Business Recovery Business Recovery Business Recovery Business Recovery
Table 4 - Business recovery team members
The Business Recovery Team is responsible for:
Managing the establishment of manual business procedures until such time as the required IT systems are recovered Testing of systems once the IT Team has given the go ahead
Version 1
Page 15 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
6 Communication Requirements and Procedures All requests for information from the media or other sources should be referred to the Incident Response Team by telephone on +xx xxx xxx xxxx. 6.1
Communication Procedures
It is vital that effective communications are maintained between all parties involved in the incident response. 6.1.1
Means of Communication
The primary means of communication during an incident will be telephone, both landline and mobile. In the event of telephone communications being unavailable provision may be made for the use of radio communications, although the usable range of such equipment should be assessed. Email should not be used unless telephone and equivalent alternatives are unavailable. 6.1.2
Communication Guidelines
The following guidelines should be followed in all communications:
Be calm and avoid lengthy conversation Internal team members should refer information requests to the IRT If the call is answered by someone other than the contact: Ask if the contact is available elsewhere If they cannot be contacted leave a message to contact you on a given number Do not provide details of the Incident Always document call time details, responses and actions
All communications should be clearly and accurately recorded using the form at Appendix C to this document. 6.1.3
Internal Communication
Calls to the command centre should use the main number which is:
+xx xxx xxx xxxx Eight lines are available for incoming calls. If there is no answer a message may be left. If the call is urgent the caller should both leave a message and call back as well as trying alternative methods of communication if available. If leaving a message, ensure you leave:
Version 1
Page 16 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
Your name Your number Your organization The name of the person the message is for The message
Details of the incident should not be given when leaving a message. 6.1.4
External Communication
Depending on the incident there may be a variety of external parties that will be communicated with during the course of the response. It is important that the information released to third parties is managed so that it is timely and accurate. Calls that are not from agencies directly involved in the incident response (such as the media) should be passed to the member of the IRT responsible for communications. Emergency responders such as the police, fire and ambulance services will be well practised in incident handling and will have their own structured methods for communication and every effort should be made to comply with these. A listing of the phonetic alphabet used by the emergency services is at Appendix F. 6.1.5
Communication with the Media
In general the communication strategy with respect to the media will be to issue regular updates via top management. No members of staff should give an interview with the media unless this is preauthorised by the IRT.
Version 1
Page 17 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
7 Internal and External Interdependencies and Interactions This business continuity plan is part of a set of plans that has been created to address a variety of potential situations affecting [Organization Name]. Depending on the nature and scope of the incident that has occurred, it may be necessary to co-ordinate the execution of this plan with that of others. The key business continuity plans that may have an interdependency with this plan are as follows: Document Plan title reference Plan001 Loss of Access to Building A Plan003 Emergency home working [List all relevant business continuity plans]
Plan Description
Plan Owner
Move key business Person A activities to alternate site Allow key staff to access Person B IT systems from home
Table 5 - Plan interdependencies
Contact details for the above plan owners can be found at Appendix D. If the Incident Response Procedure has been activated, communication should initially be channelled through the IRT. This plan also depends upon the following external interactions: External Agency Emergency services
Disaster Recovery Supplier
Dependency Permission to allow key staff to leave site and attend alternative site Ability to deliver contracted equipment within target timescale
Comments Depends on type of incident
May depend upon commitments to other customers in a widespread incident
[List all relevant external dependencies]
Table 6 - Plan external interactions
Version 1
Page 18 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
8 Resource Requirements The resources required to implement this business continuity plan are as follows: Resource
Quantity Source
Comments
Mobile computer room facility 4 x HP ML370 servers
1
DR supplier
Contract in place
4
DR supplier
Contract in place
1 x LTO2 tape drive
1
DR supplier
Contract in place
Gigabit switch
1
DR supplier
Contract in place
15 200 sq ft
DR supplier Alternative location Stored at alternative location Car park at alternative location Tape store
Contract in place Agreed with Facilities Management Agreed with Facilities Management
Desktop PCs Office space with desks and chairs Cabling
50 lengths
Car park space
15 spaces
Back-up tapes
10 approx
Agreed with Facilities Management Most recent backups only
Table 7 - Plan resource requirements
These resources will need to be made available in order for the plan to be completed in a timely fashion. Requests for further resources (or issues with the identified resources) should be escalated to the Incident Response Team (if the Incident Response Procedure has been activated) or via normal management channels.
Version 1
Page 19 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
9 Information Flow and Documentation Processes During an incident response it is vital that information flows effectively around the response teams and that certain processes are followed to ensure that actions and messages are recorded correctly. If the Incident Response Procedure has been activated then regular updates on the situation should be given to the IRT. The frequency of these updates will be specified by the IRT Team Leader, although significant events should be communicated immediately (see section 6.1 – Communication Procedures). Within the local recovery teams for this business continuity plan, the plan owner will decide how often progress updates should be given and is responsible for coordination between the IT Recovery and Business Recovery teams. Actions that are decided upon as a result of progress meetings should be recorded using the template form at Appendix B.
Version 1
Page 20 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
10 Restoration of Normal Service Once this plan has been implemented and the servers recovered at the alternate location, a decision will need to be made about how long this situation will be required for. This will depend upon a number of factors including the extent of the damage to the primary site and how long it will be before the infrastructure required to house the servers is back in place. Top management should decide when a restoration of normal service should be attempted based on advice from all involved parties. It is likely that this will be done over a period of low business activity e.g. a weekend or bank holiday. The checklists on the following pages should be used to move the IT services back to their original location (or permanent replacement location). These checklists are based on the assumption that the required hardware and network connectivity has been replaced and is fully operational at the primary site before work begins.
Version 1
Page 21 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
10.1 Restoration to Normal Service Checklists The following checklists should be used in conjunction with the more detailed procedures listed as appendices to this document. 10.1.1 Business Team Checklist
Task
Procedure reference
Target Actual Completion Completion Date/Time Date/Time
Signature
Confirm with IT team the likely length of any outages whilst the restoration takes place Communicate with Business Teams to set expectations Divert phones according to procedure at Appendix Allocate manual tasks to appropriate teams if required Test systems once go-ahead given by IT Team Table 8 - Business team restoration to normal service checklist
Version 1
Page 22 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
10.1.2 IT Team Checklist
Task
Procedure reference
Target Actual Completion Completion Date/Time Date/Time
Signature
Inform the Disaster recovery service of the intention to vacate their equipment Go to the primary site Establish Team rota and progress reporting schedule Fetch all tapes from the offsite tape store Check that the available hardware is correct and complete Follow the procedures at Appendix to restore data to the relevant servers in the following order: Backup Server Domain Controller Accounts server CRM server File and print server Complete data restore and perform connectivity testing Liaise with other Recovery Teams to perform user testing Once testing successful, inform the business that systems are now available for use Table 9 - IT team restoration to normal service checklist
Version 1
Page 23 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
11 APPENDIX A – Plan Activation Contact Sheet The following table should be used to record successful and unsuccessful initial contact with members of the team: Name
Role in Plan
Office Number
Home Number
Mobile Number
Person A
Team Leader
Xxx xxx xxx
Xxx xxx xxx
Xxx xxx xxx
Person B
Xxx xxx xxx
Xxx xxx xxx
Xxx xxx xxx
Person C
Xxx xxx xxx
Xxx xxx xxx
Xxx xxx xxx
Person D
Xxx xxx xxx
Xxx xxx xxx
Xxx xxx xxx
Person E
Xxx xxx xxx
Xxx xxx xxx
Xxx xxx xxx
Person F
Xxx xxx xxx
Xxx xxx xxx
Xxx xxx xxx
Person G
Xxx xxx xxx
Xxx xxx xxx
Xxx xxx xxx
Person H
Xxx xxx xxx
Xxx xxx xxx
Xxx xxx xxx
Version 1
Page 24 of 29
Date/Time
Outcome (Contacted/No Ans /Msg Left /Unreachable)
ETA (if contacted)
[Insert date]
Business Continuity Plan [Insert Classification]
12 APPENDIX B – Blank Activity Logging Form Major Incident:
Date
Time
Location:
Action
Incident Team Leader:
By
Comments
Signature
Sheet No.:
Version 1
Page 25 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
13 APPENDIX C – Blank Message Logging Form Major Incident:
Date
Time
Location:
Caller
Incident Team Leader:
Caller’s number
Message for
Message
Sheet No.:
Version 1
Page 26 of 29
[Insert date]
Business Continuity Plan [Insert Classification]
14 APPENDIX D – Internal Contact Telephone Numbers The following table shows the telephone numbers of key internal personnel: Name
Version 1
Title
Department
Role in Plan
Page 27 of 29
Telephone Number
Email address
[Insert date]
Business Continuity Plan [Insert Classification]
15 APPENDIX E – Useful External Contacts The following table shows the contact details of agencies and people who may be useful depending on the nature of the incident: Name
Version 1
Title
Organization
Address
Page 28 of 29
Telephone Number
[Insert date]
Business Continuity Plan [Insert Classification]
16 APPENDIX F – The Phonetic Alphabet In order to ensure that messages are understood correctly, the phonetic alphabet should be used when spelling out words and numbers.
Phonetic Alphabet A – Alpha
B – Bravo
C – Charlie
D – Delta
E – Echo
F – Foxtrot
G – Golf
H – Hotel
I – India
J – Juliet
K – Kilo
L – Lima
M – Mike
N – November
O – Oscar
P – Papa
Q – Quebec
R – Romeo
S – Sierra
T – Tango
U – Uniform
V – Victor
W – Whiskey
X – X-ray
Y – Yankee
Z – Zulu
0 - Zero
1 – Wun
2 – Two
3 - Tree
4 – Fower
5 – Fife
6 – Six
7 – Seven
8 - Ait
9 – Niner
Version 1
Page 29 of 29
[Insert date]