Operational and Systems Continuity

IT Impact Zone
IT Impact Zone


This is a top level control.

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a business continuity program., CC ID: 13210
  • Establish, implement, and maintain a pandemic plan., CC ID: 13214
  • Prepare the alternate facility for an emergency offsite relocation., CC ID: 00744
  • Train personnel on the continuity plan., CC ID: 00759
  • Establish, implement, and maintain a business continuity plan testing program., CC ID: 14829


  • App 2-1 Item Number I.5(1): The organization must develop a business continuity policy. App 2-1 Item Number VI.7.2(3): The feasibility of the contingency plan must be assessed and confirmed. This is an IT general control. (App 2-1 Item Number I.5(1), App 2-1 Item Number VI.7.2(3), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (Art. 32.1.(b), Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • (App ¶ 2, Turnbull Guidance on Internal Control, UK FRC, October 2005)
  • Business continuity planning ensures that, if a disaster occurs, its consequences for IT services are limited to a level agreed with the customer. With the ever increasing dependency on IT, it is important that IT services are consistently delivered to an agreed level of quality. Every time a servic… (§ 3.4.4, OGC ITIL: Security Management)
  • Disaster recovery plans and continuity plans should be developed by the organization. (¶ 38, ¶ 42, Principle 7, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • The organization should ensure the business continuity management policy is appropriate to the scale, nature, geography, complexity, and criticality of the business activities and it must reflect the dependencies, culture, and operating environment. The business continuity program should be communic… (§ 4.2, § 5.3.1, BS 25999-1, Business continuity management. Code of practice, 2006)
  • A documented business continuity management system must be developed, implemented, maintained, and continually improved upon in accordance with sections 3.2 to 3.4. (§ 3.1, BS 25999-2, Business continuity management. Specification, 2007)
  • Information Technology Service Continuity (ITSC) should be carried out with a complete and thorough understanding of the organization's standards, policies, processes, and supporting services for the management of business continuity; corporate governance and management of risk; major incident and c… (§ 4 ¶ 1, § 8.1, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • The organization must develop, document, implement, maintain, and continually improve its organizational resilience management system. The organization must develop and maintain a continuity strategic program to ensure controls, processes, and resources are available to meet the organization's criti… (§ 4.1, § 4.3.3 ¶ 5(d), § 4.4.7 ¶ 1, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The physical security program should prevent the interruption of operations, therefore disaster plans and contingency plans should be developed. (Pg 1-I-A1, Pg 19-I-8, Protection of Assets Manual, ASIS International)
  • ¶ 13.2 Secure Service Management should be implemented for network security. ¶ 13.2.1 Introduction to Secure Service Management. A key security requirement for any network is that it is supported by secure service management activities, which will initiate and control the implementation, and opera… (¶ 13.2, ¶ 13.2.1, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • All business functions should have business continuity plans produced, tested, maintained, and updated. The service providers should first identify business priorities and the correct and most cost effective business continuity strategy for their business before producing, using, and testing the bus… (§ 5.11, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • A policy should be implemented for business continuity in the event of an emergency. This policy should address the information security requirements of the organization. (§ 14.1.1, ISO 27002 Code of practice for information security management, 2005)
  • The organization should create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption. Such procedures must be reasonably designed to enable the member to meet its existing obligations to customers. In addition, such procedu… (R 3510, NASD Manual)
  • The program must include the following plans: a strategic plan, prevention plan, migration plan, recovery plan, continuity plan and an emergency operations/response plan. (§, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • All buildings should have a current emergency plan. It should include procedures for fire, weather, and CBR (chemical, biological, and radiological) attacks. (Pg 20, Guidance for Protecting Building Environments from Airborne Chemical, Biological, or Radiological Attacks, NIOSH, May 2002, DHHS (NIOSH) Publication No. 2002-139, May 2002)
  • The organization must include, but not limit, the secure information system recovery and reconstitution procedures to: resetting all system parameters; reestablishing configuration settings; reinstalling system and application software; reinstalling patches; and fully testing the system. (CSR 3.6.7, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The physical security program should prevent the interruption of operations, therefore disaster plans and contingency plans should be developed. (§ I.A.4.a, The National Strategy to Secure Cyberspace, February 2003)
  • Exam Tier II Obj C.1 Determine whether audit procedures for operations consider ▪ The adequacy of security policies, procedures, and practices in all units and at all levels of the financial institution and service providers. ▪ The adequacy of data controls over preparation, input, processing, a… (Exam Tier II Obj C.1, Exam Tier II Obj E.1, Exam Tier II Obj E.2, Exam Tier II Obj F.2, FFIEC IT Examination Handbook - Audit, August 2003)
  • The continuity plan should be written on an organization-wide basis. It should document the procedures and strategies to recover, resume, and maintain critical functions and processes. The continuity plan should include the impact of threats identified during the risk assessment and the Business Imp… (Pg 13, Pg 14, Exam Tier I Obj 2.1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should develop a continuity plan for e-banking services. (Pg A-2, Obj 1.5, Obj 4.3, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization should have procedures in place to ensure it can continue operating during emergencies. (Pg 27, FFIEC IT Examination Handbook - Management)
  • The organization's continuity plan should address the telecommunications system and item processing. (Pg 28, Pg C-11, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization should have an effective business continuity plan. The service provider's continuity plan should be integrated into the organization's continuity plan. (Pg 25, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • The organization should have a continuity plan to manage interruptions to the system. (Pg 36, Exam Tier I Obj 2.3, Exam Tier I Obj 5.5, Exam Tier II Obj 12.1, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The organization should have business continuity plans in place. (Pg 33, Exam Tier I Obj 2.3, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The organization must develop, document, distribute, and continuously update a contingency plan policy that identifies roles, responsibilities, and procedures for the implementation of contingency plan security controls. The contingency planning security controls are not required at the Federal, sta… (§ 5.6.6, Exhibit 4 CP-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Federal information systems must have contingency plans. (§ 3, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • This appendix discusses the issues involved in developing contingency plans for LAN environments, including incident response, backup operations, and recovery. (App C, FIPS Pub 191, Guideline for the Analysis of Local Area Network (LAN) Security)
  • Contingency planning directly supports an organization's goal of continued operations. Organizations should practice contingency planning because it makes good business sense. Contingency planning addresses how to keep an organization's critical functions operating in the event of disruptions, both … (§ 3.6, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure the contingency planning policy and procedures are documented, disseminated, reviewed, and updated and specific responsibilities and actions are defined for the implementation of the contingency planning policy and procedures control.… (CP-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)