Establish, implement, and maintain a continuity framework.

CONTROL ID: 00732
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a business continuity program., CC ID: 13210

This Control has the following implementation support Control(s):
  • Establish and maintain the scope of the continuity framework., CC ID: 11908
  • Take into account external requirements when establishing, implementing, and maintaining the continuity framework., CC ID: 11907
  • Include Quality Management in the continuity framework., CC ID: 12239
  • Establish and maintain a system continuity plan philosophy., CC ID: 00734
  • Establish, implement, and maintain continuity roles and responsibilities., CC ID: 00733
  • Coordinate continuity planning with other business units responsible for related continuity plans., CC ID: 01386
  • Include continuity wrap-up procedures and continuity normalization procedures during continuity planning., CC ID: 00761
  • Monitor disaster forecasting organizations for when disaster events are discovered., CC ID: 06373
  • Evaluate all possible continuity risks and impacts as a part of the continuity framework., CC ID: 06374


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The development of the business continuity plan must involve all stakeholders; top management must approve the plan. (App 2-1 Item Number I.5(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O7: The organization shall establish a unit for disaster prevention and control. (O7, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The organization should develop recovery strategies, plans, and arrangements for all offshore components, if they become unavailable for an extended period of time due to a man-made disaster, a natural disaster, and/or a financial failure. (Attach B ¶ 16, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • In addition to the requirements in the EBA SREP Guidelines (para 279 - 281) competent authorities should assess whether the institution has an appropriate framework in place for identifying, understanding, measuring and mitigating ICT availability and continuity risks. (Title 3 3.3.4(a) 53., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Based on the business impact analysis, a uniform framework for planning the business continuity and business plan is introduced, documented and applied in order to ensure that all plans (e.g. of the different sites of the cloud provider) are consistent. The planning depends on established standards… (Section 5.14 BCM-03 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • In order to be effective, the organization must implement a business continuity management program that is appropriate for its complexity and size. (Security Policy No. 7 ¶ 4 Bullet 2, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization should implement a business continuity plan for program operations, including information system(s)(electronic and paper) that identifies which systems and processes must be maintained and the effect an outage would have on the organization's program. (CORE - 14(a), URAC Health Utilization Management Standards, Version 6)
  • Develop a framework for IT continuity to support enterprisewide business continuity management using a consistent process. The objective of the framework should be to assist in determining the required resilience of the infrastructure and to drive the development of disaster recovery and IT continge… (DS4.1 IT Continuity Framework, CobiT, Version 4.1)
  • Encourage IT management to define and execute change control procedures to ensure that the IT continuity plan is kept up to date and continually reflects actual business requirements. Communicate changes in procedures and responsibilities clearly and in a timely manner. (DS4.4 Maintenance of the IT Continuity Plan, CobiT, Version 4.1)
  • Business continuity plans should be concise and contain the elements stated in sections 8.3.2 to 8.3.6 and sections 8.7.2 to 8.7.5. (§ 8.3.1, § 8.7.1, BS 25999-1, Business continuity management. Code of practice, 2006)
  • IT policy statements should include, but not be restricted to defining overall business continuity planning requirements (ensure all business aspects are considered when a disaster or disruption occurs, not just the IT elements). (§ 5.3.1 ¶ 3, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Business continuity plans should identify the potential sources of disruption; critical applications and processes, along with the acceptable downtime levels; acceptable response and recovery times; locations and storage mechanisms for backups; data back up frequency; alternate sites; equipment and … (§ 5.2 (Business Continuity) ¶ 3, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The organization must have a Statement of Applicability to define the strategic weighting of preparedness, emergency management, security management, crisis management, disaster management, and business continuity management, based on a risk assessment and impact analysis. (§ 4.1.1 ¶ 4, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The information security function should provide proactive support for the development of the organization's Business Continuity program. (CF.01.02.04f, The Standard of Good Practice for Information Security)
  • The Business Continuity Management team should establish a Business Continuity program to support the organization's Business Continuity strategy. (CF.20.02.01, The Standard of Good Practice for Information Security)
  • Each Business Continuity Plan should be developed in conjunction with business representatives. (CF.20.05.03, The Standard of Good Practice for Information Security)
  • The information security function should provide proactive support for the development of the organization's Business Continuity program. (CF.01.02.04f, The Standard of Good Practice for Information Security, 2013)
  • The Business Continuity Management team should establish a Business Continuity program to support the organization's Business Continuity strategy. (CF.20.02.01, The Standard of Good Practice for Information Security, 2013)
  • Each Business Continuity Plan should be developed in conjunction with business representatives. (CF.20.05.03, The Standard of Good Practice for Information Security, 2013)
  • A consistent unified framework for business continuity planning and plan development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business… (BCR-01, Cloud Controls Matrix, v3.0)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, for business resiliency and operational continuity to manage the risks of minor to catastrophic business disruptions. These policies, procedures, processes, and measures must protect t… (BCR-10, Cloud Controls Matrix, v3.0)
  • is appropriate to the purpose of the organization, (§ 5.3 ¶ 1 a), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • provides a framework for setting business continuity objectives, (§ 5.3 ¶ 1 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by - establishing a business continuity policy, - ensuring that BCMS objectives and plans are established, - establishing roles, respo… (§ 5.2 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. (§ 5.3 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall establish, implement, maintain and continually improve a BCMS, including the processes needed and their interactions, in accordance with the requirements of this International Standard. (§ 4.4 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall establish, implement, maintain and continually improve a BCMS, including the processes needed and their interactions, in accordance with the requirements of this document. (§ 4.4 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • the integrity of the BCMS; (§ 6.3 ¶ 2 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • A framework should be implemented to ensure all continuity plans are consistent and to identify priorities for testing and maintenance. Each plan should state when the plan should be activated and who is responsible for each part. When new equipment or processes are added to the system, the plan sho… (§ 14.1.4, ISO 27002 Code of practice for information security management, 2005)
  • The organization has an enterprise-wide cyber resilience (including business continuity, and incident response) strategy and program. (DM.RS-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Every member should develop a systems continuity plan and disclose a summary of that plan to its customers. Members and member organizations must also designate and notify the Exchange of a senior officer who assumes the responsibility of approving and annually reviewing all plans. (R 3510, NASD Manual)
  • The organization must have a documented program for program management that includes an executive policy; program goals, objectives, and an evaluation method; program plan and procedures; authorities, regulations, legislation, and/or industry codes of practice; program budget, project schedule, and … (§ 4.1, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • § 3.4 ¶ 1: CMS business partners shall develop and document an IT systems contingency plan. The contingency plan must describe the implemented arrangements and the steps to take to continue operations. The contingency plan shall be reviewed annually, reviewed whenever new systems are planned, revi… (§ 3.4 ¶ 1, App A § 4.1 ¶ 1, App A § 11, CMS Business Partners Systems Security Manual, Rev. 10)
  • Contingency plans must include all of the items listed in the CMS business partners Systems Security Manual, Appendix B and the organization must provide annual contingency plan training. (CSR 5.2.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a … (§242.1001(a)(2)(v), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • The organization will have a contingency plan to protect its IT systems which includes a full IT disaster recovery plan to prepare for any unforeseen incidents. (Pg 47, C-TPAT Supply Chain Security Best Practices Catalog)
  • Policies and procedures shall be developed and implemented, as needed, to respond to emergencies and other events that may damage any systems that contain electronic protected health information. (§ 164.308(a)(7)(i), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Coordinated plans of action should be cooperatively developed to prevent, deter, and mitigate the adverse effects of terrorist attacks or natural disasters and ensure the continuity of business by having resilient, diverse communications capability in place. The plans should also identify how to res… (§ 5.1 ¶ 4 thru ¶ 5, Defense Industrial Base Information Assurance Standard)
  • Contingency planning is a key element of cybersecurity. Without adequate contingency planning and training, agencies may not be able to effectively handle disruptions in service and ensure business continuity. OMB, through the Federal Information Security Management Act requirements and with assista… (§ I.A.4.a, The National Strategy to Secure Cyberspace, February 2003)
  • Verify that appropriate policies, standards, and processes address business continuity planning issues including: (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The adequacy of corporate contingency planning and business resumption for data centers, networks, service providers, and business units. Consider the adequacy of offsite data and program backup and the adequacy of business resumption testing. (TIER II OBJECTIVES AND PROCEDURES C.1. Bullet 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • States that the continuity plan should include additional measures for a possible pandemic. It should include a preventive program to monitor for potential outbreaks and educating employees; a strategy for how to recover from a wave and prepare for future waves; a framework of procedures, facilities… (Pg D-2, Pg D-3, Exam Tier I Obj 2.5, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Is the Business Continuity Plan or Disaster Recovery Plan appropriate for the Credit Union's size and complexity? (IT - Business Continuity Q 3, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Define the organizational framework of the contingency plan. (§ 4.7.1 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Information system contingency planning includes organizational and business process continuity, incident management, and disaster recovery planning. A suite of plans should be used to prepare the response, recovery, and continuity activities for disruptions. This section describes the purposes and … (§ 2.2, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) (ID.BE-5, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Resilience requirements to support delivery of critical services are established. (ID.BE-5, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Organizational records and documents should be examined to ensure a contingency plan has been developed, disseminated throughout the organization, and reviewed and approved by senior personnel and that specific responsibilities and actions are defined for the implementation of the contingency plan c… (CP-2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization must develop and implement a Continuity Of Operations security policy. (SG.CP-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, a formal, documented Contingency Planning policy that includes the scope, purpose, roles, responsibilities, compliance, management commitment, and coordination amongst entities. (App F § CP-1.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (CP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (CP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (CP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (CP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)