Establish and maintain a system continuity plan philosophy.

Establish/Maintain Documentation


This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity framework., CC ID: 00732

This Control has the following implementation support Control(s):
  • Define the executive vision of the continuity planning process., CC ID: 01243
  • Include a pandemic plan in the continuity plan., CC ID: 06800


  • An overall philosophy toward continuity planning is discussed. "A comprehensive approach to risk management will therefore consider risk treatments both proactively. by designing and implementing controls to prevent risk events occurring. and reactively. by mitigating the consequences of such events… (Pg 16, Pg 17, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • The Information Technology Service Continuity (ITSC) strategy should be aligned with the organization's business goals and its corporate strategy, and it should have an agreed upon defined service level to allow for specific service levels that can be measured, analyzed, and improved. (§ 5.2 ¶ 3(a), PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • One should identify the organization's existing business strategy, business objectives, legal and regulatory requirements and understand how a continuity strategy will support these objectives. The impact of organizational strategies on business continuity strategy is examined. Ideally, strategies … (Stage 1.1 Review, Stage 2.1 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • Visible support for business continuity management (BCM) and the emergency management program must be displayed by senior management. This can be accomplished by defining a group responsible for BCM and governance management, best practices coordination, knowledge sharing, consulting, and cross-busi… (§ 5.1.A ¶ 1, § 5.1.B ¶ 1, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • The organization must define the scope of the organizational resilience management system in terms of preserving and protecting the organization's integrity. The organization should consider the following actions when developing, implementing, and maintaining procedures for preparing for and respond… (§ 4.1.1 ¶ 3, § 4.4.7 ¶ 2, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • An emergency management plan should define what an emergency is; define the personnel responsible for specific tasks before, during, and after emergencies; and provide procedures for moving normal operations into and out of emergency situations. The 4 elements of comprehensive emergency management a… (Revised Volume 3 1-I-6, Protection of Assets Manual, ASIS International)
  • The Business Continuity strategy should be based on a sound understanding of the organization, including the goals and objectives of the organization from a Business Continuity perspective. (CF.20.01.04e, The Standard of Good Practice for Information Security)
  • The Business Continuity strategy should be based on a sound understanding of the organization, including the goals and objectives of the organization from a Business Continuity perspective. (CF.20.01.04e, The Standard of Good Practice for Information Security, 2013)
  • The system should allow users the ability to rollback (undo) some or all tasks that have been performed within predetermined limits, such as a time limit, a certain number of operations, or a certain number of characters. (§ 11.10, § F.10, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • be developed based on stated assumptions and an analysis of interdependencies, and (§ 8.4.1 ¶ 3 e), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization must have a documented program for program management that includes program goals, objectives, and a method for evaluating the program. (§ 4.1(2), Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • The organization should have or create a contingency policy before developing an IT systems contingency plan. The contingency policy is a high level statement that tells what management wants to do to address emergencies and to recover from a disruption or emergency. (App A § 3 ¶ 3, CMS Business Partners Systems Security Manual, Rev. 10)
  • System Security Officers (SSOs) and management must be able to show how the organization responds to disruptions and disasters to limit damage; protect lives and sensitive data; circumvent safeguards; and minimize the impact on Medicare operations. (CSR 5.2.3, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization should formulate achievable security goals that conform to the Federal Acquisition Regulations, the Defense Federal Acquisition Regulations, and other relevant DoD policy. The specific sector security goals must respond to validated requirements for improving security. (§ 1.3.2, Defense Industrial Base Information Assurance Standard)
  • Determine whether the testing strategy articulates management's assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery … (Exam Tier I Obj 10.2 (Testing Strategy), FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Glossary ties the definition of the contingency plan directly to the organization's management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failure, or disaster. These … (Glossary, Federal Information System Controls Audit Manual (FISCAM), February 2009)