Disseminate and communicate the continuity plan to interested personnel and affected parties.


CONTROL ID: 00760
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a business continuity program., CC ID: 13210

This Control has the following implementation support Control(s):
  • Store an up-to-date copy of the continuity plan at the alternate facility., CC ID: 01171


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Copies of the BCP document should be stored at locations separate from the primary sites. A summary of key steps to take in an emergency should be made available to senior management and other key personnel and kept by them in multiple locations (e.g. office, home, briefcase or AI’s website). (6.2.5, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • App 2-1 Item Number I.5(4): The organization must ensure all necessary personnel have been briefed on the business continuity plan and fully understand it. App 2-1 Item Number VI.7.2(5): The organization must communicate and inform all concerned departments of the contents of the contingency plan an… (App 2-1 Item Number I.5(4), App 2-1 Item Number VI.7.2(5), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The organization shall keep essential sections of contingency plans at disaster headquarters, backup sites, and individual sites, and they should be accessible to every employee. (O65.7, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The organization shall notify all personnel and contractors working on the premises of the responsible individuals and departments, accountability, evacuation routes, and other required information for disaster prevention. (O7.3(1), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Essential sections of contingency plans should be kept in the disaster headquarters, individual sites, and backup sites, and the essential sections should be accessible to every employee at any time. (P73.5., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • be documented and made available to the business and support units and readily accessible in the event of an emergency; (3.7.3 84(b), Final Report EBA Guidelines on ICT and security risk management)
  • Accessibility and comprehensibility of the plans for persons who have to take action in line with these plans (Section 5.14 BCM-03 Basic requirement ¶ 1 Bullet 2, Cloud Computing Compliance Controls Catalogue (C5))
  • For a Business Continuity Management program to be effective, employees must receive communication to become aware of the program and to know what their responsibility is. (Security Policy No. 7 ¶ 4 Bullet 5, HMG Security Policy Framework, Version 6.0 May 2011)
  • Determine that a defined and managed distribution strategy exists to ensure that plans are properly and securely distributed and available to appropriately authorised interested parties when and where needed. Attention should be paid to making the plans accessible under all disaster scenarios. (DS4.7 Distribution of the IT Continuity Plan, CobiT, Version 4.1)
  • All changes to the business continuity plan should be distributed to appropriate personnel with the use of a formal distribution plan that is maintained and kept up to date. (§ 8.3.5 ¶ 2, BS 25999-1, Business continuity management. Code of practice, 2006)
  • Business continuity plans should be accessible to anyone who has responsibilities in the plans. Updated, amended, or changed plans should be distributed to all key personnel. (§ 8.3.1, § 9.4 ¶ 2, BS 25999-1, Business continuity management. Code of practice, 2006)
  • Procedure documentation should be readily available to all points of the organization. Incident management team members should have a copy located where they will always have access to it. This documentation will likely contain confidential and/or sensitive information, so it must be held securely. … (§ 8.4.6 ¶ 2, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • The organization must ensure procedures have been developed, implemented, and maintained for ensuring a relevant version of the documentation is available at points of use. (§ 4.4.5 ¶ 2(d), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The format of the emergency plan should make it easy to distribute the plan to all individuals who have emergency responsibilities. (Revised Volume 3 1-I-10, Protection of Assets Manual, ASIS International)
  • A consistent unified framework for business continuity planning and plan development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business… (BCR-01, Cloud Controls Matrix, v3.0)
  • Develop, identify, and acquire documentation that is relevant to support the business continuity and operational resilience programs. Make the documentation available to authorized stakeholders and review periodically. (BCR-05, Cloud Controls Matrix, v4.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain a business continuity plan based on the results of the operational resilience strategies and capabilities. (BCR-04, Cloud Controls Matrix, v4.0)
  • - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes… (§ 5.2 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The BCMS policy shall - be available as documented information, - be communicated within the organization, - be available to interested parties, as appropriate, - be reviewed for continuing suitability at defined intervals and when significant changes occur. (§ 5.3 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Top management shall ensure that business continuity objectives are established and communicated for relevant functions and levels within the organization. (§ 6.2 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • on what it will communicate, (§ 7.4 ¶ 1 a), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • when to communicate, (§ 7.4 ¶ 1 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall - communicate the results of management review to relevant interested parties, and - take appropriate action relating to those results. (§ 9.3 ¶ 6, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall determine the need for internal and external communications relevant to the BCMS including (§ 7.4 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • their contribution to the effectiveness of the BCMS, including the benefits of improved business continuity performance; (§ 7.3 ¶ 1 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • be communicated; (§ 6.2.1 ¶ 2 e), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Service providers and organizations should keep duplicate copies of disaster recovery plans, disaster/failure procedures, and other essential information that includes details of how to contact staff and the access points for the emergency services. Organizations and service providers should keep du… (§ 5.3.4, § 5.8.1, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • The cloud service provider should provide the specifications of its backup capabilities to the cloud service customer. The specifications should include the following information, as appropriate: – scope and schedule of backups; – backup methods and data formats, including encryption, if relevan… (§ 12.3.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The appropriate sections of the plans must be made available to those individuals who have been assigned specific tasks and responsibilities and to other stakeholders, as required. (§ 5.8.3.9, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be: - Bas… (Business Continuity Plan Development, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Timely distribution of revised plans to personnel. (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:9 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Staff access to key documentation (plans, procedures, and forms); and (TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 7, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, inc… (TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Plans: How the institution conducts Testing 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether the institution has a copy of the TSPs' BCP and incorporates it, as appropriate, into their plans. (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:9, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The continuity plan should be distributed to all employees and the department managers of all critical units. The department managers should review their portions of the continuity plan to ensure the procedures are comprehensive and complete. (Pg 13, Pg 22, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • When the continuity plan is updated, it should be redistributed to all personnel. (Pg 28, Pg D-7, Exam Tier I Obj 4.6, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Determine whether emergency procedures are posted throughout the institution. (Exam Tier II Obj F.3, FFIEC IT Examination Handbook - Operations, July 2004)
  • Obtain the institution's written contingency and business continuity plans for partial or complete failure of the systems and/or communication lines between the bank and correspondent bank, service provider, CHIPS, Federa… (Exam Tier II Obj 10.1, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • (SC-3.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., FedRAMP Security Controls High Baseline, Version 5)
  • Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., FedRAMP Security Controls Low Baseline, Version 5)
  • Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Due to the fact that the Information System Contingency Plan (ISCP) contains potentially sensitive operational and personnel information, it should be marked accordingly and its distribution should be controlled. The ISCP Coordinator should maintain a record of the number of copies of the plan and w… (§ 3.6 ¶ 3, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Copies of the contingency plan should be distributed to recovery personnel for storage. (§ 3.6 ¶ 3, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Organizational records and documents should be examined to ensure the contingency plan is distributed to all personnel involved in the operation of the contingency plan. (CP-1.1, CP-2.1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Because the ISCP contains potentially sensitive operational and personnel information, its distribution should be marked accordingly and controlled. Typically, copies of the plan are provided to recovery personnel for storage. A copy should also be stored at the alternate site and with the backup me… (§ 3.6 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization must distribute the contingency plan to key contingency personnel, identified by name and/or role, and to organizational units. (App F § CP-2.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization distributes copies of the contingency plan to {organizationally documented key contingency personnel}. (CP-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization distributes copies of the contingency plan to {organizationally documented key contingency roles}. (CP-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization distributes copies of the contingency plan to {organizationally documented organizational key contingency elements}. (CP-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization distributes copies of the contingency plan to {organizationally documented key contingency personnel}. (CP-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization distributes copies of the contingency plan to {organizationally documented key contingency roles}. (CP-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization distributes copies of the contingency plan to {organizationally documented organizational key contingency elements}. (CP-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization distributes copies of the contingency plan to {organizationally documented key contingency personnel}. (CP-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization distributes copies of the contingency plan to {organizationally documented key contingency roles}. (CP-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization distributes copies of the contingency plan to {organizationally documented organizational key contingency elements}. (CP-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization distributes copies of the contingency plan to {organizationally documented key contingency personnel}. (CP-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization distributes copies of the contingency plan to {organizationally documented key contingency roles}. (CP-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization distributes copies of the contingency plan to {organizationally documented organizational key contingency elements}. (CP-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Ensure primary and alternate communication capabilities exist for internal and external reporting of appropriate security events and information. (Table 1: Communication Enhanced Security Measures Cell 1, Pipeline Security Guidelines)
  • Each covered entity shall ensure that current copies of the plans or relevant portions therein are distributed or are otherwise accessible, including during a cybersecurity event, to all employees necessary to implement such plans. (§ 500.16 Incident Response and Business Continuity Management (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., TX-RAMP Security Controls Baseline Level 1)
  • Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; (CP-2b., TX-RAMP Security Controls Baseline Level 2)