
Review and prioritize the importance of each business unit.


CONTROL ID: 01165
CONTROL TYPE: Systems Continuity
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Define and prioritize critical business functions, CC ID: 00736

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • AIs should examine the extent to which key business functions are concentrated in the same or adjacent locations and the proximity of the alternate sites to primary sites. Alternate sites should be sufficiently distanced to avoid being affected by the same disaster (e.g. they should be on separate o… (5.1.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • In developing contingency plans, the organization shall evaluate business operations priorities for continuing operations during an emergency. (O65.3(2), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • a comprehensive analysis of dependencies between the critical business processes and supporting systems; (Title 3 3.3.4(a) 54.a(i), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Activities may be categorized by their priority for recovery. The activities whose loss has the greatest impact in the shortest time period and would need to be recovered the fastest may be termed critical activities. The organization may focus the planning on these critical activities, but should a… (§ 6.3, BS 25999-1, Business continuity management. Code of practice, 2006)
  • While developing the Information Technology Service Continuity (ITSC) strategy or plan, each process and its respective business department or function should be ranked according to its business criticality. (§ 7 ¶ 1, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • A review should be performed to identify the organization's critical infrastructure (e.g., by liaising with senior executives, the Business Continuity Management team, and specialist business functions, such as operational risk and internal audit). (CF.08.03.03a, The Standard of Good Practice for Information Security)
  • The Business Continuity program should determine the individual business environments to be supported by Business Continuity plans and arrangements by identifying and recording relevant details (e.g., in a central Business Continuity risk register) about major business areas throughout the organizat… (CF.20.02.02a, The Standard of Good Practice for Information Security)
  • A review should be performed to identify the organization's critical infrastructure (e.g., by liaising with senior executives, the Business Continuity Management team, and specialist business functions, such as operational risk and internal audit). (CF.08.03.03a, The Standard of Good Practice for Information Security, 2013)
  • The Business Continuity program should determine the individual business environments to be supported by Business Continuity plans and arrangements by identifying and recording relevant details (e.g., in a central Business Continuity risk register) about major business areas throughout the organizat… (CF.20.02.02a, The Standard of Good Practice for Information Security, 2013)
  • Review the BIA to determine whether the prioritization of business functions is reasonable. Consider management's ability to do the following: (App A Objective 4:4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Every department, system, and process should be analyzed to determine how they will respond to a disruption and how they will recover from the disruption. The business objectives and critical operations should be prioritized to ensure the organization can maintain customer service at an acceptable l… (Pg 5, Pg D-6, Exam Tier I Obj 3.2, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • (SC-1.3, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The organization identifies critical information system assets supporting essential missions and business functions. (CP-2(8), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization identifies critical information system assets supporting essential missions and business functions. (CP-2(8), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization identifies critical information system assets supporting essential missions and business functions. (CP-2(8), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)