Store an up-to-date copy of the continuity plan at the alternate facility.

Establish/Maintain Documentation


This Control directly supports the implied Control(s):
  • Disseminate and communicate the continuity plan to interested personnel and affected parties., CC ID: 00760

There are no implementation support Controls.


  • Copies of the BCP document should be stored at locations separate from the primary sites. A summary of key steps to take in an emergency should be made available to senior management and other key personnel and kept by them in multiple locations (e.g. office, home, briefcase or AI’s website). (6.2.5, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The organization should store copies of the recovery plan at an off-site location that is away from the primary site. (Attach B ¶ 13, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • All components required to enact the recovery plans would typically be located at a sufficient distance from the operational site(s) so that they are not impacted by the same disaster. This includes: recovery sites and hardware; backups of data/information and software; and copies of the recovery pl… (Attachment B ¶ 13, The AD_offical_Name should be: APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The service continuity plans, contact lists, and the Configuration Management Database shall be accessible, even when access to normal service locations is not possible. (§ 6.3.2 ¶ 3, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Duplicate disaster recovery plans, procedures, and other essential information should be kept off site at an easily accessible location. (§ 5.3.4, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • The service continuity plan(s) and list of contacts shall be accessible when access to the normal service location is prevented. (§ 8.7.2 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Copies of the contingency plan shall be stored off-site. (App A § 5 ¶ 2, CMS Business Partners Systems Security Manual, Rev. 10)
  • The organization must store several copies of the contingency plan off-site at different locations, including the homes of key staff members. (CSR 5.7.3, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Contact information for the continuity plan should be maintained at an offsite location. The continuity plan and the recovery procedures should be maintained at the alternate site and the offsite storage locations. (Pg 33, Pg G-11, Exam Tier I Obj 4.1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • (SC-3.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Are the Business Continuity plans and the recovery procedures maintained in a secure way at the alternate site and the offsite storage location? (IT- Business Continuity Q 13, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • A copy of the contingency plan should be stored at the alternate site and with back-up media. (§ 3.6 ¶ 3, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))