Document the concept of operations in the continuity plan, including a line of succession.

Establish/Maintain Documentation


This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity plan., CC ID: 00752

There are no implementation support Controls.


  • Is there an Incident Response Structure (IRS) which details the management structure and trained personnel in place to respond to a disruptive incident? (Operation ¶ 19, ISO 22301: Self-assessment questionnaire)
  • The organization should develop an action plan that includes a structured checklist of tasks and actions in priority order. This plan should highlight how to activate the business continuity plan; who is responsible for activating the business continuity plan; the procedures for making the decision … (§ 8.7.2, § 8.7.5 ¶ 2, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The business continuity management policy must make reference to or include the scope, including exclusions and limitations, and objectives of the business continuity. (§, BS 25999-2, Business continuity management. Specification, 2007)
  • Business continuity plans should identify personnel responsibilities and individuals accountable for the continuity process. (§ 5.2 (Business Continuity) ¶ 3, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The organization should include the procedures, along with who has authority, to declare an emergency, initiate emergency procedures, activate plans, assess the damage, and make financial decisions when it develops its incident prevention, preparedness, and response procedures. (§ 4.4.7 ¶ 3(g), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Develop, identify, and acquire documentation that is relevant to support the business continuity and operational resilience programs. Make the documentation available to authorized stakeholders and review periodically. (BCR-05, Cloud Controls Matrix, v4.0)
  • The plans must have objectives that are clearly stated and identify functional roles and responsibilities of external and internal agencies, organizations, departments, and positions; lines of authority; resource requirements and logistics support; how to manage an incident, and how to manage commun… (§ 5.8.2, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • The organization should consider how to organize the contingency plan. It should in a logical order, first detailing what the user will want to know or do first. The contingency plan should include an understandable and useful table of contents. (App A § 3 ¶ 11, CMS Business Partners Systems Security Manual, Rev. 10)
  • The organization must document the emergency processing priorities and they must be approved by the appropriate program and data processing managers. (CSR 5.5.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Staff and management succession plans; (TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Defining business continuity roles, responsibilities, and succession plans. (App A Objective 2:5a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The concept of operations section may include a system description (information system architecture, location(s), and other important technical considerations); an overview of the three phases (Activation and Notification, Recovery, and Reconstitution); and roles and responsibilities (an overall str… (§ 4.1 ¶ 3, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • The Continuity of Operations plan must define the roles and responsibilities of assigned individuals, along with their contact information, and their duties to restore the system after a disruption or failure. (SG.CP-2 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop a contingency plan and it must address contingency roles and responsibilities and include assigned individuals and their contact information. (App F § CP-2.a Bullet 3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)