Establish, implement, and maintain organizational facility continuity plans.

Establish/Maintain Documentation


This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a business continuity program., CC ID: 13210

This Control has the following implementation support Control(s):
  • Identify telecommunication facilities critical to the continuity of operations., CC ID: 12732
  • Install and maintain redundant telecommunication feeds for critical assets., CC ID: 00726
  • Install and maintain redundant power supplies for critical facilities., CC ID: 06355
  • Implement redundancy in life-safety systems., CC ID: 02228
  • Include bomb threat procedures and bomb procedures in the organizational facility continuity plan., CC ID: 02229


  • The organization must develop measures for preventing facility failure and to recover quickly in the event of a failure. This is an IT general control. (App 2-1 Item Number IV.10(5), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The organization shall create an operation manual for each facility to prevent erroneous operations and handle disasters or failures expeditiously and properly. (O76.3(1), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • location and building facilities that provide a level of protection from natural and man-made threats. This includes diversity of access to key utility services such as power and telecommunications, as well as fall-back mechanisms where access to the key utility service has failed (e.g. generators, … (46(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • For regulated institutions that have critical system components (processing and/or data) located offshore, sound practice would involve the development of recovery strategies, plans and associated arrangements, to address the scenario where the component located offshore becomes unavailable for an u… (Attachment B ¶ 16, The AD_offical_Name should be: APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Precautions against the failure of supply services such as power, cooling or network connections are taken by means of suitable safeguards and redundancies in coordination with safeguards for operational reliability. Power and telecommunication supply lines which transport data or supply information… (Section 5.5 PS-04 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The organization must verify that all locations where system assets, including cryptographic items, and information are stored have developed Business Continuity plans and Disaster Recovery plans. (Mandatory Requirement 49, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must develop counter-terrorist contingency plans that state the procedures to follow in the event of an incident or imminent terrorist threat. The plans should be a part of the organization's continuity plan. (Security Policy No. 6 ¶ 11, HMG Security Policy Framework, Version 6.0 May 2011)
  • Government agencies that are assessed as a high or medium risk for terrorist attacks must have a counter-terrorist contingency plan. The plan must deter or minimize the impact of a hostile interest or attack and must include details of the protective security measures for each response level; how to… (Mandatory Requirement 67, HMG Security Policy Framework, Version 6.0 May 2011)
  • Contingency planning or disaster recovery planning, including responding to security incidents should be considered in physical and environmental security. This planning should include the coordination and logistics of the full scope of business activities. A plan that has not been successfully test… (§ 5.3.4 ¶ 3, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • The organization should develop international contingency plans to respond to specific events, identify personnel responsibilities during and after the event, and develop a corporate emergency response team. The plan should include 3 stages: alert, preparing for evacuation, and evacuation. The plan … (Pg 23-VI-15, Pg 23-VI-16, Protection of Assets Manual, ASIS International)
  • physical infrastructure such as buildings, workplaces or other facilities and associated utilities; (§ 8.3.4 ¶ 1 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Procedures shall be established (and implemented as needed) to allow the facility to be accessed during an emergency to restore lost data under the disaster recovery plan and emergency mode operations plan. The covered entity shall assess these procedures to determine if it is a reasonable and appro… (§ 164.310(a)(2)(i), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Facilities; (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Is available for use until the institution achieves full recovery from the disaster and resumes activity at the institution's own facilities. (TIER I OBJECTIVES AND PROCEDURES BCP - Hardware, Back-up and Recovery Issues Objective 6:3 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Address personnel, processes, technology, and facility issues. (IV Action Summary ¶ 2 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether there are established performance benchmarks and standards for the IT function and whether they serve to help management identify problem areas, particularly in system or data center availability, operating conditions, response times, and error rates. (App A Objective 13:2, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Implement a contingency plan based upon a standard methodology. (§ 4.7.1 Bullet 4, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Business continuity plans should be in place before a bank implements new technology. (¶ 39, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)