Review and prioritize the importance of each business process.


CONTROL ID
11689
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Define and prioritize critical business functions., CC ID: 00736

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • For the first two phases, clear responsibilities should be established and activities prioritised. A recovery tasks checklist should be developed and included in the BCP. It is recognised that certain tasks involved in the full recovery phase may depend on the nature of the disaster concerned and th… (4.3.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The organization must determine the acceptable recovery time for and priority for each business process. (App 2-1 Item Number VI.7.1(3), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Indicates that key business processes should be ranked in order of their importance to the organization. When determining rank, consider such issues as: failure to meet statutory obligations for service delivery failure to meet key stakeholder expectations loss of cash flows essential to business op… (Pg 34, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • For determining the protection needs of the business processes, first the importance of the individual business processes for the organisation should be examined. This should be the basis for considering the dependences between business processes and applications, and how the correspondingly resulti… (§ 8.2.3 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Has top management taken responsibility for the effectiveness of the BCMS and have they communicated the importance of an effective BCMS? (Leadership ¶ 1, ISO 22301: Self-assessment questionnaire)
  • Does the BIA enable prioritization of timeframes for resuming each activity (Recovery Time Objectives) and have minimum levels for resuming activities that have been identified? (Operation ¶ 8, ISO 22301: Self-assessment questionnaire)
  • The security profile shall contain important details about business processes and information, including their level of importance to the organisation (eg very low to very high or mission critical, business operational or business administrative). (CF.12.01.04a, The Standard of Good Practice for Information Security)
  • The Business Continuity program should determine the individual business environments to be supported by Business Continuity plans and arrangements by identifying and recording relevant details (e.g., in a central Business Continuity risk register) about critical business processes (ranked in order … (CF.20.02.02b, The Standard of Good Practice for Information Security)
  • The security profile shall contain important details about business processes and information, including their level of importance to the organisation (eg very low to very high or mission critical, business operational or business administrative). (CF.12.01.04a, The Standard of Good Practice for Information Security, 2013)
  • The Business Continuity program should determine the individual business environments to be supported by Business Continuity plans and arrangements by identifying and recording relevant details (e.g., in a central Business Continuity risk register) about critical business processes (ranked in order … (CF.20.02.02b, The Standard of Good Practice for Information Security, 2013)
  • Verify that the application will only process business logic flows for the same user in sequential step order and without skipping steps. (11.1.1, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that the application will only process business logic flows with all steps being processed in realistic human time, i.e. transactions are not submitted too quickly. (11.1.2, Application Security Verification Standard 4.0.3, 4.0.3)
  • - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes… (§ 5.2 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • use this analysis to identify prioritized activities; (§ 8.2.2 ¶ 1 f), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, consultation, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits; (§ 9.2.2 ¶ 1 a), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The entity shall discuss measures to address business continuity risks, including an identification of critical business operations and redundancies or other measures implemented to enhance resilience of the system or to reduce impact, including insurance against loss. (TC-TL-550a.2. 2, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • The organization has prioritized monitoring of systems according to their criticality to the supported business functions, enterprise mission, and to the financial services sector. (DM.BE-2.2, CRI Profile, v1.2)
  • The organization has prioritized monitoring of systems according to their criticality to the supported business functions, enterprise mission, and to the financial services sector. (DM.BE-2.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Internal systems and business processes. (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:7 Bullet 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The last step of the Business Impact Analysis is to develop recovery priorities. To effectively establish recovery priorities, the business process criticality, tolerable downtime, outage impacts, and system resources should be taken into consideration; the result will be an information system recov… (§ 3.2.3, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • The ISCP Coordinator should next analyze the supported mission/business processes and with the process owners, leadership and business managers determine the acceptable downtime if a given process or specific system data were disrupted or otherwise unavailable. Downtime can be identified in several … (§ 3.2.1 ¶ 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))