Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework.


CONTROL ID
11907
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity framework., CC ID: 00732

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: (4.15 106, Final Report on EBA Guidelines on outsourcing arrangements)
  • Have you determined the scope of your BCMS and did this take into account the external and internal issues, interested parties and any activities performed by other organizations? (Context of the organization ¶ 4, ISO 22301: Self-assessment questionnaire)
  • Focus attention on items specified as most critical in the IT continuity plan to build in resilience and establish priorities in recovery situations. Avoid the distraction of recovering less-critical items and ensure response and recovery in line with prioritised business needs, while ensuring that … (DS4.3 Critical IT Resources, CobiT, Version 4.1)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, for business resiliency and operational continuity to manage the risks of minor to catastrophic business disruptions. These policies, procedures, processes, and measures must protect t… (BCR-10, Cloud Controls Matrix, v3.0)
  • The organization shall ensure that these applicable legal, regulatory and other requirements to which the organization subscribes are taken into account in establishing, implementing and maintaining its BCMS. (§ 4.2.2 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • the requirements of these interested parties (§ 4.2.1 ¶ 1 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • take into account applicable requirements, and (§ 6.2 ¶ 2 d), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall establish, implement and maintain a procedure(s) to identify, have access to, and assess the applicable legal and regulatory requirements to which the organization subscribes related to the continuity of its operations, products and services, as well as the interests of releva… (§ 4.2.2 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • includes a commitment to satisfy applicable requirements, (§ 5.3 ¶ 1 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • mitigating, responding to and managing impacts. (§ 8.3.1 ¶ 2 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • establish BCMS requirements, considering the organization's mission, goals, internal and external obligations, and legal and regulatory responsibilities, (§ 4.3.2 ¶ 1 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of ke… (§ 9.3 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • implement and maintain a process to identify, have access to, and assess the applicable legal and regulatory requirements related to the continuity of its products and services, activities and resources; (§ 4.2.2 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • ensure that these applicable legal, regulatory and other requirements are taken into account in implementing and maintaining its BCMS; (§ 4.2.2 ¶ 1 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • the requirements referred to in 4.2; (§ 4.3.1 ¶ 2 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • its mission, goals, and internal and external obligations. (§ 4.3.1 ¶ 2 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • take into account applicable requirements (see 4.1 and 4.2); (§ 6.2.1 ¶ 2 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization has incorporated its external dependencies and critical business partners into its cyber resilience (e.g., incident response, business continuity, and disaster recovery) strategy, plans, and exercises. (DM.RS-2.1, CRI Profile, v1.2)
  • A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact… (Business Impact Analysis, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Interview management and review the business continuity request information to identify: (TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • To be effective and to ensure that personnel fully understand the organization's contingency planning requirements, the contingency plan must be based on a clearly defined policy. The contingency planning policy statement should define the organization's overall contingency objectives and establish … (§ 3.1 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • As information system contingency plans are developed during the Initiation phase of the SDLC, they should be coordinated with related organization-wide policies and programs, including information system security, physical security, human resources, system operations, and emergency preparedness fun… (§ 3.1 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Operational requirements; (§ 3.6 ¶ 2 Bullet 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • This chapter discusses the key elements that compose the ISCP. As described in Chapter 3, ISCP development is a critical step in the process of implementing a comprehensive contingency planning program. The plan contains detailed roles, responsibilities, teams, and procedures associated with restori… (§ 4 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Contingency considerations discuss technical requirements or factors to complement the contingency solution. (§ 5.5 ¶ 1 Bullet 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • This chapter complements the process and framework guidelines presented in earlier sections by discussing technical contingency planning considerations for specific types of information systems. The information presented in this section will assist the reader in selecting, developing, and implementi… (§ 5 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Development/Acquisition Phase. As initial concepts evolve into information system development, specific contingency solutions may be determined. As in the Initiation phase, technical contingency planning considerations in this phase should reflect system and operational requirements. The design shou… (Appendix F ¶ 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Personnel safety and evacuation during and after a disruption are typically addressed in an OEP. Personnel should be aware of their physical security and exit procedures and should practice these procedures during regular fire drill exercises. OEPs and ISCPs may include instructions for securing off… (Appendix D Subsection 1 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))