Take into account external requirements when establishing, implementing, and maintaining the continuity framework.

CONTROL ID: 11907
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity framework., CC ID: 00732

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: (4.15 106, Final Report on EBA Guidelines on outsourcing arrangements)
  • Have you determined the scope of your BCMS and did this take into account the external and internal issues, interested parties and any activities performed by other organizations? (Context of the organization ¶ 4, ISO 22301: Self-assessment questionnaire)
  • Focus attention on items specified as most critical in the IT continuity plan to build in resilience and establish priorities in recovery situations. Avoid the distraction of recovering less-critical items and ensure response and recovery in line with prioritised business needs, while ensuring that … (DS4.3 Critical IT Resources, CobiT, Version 4.1)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, for business resiliency and operational continuity to manage the risks of minor to catastrophic business disruptions. These policies, procedures, processes, and measures must protect t… (BCR-10, Cloud Controls Matrix, v3.0)
  • The organization shall ensure that these applicable legal, regulatory and other requirements to which the organization subscribes are taken into account in establishing, implementing and maintaining its BCMS. (§ 4.2.2 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • the requirements of these interested parties (§ 4.2.1 ¶ 1 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • take into account applicable requirements, and (§ 6.2 ¶ 2 d), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall establish, implement and maintain a procedure(s) to identify, have access to, and assess the applicable legal and regulatory requirements to which the organization subscribes related to the continuity of its operations, products and services, as well as the interests of releva… (§ 4.2.2 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • includes a commitment to satisfy applicable requirements, (§ 5.3 ¶ 1 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • mitigating, responding to and managing impacts. (§ 8.3.1 ¶ 2 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • establish BCMS requirements, considering the organization's mission, goals, internal and external obligations, and legal and regulatory responsibilities, (§ 4.3.2 ¶ 1 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of ke… (§ 9.3 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • implement and maintain a process to identify, have access to, and assess the applicable legal and regulatory requirements related to the continuity of its products and services, activities and resources; (§ 4.2.2 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • ensure that these applicable legal, regulatory and other requirements are taken into account in implementing and maintaining its BCMS; (§ 4.2.2 ¶ 1 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • the requirements referred to in 4.2; (§ 4.3.1 ¶ 2 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • its mission, goals, and internal and external obligations. (§ 4.3.1 ¶ 2 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • take into account applicable requirements (see 4.1 and 4.2); (§ 6.2.1 ¶ 2 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization has incorporated its external dependencies and critical business partners into its cyber resilience (e.g., incident response, business continuity, and disaster recovery) strategy, plans, and exercises. (DM.RS-2.1, CRI Profile, v1.2)
  • A business impact analysis (BIA) is the first step in the business continuity planning process and should include the: - Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis; - Identification of the potential impact… (Business Impact Analysis, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Interview management and review the business continuity request information to identify: (TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)