Establish and maintain the scope of the continuity framework.


CONTROL ID
11908
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity framework., CC ID: 00732

This Control has the following implementation support Control(s):
  • Identify all stakeholders critical to the continuity of operations., CC ID: 12741
  • Include network security in the scope of the continuity framework., CC ID: 16327
  • Explain any exclusions to the scope of the continuity framework., CC ID: 12236
  • Include the organization's business products and services in the scope of the continuity framework., CC ID: 12235
  • Include business units in the scope of the continuity framework., CC ID: 11898
  • Include information security continuity in the scope of the continuity framework., CC ID: 12009
  • Include affected party’s needs and interests in the scope of the continuity framework., CC ID: 12698
  • Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework., CC ID: 12242


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • CSIRTs shall rely on an infrastructure the continuity of which is ensured. To that end, redundant systems and backup working space shall be available. (ANNEX I ¶ 1(1)(c)(iii), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • Restoration procedures, manual temporary solutions and reference information (by taking the prioritisation into account for the recovery of cloud infrastructure components and services as well as orienting to customers) (Section 5.14 BCM-03 Basic requirement ¶ 1 Bullet 5, Cloud Computing Compliance Controls Catalogue (C5))
  • Have you determined the needs and expectations of interested parties that are relevant to the BCMS? Do you review these on a regular basis? (Context of the organization ¶ 3, ISO 22301: Self-assessment questionnaire)
  • Have you determined the scope of your BCMS and did this take into account the external and internal issues, interested parties and any activities performed by other organizations? (Context of the organization ¶ 4, ISO 22301: Self-assessment questionnaire)
  • Is there a formal process for determining continuity objectives based on understanding the impact of disruptive incidents? (Operation ¶ 7, ISO 22301: Self-assessment questionnaire)
  • A consistent unified framework for business continuity planning and plan development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business… (BCR-01, Cloud Controls Matrix, v3.0)
  • The organization shall determine the boundaries and applicability of the BCMS to establish its scope. (§ 4.3.1 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • define the scope of the BCMS in terms of and appropriate to the size, nature and complexity of the organization. (§ 4.3.2 ¶ 1 e), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its BCMS. (§ 4.1 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its BCMS. (§ 4.1 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • the external and internal issues referred to in 4.1; (§ 4.3.1 ¶ 2 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • variations to the scope of the BCMS; (§ 9.3.3.1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. (A.17.1.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization should determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. (§ 17.1.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Considering resilience in business functions and the design of existing operations and new products and services. (App A Objective 2:3e, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Addresses resilience in operations to prevent data loss, protect sensitive customer information from unauthorized disclosure or manipulation, minimize disruption to service delivery, and prevent the loss of situational awareness of the entity's operations. Evaluate whether this operational resilienc… (App A Objective 8:2f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)