Include the organization's business products and services in the scope of the continuity framework.

CONTROL ID: 12235
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish and maintain the scope of the continuity framework., CC ID: 11908

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Financial institutions should implement procedures to prevent the occurrence of security issues in ICT systems and ICT services and should minimise their impact on ICT service delivery. These procedures should include the following measures: (3.4.4 36, Final Report EBA Guidelines on ICT and security risk management)
  • There shall be a defined and documented method for determining the impact of any disruption to the organization that must incorporate the following: - Identify critical products and services - Identify all dependencies, including processes, applications, business partners, and third party service … (BCR-09, Cloud Controls Matrix, v3.0)
  • identify products and services and all related activities within the scope of the BCMS, (§ 4.3.2 ¶ 1 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • take account of the minimum level of products and services that is acceptable to the organization to achieve its objectives, (§ 6.2 ¶ 2 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • identify products and services to be included in the BCMS. (§ 4.3.2 ¶ 1 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • procedures to enable the delivery of products and services at agreed capacity; (§ 8.4.4.2 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization establishes contingencies to address circumstances that might put a vendor out of business or severely impact delivery of services to the organization, sector-critical systems, or the financial sector as a whole. (DM.ED-4.5, CRI Profile, v1.2)
  • The organization establishes contingencies to address circumstances that might put a vendor out of business or severely impact delivery of services to the organization, sector-critical systems, or the financial sector as a whole. (DM.ED-4.5, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Considering resilience in business functions and the design of existing operations and new products and services. (App A Objective 2:3e, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that the plan reflects the entity's current products, business processes, and third-party service providers. (App A Objective 8:2c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether management effectively provides secure customer access to financial services and plans for potential interruptions in service. Review whether management does the following: (App A Objective 6.25, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should do the following: - Develop and maintain policies and procedures to securely offer and strengthen the resilience of remote financial services, if the institution offers such services. - Plan for actions that adversely affect the availability of remote banking services to customer… (II.C.16 Customer Remote Access to Financial Services, FFIEC Information Technology Examination Handbook - Information Security, September 2016)