Explain any exclusions to the scope of the continuity framework.
CONTROL ID 12236
CONTROL TYPE Establish/Maintain Documentation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish and maintain the scope of the continuity framework., CC ID: 11908
This Control has the following implementation support Control(s):
Refrain from including exclusions that could affect business continuity., CC ID: 12740
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
The institution should consider worst case scenarios in its business continuity plans. Some examples of these scenarios are unavailability of service provider due to unexpected termination of the outsourcing agreement, liquidation of the service provider and wide-area disruptions that result in coll… (5.7.4, Guidelines on Outsourcing)
When defining the scope, the organization shall document and explain exclusions; any such exclusions shall
not affect the organizationâs ability and responsibility to provide continuity of business and operations that meet
the BCMS requirements, as determined by business impact analysis or risk as… (§ 4.3.2 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
variations to the scope of the BCMS; (§ 9.3 ¶ 4 a), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
When defining the scope, the organization shall document and explain exclusions. They shall not affect the organization's ability and responsibility to provide business continuity, as determined by the business impact analysis or risk assessment and applicable legal or regulatory requirements. (§ 4.3.2 ¶ 2, ISO 22301:2019, Security and resilience â Business continuity management systems â Requirements, Second Edition)
