Establish, implement, and maintain Recovery Time Objectives for all in scope services.

Systems Continuity


This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system continuity plan strategies., CC ID: 00735

There are no implementation support Controls.


  • Determine that the service provider has in place satisfactory business continuity plans ("BCP") that are commensurate with the nature, scope and complexity of the outsourcing arrangement. Outsourcing agreements should contain BCP requirements on the service provider, in particular, recovery time obj… (5.7.2 (a), Guidelines on Outsourcing)
  • Plan the actions to be taken for the period when IT is recovering and resuming services. This may include activation of backup sites, initiation of alternative processing, customer and stakeholder communication, and resumption procedures. Ensure that the business understands IT recovery times and th… (DS4.8 IT Services Recovery and Resumption, CobiT, Version 4.1)
  • There shall be a defined and documented method for determining the impact of any disruption to the organization that must incorporate the following: - Identify critical products and services - Identify all dependencies, including processes, applications, business partners, and third party service … (BCR-09, Cloud Controls Matrix, v3.0)
  • be monitored and updated as appropriate. (§ 6.2 ¶ 2 e), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • shorten the period of disruption; (§ 8.3.2 ¶ 1 d), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Determine whether the testing strategy articulates management's assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery … (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Testing Strategy 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Financial institutions and their TSPs should develop, implement, and test appropriate disaster recovery and business continuity plans capable of maintaining acceptable retail payment-related customer service levels. For financial institutions and service providers with complex retail payment operati… (Business Continuity Planning, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)