Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework.


CONTROL ID: 12242
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish and maintain the scope of the continuity framework., CC ID: 11908

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs should formulate a formal strategy for communication with key external parties (e.g. regulators, investors, customers, counterparties, business partners, service providers, the media and other stakeholders). The strategy needs to set out to which parties AIs should communicate in the event of a … (4.7.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Defined communication channels, roles and responsibilities including the notification of the customer (Section 5.14 BCM-03 Basic requirement ¶ 1 Bullet 4, Cloud Computing Compliance Controls Catalogue (C5))
  • Establish communication with stakeholders and participants in the course of business continuity and resilience procedures. (BCR-07, Cloud Controls Matrix, v4.0)
  • with whom to communicate. (§ 7.4 ¶ 1 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - recei… (§ 7.4 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • with whom to communicate; (§ 7.4 ¶ 1 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • the intended recipients of the communication; in some cases, a list should be maintained (e.g. for communicating changes to services or crisis); (§ 7.4 Guidance ¶ 3(n), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Personnel to be notified should be clearly identified in the contact lists appended to the plan. This list should identify personnel by their team position, name, and contact information (e.g., home, work, cell phone, email addresses, and home addresses). An entry may resemble the following format: (§ 4.2.2 ¶ 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Because the ISCP contains potentially sensitive operational and personnel information, its distribution should be marked accordingly and controlled. Typically, copies of the plan are provided to recovery personnel for storage. A copy should also be stored at the alternate site and with the backup me… (§ 3.6 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))