Establish, implement, and maintain a business continuity policy.


CONTROL ID
12405
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a business continuity program., CC ID: 13210

This Control has the following implementation support Control(s):
  • Include compliance requirements in the business continuity policy., CC ID: 14237
  • Include coordination amongst entities in the business continuity policy., CC ID: 14235
  • Include management commitment in the business continuity policy., CC ID: 14233
  • Include the scope in the business continuity policy., CC ID: 14231
  • Include roles and responsibilities in the business continuity policy., CC ID: 14190
  • Disseminate and communicate the business continuity policy to interested personnel and affected parties., CC ID: 14198
  • Include the purpose in the business continuity policy., CC ID: 14188


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The Board of Directors and senior management of AIs have the ultimate responsibility for business continuity planning and the effectiveness of their BCP. The senior management should establish policies, standards and processes for business continuity planning, which should be endorsed by the Board. … (2.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • has business resilience, continuity control environment policies and standards and operational controls which include: (Title 3 3.3.4(a) 54.b, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • ensuring that the business continuity policy and business continuity objectives are established and are compatible with the strategic direction of the organization; (§ 5.1 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Top management shall establish a business continuity policy that: (§ 5.2.1 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • be available as documented information; (§ 5.2.2 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • the need for changes to the BCMS, including the policy and objectives; (§ 9.3.2 ¶ 1 e), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financ… (Board and Senior Management Responsibilities, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Up-to-date and reflective of the current business environment. (App A Objective 2:1a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • An information security and business continuity risk management function(s) exists within the institution. (Domain 1: Assessment Factor: Risk Management, RISK MANAGEMENT PROGRAM Baseline 1 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Determine whether the board of directors approved policies and management established and implemented policies, procedures, and responsibilities for an enterprise-wide business continuity program, including the following: (App A Objective 12:9, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Contingency planning policy [FedRAMP Assignment: at least annually]; and (CP-1b.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Contingency planning policy [FedRAMP Assignment: at least every 3 years]; and (CP-1b.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Contingency planning policy [FedRAMP Assignment: at least every 3 years]; and (CP-1b.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (CP-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: (CP-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: (CP-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (CP-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: (CP-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (CP-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: (CP-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (CP-1c.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., TX-RAMP Security Controls Baseline Level 1)
  • Contingency planning policy [TX-RAMP Assignment: at least every 3 years]; and (CP-1b.1., TX-RAMP Security Controls Baseline Level 1)
  • A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., TX-RAMP Security Controls Baseline Level 2)
  • Contingency planning policy [TX-RAMP Assignment: at least every 3 years]; and (CP-1b.1., TX-RAMP Security Controls Baseline Level 2)