Establish, implement, and maintain a business continuity policy.
CONTROL ID 12405
CONTROL TYPE Establish/Maintain Documentation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain a business continuity program., CC ID: 13210
This Control has the following implementation support Control(s):
Include compliance requirements in the business continuity policy., CC ID: 14237
Include coordination amongst entities in the business continuity policy., CC ID: 14235
Include management commitment in the business continuity policy., CC ID: 14233
Include the scope in the business continuity policy., CC ID: 14231
Include roles and responsibilities in the business continuity policy., CC ID: 14190
Disseminate and communicate the business continuity policy to interested personnel and affected parties., CC ID: 14198
Include the purpose in the business continuity policy., CC ID: 14188
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
The Board of Directors and senior management of AIs have the ultimate responsibility for business continuity planning and the effectiveness of their BCP. The senior management should establish policies, standards and processes for business continuity planning, which should be endorsed by the Board. … (2.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
has business resilience, continuity control environment policies and standards and operational controls which include: (Title 3 3.3.4(a) 54.b, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
approve, oversee and periodically review the implementation of the financial entity's ICT business continuity policy and ICT response and recovery plans, referred to, respectively, in Article 11(1) and (3), which may be adopted as a dedicated specific policy forming an integral part of the financial… (Art. 5.2. ¶ 2(e), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
Financial entities shall implement the ICT business continuity policy through dedicated, appropriate and documented arrangements, plans, procedures and mechanisms aiming to: (Art. 11.2., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
ensure the continuity of the financial entity's critical or important functions; (Art. 11.2.(a), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
Financial entities shall regularly review their ICT business continuity policy and ICT response and recovery plans, taking into account the results of tests carried out in accordance with the first subparagraph and recommendations stemming from audit checks or supervisory reviews. (Art. 11.6. ¶ 3, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
set out communication and crisis management actions that ensure that updated information is transmitted to all relevant internal staff and external stakeholders in accordance with Article 14, and report to the competent authorities in accordance with Article 19. (Art. 11.2.(e), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
As part of the ICT risk management framework referred to in Article 6(1) and based on the identification requirements set out in Article 8, financial entities shall put in place a comprehensive ICT business continuity policy, which may be adopted as a dedicated specific policy, forming an integral p… (Art. 11.1., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
ensuring that the business continuity policy and business continuity objectives are established and are compatible with the strategic direction of the organization; (§ 5.1 ¶ 1 a), ISO 22301:2019, Security and resilience â Business continuity management systems â Requirements, Second Edition)
Top management shall establish a business continuity policy that: (§ 5.2.1 ¶ 1, ISO 22301:2019, Security and resilience â Business continuity management systems â Requirements, Second Edition)
be available as documented information; (§ 5.2.2 ¶ 1 a), ISO 22301:2019, Security and resilience â Business continuity management systems â Requirements, Second Edition)
the need for changes to the BCMS, including the policy and objectives; (§ 9.3.2 ¶ 1 e), ISO 22301:2019, Security and resilience â Business continuity management systems â Requirements, Second Edition)
A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes:
- Establishing policy by determining how the institution will manage and control identified risks;
- Allocating knowledgeable personnel and sufficient financ… (Board and Senior Management Responsibilities, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
Up-to-date and reflective of the current business environment. (App A Objective 2:1a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
An information security and business continuity risk management function(s) exists within the institution. (Domain 1: Assessment Factor: Risk Management, RISK MANAGEMENT PROGRAM Baseline 1 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
Determine whether the board of directors approved policies and management established and implemented policies, procedures, and responsibilities for an enterprise-wide business continuity program, including the following: (App A Objective 12:9, FFIEC Information Technology Examination Handbook - Management, November 2015)
A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
Contingency planning policy [FedRAMP Assignment: at least annually]; and (CP-1b.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
Contingency planning policy [FedRAMP Assignment: at least every 3 years]; and (CP-1b.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
Contingency planning policy [FedRAMP Assignment: at least every 3 years]; and (CP-1b.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
[Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: (CP-1a.1., FedRAMP Security Controls High Baseline, Version 5)
Policy [FedRAMP Assignment: at least annually] and following [Assignment: organization-defined events]; and (CP-1c.1., FedRAMP Security Controls High Baseline, Version 5)
[Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: (CP-1a.1., FedRAMP Security Controls Low Baseline, Version 5)
Policy [FedRAMP Assignment: at least every 3 years] and following [Assignment: organization-defined events]; and (CP-1c.1., FedRAMP Security Controls Low Baseline, Version 5)
[Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: (CP-1a.1., FedRAMP Security Controls Moderate Baseline, Version 5)
Policy [FedRAMP Assignment: at least every 3 years] and following [Assignment: organization-defined events]; and (CP-1c.1., FedRAMP Security Controls Moderate Baseline, Version 5)
Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (CP-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
[Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: (CP-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
[Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: (CP-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (CP-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
[Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: (CP-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (CP-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (CP-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
[Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: (CP-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
[Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: (CP-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (CP-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
[Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: (CP-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (CP-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
[Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: (CP-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (CP-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
Develop the contingency planning policy; (§ 3 ¶ 1 (1), NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
To be effective and to ensure that personnel fully understand the organization's contingency planning requirements, the contingency plan must be based on a clearly defined policy. The contingency planning policy statement should define the organization's overall contingency objectives and establish … (§ 3.1 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
Contingency policies; (§ 3.6 ¶ 5 Bullet 9, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
[Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: (CP-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (CP-1c.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
[Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: (CP-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (CP-1c.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
Contingency planning policy [Assignment: organization-defined frequency]; and (CP-1b.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
Business continuity and disaster recovery (BCDR) plan. BCDR plans shall be reasonably designed to ensure the availability and functionality of the covered entity's information systems and material services and protect the covered entity's personnel, assets and nonpublic information in the event of a… (§ 500.16 Incident Response and Business Continuity Management (a)(2), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., TX-RAMP Security Controls Baseline Level 1)
Contingency planning policy [TX-RAMP Assignment: at least every 3 years]; and (CP-1b.1., TX-RAMP Security Controls Baseline Level 1)
A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (CP-1a.1., TX-RAMP Security Controls Baseline Level 2)
Contingency planning policy [TX-RAMP Assignment: at least every 3 years]; and (CP-1b.1., TX-RAMP Security Controls Baseline Level 2)
