Align business continuity objectives with the business continuity policy.


CONTROL ID
12408
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Include business continuity objectives in the Strategic Information Technology Plan., CC ID: 06496

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • In determining the recovery time and recovery point objectives for each function, financial entities shall take into account whether it is a critical or important function and the potential overall impact on market efficiency. Such time objectives shall ensure that, in extreme scenarios, the agreed … (Art. 12.6., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • When developing business continuity and exit plans, firms should define the objectives of the plan, including what would constitute successful business continuity or a successful exit in both stressed and non-stressed scenarios, by reference to measurable criteria such as costs, functionality, time,… (§ 10.23, SS2/21 Outsourcing and third party risk management, March 2021)
  • be consistent with the business continuity policy, (§ 6.2 ¶ 2 a), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • ensuring that the business continuity policy and business continuity objectives are established and are compatible with the strategic direction of the organization; (§ 5.1 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • provides a framework for setting business continuity objectives; (§ 5.2.1 ¶ 1 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall establish business continuity objectives at relevant functions and levels. (§ 6.2.1 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • be consistent with the business continuity policy; (§ 6.2.1 ¶ 2 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • be updated as appropriate. (§ 6.2.1 ¶ 2 f), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall use the process for analysing business impacts to determine business continuity priorities and requirements. The process shall: (§ 8.2.2 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • the need for changes to the BCMS, including the policy and objectives; (§ 9.3.2 ¶ 1 e), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • A financial institution's business continuity planning process should reflect the following objectives: - The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components; - Business conti… (Business Continuity Planning Process, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Alignment of BCM elements with the entity's strategic goals and objectives. (II.A Action Summary ¶ 2 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Information relative to the volume and importance of the retail payment system activity to the institution's overall operation. (App A Tier 2 Objectives and Procedures E.1 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Cyber resiliency techniques and associated implementation approaches are employed to achieve mission or business objectives. The relative priorities of cyber resiliency goals and objectives are determined by the mission or business objectives. The selection of specific cyber resiliency techniques an… (3.1.1 ¶ 1, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • To be effective and to ensure that personnel fully understand the organization's contingency planning requirements, the contingency plan must be based on a clearly defined policy. The contingency planning policy statement should define the organization's overall contingency objectives and establish … (§ 3.1 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))