Monitor and evaluate business continuity management system performance.


CONTROL ID
12410
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity plan., CC ID: 00752

This Control has the following implementation support Control(s):
  • Record business continuity management system performance for posterity., CC ID: 12411


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Financial entities shall monitor the effectiveness of the implementation of their digital operational resilience strategy set out in Article 6(8). They shall map the evolution of ICT risk over time, analyse the frequency, types, magnitude and evolution of ICT-related incidents, in particular cyber-a… (Art. 13.4., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Have you determined what needs to be monitored and measured, when, by whom, the methods to be used, and when the results will be evaluated? (Performance evaluation ¶ 1, ISO 22301: Self-assessment questionnaire)
  • - the setting of performance metrics appropriate to the needs of the organization, - monitoring the extent to which the organization’s business continuity policy, objectives and targets are met, - performance of the processes, procedures and functions that protect its prioritized activities, - mon… (§ 9.1.1 ¶ 5, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of ke… (§ 9.3 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • ensuring that the BCMS achieves its intended outcome(s); (§ 5.1 ¶ 1 e), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • give assurance that the BCMS can achieve its intended outcome(s); (§ 6.1.1 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • be monitored; (§ 6.2.1 ¶ 2 d), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall evaluate the BCMS performance and the effectiveness of the BCMS. (§ 9.1 ¶ 3, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • information on the BCMS performance, including trends in: (§ 9.3.2 ¶ 1 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • undertake evaluations through reviews, analysis, exercises, tests, post-incident reports and performance evaluations; (§ 8.6 ¶ 1 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • evaluating performance and, as necessary, revising the planned response, including after testing and, in particular, after the occurrence of emergency situations; (§ 8.2 ¶ 1 d), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • Monitor implementation of CPRP based on key performance indicators in SPRP and produce regular situation report (Pillar 1 Step 2 Action 5, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Evaluate implementation and effectiveness of case management procedures and protocols (including for pregnant women, children, immunocompromised), and adjust guidance and/or address implementation gaps as necessary (Pillar 7 Step 3 Action 3, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Regularly monitor and evaluate the effectiveness of readiness and response measures at points of entry, and adjust readiness and response plans as appropriate (Pillar 4 Step 3 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Evaluating continuity performance. (App A Objective 2:2d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Assessment of the business continuity program effectiveness. (App A Objective 3:5f, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The board and senior management should engage internal audit or independent personnel to review and validate the design and operating effectiveness of the BCM program. Audit should report to the board and provide an assessment of management's ability to manage and control risks related to continuity… (II.B Action Summary ¶ 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The board should establish expectations for management's business continuity reporting, regularly monitor business continuity and resilience activities, and provide credible challenges to management. (IX Action Summary ¶ 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Understanding business continuity operating results and performance. (App A Objective 2:4e, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The board regularly monitors strategy, security, and resilience activities. (App A Objective 2:13b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Ongoing monitoring and evaluation capabilities (e.g., monitoring for indicators of an APT). (App A Objective 8:2f Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)