Report changes in the continuity plan to senior management.


CONTROL ID: 12757
CONTROL TYPE: Communicate
CLASSIFICATION: Corrective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity plan. (CC ID: 00752)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The BCP function should submit regular reports to the Board and senior management on the testing of its BCP. Any major changes to the BCP should also be reported to the senior management. (2.2.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Significant internal changes (e.g. merger or acquisitions, business re-organisation or departure of key personnel) should be reflected in the plan immediately and reported to senior management. (6.2.4, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Test results should be documented and any identified deficiencies resulting from the tests should be analysed, addressed and reported to the management body. (3.7.4 90, Final Report EBA Guidelines on ICT and security risk management)
  • Notify each person or group with a defined role in the recovery plan of the updates to the recovery plan based on any documented lessons learned. (CIP-009-6 Table R3 Part 3.1 Requirements 3.1.3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Recovery Plans for BES Cyber Systems CIP-009-6, Version 6)
  • Review board minutes to determine whether management periodically reports to the board on the status of BCM. (App A Objective 12:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether reports include a written BCM presentation, including the BIA, risk assessment, BCP, exercise and test results, and identified issues. (App A Objective 12:1a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that management documents, tracks, and resolves any changes when updating the BCP and the exercise and testing program(s). Furthermore, verify that management maintains appropriate version control of key BCM documents. (App A Objective 11:3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Because senior leadership is often aware of issues and gaps, recommended cyber resiliency solutions will need to be characterized in terms of how and how well the solutions address the issues and gaps, as well as in terms of other benefits that the recommended solutions provide (e.g., improved stabi… (3.2.2.2 ¶ 2, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)