Approve the continuity plan requirements before documenting the continuity plan.

Systems Continuity


This Control directly supports the implied Control(s):
  • Document all supporting information in the continuity plan, such as purpose, scope, and requirements., CC ID: 01371

There are no implementation support Controls.


  • Having performed the business impact analysis and formulated the recovery strategies, individual critical business and support functions should have established the minimum BCP requirements for the provision of essential business and technology services levels. To avoid any unnecessary arguments and… (3.2.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Development of contingency plans and review of any plans of significant importance should obtain the approval of management. (P73.4., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • However, if no backup centers are established, it is necessary to consolidate a business continuity system by use of another alternative method carefully considering the impact on society due to failures, and management should approve the system. (P74.1. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • During the recovery process, the FI should follow the established disaster recovery plan that has been tested and approved by management. The FI should avoid deviating from the plan as untested recovery measures could exacerbate the incident and prolong the recovery process. In exceptional circumsta… (§ 8.2.3, Technology Risk Management Guidelines, January 2021)
  • bear the overall responsibility for setting and approving the digital operational resilience strategy as referred to in Article 6(8), including the determination of the appropriate risk tolerance level of ICT risk of the financial entity, as referred to in Article 6(8), point (b); (Art 5.2. ¶ 2(d), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Establish, document, approve, communicate, apply, evaluate and maintain business continuity management and operational resilience policies and procedures. Review and update the policies and procedures at least annually. (BCR-01, Cloud Controls Matrix, v4.0)
  • Determine whether the institution maintains an adequate and up-to-date enterprise-wide business continuity plan. Determine whether the board oversees implementation and approves policies related to business continuity planning. (App A Objective 3:4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The ISCP Coordinator should coordinate frequently with associated internal and external organizations and system POCs to ensure that impacts caused by changes within any organization will be reflected in the contingency plan. Strict version control must be maintained by requesting old plans or plan … (§ 3.6 ¶ 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))