Include the continuity strategy in the continuity plan.


CONTROL ID
13189
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a continuity plan., CC ID: 00752

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Have the policy and objectives for the BCMS, which are compatible with the context and strategic direction of the organization, been established and communicated? (Leadership ¶ 2, ISO 22301: Self-assessment questionnaire)
  • Does the BC strategy protect prioritized activities and provide appropriate continuity and recovery of them, their dependencies and resources? (Operation ¶ 11, ISO 22301: Self-assessment questionnaire)
  • firm or group-wide business continuity plans and exit strategies. Systemic wholesale branches should, however, take reasonable steps to develop local business continuity, contingency planning, and exit strategies (if available) covering any activities or services which they provide that could impact… (§ 3.19 Bullet 4, SS2/21 Outsourcing and third party risk management, March 2021)
  • Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recove… (DS4.2 IT Continuity Plans, CobiT, Version 4.1)
  • Establish strategies to reduce the impact of, withstand, and recover from business disruptions within risk appetite. (BCR-03, Cloud Controls Matrix, v4.0)
  • Based on the outputs from the business impact analysis and risk assessment, the organization shall identify and select business continuity strategies that consider options for before, during and after disruption. The business continuity strategies shall be comprised of one or more solutions. (§ 8.3.1 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • evaluate the suitability, adequacy and effectiveness of its business impact analysis, risk assessment, strategies, solutions, plans and procedures; (§ 8.6 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • update of the business impact analysis, risk assessment, business continuity strategies and solutions, and business continuity plans; (§ 9.3.3.1 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitorin… (TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Development of BCM strategies. (II.A Action Summary ¶ 2 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The board and senior management should develop effective strategies to meet resilience and recovery objectives. Effective oversight generally includes guidelines to achieve defined business continuity objectives. (IV Action Summary ¶ 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Create contingency strategies; (§ 3 ¶ 1 (4), NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Organizations are required to adequately mitigate the risk arising from use of information and information systems in the execution of mission/business processes. The challenge for organizations is in implementing the right set of security controls. Guided by the RMF and in accordance with FIPS 199 … (§ 3.4 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))