Establish, implement, and maintain a business continuity program.

CONTROL ID: 13210
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Operational and Systems Continuity, CC ID: 00731

This Control has the following implementation support Control(s):
  • Involve auditors in reviewing and testing the business continuity program., CC ID: 13211
  • Establish, implement, and maintain a business continuity policy., CC ID: 12405
  • Establish, implement, and maintain a business continuity testing policy., CC ID: 13235
  • Establish, implement, and maintain a continuity framework., CC ID: 00732
  • Establish, implement, and maintain a continuity plan., CC ID: 00752
  • Establish, implement, and maintain organizational facility continuity plans., CC ID: 02224
  • Establish, implement, and maintain system continuity plan strategies., CC ID: 00735
  • Disseminate and communicate the continuity plan to interested personnel and affected parties., CC ID: 00760


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • An institution should ensure that its business continuity is not compromised by outsourcing arrangements, in particular, of the operation of its critical systems as stipulated under the Technology Risk Management Notice. An institution should adopt the sound practices and standards contained in the … (5.7.1, Guidelines on Outsourcing)
  • Financial institutions should establish a sound business continuity management (BCM) process to maximise their abilities to provide services on an ongoing basis and to limit losses in the event of severe business disruption in line with Article 85(2) of Directive 2013/36/EU and Title VI of the EBA G… (3.7 77, Final Report EBA Guidelines on ICT and security risk management)
  • business continuity management; (Art. 16.1(c), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • quickly, appropriately and effectively respond to, and resolve, all ICT-related incidents in a way that limits damage and prioritises the resumption of activities and recovery actions; (Art. 11.2.(b), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • ensure the continuity of critical or important functions, through business continuity plans and response and recovery measures, which include, at least, back-up and restoration measures; (Art. 16.1. ¶ 2(f), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Ensuring proper regular operations including appropriate safeguards for planning and monitoring the capacity, protection against malware, logging and monitoring events as well as handling vulnerabilities, malfunctions and errors. (Section 5.6 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • Develop, identify, and acquire documentation that is relevant to support the business continuity and operational resilience programs. Make the documentation available to authorized stakeholders and review periodically. (BCR-05, Cloud Controls Matrix, v4.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain business continuity management and operational resilience policies and procedures. Review and update the policies and procedures at least annually. (BCR-01, Cloud Controls Matrix, v4.0)
  • These evaluations shall be conducted at planned intervals, after an incident or activation, and when significant changes occur. (§ 8.6 ¶ 2, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Top management shall review the organization's BCMS, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. (§ 9.3.1 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • make changes to the BCMS, if necessary. (§ 10.1.2 e), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • undertake evaluations through reviews, analysis, exercises, tests, post-incident reports and performance evaluations; (§ 8.6 ¶ 1 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Organization is capable of operating critical business functions in the face of cyber-attacks and continuously enhance its cyber resilience. (DM.RS-1, CRI Profile, v1.2)
  • The organization executes its recovery plans, including incident recovery, disaster recovery and business continuity plans, during or after an incident to resume operations. (RC.RP-1.1, CRI Profile, v1.2)
  • The organization's business continuity, disaster recovery, crisis management and response plans are in place and managed. (PR.IP-9.1, CRI Profile, v1.2)
  • Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. (§ 164.308(a)(7)(i), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Determine whether management established a crisis or emergency management process. Verify whether the BCP addresses the following: (App A Objective 8:13, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Management adequately considers and implements resilience as part of the entity's risk mitigation strategy for AIO. (III.F, "Resilience") (App A Objective 8, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Ensures the entity's business strategy and reliance on business functions drive the design for the entity's resilience. (App A Objective 8:2b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management should develop and implement service and support processes. These processes should be designed to support an entity's strategic goals and objectives by preventing issues, ensuring continuous reliability and resilience, and supporting users (e.g., business lines, personnel, and customers). (VI.C Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management should implement an IT infrastructure that achieves and promotes the objectives of confidentiality, integrity, and availability, and meets the entity's business objectives. Management should develop, document, and implement infrastructure control policies, standards, and procedures to saf… (V Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Collaborate with stakeholders to establish the enterprise continuity of operations program, strategy, and mission assurance. (T0044, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Establish alternative processing, exploitation and dissemination pathways to address identified issues or problems. (T0681, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)