Principle |
The Member Organization should define, approve and implement a BCP for its critical activities. Compliance with the BCP should be monitored, and its effectiveness should be measured and periodically evaluated. |
Objective |
To ensure that the Member Organization has the capability to identify and clearly define the actions to be taken, and the resources needed, to enable the organization to manage a disruptive incident and return to a position where normal business processes can resume. |
Control considerations |
1. | A BCP should be defined, approved, implemented and maintained in readiness for use during disruptive incidents, to enable the Member Organization to continue delivering its important and urgent activities at an acceptable, pre-defined level. |
2. | The Member Organization should define, approve and implement procedures for responding to disruptive incidents. The procedures should collectively include: |
| a. | Key resources (e.g., people, equipment, facilities, technologies) |
| b. | Defined roles, responsibilities and authorities for stakeholders |
| c. | A process to manage the immediate consequences of a disruptive incident and escalation procedures |
| d. | A process to continue the critical activities within predetermined recovery objectives (recovery time objective (RTO), recovery point objective (RPO) and maximum acceptable outage (MAO)) |
| e. | A process to resume the Member Organization's operations to business-as-usual once the incident is resolved |
| f. | Guidelines for communicating with employees, relevant third-parties and emergency contacts |
| g. | A process for including relevant cyber security requirements, if any, within the business continuity planning |
3. | Compliance with the BCP should be monitored. |
4. | The effectiveness of the BCPs should be measured and periodically evaluated. |
5. | The BCM Manager and BCM coordinators are responsible for maintaining and keeping the BCPs and supporting arrangements up to date. |
6. | The Member Organization should have sufficient alternative business workspace(s) to which it can relocate the required resources to deliver the critical processes within the recovery objectives defined in the BIA. |
7. | The alternative business workspace(s) should have a clear demarcation of the seating arrangement for the different business units. |
8. | The Member Organization should implement sufficient logical, physical and environmental security controls so that, if the alternative location is activated, it supports the same level of access control and security as the primary location. |
10. | For all critical activities, as determined by the BIA, the Member Organization should ensure that the key service providers (if any) have a BCP in place and that those plans are tested at least annually. |