2.4 Business Impact Analysis (BIA) and Risk Assessment (RA)

No: 381000058504 Date(g): 28/2/2017 | Date(h): 2/6/1438

Effective from Feb 28 2017 - Feb 27 2017

Principle 
 
The Member Organization should perform a business impact analysis and risk assessment for all relevant activities to determine its business continuity and disaster recovery requirements and improvements.
 
Objective 
 
To ensure that each Member Organization has identified and prioritized its business processes along with their key dependencies, and has identified adequate controls in order to fulfill its business, regulatory, legal and compliance requirements with regard to business continuity.
 
Control considerations 
 
1.A methodology for BIA and RA should be defined, approved, implemented and maintained.
 
2.The Member Organization should periodically perform a business continuity risk assessment. It should include, but not be limited to:
 
 a.Identifying potential internal and external threats, including single points of failure that may cause disruption to the critical activities determined in the BIA, considering people, process, technology and premises
 
 b.Assessing and prioritizing potential risks by evaluating potential threats based on their operational impact and probability of occurrence
 
 c.Selecting the controls required to manage the identified risks
 
 d.Defining a treatment plan and implementing the BCM controls
 
3.The Member Organization should identify and prioritize its activities (i.e., products, services, business functions and processes) by performing a BIA to determine the following, but not limited to:
 
 a.The potential impact of business disruptions for each prioritized business function and process, including but not restricted to financial, operational, customer, legal and regulatory impacts
 
 b.The recovery time objectives (RTOs), recovery point objectives (RPOs) and maximum acceptable outage (MAO)
 
 c.The internal and external interdependencies
 
 d.Supporting recovery resources
 
4.The BCM committee should endorse the prioritized list, the BIA results, the RA and the defined RTOs, RPOs and MAOs.
 
5.Risk assessment results should be communicated to the BCM committee.
 
6.The BIA and RA should be updated annually and whenever major changes occur (such as a change in the structure or organization of people, process, technology, suppliers or locations).
 
7.The risk assessment should cover risks associated with the overall organization as well as with data centers (primary and alternative) that are not owned by the Member Organization (e.g., consider the timeframe needed to relocate to a new site and, accordingly, include a sufficient timeframe in the contractual agreement).
 
8.The capability of vendors, suppliers and service providers to support and maintain service levels for prioritized activities during disruptive incidents should be assessed at least once a year.
 
9.Member Organizations should ensure that RTOs are adequately defined for payment systems, customer-related services, etc., taking into account the high availability required of these operations and the need for minimum disruption in the event of a disaster.