Establish, document, approve, communicate, apply, evaluate and maintain business continuity management and operational resilience policies and procedures. Review and update the policies and procedures at least annually.
Determine the impact of business disruptions and risks to establish criteria for developing business continuity and operational resilience strategies and capabilities.
Establish strategies to reduce the impact of, withstand, and recover from business disruptions within risk appetite.
Establish, document, approve, communicate, apply, evaluate and maintain a business continuity plan based on the results of the operational resilience strategies and capabilities.
Develop, identify, and acquire documentation that is relevant to support the business continuity and operational resilience programs. Make the documentation available to authorized stakeholders and review periodically.
Exercise and test business continuity and operational resilience plans at least annually or upon significant changes.
Establish communication with stakeholders and participants in the course of business continuity and resilience procedures.
Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency.
Establish, document, approve, communicate, apply, evaluate and maintain a disaster response plan to recover from natural and man-made disasters. Update the plan at least annually or upon significant changes.
Exercise the disaster response plan annually or upon significant changes, including if possible local emergency authorities.
Supplement business-critical equipment with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards.