BCR-01: Business Continuity Management Policy and Procedures

PF v1.0 References:

Control is new to this version of the control set and incorporates the following items from the previous version: BCR-07: Equipment Maintenance, BCR-10: Policy, BCR-11: Retention Policy, GRM-06: Policy, GRM-09: Policy Reviews.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain business continuity management and operational resilience policies and procedures. Review and update the policies and procedures at least annually.

Implementation Guidance

The policies should include defined roles and responsibilities supported by regular workforce training. The policies should:

  1. Be appropriate to the organization’s purpose.
  2. Provide a framework for setting business continuity objectives.
  3. Include a commitment to satisfy applicable requirements and continual improvement.
  4. Include organizational risk appetite and tolerance to facilitate appropriate planning, delivery, and support of capabilities in the event of a business disruption.
  5. Take guidance from industry standards, such as ISO 22300.

Auditing Guidance

  1. Examine policy and procedures for adequacy, approval, communication, and effectiveness as applicable to business continuity and resilience.
  2. Examine policy and procedures for evidence of review at least annually.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.