BCR-03: Business Continuity Strategy

This control is new to this version of the control set and incorporates the following items from the previous version: BCR-04: Documentation, BCR-06: Equipment Location, BCR-08: Equipment Power Failures, BCR-09: Impact Analysis, BCR-10: Policy.

Control Statement

Establish strategies to reduce the impact of, withstand, and recover from business disruptions within risk appetite.

Implementation Guidance

Business continuity and operational resilience strategies should:

  1. Be developed by both cloud service providers and cloud service consumers with consideration of acceptable limits regarding risk appetite and tolerance.
  2. Cover all aspects of business continuity and resilience planning—taking inputs from assessed impact and risks—to consider activities for before, during, and after a disruption.
  3. Account for the unavailability of all relevant components required to operate the business “as usual” or in a disrupted mode (in parts or total) during a disruption.
  4. Cover all actions required to continue and recover prioritized activities within identified timeframes and aligned with organizational risk appetite and tolerance (including the invocation of continuity plans and crisis management capabilities).
  5. Cover all activities within the defined scope to protect prioritized activities, reduce disruption likelihood, and limit cloud capability disruption through adequate resourcing.
  6. Include detailed solutions and measures for each strategy.

Auditing Guidance

  1. Determine if the organization has established a risk appetite.
  2. Determine if the organization has established strategies to reduce the impact of business disruptions, within the organization’s risk appetite.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.