BCR-04: Business Continuity Planning

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain a business continuity plan based on the results of the operational resilience strategies and capabilities.

Implementation Guidance

All relevant business continuity plans should be developed consistently to address priorities for operational resilience, testing, maintenance, and information security requirements. Business continuity plans should be accessible and available to those with a need to know and include the following elements:

  1. Defined purpose and scope, aligned with relevant dependencies.
  2. Assigned roles and responsibilities (i.e., review, update, and approval).
  3. Defined lines of communication, roles, and responsibilities.
  4. Detailed recovery procedures, manual workarounds, and reference information.
  5. Method for plan invocation.

The plans should be tested and reviewed at planned intervals (e.g., annually or upon significant organizational or environmental changes).

Auditing Guidance

  1. Examine the policy for adequacy, approval, communication, and effectiveness as applicable to planning, delivery, and support of the organization's application security capabilities.
  2. Evaluate if the organization's operational resilience strategies and capabilities are used as an input for the policy and implementation.
  3. Examine policy and procedures for evidence of review.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.