BCR-05: Documentation

CSF v1.1 References:

PF v1.0 References:

This control is new to this version of the control set and incorporates the following items from the previous version: BCR-01: Business Continuity Planning, BCR-04: Documentation.

Control Statement

Develop, identify, and acquire documentation that is relevant to support the business continuity and operational resilience programs. Make the documentation available to authorized stakeholders and review periodically.

Implementation Guidance

The documentation should include but is not limited to:

  1. Administrator and user guides
  2. Database backup and replication guidelines
  3. Architecture diagrams
  4. Incident playbooks

Documentation availability is intended to support successful continuity of the following activities:

  1. Configuring, installing, deploying changes, and operating the system and/or infrastructure.
  2. Effectively using the system’s security and business continuity features.
  3. Using system automation and structured playbooks where available for fast incident recovery.

The documentation should be interconnected and comparable.

Auditing Guidance

  1. Examine the process for determining the documentation required to support business continuity and operational resilience.
  2. Examine the process for developing or acquiring such documentation and maintaining its currency.
  3. Evaluate the process and implementation of identifying stakeholders and making documentation available.
  4. Examine the policy and procedures for evidence of review.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.