BCR-07: Communication

CSF v1.1 References:

PF v1.0 References:

Info icon.

Control is new to this version of the control set and incorporates the following items from the previous version: BCR-01: Business Continuity Planning, BCR-02: Business Continuity Testing.

Control Statement

Establish communication with stakeholders and participants in the course of business continuity and resilience procedures.

Implementation Guidance

A business continuity and resilience program should:

  1. Communicate the importance of effective business continuity and the consequences of disruptions to all relevant stakeholders.
  2. Communicate the business continuity and resilience policy, objectives, and plans to all relevant stakeholders.
  3. Communicate the roles, responsibilities, authorities, and expected competencies to all relevant stakeholders.
  4. Establish the criteria, thresholds, and indicators to demonstrate when and how business continuity-related communications should be sent, who should send them, and to whom they should be sent.
  5. Establish templates for common communications during a disruption regarding the activation, operation, coordination, and communication of a business continuity response.
  6. Establish the people, technology, and processes required for business continuity communications.
  7. Establish a response structure that will enable timely warnings and communication to relevant stakeholders.

Clear and effective communication channels should remain available to disseminate information to participants and stakeholders, assess and relay damage, and coordinate a recovery strategy. Failed communication often results in failed business continuity efforts. Thorough planning, testing, and exercising communication procedures within the following four phases are essential to support effective business continuity and the viability of critical business operations.

Auditing Guidance

  1. Examine the policy for determining stakeholders and participants.
  2. Determine if the organization has identified stakeholders and participants.
  3. Examine the procedures for communication with identified stakeholders and participants.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.