BCR-09: Impact Analysis

Control Statement

There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following:

  • Identify critical products and services
  • Identify all dependencies, including processes, applications, business partners, and third party service providers
  • Understand threats to critical products and services
  • Determine impacts resulting from planned or unplanned disruptions and how these vary over time
  • Establish the maximum tolerable period for disruption
  • Establish priorities for recovery
  • Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
  • Estimate the resources required for resumption