BCR-09: Impact Analysis

Control Family:

Business Continuity Management & Operational Resilience

CSF v1.1 References:

ID.AM-5
ID.BE-1
ID.BE-3
ID.BE-5
ID.RA-4
ID.RA-5
ID.SC-5
PR.DS-4
PR.IP-9
DE.AE-4
RS.AN-2
RS.AN-4

PF v1.0 References:

ID.BE-P1
ID.BE-P2
ID.RA-P4
PR.PO-P7
PR.DS-P4

Control Statement

There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following:

Identify critical products and services
Identify all dependencies, including processes, applications, business partners, and third party service providers
Understand threats to critical products and services
Determine impacts resulting from planned or unplanned disruptions and how these vary over time
Establish the maximum tolerable period for disruption
Establish priorities for recovery
Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
Estimate the resources required for resumption

Control Statement

Related Controls

NIST Special Publication 800-53 Revision 5

NIST Special Publication 800-53 Revision 4