T9.1.1 - INFORMATION SYSTEMS CONTINUITY PLANNING POLICY Implementation Guidance
The entity shall establish an information systems continuity planning policy.
Back to T9.9.1 - P4 - INFORMATION SYSTEMS CONTINUITY PLANNING POLICY
Critical entities shall also take into account any other relevant NESA issuances, guidance, and activities in this regard.
An entity should determine whether the continuity of information security is captured within the business continuity management (BCM) process or within the (IT) disaster recovery management (DRM) process. Information security requirements should be determined when planning for business continuity and disaster recovery.
In the absence of formal business continuity and disaster recovery planning, information security management should assume that information security requirements remain the same in adverse situations as under normal operational conditions. Alternatively, an organization could perform a business impact analysis (BIA) for information security aspects to determine the information security requirements applicable to adverse situations.
The process of including information security in the business continuity management should bring together the following key elements of business continuity management:
- A. Understanding the risks the entity is facing in terms of likelihood and impact in time, including an identification and prioritization of critical business processes
- B. Identifying all the assets involved in critical business processes
- C. Understanding the impact which interruptions caused by information security incidents are likely to have on the business (it is important that solutions are found that will handle incidents causing smaller impact, as well as serious incidents that could threaten the viability of the entity), and establishing the business objectives of information systems
- D. Considering the purchase of suitable insurance which may form part of the overall business continuity process, as well as being part of operational risk management
- E. Identifying and considering the implementation of additional preventive and mitigating controls
- F. Identifying sufficient financial, organizational, technical, and environmental resources to address the identified information security requirements
- G. Ensuring the safety of personnel and the protection of information systems and organizational property
The process should also bring together the following elements of business continuity management:
- A. Formulating and documenting business continuity plans addressing information security requirements in line with the agreed business continuity strategy
- B. Regular testing and updating of the plans and processes put in place
- C. Ensuring that the management of business continuity is incorporated in the entity’s processes and structure; responsibility for the business continuity management process should be assigned at an appropriate level within the entity