T9.2.1 - DEVELOPING INFORMATION SYSTEMS CONTINUITY PLANS

Back to T9.2.1 - P3 - DEVELOPING INFORMATION SYSTEMS CONTINUITY PLANS

Critical entities shall also take into account any other NESA’s relevant issuances, guidance, and activities in this regard.

The continuity planning process should consider the following:

• A. Identification and agreement of all responsibilities and continuity procedures
• B. Identification of the acceptable loss of information and services
• C. Implementation of the procedures to allow recovery and restoration of business operations and availability of information in required time-scales; particular attention needs to be given to the assessment of internal and external business dependencies and the contracts in place
• D. Operational procedures to follow pending completion of recovery and restoration
• E. Documentation of agreed procedures and processes
• F. Appropriate education of staff in the agreed procedures and processes, including crisis management
• G. Testing and updating of the plans

The planning process should focus on the required business objectives, e.g. restoring of specific communication services to customers in an acceptable amount of time. The services and resources facilitating this should be identified, including staffing, non-information processing resources, as well as fallback arrangements for information systems. Such fallback arrangements may include arrangements with third parties in the form of reciprocal agreements, or commercial subscription services.

If alternative temporary locations are used, the level of implemented security controls at these locations should be equivalent to the main site.

Back to T9.2.1 - P3 - DEVELOPING INFORMATION SYSTEMS CONTINUITY PLANS