Business Continuity Management and Operational Resilience

A key component of the Information Security Program is the set of business continuity management and operational resilience policies.

BCR Control Domains

BCR-01: Business Continuity Planning - Business Continuity and Disaster Recovery Policy

  • BCR-01.1: Does your organization have a plan or framework for business continuity management or disaster recovery management?


Policy to be referenced here is INSERT
*Action item: INSERT

  • BCR-01.2: Do you have more than one provider for each service you depend on?


Policy to be referenced here is INSERT
*Action item: INSERT

  • BCR-01.3: Do you provide a disaster recovery capability?


Policy to be referenced here is INSERT
*Action item: INSERT

  • BCR-01.4: Do you monitor service continuity with upstream providers in the event of provider failure?


Policy to be referenced here is INSERT
*Action item: INSERT

  • BCR-01.5: Do you provide access to operational redundancy reports, including the services you rely on?


Policy to be referenced here is INSERT
*Action item: INSERT

  • BCR-01.6: Do you provide a tenant-triggered failover option?


Policy to be referenced here is INSERT
*Action item: INSERT

  • BCR-01.7: Do you share your business continuity and redundancy plans with your tenants?


Policy to be referenced here is INSERT
*Action item: INSERT

BCR-02: Business Continuity Testing -

  • BCR-02.1: Are business continuity plans subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness?


Policy to be referenced here is INSERT
*Action item: INSERT

BCR-03: Power / Telecommunications - Security Policy

  • BCR-03.1: Does your organization adhere to any international or industry standards for securing, monitoring, maintaining and testing datacenter utility services and environmental conditions?


Policy to be referenced here is INSERT
*Action item: INSERT

  • BCR-03.2: Has your organization implemented environmental controls, fail-over mechanisms or other redundancies to secure utility services and mitigate environmental conditions?


Policy to be referenced here is INSERT
*Action item: INSERT

BCR-04: Operational Resilience Documentation - Security Policy

  • BCR-04.1: Are information system documents (e.g., administrator and user guides, architecture diagrams, etc.) made available to authorized personnel to ensure configuration, installation and operation of the information system?


Policy to be referenced here is INSERT
*Action item: INSERT

BCR-05: Environmental Risks - Security Policy

  • BCR-05.1: Is physical damage anticipated and are countermeasures included in the design of physical protections?


Policy to be referenced here is INSERT
*Action item: INSERT

BCR-06: Equipment Location - Security Policy

  • BCR-06.1: Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?


Policy to be referenced here is INSERT
*Action item: INSERT

BCR-07: Equipment Maintenance - Security Policy

  • BCR-07.1: Do you have documented policies, procedures and supporting business processes for equipment and datacenter maintenance?


Policy to be referenced here is INSERT
*Action item: INSERT

  • BCR-07.2: Do you have an equipment and datacenter maintenance routine or plan?


Policy to be referenced here is INSERT
*Action item: INSERT

BCR-08: Equipment Power Failures - Security Policy

  • BCR-08.1: Are security mechanisms and redundancies implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.)?


Policy to be referenced here is INSERT
*Action item: INSERT

BCR-09: Impact Analysis -

  • BCR-09.1: Do you use industry standards and frameworks to determine the impact of any disruption to your organization (i.e., criticality of services and recovery priorities, disruption tolerance, RPO and RTO, etc.)?


Policy to be referenced here is INSERT
*Action item: INSERT

  • BCR-09.2: Does your organization conduct impact analysis pertaining to possible disruptions to the cloud service?


Policy to be referenced here is INSERT
*Action item: INSERT

BCR-10: Policy -

  • BCR-10.1: Are policies and procedures established and made available to all personnel to adequately support service operations roles?


Policy to be referenced here is INSERT
*Action item: INSERT

BCR-11: Retention Policy - Security Policy

  • BCR-11.1: Do you have technical capabilities to enforce tenant data retention policies?


Policy to be referenced here is INSERT
*Action item: INSERT

  • BCR-11.2: Do you have documented policies and procedures demonstrating adherence to data retention periods as per legal, statutory or regulatory compliance requirements?


Policy to be referenced here is INSERT
*Action item: INSERT

  • BCR-11.3: Have you implemented backup or recovery mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements?


Policy to be referenced here is INSERT
*Action item: INSERT

  • BCR-11.4: If using virtual infrastructure, does your cloud solution include independent hardware restore and recovery capabilities?


Policy to be referenced here is INSERT
*Action item: INSERT

  • BCR-11.5: If using virtual infrastructure, do you provide tenants with a capability to restore a virtual machine to a previous configuration?


Policy to be referenced here is INSERT
*Action item: INSERT

  • BCR-11.6: Does your cloud solution include software/provider independent restore and recovery capabilities?


Policy to be referenced here is INSERT
*Action item: INSERT

  • BCR-11.7: Do you test your backup or redundancy mechanisms at least annually?


Policy to be referenced here is INSERT
*Action item: INSERT

Related Documents

  • None

Hosting Provider Information