This document specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise. The requirements specified in this document are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization’s operating environment and complexity. This document is applicable to all types and sizes of organizations that: a) implement, maintain and improve a BCMS; b) seek to ensure conformity with stated business continuity policy; c) need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption; d) seek to enhance their resilience through the effective application of the BCMS. This document can be used to assess an organization’s ability to meet its own business continuity needs and obligations.<\/p>\n
| PDF Pages<\/th>\n | PDF Title<\/th>\n<\/tr>\n | ||||||
|---|---|---|---|---|---|---|---|
| 6<\/td>\n | ForewordEuropean foreword <\/td>\n<\/tr>\n | ||||||
| 12<\/td>\n | Foreword <\/td>\n<\/tr>\n | ||||||
| 13<\/td>\n | Introduction <\/td>\n<\/tr>\n | ||||||
| 15<\/td>\n | Figure 1 \u2014 PDCA model applied to BCMS processes Table 1 \u2014 Explanation of PDCA model <\/td>\n<\/tr>\n | ||||||
| 19<\/td>\n | 3.5 business continuity management system BCMS business continuity plan 3.7 business continuity programme 3.8 business impact analysis <\/td>\n<\/tr>\n | ||||||
| 20<\/td>\n | 3.12 correction document 3.153.11 <\/td>\n<\/tr>\n | ||||||
| 21<\/td>\n | 3.17 event 3.18 exercise 3.20 infrastructure <\/td>\n<\/tr>\n | ||||||
| 22<\/td>\n | 3.22 internal audit invocation 3.25 maximum acceptable outage MAO 3.26 maximum tolerable period of disruption MTPD <\/td>\n<\/tr>\n | ||||||
| 23<\/td>\n | 3.28 minimum business continuity objective MBCO 3.293.18 3.30 mutual aid agreement 3.313.19 <\/td>\n<\/tr>\n | ||||||
| 24<\/td>\n | 3.343.22 3.36 performance evaluation 3.37 personnel 3.383.24 3.39 procedure <\/td>\n<\/tr>\n | ||||||
| 25<\/td>\n | 3.403.26 3.413.27 products and servicesproduct and service 3.42 prioritized activities 3.43 record 3.44 recovery point objective RPO 3.45 recovery time objective RTO <\/td>\n<\/tr>\n | ||||||
| 26<\/td>\n | 3.483.30 3.49 risk appetite 3.50 risk assessment <\/td>\n<\/tr>\n | ||||||
| 27<\/td>\n | 3.51 risk management 3.52 testing 3.533.31 3.54 verification 3.55 work environment 4.1 Understanding of the organization and its context <\/td>\n<\/tr>\n | ||||||
| 28<\/td>\n | 4.2 Understanding the needs and expectations of interested parties 4.2.1 General 4.2.2 Legal and regulatory requirements 4.3 Determining the scope of the business continuity management system 4.3.1 General 4.3.2 Scope of the BCMSbusiness continuity management system <\/td>\n<\/tr>\n | ||||||
| 29<\/td>\n | 4.4 Business continuity management system 5.1 Leadership and commitment <\/td>\n<\/tr>\n | ||||||
| 30<\/td>\n | 5.35.2 Policy 5.2.1 Establishing the business continuity policy 5.2.2 Communicating the business continuity policy 5.45.3 Organizational roles Roles, responsibilities and authorities <\/td>\n<\/tr>\n | ||||||
| 31<\/td>\n | 6.1 Actions to address risks and opportunities 6.1.1 Determining risks and opportunities 6.1.2 Addressing risks and opportunities 6.2 Business continuity objectives and plansplanning to achieve them 6.2.1 Establishing business continuity objectives <\/td>\n<\/tr>\n | ||||||
| 32<\/td>\n | 6.2.2 Determining business continuity objectives 6.3 Planning changes to the business continuity management system 7.1 Resources 7.2 Competence <\/td>\n<\/tr>\n | ||||||
| 33<\/td>\n | 7.3 Awareness 7.4 Communication 7.5 Documented information 7.5.1 General <\/td>\n<\/tr>\n | ||||||
| 34<\/td>\n | 7.5.2 Creating and updating 7.5.3 Control of documented information 8.1 Operational planning and control <\/td>\n<\/tr>\n | ||||||
| 35<\/td>\n | 8.2 Business impact analysis and risk assessment 8.2.1 General 8.2.2 Business impact analysis <\/td>\n<\/tr>\n | ||||||
| 36<\/td>\n | 8.2.3 Risk assessment <\/td>\n<\/tr>\n | ||||||
| 37<\/td>\n | 8.3 Business continuity strategystrategies and solutions 8.3.1 Determination and selectionGeneral 8.3.2 Identification of strategies and solutions 8.3.3 Selection of strategies and solutions 8.3.28.3.4 Establishing resourceResource requirements <\/td>\n<\/tr>\n | ||||||
| 38<\/td>\n | 8.3.3 Protection and mitigation a) reduce the likelihood of disruption, 8.3.5 Implementation of solutions 8.4 Establish and implement business continuity procedures Business continuity plans and procedures 8.4.1 General <\/td>\n<\/tr>\n | ||||||
| 39<\/td>\n | 8.4.2 Incident responseResponse structure <\/td>\n<\/tr>\n | ||||||
| 40<\/td>\n | 8.4.3 Warning and communication <\/td>\n<\/tr>\n | ||||||
| 41<\/td>\n | 8.4.4 Business continuity plans <\/td>\n<\/tr>\n | ||||||
| 42<\/td>\n | 8.4.5 Recovery 8.5 Exercising and testingExercise programme <\/td>\n<\/tr>\n | ||||||
| 43<\/td>\n | 8.6 Evaluation of business continuity documentation and capabilities 9.1 Monitoring, measurement, analysis and evaluation 9.1.1 General <\/td>\n<\/tr>\n | ||||||
| 44<\/td>\n | 9.1.2 Evaluation of business continuity procedures 9.2 Internal audit 9.2.1 General 9.2.2 Audit programme(s) <\/td>\n<\/tr>\n | ||||||
| 45<\/td>\n | 9.3 Management review 9.3.1 General 9.3.2 Management review input <\/td>\n<\/tr>\n | ||||||
| 46<\/td>\n | 9.3.3 Management review outputs <\/td>\n<\/tr>\n | ||||||
| 47<\/td>\n | 10.1 Nonconformity and corrective action 10.2 Continual improvement <\/td>\n<\/tr>\n | ||||||
| 48<\/td>\n | Bibliography <\/td>\n<\/tr>\n | ||||||
| 52<\/td>\n | undefined <\/td>\n<\/tr>\n | ||||||
| 55<\/td>\n | European foreword Endorsement notice <\/td>\n<\/tr>\n | ||||||
| 61<\/td>\n | Foreword <\/td>\n<\/tr>\n | ||||||
| 62<\/td>\n | Introduction <\/td>\n<\/tr>\n | ||||||
| 65<\/td>\n | 1\tScope 2\tNormative references 3\tTerms and definitions <\/td>\n<\/tr>\n | ||||||
| 71<\/td>\n | 4\tContext of the organization 4.1\tUnderstanding the organization and its context 4.2\tUnderstanding the needs and expectations of interested parties 4.2.1\tGeneral 4.2.2\tLegal and regulatory requirements 4.3\tDetermining the scope of the business continuity management system 4.3.1\tGeneral <\/td>\n<\/tr>\n | ||||||
| 72<\/td>\n | 4.3.2\tScope of the business continuity management system 4.4\tBusiness continuity management system 5\tLeadership 5.1\tLeadership and commitment 5.2\tPolicy 5.2.1\tEstablishing the business continuity policy <\/td>\n<\/tr>\n | ||||||
| 73<\/td>\n | 5.2.2\tCommunicating the business continuity policy 5.3\tRoles, responsibilities and authorities 6\tPlanning 6.1\tActions to address risks and opportunities 6.1.1\tDetermining risks and opportunities 6.1.2\tAddressing risks and opportunities 6.2\tBusiness continuity objectives and planning to achieve them 6.2.1\tEstablishing business continuity objectives <\/td>\n<\/tr>\n | ||||||
| 74<\/td>\n | 6.2.2\tDetermining business continuity objectives 6.3\tPlanning changes to the business continuity management system 7\tSupport 7.1\tResources 7.2\tCompetence <\/td>\n<\/tr>\n | ||||||
| 75<\/td>\n | 7.3\tAwareness 7.4\tCommunication 7.5\tDocumented information 7.5.1\tGeneral 7.5.2\tCreating and updating <\/td>\n<\/tr>\n | ||||||
| 76<\/td>\n | 7.5.3\tControl of documented information 8\tOperation 8.1\tOperational planning and control 8.2\tBusiness impact analysis and risk assessment 8.2.1\tGeneral <\/td>\n<\/tr>\n | ||||||
| 77<\/td>\n | 8.2.2\tBusiness impact analysis 8.2.3\tRisk assessment 8.3\tBusiness continuity strategies and solutions 8.3.1\tGeneral 8.3.2\tIdentification of strategies and solutions <\/td>\n<\/tr>\n | ||||||
| 78<\/td>\n | 8.3.3\tSelection of strategies and solutions 8.3.4\tResource requirements 8.3.5\tImplementation of solutions 8.4\tBusiness continuity plans and procedures 8.4.1\tGeneral <\/td>\n<\/tr>\n | ||||||
| 79<\/td>\n | 8.4.2\tResponse structure 8.4.3\tWarning and communication <\/td>\n<\/tr>\n | ||||||
| 80<\/td>\n | 8.4.4\tBusiness continuity plans <\/td>\n<\/tr>\n | ||||||
| 81<\/td>\n | 8.4.5\tRecovery 8.5\tExercise programme 8.6\tEvaluation of business continuity documentation and capabilities 9\tPerformance evaluation 9.1\tMonitoring, measurement, analysis and evaluation <\/td>\n<\/tr>\n | ||||||
| 82<\/td>\n | 9.2\tInternal audit 9.2.1\tGeneral 9.2.2\tAudit programme(s) 9.3\tManagement review 9.3.1\tGeneral 9.3.2\tManagement review input <\/td>\n<\/tr>\n | ||||||
| 83<\/td>\n | 9.3.3\tManagement review outputs 10\tImprovement 10.1\tNonconformity and corrective action <\/td>\n<\/tr>\n | ||||||
| 84<\/td>\n | 10.2\tContinual improvement <\/td>\n<\/tr>\n | ||||||
| 85<\/td>\n | Bibliography <\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":" Tracked Changes. Security and resilience. Business continuity management systems. Requirements<\/b><\/p>\n |