1. Overview
BCM-02 Business Impact Analysis
-
| Designation |
Standard |
|
BCM-02.01B
|
The cloud service provider performs a Business Impact Analysis (BIA). In this BIA, the cloud service provider analyses the impact of disrupting activities to its organisation with respect to the development and operations of the cloud service in accordance with applicable policies and procedures with at least the following aspects:
1. Possible scenarios based on a risk assessment that includes cybersecurity risks;
2. Identification of critical products and services;
3. Identification of dependencies, including processes (including resources required), applications, business partners and third parties;
4. Capturing threats to critical products and services;
5. Identification of effects resulting from planned and unplanned outages, service degradations and changes over time;
6. Determination of the maximum tolerable period of downtime and service degradation;
7. Identification of restoration priorities;
8. Determination of time targets for the resumption of critical products and services within the maximum acceptable time period (i.e. RTO);
9. Determination of time targets for the maximum reasonable period during which cloud service derived data, cloud service provider data, account data and, if its processing is contractually agreed upon, cloud service customer data can be lost and not recovered (i.e. RPO); and
10. Estimation of the resources needed for resumption.
Scenarios to be considered according to the basic criterion are, for example, the loss of personnel, buildings, infrastructure and service providers.
|
|
BCM-02.02B
|
The business impact analysis adheres to the applicable policies and procedures and is reviewed at regular intervals, at least once a year, or after significant organisational or environment-related changes.
|
|
BCM-02 Supplementary Information - Complementary Customer Criteria
|
Cloud service customers ensure with suitable controls that the scenarios for a failure of the cloud service or the cloud service provider are sufficiently considered in the context of their business impact analysis.
|
1.1 References
1.2 Identified Requirements
1.2 Related Regulation
2. Identified Requirements
Requirements
| Source |
Requirement |
3. Related Regulations
Regulations
| Source |
Regulation |
|