1. Overview

BCM-04 Testing Business Continuity

Designation   Criterion
BCM-04.01B Business continuity plans are tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected cloud service customers and relevant third parties (e.g. service organisations).

Tests are primarily conducted at the operational level and are aimed at operational target groups. Tests include e.g.:

1. Test of technical precautionary safeguards;
2. Functional tests; and
3. Plan review.

Exercises also take place on a tactical and strategic level. These include e.g.:

1. Plan meeting;
2. Personnel exercise;
3. Command post exercise;
4. Communication and alerting exercise;
5. Simulation of scenarios; and
6. Emergency or full exercise.

Relevant third parties are in particular service organisations of the cloud service provider that contribute to the development or operation of the cloud service (cf. basic criteria SSO-02 and SSO-06). A cloud service customer is affected (in the sense of this criterion) if the test or exercise leads to a degradation of the service below the level defined in the SLA, or if the effectiveness of the plans can only be tested if the cloud service customer has to take action.
BCM-04.02B The tests are documented and results are taken into account to review the business continuity plans and for future business continuity measures.
BCM-04.01AC In addition to the tests, exercises are also carried out which, among other things, cover scenarios derived from security incidents that have already occurred in the past.
BCM-04.02AC The cloud service provider has procedures in place to ensure that cloud service customers are informed in good time about planned activities related to business continuity tests and exercises that could affect the information security of the cloud service (e.g. regarding its availability). This information includes the scheduled time frame for the activities as well as a description of the work to be carried out.
BCM-04.03AC The cloud service provider provides cloud service customers with an assessment of the potential impacts of those tests and exercises on the information security of the cloud service, together with details for contacting the cloud service provider.
BCM-04.04AC After a completed exercise, the existing alarm and notification plan is reviewed and (if needed) adapted.

The term 'alarm and notification plan' refers to the documented procedure for alerting responsible personnel and stakeholders in case of incidents or disruptions.
BCM-04 Supplementary Information - Complementary Customer Criteria Cloud service customers ensure with suitable controls that measures to prevent the impact of a cloud service or cloud service provider outage are regularly reviewed, updated, tested and exercised. The cloud service provider is involved in the tests and exercises in accordance with the contractual agreements.

Cloud service customers ensure with suitable controls that the results of the cloud service provider's BCM tests and exercises are incorporated into their own BCM and are fully taken into account with regard to ensuring the customer's operational continuity.

In tests and exercises that involve the customer and therefore require measures on the customer's side, cloud service customers ensure by means of suitable BCM controls that the appropriate measures for coping with the scenario are practised and tested.
