H. Business Resilience
This domain covers the processes and plans you have in place to ensure a quick recovery if a failure occurs.
01) Does your organisation have a documented Incident Response Plan?
Answer yes if your organisation has a documented Incident Response Plan that has been reviewed in the last year. Please provide the Incident Response Plan (as a PDF file) as evidence.
02) Does your organisation's Incident Response Plan allow for the classification of information security events?
Answer yes if your organisation's Incident Response Plan contains a section for classifying information security events. Please reference the section of any previously provided plan in the notes.
03) Does your Incident Response Plan include consideration of legal and regulatory commitments?
Answer yes if your organisation's Incident Response Plan contains an assessment of impact to legal and regulatory compliance. Please reference the section of any previously provided plan in the notes.
04) Does your organisation's Incident Response Plan include roles and responsibilities in the event of an incident?
Answer yes if your organisation's Incident Response Plan contains a section defining roles and responsibilities in an information security event. Please reference the section of any previously provided plan in the notes.
05) Does your organisation's Incident Response Plan include alternative communication systems in case your usual systems are disrupted?
Answer yes if your organisation's Incident Response Plan contains a section for alternative communication methods. Please reference the section of any previously provided plan in the notes.
06) Does your organisation have a cyber incident response and forensic capability (either internally or via a third party or cyber insurance policy)?
Answer yes if your organisation has a cyber incident response capability that it can call upon in the event of an incident. This can be an in-house capability or provided by a third party or cyber insurance provider.
07) Does your organisation have a process for employees, contractors, and suppliers to report suspected or known information security breaches and weaknesses?
Answer yes if your organisation has a documented process for reporting information security incidents, or suspected information security incidents (this is typically via an IT helpdesk). Please describe the process in the notes, or provide a process document (as a PDF file) as evidence.
08) Does your organisation have a process for reporting information security breaches that affect your clients to them in a timely manner?
Answer yes if your organisation has a documented process for reporting information security breaches to all affected clients within 72 hours of the breach being discovered. Please describe the process in the notes, or provide a process document (as a PDF file) as evidence.
09) Does your organisation conduct a root cause analysis for all information security incidents that are reported?
Answer yes if your organisation completed a root cause analysis for all security incidents that are reported, and implements any lessons learnt after each analysis has been completed. Please provide a template root cause analysis document (as a PDF file) as evidence.
10) Does your organisation have an approved Business Continuity Plan to ensure the continuity of service in a disaster?
Answer yes if your organisation has a documented business continuity plan that has been reviewed and approved by senior management in the last year. Please provide the Business Continuity Plan (as a PDF file) as evidence.
11) Is your organisation's Business Continuity Plan based on a current risk assessment of your business?
Answer yes if your organisation has assessed the potential business-disruptive risks and used this assessment to inform your Business Continuity Plan. This process may involve conducting a Business Impact Analysis (BIA) for certain scenarios. Please provide the business continuity risk summary as evidence or reference a section of a previously provided document in the notes section.
12) Does your organisation's Business Continuity Plan address the backup and restoration of your business data and the data you process for your clients?
Answer yes if your organisation's Business Continuity Plan includes the required steps to backup and restore the data used by your organisation for day to day operations and the data your clients may have transferred to you for processing, including the outcomes of that processing. This may include defining and agreeing the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for certain services.
13) Does your organisation's Business Continuity Plan include operation of business activities from an alternative location?
Answer yes if your organisation's Business Continuity Plan includes the required steps to continue business operations from an alternate location if the normal business location is inaccessible.
14) Does your organisation's plan include the maintenance of security controls in a disaster?
Answer yes if your organisation's Business Continuity Plan includes information describing the maintenance of security controls in the event of a disaster.
15) Does your organisation have a programme in place to regularly rehearse and maintain your Business Continuity and Disaster Recovery plans?
Answer yes if your organisation runs rehearsal of its Business Continuity and Disaster Recovery plans at least annually involving all parties, including senior operational leaders. Please provide a report (as a PDF file) that details the last two tests to take place. In the notes section, please describe the nature of the exercises (e.g. desktop exercises, partial or whole practical/technical service restoration and recovery) and who was involved. Please also describe the outcome of the rehearsals, e.g. plans have been updated and re-issued with all material findings addressed.