I. Business Resilience

This domain covers the processes and plans you have in place to ensure a quick recovery if a failure occurs.

01) Does your organisation have a documented Incident Response Plan?

Answer yes if your organisation has a documented Incident Response Plan that has been reviewed in the last year. Please provide the Incident Response Plan (as a PDF file) as evidence.

Business Resilience
Incident Response Plan

02) Does your organisation's Incident Response Plan allow for the classification of information security events?

Answer yes if your organisation's Incident Response Plan contains a section for classifying information security events. Please reference the section of any previously provided plan in the notes.

Business Resilience
Incident Response Plan
Classification of Events

03) Does your organisation's Incident Response Plan include roles and responsibilities in the event of an incident?

Answer yes if your organisation's Incident Response Plan contains a section defining roles and responsibilities in an information security event. Please reference the section of any previously provided plan in the notes.

Business Resilience
Incident Response Plan
Roles and Responsibilities

04) Does your organisation's Incident Response Plan include plans for alternative communication methods should company email be unavailable?

Answer yes if your organisation's Incident Response Plan contains a section for alternate communication methods if email is unavailable. Please reference the section of any previously provided plan in the notes.

Business Resilience
Incident Response Plan
Alternative Comms

05) Does your organisation have a cyber incident response and forensic capability (either internally or via a third party or cyber insurance policy)?

Answer yes if your organisation has a cyber incident response and forensic capability that it can call upon in the event of an incident. This can be an in-house capability, or one provided by a third party or under a cyber insurance policy. Please state in the notes who provides the capability.

Business Resilience
Incident Response Team

06) Does your organisation have a process for employees, contractors, and suppliers to report suspected or known information security breaches and weaknesses?

Answer yes if your organisation has a documented process through which employees, contractors and suppliers can report known or suspected information security breaches and weaknesses (this is typically via an IT helpdesk). Please describe the process in the notes, or provide a process document (as a PDF file) as evidence.

Business Resilience
Reporting Breaches

07) Does your organisation have a process for reporting information security breaches that affect your clients to them in a timely manner?

Answer yes if your organisation has a documented process for reporting information security breaches to all affected clients within 72 hours of the breach being discovered. Please describe the process in the notes, or provide a process document (as a PDF file) as evidence.

Business Resilience
Breach Notification

08) Does your organisation conduct a root cause analysis for all information security incidents that are reported?

Answer yes if your organisation completes a root cause analysis for every security incident that is reported, and implements the lessons learned once each analysis is complete. Please provide a template root cause analysis document (as a PDF file) as evidence.

Business Resilience
Root Cause Analysis

09) Does your organisation have cyber insurance?

Answer yes if your organisation holds a valid cyber insurance policy. Please provide the certificate of insurance (as a PDF file) as evidence.

Business Resilience
Cyber Insurance

10) What is the limit of your organisation's cyber insurance policy (in GBP)?

Please state the limit of the cover in GBP (if in another currency, please convert to GBP).

Business Resilience
Cyber Insurance Limit

11) Does your organisation have an approved Business Continuity Plan to ensure the continuity of service in a disaster?

Answer yes if your organisation has a documented business continuity plan that has been reviewed in the last year. Please provide the Business Continuity Plan (as a PDF file) as evidence.

Business Resilience
Business Continuity Plan

12) Does your organisation's business continuity plan address the backup and restoration of all client data and operation of business activities from an alternative site?

Answer yes if your organisation's Business Continuity Plan includes the steps required to back up and restore all of your organisation's production data (including client data) and to continue business operations from an alternative site.

Business Resilience
DR Site
Disaster Recovery Site

13) Does your organisation's plan include the maintenance of security controls in a disaster?

Answer yes if your organisation's Business Continuity Plan includes a section that covers the maintenance of security controls in the event of a disaster.

Business Resilience
Business Continuity Security
Security in a Disaster

14) Does your organisation have an annual programme in place for the rehearsal of your BC and DR solutions?

Answer yes if your organisation operates an annual rehearsal of its Business Continuity and Disaster Recovery plans. Please provide a report (as a PDF file) detailing the most recent rehearsal, and state in the notes whether any findings have been implemented.

Business Resilience
Plan Rehearsal
Business Continuity Practice