SCON.SP 2.1 Establish Service Continuity Plans
Summary
Establish and maintain service continuity plans that enable the organization to resume performing essential functions.
Description
A service continuity plan provides explicit guidance to the organization in the event of a significant disruption to normal operations. An organization can maintain multiple plans covering different types of disruptions or different types of services. Conversely, there may be need for only one service continuity plan.
Example Work Products
- Formal statement of who has the authority to initiate and execute the service continuity plan
- List of communication mechanisms needed to initiate the execution of the service continuity plan
- List of threats and vulnerabilities that could impede the ability of the organization to deliver services
- List of alternate resources and locations that support the organization’s essential functions
- Documentation of the recovery sequence
- List of key staff roles and responsibilities
- List of stakeholders and the methods used for communicating with them
- Documented methods for handling security related material as appropriate
Subpractices
1. Identify and document threats and vulnerabilities to ongoing service delivery.
Information on threats and vulnerabilities is usually developed in other processes and activities and used as an input to the service continuity plan. In the service continuity plan, the events, threats, and vulnerabilities most likely to lead to enacting the plan are recorded. Different actions can be planned for categories of events. Risk information gathered about individual services can also be an input to this portion of the plan.
2. Document the service continuity plan.
3. Review the service continuity plan with relevant stakeholders.
4. Ensure that secure storage and access methods exist for the service continuity plan and critical information and functions needed to implement the plan.
5. Ensure that vital data and systems are adequately protected.
Addressing the protection of vital data and systems can include developing additional service system components.
6. Document the acceptable service level agreed to by the customer for when a shift between the normal delivery environment and the recovery environment (e.g., site affected by disruption, alternate site) is necessary.
Document the acceptable service levels for various outage scenarios (e.g., site, city, country).
7. Plan for returning to normal working conditions.
8. Develop procedures for implementing the service continuity plan.
9. Revise the service continuity plan as necessary.
- Major changes to the services are being delivered
- Essential functions or infrastructure change
- Key dependencies on resources, both internal and external, change
- Feedback from training warrants change
- Preparing for verification and validation of the service continuity plan identifies changes that are needed
- Results of verification and validation warrant change
- The delivery environment changes
- New significant threats or vulnerabilities have been identified