The operator shall apply a company-wide approach to maintaining or recovering business processes, in particular those business processes which are systemically important, in a timely manner in the event of damage or disruption.
The operator shall define the necessary resources (premises, staff, technical facilities, data, external service providers) for the individual business areas and assess the impact of any complete or partial loss or disruption of each of these resources with regard to business processes, in particular systemically important business processes (business impact analysis). The assessment shall include any interdependency among business areas and any dependency on external service providers.
Based on the business impact analysis, the operator shall define the maximum acceptable time before business processes are recovered, as well as the required degree of recovery (recovery objectives) and the associated resource requirements. The maximum acceptable time for recovery in the case of systemically important business processes, even in the event of major damage or disruption (e.g. non-availability of a business-critical building including staff), shall be two hours.
The operator shall define the procedure by which it aims to meet the recovery objectives specified in paragraph 3 (business continuity strategy), and shall draw up plans that describe in detail the action to be taken and the persons responsible (business continuity plans).
Subsequent to any major modifications but at least once a year, the operator shall review and test the business continuity plans with regard to their implementation and effectiveness, and to ensure that they are up to date. Such tests shall, if necessary, also involve participants and important service providers.