Sometimes an unexpected event, such as a fire, flood, or equipment failure, can cause downtime. In order to be able to continue operations as quickly and smoothly as possible, continuity planning is carried out, i.e. planning the operations in advance for these exceptional situations.
Each continuity plan shall contain at least the following information:
The organization has a clear process, according to which it identifies the most critical functions in terms of its operations (e.g. services offered to customers), which are subject to the highest continuity requirements.
Items in the IT environment that are necessary for these activities (such as information systems, data reserves, operating processes, partners, units, hardware) are classified as critical.
Critical functions are considered with the highest priority, e.g. in continuity planning, and stricter safety requirements can be applied to them than to other objects in the environment.
Continuity requirements for ICT services are derived from continuity plans that are created for core processes (e.g. related to the provision of organization's products and services) and the recovery time goals included in them.
Organization must identify what recovery times and recovery points different ICT services must be able to achieve, taking into account the defined recovery goals for related processes, and ensure the ability to achieve them.
The planning must take into account in particular:
The organisation should regularly, at least annually, test and review its information security continuity plans to ensure that they are valid and effective in adverse situations.
Testing of continuity plans shall involve, as appropriate, stakeholders critical to each plan. The organisation should identify and document the necessary contacts with suppliers and partners
In addition, the adequacy of continuity plans and associated management mechanisms should be reassessed in the event of significant changes in operations.
To ensure the reliability of the systems, the following measures should be taken:
Maintenance, updating and possible renewal of information systems, devices and networks should be planned with the necessary component and software updates to be implemented before possible failures. When examining the criticality of components, the perspective of customer and patient safety should be taken into account.
Omavaltontasuunnitelmassa on kuvattava, kuinka varmistetaan ohjeiden saatavuus poikkeustilanteesta huolimatta silloin, kun niitä tarvitaan.