To support cyber resilience and secure the delivery of critical services, the necessary requirements are identified, documented and their implementation tested and approved.
Guidance
- Consider implementing resiliency mechanisms that support both normal and adverse operational situations (e.g. fail-safe design, load balancing, hot swap).
- Consider aspects of business continuity management, e.g. a Business Impact Analysis (BIA), a Disaster Recovery Plan (DRP) and a Business Continuity Plan (BCP).
Information processing and supporting facilities shall implement redundancy sufficient to meet the availability requirements defined by the organization and/or applicable regulatory frameworks.
Guidance
- Consider provisioning adequate data and network redundancy (e.g. redundant network devices, load-balanced servers, RAID arrays, backup services, two separate data centres, fail-over network connections, two ISPs, ...).
- Consider protecting critical equipment and services from power outages and other utility interruptions (e.g. UPS and no-break power supplies, frequent testing, service contracts that include regular maintenance, redundant power cabling, two different power providers, ...).
Recovery time objectives (RTO) and recovery point objectives (RPO) shall be defined for the recovery of essential ICT/OT system processes.
Guidance
- Consider applying the 3-2-1 backup rule to improve RPO and RTO: keep at least three copies of your data, store them on two different types of storage media, and keep one copy at an off-site location. A backup that has never been restore-tested gives no assurance about RTO, so restores should be exercised regularly.
- Consider implementing mechanisms such as hot swap, load balancing and fail-safe design to increase resilience.
An unexpected event, such as a fire, flood or equipment failure, can cause downtime. To resume operations as quickly and smoothly as possible, continuity planning is carried out, i.e. the response to these exceptional situations is planned in advance.
Each continuity plan shall contain at least the following information:
The organization has a clear process by which it identifies the functions most critical to its operations (e.g. services offered to customers), which are subject to the highest continuity requirements.
Items in the IT environment that are necessary for these functions (such as information systems, data repositories, operating processes, partners, units and hardware) are classified as critical.
Critical functions are given the highest priority, e.g. in continuity planning, and stricter security requirements may be applied to them than to other objects in the environment.
The organization must identify the required level of availability for the services it offers, as well as for the related information systems and the rest of the data processing environment, and must plan its systems and operations so that this availability level can be met.
When planning a resilient data processing environment, the organization should consider the following factors:
In important production systems, for example, resilience should also be tested regularly to ensure a smooth transition to backup solutions during incidents.
The organization must test and update its security incident response plans at scheduled intervals and after significant changes. For critical parts of the organization, operational plans should be tested at least annually. Test results should be documented and communicated so that the plans can be improved.
The organization should regularly, at least annually, test and review its information security continuity plans to ensure that they remain valid and effective in adverse situations.
Testing of continuity plans shall involve, as appropriate, the stakeholders critical to each plan. The organization should identify and document the necessary contacts with suppliers and partners.
In addition, the adequacy of continuity plans and the associated management mechanisms should be reassessed whenever there are significant changes in operations.
The security arrangements required for critical network services, such as security features, service levels and management requirements, are carefully defined in advance. Network services include e.g. connections, networks and network security solutions (e.g. firewalls).
The security features of network services can include e.g. the following: