Sometimes an unexpected event, such as a fire, flood, or equipment failure, can cause downtime. In order to be able to continue operations as quickly and smoothly as possible, continuity planning is carried out, i.e. planning the operations in advance for these exceptional situations.
Each continuity plan shall contain at least the following information:
In the event of an incident , communication with internal and external stakeholders must be in accordance with the incident response plan.
The organization shall establish a incident response plan for security incidents to critical information systems. Response plans should also be tested by the necessary organizational elements. The plan should take into account at least:
In addition, the plan should at least:
The organization must document in advance procedures for responding to security breaches to ensure the actions of related departments, customers, and other critical partners in the event of a security breach.
The organization has to include disaster recovery in their continuity planning. Relevant disasters for the planning are natural disasters (e.g floods, earthquake, hurricanes) and human caused disasters (e.g terror attack, chemical attack/incident, insider attack).
In disaster planning there is greater emphasis on the returning operations to normal levels safely than in continuity planning. After this focus moves to resuming normal operations.
The continuity plans must be updated at least annually or after significant changes.
To ensure the reliability of the systems, the following measures should be taken:
Maintenance, updating and possible renewal of information systems, devices and networks should be planned with the necessary component and software updates to be implemented before possible failures. When examining the criticality of components, the perspective of customer and patient safety should be taken into account.