The organisation should create and maintain a resilience plan to ensure the continuity of its critical functions. The plan should be informed by an all-hazards risk assessment covering natural, accidental, and malicious threats. It should be reviewed at defined intervals and after any significant incident or material change to the operating environment.
The plan should describe the measures taken to prevent, protect against, respond to, withstand, and recover from incidents that could disrupt its services. The plan should at least include:
- Prevention, including disaster risk reduction and climate adaptation measures to reduce the likelihood of incidents occurring.
- Physical protection of premises and critical infrastructure, including perimeter controls, monitoring, detection equipment, and access management.
- Response and mitigation, including crisis management procedures, alert routines, and internal and external communication protocols.
- Recovery and business continuity, including arrangements to resume the provision of essential services, backup facilities, and the identification of alternative supply chains and suppliers.
- Personnel security, including background checks where appropriate for sensitive roles and management of access rights throughout the employment lifecycle.
- Staff awareness and training, so that relevant personnel understand their roles under the plan and can act on it effectively.
- Implementation schedule, including a defined timeline with clear milestones and deadlines for putting each technical, security-related, and organisational measure into practice. This ensures a structured and accountable approach to improving resilience over time.
The plan may also address:
- Incident response and mitigation
- Classification of installations and sensitive operational information
- Resilience of operational control systems
Addressing these areas, where relevant, keeps the protective, ICT/OT, personnel, and continuity measures proportionate to the risks identified in the assessment.