Sometimes an unexpected event, such as a fire, flood, or equipment failure, can cause downtime. In order to be able to continue operations as quickly and smoothly as possible, continuity planning is carried out, i.e. planning the operations in advance for these exceptional situations.
Each continuity plan shall contain at least the following information:
The organization should regularly and at least annually test and review information security continuity plans to ensure that they are valid and effective in adverse situations.
Stakeholders critical to each plan will be involved in the testing of continuity plans, as appropriate.
In addition, in the event of significant changes in operations, the adequacy of continuity plans and related management mechanisms should be reassessed.
Restorability refers to how quickly personal data are restored to be available and accessible in the event of a physical or technical failure.
The organization should define requirements for the continuity of information security management during a crisis or disaster.
Information security management can either assume that the requirements are the same in adverse situations as in normal operating conditions, or seek to determine separately the security requirements applicable to adverse situations.