Highlights of IS.005: Business Continuity and Disaster Recovery Standard
The IS.005 Business Continuity and Disaster Recovery Standard details the responsibility to establish and follow processes for business continuity and disaster recovery management in the event of any organizational or information technology infrastructure failure. Agencies are to:
- Develop and maintain processes for both Business Continuity and Disaster Recovery
- Perform a risk assessment of critical information assets
- Conduct a Business Impact Analysis to assess the impact of disruption
- Develop a Business Continuity Plan and Disaster Recovery Plan and test each annually
- Develop Data Backup and Restoration processes to ensure that copies of critical data are retrievable
See the Enterprise Information Security Standards Self-Assessment Questionnaire (Excel) that can be used to track compliance with implementing these internal controls. Departments should expect to be audited on compliance with these internal controls.
The Executive Office of Technology Services and Security (EOTSS) publishes Enterprise Information Security Policies and Standards which must be included in a Department’s Internal Control Plan, implemented, tested, and included in staff training. These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive Departments who have not adopted comparable cyber and data security standards as part of their Internal Control Plan.