BCD-01: Business Continuity Management System (BCMS)

BCD 10 — Critical Govern

Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).

Control Question: Does the organization facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS) (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks)?

General (48)

Framework	Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source)	A1.2 A1.2-POF1 A1.2-POF10 A1.2-POF11 A1.2-POF2 A1.2-POF3 A1.2-POF4 A1.2-POF5 A1.2-POF6 CC7.4-POF5 CC7.5 CC7.5-POF1 CC7.5-POF2 CC7.5-POF4 CC7.5-POF5 CC8.1-POF15 CC9.1 CC9.1-POF1 CC9.1-POF2
CIS CSC 8.1	11 11.1
CIS CSC 8.1 IG1	11.1
CIS CSC 8.1 IG2	11.1
CIS CSC 8.1 IG3	11.1
COBIT 2019	DSS04.01 DSS04.02 DSS04.03 DSS04.04 DSS04.05 DSS04.06 DSS04.07 DSS04.08
CSA CCM 4	BCR-01 BCR-03 BCR-04 BCR-05 BCR-07 BCR-09
CSA IoT SCF 2	GVN-03
ENISA 2.0	SO19 SO20
GovRAMP Core	CP-10
GovRAMP Low	CP-01 CP-02 CP-10
GovRAMP Low+	CP-01 CP-02 CP-10
GovRAMP Moderate	CP-01 CP-02 CP-10
GovRAMP High	CP-01 CP-02 CP-10 IR-04(03)
IMO Maritime Cyber Risk Management	3.5.1 3.5.3 3.5.5 3.5.6 3.5.6.1
ISO 22301 2019	4.3 4.3.1 4.3.2 4.4 5.1 5.2 5.2.1 6.1 6.1.1 6.1.2 6.2 6.2.1 6.2.2 7.4 7.5.1 8.3 8.3.1 8.3.2 8.3.3 8.3.4 8.3.5 10.1 10.1.1 10.1.2 10.1.3 10.2
ISO 27002 2022	5.29 5.30
ISO 27017 2015	17.1.1 17.1.2
MITRE ATT&CK 10	T1485, T1486, T1490, T1491, T1491.001, T1491.002, T1561, T1561.001, T1561.002
MPA Content Security Program 5.1	OR-1.2 OR-3.4 TS-1.5
NAIC Insurance Data Security Model Law (MDL-668)	4.C(4)(c)
NIST AI 100-1 (AI RMF) 1.0	GOVERN 6.2
NIST AI 600-1	MG-2.3-001
NIST Privacy Framework 1.0	PR.PO-P7
NIST 800-53 R4	CP-1 CP-2 IR-4(3) PM-8 CP-10
NIST 800-53 R4 (low)	CP-1 CP-2 CP-10
NIST 800-53 R4 (moderate)	CP-1 CP-2 CP-10
NIST 800-53 R4 (high)	CP-1 CP-2 CP-10
NIST 800-53 R5 (source)	CP-1 CP-2 IR-4(3) PM-8 CP-10
NIST 800-53B R5 (low) (source)	CP-1 CP-2 CP-10
NIST 800-53B R5 (moderate) (source)	CP-1 CP-2 CP-10
NIST 800-53B R5 (high) (source)	CP-1 CP-2 CP-10
NIST 800-53 R5 (NOC) (source)	IR-4(3) PM-8
NIST 800-82 R3 LOW OT Overlay	CP-1 CP-2 CP-10
NIST 800-82 R3 MODERATE OT Overlay	CP-1 CP-2 CP-10
NIST 800-82 R3 HIGH OT Overlay	CP-1 CP-2 CP-10
NIST 800-161 R1	CP-1 CP-2 PM-8
NIST 800-161 R1 C-SCRM Baseline	CP-1 CP-2
NIST 800-161 R1 Level 1	CP-1 PM-8
NIST 800-161 R1 Level 2	CP-1 CP-2
NIST 800-161 R1 Level 3	CP-1 CP-2
NIST CSF 2.0 (source)	GV.SC-08 ID.IM-04 PR.IR-02 PR.IR-03 RC RC.RP RC.RP-02 RC.RP-04 RS.MA-05
Shared Assessments SIG 2025	K.4
TISAX ISA 6	5.2.8
SCF CORE Mergers, Acquisitions & Divestitures (MA&D)	BCD-01
SCF CORE ESP Level 1 Foundational	BCD-01
SCF CORE ESP Level 2 Critical Infrastructure	BCD-01
SCF CORE ESP Level 3 Advanced Threats	BCD-01

US (28)

Framework	Mapping Values
US C2M2 2.1	RESPONSE-4.A.MIL1 RESPONSE-4.D.MIL2 RESPONSE-4.H.MIL2 RESPONSE-4.M.MIL3
US CERT RMM 1.2	EC:SG4.SP5 EF:SG2.SP1 RRM:SG1.SP3 RRM:SG1.SP4 SC:SG1.SP1 SC:SG2.SP1 SC:SG3.SP2 SC:SG3.SP3 SC:SG3.SP4 SC:SG7.SP2
US CISA CPG 2022	5.A
US CMS MARS-E 2.0	CP-1 CP-2 PM-8 CP-10
US DHS CISA TIC 3.0	3.UNI.IRPIH 3.UNI.RESIL
US FCA CRM	609.930(c)(3)(iii)
US FedRAMP R4	CP-1 CP-2 IR-4(3)
US FedRAMP R4 (low)	CP-1 CP-2
US FedRAMP R4 (moderate)	CP-1 CP-2
US FedRAMP R4 (high)	CP-1 CP-2 IR-4(3)
US FedRAMP R4 (LI-SaaS)	CP-1 CP-2
US FedRAMP R5 (source)	CP-1 CP-2
US FedRAMP R5 (low) (source)	CP-1 CP-2
US FedRAMP R5 (moderate) (source)	CP-1 CP-2
US FedRAMP R5 (high) (source)	CP-1 CP-2
US FedRAMP R5 (LI-SaaS) (source)	CP-1 CP-2
US FFIEC	D5.IR.Pl.B.6
US HIPAA Administrative Simplification 2013 (source)	164.308(a)(7)(i) 164.308(a)(7)(ii)(C)
US HIPAA Security Rule / NIST SP 800-66 R2 (source)	164.308(a)(7)(i) 164.308(a)(7)(ii)(C)
US IRS 1075	CP-1 CP-2 CP-10
US NERC CIP 2024 (source)	CIP-003-8 1.1.6 CIP-009-6 R1 CIP-009-6 R2 CIP-009-6 R3
US NISPOM 2020	8-104 8-603 8-614
US NNPI (unclass)	6.1
US - CA CCPA 2025	7123(c)(18)
US - NY DFS 23 NYCRR500 2023 Amd 2	500.16(a)(2) 500.16(a)(2)(i) 500.16(a)(2)(ii) 500.16(a)(2)(iii) 500.16(a)(2)(iv) 500.16(a)(2)(v) 500.16(a)(2)(vi) 500.16(b) 500.2(b)(5) 500.3(e)
US - TX DIR Control Standards 2.0	CP-1 CP-2 CP-10
US - TX TX-RAMP Level 1	CP-1 CP-2 CP-10
US - TX TX-RAMP Level 2	CP-1 CP-2 CP-10

EMEA (23)

Framework	Mapping Values
EMEA EU EBA GL/2019/04	3.7(77) 3.7.1(78) 3.7.1(79) 3.7.2(80) 3.7.2(81) 3.7.2(82) 3.7.3(83) 3.7.3(84)(a) 3.7.3(84)(b) 3.7.3(84)(c) 3.7.3(85) 3.7.3(86)
EMEA EU DORA	11.1 11.10 11.11 11.2 11.2(a) 11.2(b) 11.2(c) 11.2(d) 11.2(e) 11.3 11.4 11.5 11.6(a) 11.6(b) 11.7 11.8 11.9 12.1 12.1(a) 12.1(b)
EMEA EU GDPR (source)	32.1(c)
EMEA EU NIS2	21.2(c)
EMEA EU NIS2 Annex	12.1.2(c) 13.2.2(a) 3.1.2 4.1.1 4.1.2 4.1.2(a) 4.1.2(b) 4.1.2(c) 4.1.2(d) 4.1.2(e) 4.1.2(f) 4.1.2(g) 4.1.2(h) 4.2.2 4.2.5 4.3.1
EMEA Austria	Sec 14 Sec 15
EMEA Belgium	16
EMEA Germany Banking Supervisory Requirements for IT (BAIT)	10.1 10.2 10.3 10.5
EMEA Germany C5 2020	BCM-01 BCM-02 BCM-03
EMEA Israel CDMO 1.0	11.7 25.1
EMEA Saudi Arabia CSCC-1 2019	2-8 3-1 3-1-1-1 3-1-1-2
EMEA Saudi Arabia IoT CGIoT-1 2024	2-12-2 2-8-1 3-1-1
EMEA Saudi Arabia ECC-1 2018	2-4-4 2-9-1 2-9-2 2-9-3 2-9-3-1 2-9-4 3-1-1 3-1-2 3-1-3 3-1-3-1 3-1-3-2 3-1-3-3 3-1-4
EMEA Saudi Arabia OTCC-1 2022	3-1 3-1-1 3-1-1-1 3-1-1-2 3-1-1-3 3-1-1-4 3-1-1-5 3-1-1-6 3-1-2
EMEA Saudi Arabia SACS-002	TPC-67 TPC-68 TPC-69
EMEA South Africa	19.1 19.2
EMEA Spain BOE-A-2022-7191	26
EMEA Spain 311/2022	26
EMEA Spain CCN-STIC 825	7.5.1 [OP.CONT.1] 7.5.2 [OP.CONT.2]
EMEA UAE NIAF	3.4 3.4.1 3.4.2 3.4.3
EMEA UK CAF 4.0	B5.a
EMEA UK CAP 1850	D1
EMEA UK DEFSTAN 05-138	2501 2502 4100

APAC (9)

Framework	Mapping Values
APAC Australia ISM June 2024	ISM-0734
APAC Australia Prudential Standard CPS230	12(b) 14 34(a) 34(b) 34(c) 34(d) 34(e) 40(a) 40(b) 40(c) 40(d) 40(e) 41
APAC China Cybersecurity Law	33 34(4)
APAC India SEBI CSCRF	PR.IP.S11 RC.RP.S1 RC.RP.S4 RS.MA.S3
APAC Japan ISMAP	17.1.1 17.1.2
APAC New Zealand HISF 2022	HHSP08 HHSP24 HHSP56 HHSP61 HML08 HML24 HML61 HMS21 HSUP08 HSUP22 HSUP53
APAC New Zealand HISF Suppliers 2023	HSUP08 HSUP22 HSUP53
APAC New Zealand NZISM 3.6	6.4.5.C.01 6.4.7.C.01 6.4.8.C.01 23.4.12.C.01 23.4.12.C.02
APAC Singapore MAS TRM 2021	8.1.1 8.1.2 8.1.3 8.1.4 8.2.1 8.2.2 8.2.3 8.2.4 8.5.1 8.5.2 8.5.2(a) 8.5.2(b) 8.5.2(c)

Americas (3)

Framework	Mapping Values
Americas Bermuda BMACCC	6.14 7.1
Americas Canada CSAG	2.9
Americas Canada OSFI B-13	2.9 2.9.1

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS).

Level 1 — Performed Informally

Business Continuity & Disaster Recovery (BCD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

IT personnel work with business stakeholders to identify business-critical systems and services, including internal teams and third-party service providers.
IT personnel develop limited Disaster Recovery Plans (DRP) to recover business-critical systems and services.
Business stakeholders develop limited Business Continuity Plans (BCPs) to ensure business-critical functions are sustainable both during and after an incident within Recovery Time Objectives (RTOs).
Backups are performed ad-hoc and focus on business-critical systems.
Limited technologies exist to support near real-time network infrastructure failover (e.g., redundant ISPs, redundant power, etc.).

Level 2 — Planned & Tracked

Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Business Continuity / Disaster Recovery (BC/DR) management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for BC/DR management.
IT/cybersecurity personnel work with business stakeholders to identify business-critical systems, services, internal teams and third-party service providers.
BC/DR roles are formally assigned as an additional duty to existing IT/cybersecurity personnel.
Recovery Time Objectives (RTOs) identify business-critical systems and services, which are given priority of service in alternate processing and storage sites.
IT personnel develop Disaster Recovery Plans (DRP) to recover business-critical systems and services.
Data/process owners conduct a Business Impact Analysis (BIA) at least annually, or after any major technology or process change, to identify assets critical to the business in need of protection, as well as single points of failure.
IT/cybersecurity personnel work with business stakeholders to develop Business Continuity Plans (BCPs) to ensure business functions are sustainable both during and after an incident within Recovery Time Objectives (RTOs).
Within the BCPs, alternate communications channels have been defined and alternative decision-makers are designated if primary decision-makers are unavailable.
IT personnel use a backup methodology (e.g., grandfather, father & s on rotation) to store backups in a secondary location, separate from the primary storage site.
IT personnel configure business-critical systems to transfer backup data to the alternate storage site at a rate that is capable of meeting Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

Level 3 — Well Defined

Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

A formal Business Continuity & Disaster Recovery (BC/DR) program exists with defined roles and responsibilities to restore functionality in the event of a catastrophe, emergency, or significant disruptive incident that is handled in accordance with a Continuity of Operations Plan (COOP).
BC/DR personnel work with business stakeholders to identify business-critical systems, services, internal teams and third-party service providers.
Specific criteria are defined to initiate BC/DR activities that facilitate business continuity operations capable of meeting applicable RTOs and/or RPOs.- Application/system/process owners conduct a Business Impact Analysis (BIA) at least annually, or after any major technology or process change, to identify assets critical to the business in need of protection, as well as single points of failure.
Recovery Time Objectives (RTOs) are defined for business-critical systems and services.
Recovery Point Objectives (RPOs) are defined and technologies exist to conduct transaction-level recovery, in accordance with RPOs.
Controls are assigned to sensitive/regulated assets to comply with specific BC/DR requirements to facilitate recovery operations in accordance with RTOs and RPOs.
IT personnel work with business stakeholders to develop Disaster Recovery Plans (DRP) to recover business-critical systems and services within RPOs.
Business stakeholders work with IT personnel to develop Business Continuity Plans (BCPs) to ensure business functions are sustainable both during and after an incident within RTOs.
The data backup function is formally assigned with defined roles and responsibilities.
BC/DR personal have pre-established methods to communicate the status of recovery activities and progress in restoring operational capabilities to designated internal and external stakeholders.
The integrity of backups and other restoration assets are verified prior to using them for restoration.

Level 4 — Quantitatively Controlled

Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
Both business and technical stakeholders are involved in reviewing and approving proposed changes.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate the implementation of contingency planning controls to help ensure resilient Technology Assets, Applications and/or Services (TAAS).

Assessment Objectives

BCD-01_A01 cybersecurity issues are addressed in the development of a critical infrastructure and key resources protection plan.
BCD-01_A02 privacy issues are addressed in the development of a critical infrastructure and key resources protection plan.
BCD-01_A03 cybersecurity issues are addressed in the documentation of a critical infrastructure and key resources protection plan.
BCD-01_A04 privacy issues are addressed in the documentation of a critical infrastructure and key resources protection plan.
BCD-01_A05 cybersecurity issues are addressed in the update of a critical infrastructure and key resources protection plan.
BCD-01_A06 privacy issues are addressed in the update of a critical infrastructure and key resources protection plan.
BCD-01_A07 Business Continuity & Disaster Recovery (BC/DR) operations are conducted according to documented policies, standards, procedures and/or other organizational directives.
BCD-01_A08 adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support Business Continuity & Disaster Recovery (BC/DR) operations.
BCD-01_A09 responsibility and authority for the performance of Business Continuity & Disaster Recovery (BC/DR)-related activities are assigned to designated personnel.
BCD-01_A10 personnel performing Business Continuity & Disaster Recovery (BC/DR)-related activities have the skills and knowledge needed to perform their assigned duties.

Evidence Requirements

E-BCM-01 Continuity of Operations Plan (COOP): Documented evidence of a Continuity of Operations Plan (COOP). This is program-level documentation in the form of a runbook, playbook or a similar format provides guidance on organizational practices that support existing policies and standards. This involves internal and external stakeholders for incident response, disaster recovery and business continuity support requirements.
Business Continuity

Technology Recommendations

Micro/Small

Continuity of Operations Plan (COOP)
Business Continuity Plan (BCP)
Disaster Recovery Plan (DRP)
Business Impact Analysis (BIA)
Criticality assessments

Small

Continuity of Operations Plan (COOP)
Business Continuity Plan (BCP)
Disaster Recovery Plan (DRP)
Business Impact Analysis (BIA)
Criticality assessments

Medium

Continuity of Operations Plan (COOP)
Business Continuity Plan (BCP)
Disaster Recovery Plan (DRP)
Business Impact Analysis (BIA)
Criticality assessments

Large

Continuity of Operations Plan (COOP)
Business Continuity Plan (BCP)
Disaster Recovery Plan (DRP)
Business Impact Analysis (BIA)
Criticality assessments

Enterprise

Continuity of Operations Plan (COOP)
Business Continuity Plan (BCP)
Disaster Recovery Plan (DRP)
Business Impact Analysis (BIA)
Criticality assessments