CP-02 Contingency Plan

Contingency Planning

Low Moderate High

Description

The organization develops and implements a contingency plan for the information system addressing contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the system after a disruption or failure. Designated officials within the organization review and approve the contingency plan and distribute copies of the plan to key contingency personnel.

Supplemental Guidance

None.

Changes from Rev 4

Develop and document a map of system data actions, addressing the sharing of contingency information and noting the system operations that process personally identifiable information; incorporate lessons learned into contingency planning tests and training

Compliance Mappings

ISO 27001:2022

A.5.29, A.5.30, A.8.6

ISO 27002:2022

5.29, 5.30, 8.6

COBIT 2019

BAI04, DSS04

CIS Controls v8

CIS 11.1

NIST CSF 2.0

GV.OC-04, GV.OC-05, GV.SC-08, ID.AM-05, ID.IM-04, PR.IR-03, PR.IR-04, RC.CO-03, RC.RP-01, RC.RP-02

SOC 2 TSC

A1.2, A1.2-POF1, A1.2-POF2, A1.2-POF3, CC7.4-POF5, CC7.5, CC9.1, CC9.1-POF1

CSA CCM v4

BCR-01, BCR-02, BCR-03, BCR-04, BCR-05, BCR-07, BCR-09, IVS-02

CSA AICM v1

BCR-01, BCR-02, BCR-03, BCR-04, BCR-05, BCR-07, BCR-09, I&S-02

ISO 42001:2023

A.4.5

IEC 62443

3-3 SR 7.2

NIS2 Directive

Art. 21(2)(c)

PRA Operational Resilience

SS1/21-10.1, SS1/21-3.1, SS1/21-4.1, SS1/21-5.1, SS1/21-8.1, SS2/21-10.1, SS2/21-12.1

MAS TRM

8

BSI IT-Grundschutz

DER.4

ANSSI

Hygiene.30, Hygiene.35, SecNumCloud.18.1

FINMA Circular 2023/1

IV.E(87), IV.E(88), IV.E(89), IV.E(90), IV.E(91)

OSFI B-13

B-13.2.6

EU GDPR

Art.32(1)(b), Art.32(1)(c), Art.32(1)(d)

EU DORA

Art.11(1), Art.11(3), Art.11(4), Art.12(1)

BIO2

5.29, 5.30, 8.6

RBI CSF

Annex1.19, ITGRCA.28, ITGRCA.29

FISC Security Guidelines

FISC.O5

LGPD + BCB 4893

BCB.Art.3

HKMA TM-E-1

TME1.6.1, TME1.6.2

MLPS 2.0

8.1.10.11

DNB Good Practice

DNB.11.1, DNB.11.4, DNB.8.3

EU CRA

CRA.I.2h

NCA ECC

3-13-25-1

UAE IA

T12

CBB TM

TM-14

Qatar NIA

BC

CBUAE

CR-13

CBE CSF

OVM-2

SA JS2

JS2-7.5

CBN CSF

Part3.6, Part3.7

BoG CISD

CISD-BCM

POPIA

s19

BoM CTRM

5.2

IOSCO Cyber Resilience

PFMI-17, RR-2, RR-5

BCBS 239

Principle 2, Principle 5, Principle 6

CPMI-IOSCO PFMI

CG.RR, PFMI.P15, PFMI.P17

FFIEC IS

III.D

NYDFS 500

500.16, 500.2

HIPAA Security Rule

§164.308(a)(7)(i), §164.308(a)(7)(ii)(B), §164.308(a)(7)(ii)(C), §164.308(a)(7)(ii)(E), §164.310(a)(2)(i), §164.312(a)(2)(ii)

ECB CROE

CROE.2.5.2, CROE.2.5.3

EBA ICT Guidelines

3.5(a), 3.7.1, 3.7.2, 3.7.3, 3.7.5

SEBI CSCRF

BCP-DR, CCMP, RC.CO, RC.IM, RC.RP

BOT Cyber Resilience

Ch4.2

NERC CIP

CIP-009-6

10 CFR 73.54

RG5.71-B-CP

DOE C2M2 v2.1

RESPONSE

API 1164

Sec 11

AWIA

Sec 2013(b)

IAEA NSS 17-T

Sec 8

ISAE 3402

Clause 4

Solvency II

DR.266, DR.266-BCP, DR.274, EIOPA-Cloud-GL11, EIOPA-ICT-4.10

Lloyd's Minimum Standards

CRM.3, MS8.6, MS9.1

NAIC Insurance Data Security

44F-b

PRA SS1/23

P-IT.3

FCA SYSC 13

SYSC 13.8.1, SYSC 13.8.2, SYSC 13.9.5

HITRUST CSF v11

09.b, 09.d, 12.a, 12.b

FDA Cybersecurity Guidance

SA-6

ISO 27799

17.117.29.2

NHS DSPT

NDG-7.1, NDG-7.2, NDG-7.4

CCSS v9.0

1.06.1, 1.06.4

MiCA

Art.68(5), Art.62(6), Art.47(1)

Basel SCO60

SCO60.21, SCO60.23, SCO60.50, SCO60.53, SCO60.63

BSSC Standards

NOS-07, GSP-06

SEC Custody (Digital Assets)

SEC-CD-12

ISO 17799 (legacy)

10.3.2, 10.4.1, 10.8.5, 14.1.3, 14.1.4

COBIT 4.1 (legacy)

DS4.2