CP-02 Contingency Plan

Control: The organization develops and implements a contingency plan for the information system addressing contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the system after a disruption or failure. Designated officials within the organization review and approve the contingency plan and distribute copies of the plan to key contingency personnel.

Supplemental Guidance: None.

Control Enhancements:

(1) The organization coordinates contingency plan development with organizational elements responsible for related plans.

Enhancement Supplemental Guidance: Examples of related plans include Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, Incident Response Plan, and Emergency Action Plan.

(2) The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during crisis situations.

Baseline: LOW CP-2; MOD CP-2 (1); HIGH CP-2 (1) (2)

Family: Contingency Planning

Class: Operational

ISO 17799 mapping: 10.3.2, 10.4.1, 10.8.5, 14.1.3, 14.1.4

COBIT 4.1 mapping: DS4.2

PCI-DSS v2 mapping: 12.9.1, 12.9.2