
Compliance Risk &

Information Security Partners

Introducing the new small business third-party risk management company

20-S: Business Continuity and Disaster Recovery Plan

This section evaluates how your organization prepares for, responds to, and recovers from disruptions to its operations and services.

The questions focus on whether you maintain documented and tested business continuity and disaster recovery plans, including defined recovery objectives, roles and responsibilities, communication procedures, and backup strategies for critical systems and data. They also address how often plans are reviewed, updated, and exercised.

Overall, this section confirms that you can continue or quickly resume essential services in the event of outages, incidents, or major disruptions.

Explanation: An incident response plan (IRP) outlines the steps to detect, respond to, and recover from security incidents. A well-defined IRP minimizes the impact of breaches, ensures compliance with regulations, and maintains business continuity.

Risks of Incorrect Answer:
- Delays in addressing incidents, leading to greater damage.
- Non-compliance with industry or legal standards, resulting in fines.
- Loss of client trust due to mishandling incidents.

Applicable Frameworks:
- NIST SP 800-61: Provides guidelines for establishing an incident response plan.
- ISO 27001 (A.16.1.1): Addresses incident response and reporting.
- HIPAA: Requires incident handling for PHI breaches.
- PCI DSS (Requirement 12.10): Mandates an incident response plan for cardholder data.

Explanation: Having a dedicated team ensures accountability and coordination during an incident. Clearly defined roles improve response times and ensure tasks are not duplicated or missed.

Risks of Incorrect Answer:
- Confusion during an incident, delaying containment and recovery.
- Key steps may be overlooked due to undefined responsibilities.
- Non-compliance with regulatory requirements for incident management.

Applicable Frameworks:
- NIST SP 800-61: Recommends establishing a Computer Security Incident Response Team (CSIRT).
- ISO 27001 (A.16.1.2): Focuses on defining roles and responsibilities.
- SOX: Encourages formal accountability for security processes.

Explanation: Regular testing (e.g., through tabletop exercises or simulations) ensures the IRP works as intended and identifies gaps or areas for improvement. Testing also builds team readiness.

Risks of Incorrect Answer:
- Unidentified weaknesses in the incident response process.
- Delayed response during a real incident due to lack of preparation.
- Regulatory penalties for failing to test incident management procedures.

Applicable Frameworks:
- NIST SP 800-84: Covers simulation-based exercises for incident response.
- ISO 27031: Addresses ICT readiness for incident response.
- PCI DSS (Requirement 12.10.2): Requires annual testing of incident response procedures.

Explanation: Timely reporting ensures the affected parties can take appropriate action to mitigate risks. It also demonstrates compliance with breach notification regulations and transparency with stakeholders.

Risks of Incorrect Answer:
- Delayed client response, increasing potential damages.
- Non-compliance with legal or regulatory notification timelines, leading to penalties.
- Damage to client trust due to lack of transparency.

Applicable Frameworks:
- GDPR (Article 33): Requires notification within 72 hours of becoming aware of a breach.
- HIPAA: Mandates notification of breaches involving PHI.
- PCI DSS: Encourages prompt communication of breaches affecting cardholder data.
- NIST CSF (DE.CM-6): Emphasizes incident reporting and escalation procedures.

THANK YOU

You have successfully completed the Business Continuity and Disaster Recovery Plan portion of this Assessment.

Please press Submit so that we can process your results.


Some or all of the services described in this engagement may not be available to certain clients, including those who have affiliations or relationships with audit firms or related entities.

The information provided herein is of a general nature and is not intended to address the specific circumstances of any individual or entity. While we strive to offer accurate and up-to-date information, we cannot guarantee its accuracy at the time it is received or in the future. No action should be taken based solely on this information without seeking appropriate professional advice tailored to your particular situation. CRISP does not provide legal or tax advice.

This information is not intended to constitute “written advice concerning one or more Federal tax matters” as defined by section 10.37(a)(2) of Treasury Department Circular 230.


© 2025 Compliance Risk & Information Security Partners (CRISP). All rights reserved.