Information security professionals should identify their organization's needs
for continuity of operations and should prepare the organization and its
information systems accordingly.
Complexity: Organizations' needs for continuity may reflect legal, regulatory, or financial obligations of the organization,
organizational goodwill, or obligations to customers, the board of directors, and owners. Understanding the
organization's continuity requirements will guide information security professionals in developing the
information security response to business interruption or disaster. The objectives(4) of this principle are to
ensure the continued operation of the organization, to minimize recovery time in response to business
interruption or disaster, and to fulfill relevant requirements.
The continuity principle may be applied through three basic concepts: organizational recovery, continuity of
operations, and end user contingent operations. Organizational recovery is invoked whenever a primary
operation site is no longer capable of sustaining operations. Continuity of operations is invoked when
operations can continue at the primary site but must respond to less-than-desirable circumstances (such as
resource limitations, environmental hazards, or hardware or software failures). End user contingent
operations are invoked in both organizational recovery and continuity of operations.