Article 77
Business impact analysis
1. A CSD shall conduct a business impact analysis to:
|
(a) |
prepare a list with all the processes and activities that contribute to the delivery of the services it provides; |
|
(b) |
identify and create an inventory of all the components of its IT system that support the processes and activities identified in point (a) as well as their respective interdependencies; |
|
(c) |
identify and document qualitative and quantitative impacts of a disaster recovery scenario to each process and activity referred to in point (a) and how the impacts change over time in case of disruption; |
|
(d) |
define and document the minimum service levels considered acceptable and adequate from the perspective of the users of the CSD; |
|
(e) |
identify and document the minimum resource requirements concerning personnel and skills, work space and IT to perform each critical function at the minimum acceptable level. |
2. A CSD shall conduct a risk analysis to identify how various scenarios affect the continuity of its critical operations.
3. A CSD shall ensure that its business impact analysis and risk analysis fulfil all of the following requirements:
|
(a) |
they are kept up to date; |
|
(b) |
they are reviewed following a material incident or significant operational changes and, at least, annually; |
|
(c) |
they take into account all relevant developments, including market and IT developments. |