|
Article 14
|
- When the core system is outsourced, an organization shall ensure, based on the scope and characteristics of outsourced services, the recovery level of the core system can meet the recovery time objective (RTO) and recovery point objective (RPO) of the system in order to support the core business for recovery to the minimum acceptable service level after an operational disruption to a supplier due to the following reasons. The organization shall further require that the supplier perform exercise either in collaboration with the organization or by itself to validate feasibility of the core system.
- disruption due to a natural disaster, man-made disaster, or information and communication security incident
- an unexpected breakdown of or alteration to equipment
- an adjustment to a function of or a material structural change to the system
- product end of life, with no more technical assistance and services offered and the product being no longer usable
- An organization shall include the above requirements on business continuity management in the outsource contract.
|