High

A business contuinity plan (BCP) exists for potential disaster scenario’s that could affect the critical processes. The business contuinity plan is reviewed at least annually. The business continuity plan is tested periodically.

A disaster recovery plan (DRP) exists for potential disaster scenarios that could affect the IT systems. The disaster recovery plan is reviewed at least annually. The disaster recovery plan is tested periodically.

All critical backup media, documentation and other IT resources needed for IT recovery, and business continuity plans are stored offsite. The content of backup storage is determined after collaboration between business process owners and IT personnel. Management at the offsite storage facility acts on the basis of data classification policy and the enterprise’s media storage practices. IT management ensures that offsite arrangements are periodically assessed, at least annually, for content, environmental protection and security. Compatibility of hardware and software for restoring archived data is ensured, and archived data is periodically tested and refreshed.

Description Domain names reserved for organisational purposes cannot be released shortly after the domain name is no longer needed. A list of domain names that can never be released needs to be kept. Domain names not on this list need to remain reserved with a placeholder message that the domain is no longer in use by the organisation for 3 years before they can be released and used by other parties.

Emergency changes requiring immediate implementation are properly handled to ensure minimal impact on systems and IT applications. The emergency change is registered, evaluated and tested after implementation and approved by responsible management.