1.
The Disaster Recovery (DR) and Business Continuity Plan (BCP) is tested regularly, at least annually.
2.
The organization is capable of recovering from a cybersecurity event or incident in accordance with desire Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
3.
The organization maintains a crisis communication plan that manages the organization’s reputation after a cybersecurity event or incident occurs.
4.
The Disaster Recovery (DR) and Business Continuity Plan (BCP) is reviewed and updated regularly, at least annually.
