Showing results for 
Search instead for 
Did you mean: 


Regulatory compliance is a critical factor in the development of an IT Business Continuity strategy. The requirements vary across industry sectors and geographies. It is also worth noting that not all regulations may apply in a specific business situation but it is important for every business to be cognizant of these legislations and use them as a basis for developing a Business Continuity strategy. 


When a disaster, natural or otherwise impacts normal operations of a business, Business Continuity processes kick in to ensure that services remain available. The effectiveness of a Business Continuity plan is measured by how long it takes the business to recover the critical services (Recovery Time Objective or RTO) and how much data is lost in the process of recovery (Recovery Point Objective or RPO). Business Continuity plans typically specify the RPO and RTO goals for all the business-critical services. In addition to these internal business objectives, formal regulations exist across various industries in all parts of the world. Regulations can be broadly classified into two areas: (1) Standards that must be met in order to become a member of an organization and (2) Regulations imposed on specific industries to create and protect national standards of uniformity.


This article is applicable to Business Continuity planners and IT administrators, tasked with ensuring the compliance of their business recovery strategy to meet government/industry specific legislations and regulations.

Regulations Overview

This section provides an overview of IT Business Continuity regulations across specific industry verticals in the United States as well as regulations in various countries across the world. 



Business Continuity Regulations: USA – All Industries

Laws & Regulations

Impact on Business Continuity  plan (BCP)


Sarbanes-Oxley Act

Corporate officers are liable for business continuity

Relevant for publicly held companies in the U.S

IRS Procedure 86-19

Requires off-site protection and documentation of computer records of tax information

Records must be available in the event that the primary facility is subjected to unplanned outage

Consumer Credit Protection Act (CCPA) Section 2001 Title 1X

Due diligence for availability of data in Electronic Funds Transfers including Point of Sale


Foreign Corrupt Practices Act 1977

Publicly held corporations must provide “reasonable protection” for IT systems

Holds management accountable

Business Continuity Regulations: USA – Healthcare

Health Insurance Portability and Accountability Act (HIPAA) of 1996

Requires data backup plan, DR plan and emergency mode operation plan

Requires increased budgets, new job descriptions, as well as additional staff and infrastructure

Food and Drug Administration (FDA) Code of Federal Regulations (CFR), Title XXI, 1999

Establishes the requirements for electronic records and electronic signatures

Acceptability of electronic records may require organizations to update BC measures to ensure availability of information

Business Continuity Regulations: USA – Government

Federal Information Security Act (FISMA) 2002

Requires electronic data to be available during a crisis

Emphasis of FISMA is on data security

Continuity of Operations (COOP) and Continuity of Government (COG). Federal Preparedness

Establishes minimum planning considerations for federal government operations

Business Continuity Plan (BCP) maintained at high level of readiness; operational no more than 12hrs after activation

NIST 800-53,Security Controls for Federal Systems, 2005

Mandatory security controls that have specific requirements for continuity planning and testing

Specific details on policy and procedures, plans, training, testing, and updating


All department heads must plan for continuity of operations

Written documents for BC must be maintained and current

National Institute of Standards & Technology (NIST), SP800-34 2002

Requires electronic data to be available during a crisis. Requires BC/DR and Continuity of Operations (COOP) plans


Business Continuity Regulations: USA – Finance

Federal Financial Institutions Examination Council (FFIEC), 2003-2004

Specifies that Board of Directors is responsible for ensuring that a comprehensive BC plan has been implemented

Covers companies regulated by FDIC, FRB, Treasury Department


Basel II, Basel Committee on Banking Supervision, 2003

Requires that banks put in place BC and DR plans to ensure continuous operation and to limit losses

Best Practice Standard 2007

Expedited Funds Availability (EFA) Act, 1989

Federally chartered financial institutions must have demonstrable BC plans

To ensure prompt availability of funds

GAO/IMTEC-91-56 Financial Markets: Computer Security Controls

Outlines need for risk assessments, data back-up procedures, Business Continuity operations, and security of U.S. Stock Exchanges

Guidelines for stock markets

Business Continuity Regulations: USA – Utilities

North American Electric Reliability Council (NERC) P6T3

Interim provisions if it is expected to take >1hr to implement BC/DR Plan

Details on BC/DR plan for communications, monitoring utilities, training and testing

Governmental Accounting Standards Board (GASB),1999

Requires a BCP to ensure that agency mission continues in time of crisis

Applies to all government

entities that operate utilities

Fed Energy Regulatory Commission(FERC),2003

Mandates recovery plans

Does not apply to Rural Utilities Service (RUS) borrowers and limited distribution co-ops

NERC Urgent Action Standard 1216

DR Plans and procedures must be in place

BC plans only for facilities considered “critical”

Presidential decision directive 13010

BC/DR plans required for all national infrastructures


Business Continuity Regulations: USA – Manufacturing

ISO 9000 Qualifications

Requires incident preparedness, BC/DR plans, testing and assurances

Operational Continuity Management

Business Continuity Regulations: Australia

Protective Security Framework – June 2010

Applies to all Australian Government Agencies and mandates BCM for all agencies

Authority of Australian Government

Prudential Standard  APS232 Business Continuity Management

APRA regulation for BCM in Authorized Deposit-taking Institutions

Australian Prudential Regulation Authority (APRA)

AS/NZS 5050:2010 Business continuity - Managing disruption-related risk

Describes the application of the principles, framework and process for risk management to disruption-related risk

Standards Australia


HB 221:2004 Business Continuity Management Handbook

Process for business continuity management and workbook to assist organizations in implementation

Standards Australia


Business Continuity Regulations: Brazil

NBR15999-1 Gestão de continuidade de negócios - Parte 1: Código de prática


Brazilian Portuguese translation of the English standard BS 25999-1 Business continuity management. Code of practice

Authority of ABNT (Associação Brasileira de Normas Técnicas)


Standard: NC nº06/IN01/DSIC/GSIPR – Gestão De Continuidade de Negócios

Establishing guidelines for BCM, in the bodies and entities of Federal Public Administration

Institutional Security Cabinet – Information Security and Communication Department

Business Continuity Regulations: Canada

Regulation: IDA By-Law 17.19 – Business Continuity Plan Requirement

Establish and maintain a business continuity plan, such that the member can stay in business in the event of a significant business disruption

Authority of OSC (Ontario Securities Commission)


CSA Z1600-08

Canadian standard for integrating business continuity and emergency management programs

Authority of CSA (Canadian Standards Association)

Guideline: Government of Saskatchewan Business Continuity Guide

Business Continuity Guidelines


Authority of Government of Saskatchewan

Business Continuity Regulations: Hong Kong

Regulation: Business continuity planning supervisory policy manual – TM-G-2

Sets out HKMA‘s supervisory policies and practices in order to satisfy the requirements of the Banking ordinance

Authority of The Hong Kong Monetary Authority (HKMA)


HKMA Supervisory Policy Manual, BCP TM-G-2 V1 02.12.02

Requires need for BC plan documentation and testing at least annually

Hong Kong Monetary Authority

Business Continuity Regulations: India

Regulation: India BCP

Enforced by audit, requires need for BC plan documentation and testing for least annually

Authority of 1. Reserve Bank of India (RBI) 2. Securities & Exchange Board of India (SEBI) 3. National Stock Exchange (NSE) 4. Bombay Stock Exchange (BSE)

Good practice: BPO (Business Process Outsourcers)

In IT/BPO organizations, BCM is based on internal business requirements and often global customer specific requirements


Business Continuity Regulations: Japan

Regulation: Business Continuity at Bank of Japan

Assures a consistent approach to operational continuity

Authority of BOJ (Bank of Japan)

Manual for the Development of Contingency Plans in Financial Institutions. Japan FSA

Regular review of plan

Corporate-wide testing at least annually

Authority of FISC (The Centre for Financial Industry Information System)

Business Continuity Regulations: Singapore

Regulation: MAS Business Continuity Management Guidelines

Testing BC plan regularly, completely and meaningfully; developing recovery strategies

Authority of MAS (Monetary authority of Singapore)


Regulation: SGX Member Rules

Rules requiring SGX member firms to develop robust Business Continuity Management (BCM) arrangements

Authority of SGX (Singapore Exchange Limited)

Standards: SS507:2004


Standard for business continuity/disaster recovery service providers

Authority of SPRING Singapore (Singapore productivity and innovation)

Business Continuity Regulations: UK

Regulation: Business Continuity Practice Guide: 2006

Guidance on BC management requirements for regulated firms

Authority of UK Authorities

- Financial Services Authority (FSA)

- HM Treasury

- Bank of England

Standard: BS25999-2 : 2007

Specification for Business Continuity Management

Specifies requirements for setting up and managing an effective business continuity management system

Authority of British Standards Institution



Meet Business Continuity Regulations with Symantec solutions

Veritas Cluster Server from Symantec provides the ability to test the readiness of business-critical applications to meet Business Continuity needs without any application downtime. Specifically, the Veritas Cluster Server Fire Drill feature in conjunction with Veritas Operations Manager resolves these challenges by allowing a disaster to be simulated and have the complete recovery plan tested comprehensively with no impact to the business-critical applications at the production data center. This enables IT to earn the full confidence of senior management and business owners in assessing the readiness level of business-critical services. For more information about Symantec Veritas Cluster Server, please visit 



Written by: Sai Mukundan, Product Management, Symantec Storage and Availability Management Group

Sources: Business Continuity Institute, Geminare Overview of US Regulations pertaining to Business Continuity, Gartner: Laws influence Business Continuity and Disaster Recovery Planning among Industries

Copyright © 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.




Excellent article !!! Many thank indeed Sai.