3.63Institutions’ business continuity management functions and crisis management teams should develop and implement a business continuity plan for material Cloud Computing arrangements. If Cloud Computing arrangements are outsourced, the Outsourcing Service Provider should have a business continuity plan in place that is acceptable to the Institution.
3.64Institutions should define key risk indicators, performance metrics and adverse conditions that can trigger the business continuity plan for the Cloud Computing arrangement during its on-going monitoring and oversight of any services provided by the Outsourcing Service Provider.
3.65As part of an Institution’s own business continuity planning for Cloud Computing services, it should tailor the plan to:
a.Account for any dependency on one Outsourcing Service Provider;
b.Define the division of roles and responsibilities;
c.Define recovery objectives;
d.Identify alternative solutions/develop transition plans; and
e.Test their business continuity plans for their Cloud Computing arrangement (jointly with the Outsourcing Service Provider if the Cloud Computing arrangement is outsourced) on at least an annual basis.