S 6.2 Definition of "emergency", person-in-charge in an "emergency"

Initiation responsibility: Agency/company management; IT Security Management

Implementation responsibility: Agency/company management; IT Security Management

However, not every partial or complete failure of the system constitutes an emergency. Often, failures of the IT system can be remedied by planned measures, e.g. replacement procurement, even within a short time. An emergency will arise only when a state has been reached where restoration of availability could not be achieved within the required time (see S 6.1 Development of a survey of availability requirements) and this would result in very significant damage. As soon as an incident occurs which could give rise to an emergency, the necessary steps, leading to a reduction in damage, should be taken.

A person-in-charge should be appointed to provide authorised and timely instructions to introduce contingency measures . The agency/company management must authorise the person-in-charge to both take the decision as to whether an emergency situation has occurred. and to initiate the necessary contingency measures.

Additional controls:

• Who is authorised to determine the existence of an emergency?