Standard for Information Security Continuity

I. Purpose

The purpose of this standard is to establish the University’s obligation to ensure information continuity within its business continuity management systems and processes.

II. Scope

It is the responsibility of any college or departmental representative developing or contributing to business continuity plans for their area to ensure that the continuity of information security is embedded within those plans.

III. Contacts

Direct any general questions about this standard to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at

IV. Standard

Planning information security continuity

Information security management should remain the same in adverse situations as in normal operational conditions, and these requirements should be considered when planning for business continuity and disaster recovery.

Implementing information security continuity

Business continuity and disaster recovery plans should contain processes and procedures to ensure the continuity of information security. Recommendations include:

  • Having an adequate management structure in place to prepare for, mitigate and respond to a disruptive event using personnel with necessary authority, experience and competence;
  • Establishing incident response personnel with necessary responsibility, authority and competence to manage an incident and maintain information security;
  • Documenting and obtaining approval for a plan, response and recovery procedures that detail how the department, college or other entity will manage a disruptive event and will maintain its information security;
  • Developing mitigation steps for information security controls that cannot be maintained during an adverse situation.

Verify, review and evaluate information security continuity

The University as a whole, and colleges and departments individually, should verify information security continuity controls at regular intervals to ensure that they are valid and effective during adverse situations. Information security continuity should be verified by conducting exercises and testing.


Information redundancy can help ensure that availability requirements meet the needs of the University. Redundancies should be tested to ensure the failover from one component to another works as intended. Because redundancies can introduce additional risks to the integrity and confidentiality of information systems, appropriate controls should be considered in the design of these systems.

Related Resources

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee 5/15/15
Updated 8/03/23