Security controls are implemented on an ongoing basis by individuals within the organization. Many of these control types deal with the day-to-day operations of the organizational information systems:

• Organizational business continuity: As an operational capability clearly defining your organization's business continuity objectives will serve feed lower level business unit and information system business continuity plans.
• Individual business continuity plans: Each business unit should develop specific business continuity plans, ensuring that they are in alignment with overall organizational plans and that there is a clear understanding regarding what is needed to keep individual business units operating in the event of a disaster.
• Policies and procedures: These policies and procedures are the detailed plans associated with disaster recovery. This is where the organization's business and IT units come together to build the steps to keep the organization operating during a disaster.