Business Continuity Management

Business continuity management is about planning and preparing the organisation to maintain critical business processes and ensure rapid recovery after disruptive events such as cyberattacks, system outages or natural disasters. In ISO 27001, information security continuity is a key part of Annex A.


    What is business continuity management?

    Business continuity management (BCM) is the overarching framework for ensuring that an organisation can continue its operations during and after serious incidents. From an information security perspective, it is primarily about ensuring the availability of critical systems and data.

    BCM is closely linked to NIS2 requirements on operational resilience and to ISO 22301, the dedicated standard for business continuity management systems.

    BCP and DRP

    Two central documents in business continuity management are:

    • Business Continuity Plan (BCP): An overarching plan for how the organisation maintains critical business functions during an incident, including roles, communication procedures and alternative working arrangements.
    • Disaster Recovery Plan (DRP): A more technical plan for restoring IT systems and data after an outage, covering backup restoration, failover procedures and system recovery sequences.

    Requirements in ISO 27001

    ISO 27001:2022 addresses information security continuity in Annex A controls 5.29 (Information security during disruption) and 5.30 (ICT readiness for business continuity). These require the organisation to plan, implement, test and maintain arrangements to preserve the security level during disruptive events.

    Control 5.29 focuses on maintaining information security requirements during adverse situations, whilst control 5.30 ensures that ICT services can be restored within agreed timeframes.


    Test your plans:
    A continuity plan that has never been tested is of little value. Regular exercises and tests reveal gaps and ensure that employees know their roles when it matters. ISO 27001 explicitly requires that plans be tested and reviewed at planned intervals.

    RTO and RPO

    Two key metrics in business continuity management are:

    • RTO (Recovery Time Objective): The maximum acceptable time to restore a service after an outage. This drives requirements for failover capabilities and recovery procedures.
    • RPO (Recovery Point Objective): The maximum acceptable data loss measured in time (e.g. 'we can lose no more than 4 hours of data'). This drives requirements for backup frequency and replication.

    These objectives must be defined for each critical system and agreed with business stakeholders. They form the basis for technical recovery planning and investment decisions.
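    As an added illustration (not part of the original glossary entry), the check below turns per-system RTO/RPO targets into something a recovery test can actually fail: it verifies that a backup schedule's worst-case data loss stays within the RPO, and measures the RTO and RPO actually achieved in a recovery exercise. All system names, targets and timestamps are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RecoveryTarget:
    system: str
    rto: timedelta  # maximum acceptable time to restore the service
    rpo: timedelta  # maximum acceptable data loss, measured in time


# Constructed targets for three hypothetical critical systems.
TARGETS = {
    "erp": RecoveryTarget("erp", rto=timedelta(hours=4), rpo=timedelta(hours=1)),
    "mail": RecoveryTarget("mail", rto=timedelta(hours=8), rpo=timedelta(hours=4)),
    "fileshare": RecoveryTarget("fileshare", rto=timedelta(hours=24), rpo=timedelta(hours=12)),
}


def schedule_meets_rpo(target, backup_interval, backup_duration=timedelta(0)):
    """A periodic backup can lose up to one full interval plus the time the
    backup job itself takes to finish; the schedule is adequate only if that
    worst case stays within the RPO."""
    return backup_interval + backup_duration <= target.rpo


def evaluate_incident(target, last_good_backup, outage_start, service_restored):
    """Measure achieved RTO and RPO for one outage or recovery test and
    compare each against the agreed target."""
    achieved_rto = service_restored - outage_start
    achieved_rpo = outage_start - last_good_backup  # data written after this point is lost
    return {
        "system": target.system,
        "achieved_rto": achieved_rto,
        "rto_met": achieved_rto <= target.rto,
        "achieved_rpo": achieved_rpo,
        "rpo_met": achieved_rpo <= target.rpo,
    }


def systems_missing_targets(results):
    """Return the names of systems whose recovery test missed the RTO or RPO."""
    return [r["system"] for r in results if not (r["rto_met"] and r["rpo_met"])]


if __name__ == "__main__":
    # Constructed recovery-test log: (system, last good backup, outage start, restored).
    t = datetime(2024, 3, 1)
    tests = [
        ("erp", t + timedelta(hours=2), t + timedelta(hours=2, minutes=45), t + timedelta(hours=5, minutes=30)),
        ("mail", t, t + timedelta(hours=6), t + timedelta(hours=16)),
    ]
    results = [evaluate_incident(TARGETS[s], b, o, r) for s, b, o, r in tests]
    print("Missed targets:", systems_missing_targets(results))
```

    A system that appears in the missed list is the evidence a test exercise is meant to produce: either the backup schedule or the recovery procedure needs revising before the plan is reviewed again.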

    Frequently Asked Questions about Business Continuity Management

    What is business continuity management?

    Business continuity management (BCM) is the framework for planning and preparing an organisation to maintain critical business processes and ensure rapid recovery after disruptive events. It covers both business and technical aspects of resilience.

    What is the difference between a BCP and a DRP?

    A Business Continuity Plan (BCP) is an overarching plan for maintaining critical business functions during an incident. A Disaster Recovery Plan (DRP) is a more technical plan specifically for restoring IT systems and data after an outage.

    How does ISO 27001 address business continuity?

    ISO 27001:2022 addresses it through Annex A controls 5.29 (Information security during disruption) and 5.30 (ICT readiness for business continuity). These require planning, implementing, testing and maintaining continuity arrangements.

    What are RTO and RPO?

    RTO (Recovery Time Objective) is the maximum acceptable time to restore a service. RPO (Recovery Point Objective) is the maximum acceptable data loss measured in time. Together, they define recovery targets for critical systems.

    How often should continuity plans be tested?

    ISO 27001 requires that continuity plans be tested and reviewed at planned intervals and after significant changes. Best practice is to conduct at least one tabletop exercise and one technical recovery test per year.
