In today’s digitally connected world, continuity of information and communication technologies (ICT) is crucial to the uninterrupted operation of any organisation. Ensuring digital resilience is becoming a priority, underlined by new regulations such as NIS 2 and DORA, which place significant demands on the entities in scope. ISO/IEC 27031 provides valuable guidance on ICT readiness for business continuity (IRBC), a necessary pillar for achieving overall business continuity.
Business continuity vs. ICT continuity
It is important to distinguish between business continuity and ICT continuity. Business continuity is the ability of an organisation to continue to deliver products and services within acceptable timeframes and at a predefined capacity during a disruption. ICT continuity, also referred to as ICT disaster recovery, then focuses on the ability of ICT elements to support the organisation’s critical processes and activities at an acceptable level following a disruption. While a continuity disruption may have a very low probability of occurrence, its impact on an organisation can be catastrophic. The objectives of business continuity management include improving incident detection, preventing failure, minimising the consequences, and reducing recovery time.
Regulatory framework and standards
The current regulatory framework, in particular the Digital Operational Resilience Act (DORA) and the NIS 2 Directive, significantly increases the requirements for digital resilience. DORA targets the financial sector and requires a comprehensive framework for ICT risk management, including business impact analysis (BIA), ICT business continuity, response and recovery plans, and regular testing. NIS 2 then extends cybersecurity obligations to a wider range of entities and emphasises business continuity management, backup management, disaster recovery and crisis management. Implementing Regulation (EU) 2024/2690 and the draft Decree on security measures for regulated services further specify technical and methodological requirements.
ISO standards play a key role in the implementation of these requirements. ISO/IEC 27001:2022, the standard for an Information Security Management System (ISMS), includes controls on information security during a disruption and on ICT readiness for business continuity. ISO/IEC 27031:2025 then provides specific guidance on ICT readiness for business continuity (IRBC), covering prevention of, response to and recovery from ICT-related disruptions. This standard supports business continuity, strengthens the alignment between ICT, security and continuity, reduces recovery time and increases organisational resilience.
Key aspects of ICT continuity management
Effective ICT continuity management includes several key elements:
- Business Impact Analysis (BIA): BIA is the process of analysing the impact of a disruption on an organisation over time, resulting in business continuity requirements such as the Recovery Time Objective (RTO), the Recovery Point Objective (RPO) and the Minimum Business Continuity Objective (MBCO). The RTO is the target time after an incident within which a product, service or activity should be restored to service. The RPO is the point in time to which the information used in the activity is recovered. The MBCO defines the minimum level of services and/or products that is acceptable for the organisation to achieve its business objectives during a disruption. The worst-case scenario must be considered when assessing the impact.
- ICT continuity risk assessment: the risk assessment includes identification of threats (causes of events), vulnerabilities of assets, feared events, and their impact and probability of occurrence. The main threats include natural events, technical failures, unintentional and intentional human actions (including cyber-attacks) and specific threats to the ICT supply chain.
- ICT continuity preparedness strategies: strategies should be adapted to the complexity of the ICT architecture and should take into account different scenarios. Examples of strategies include dual site, collaboration, return to safe state, data recovery, vendor takeover, alternative sources, and traffic minimization.
- ICT recovery plans: organisations should develop plans and procedures for strategic, tactical and operational levels. Procedures should be clearly documented and regularly tested.
- Rehearsal and testing: regular testing and exercises are necessary to verify the functionality of recovery plans and procedures. The programme should include various levels of training, from data recovery to computer room resilience testing.
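As an added example, not part of the original article or of ISO/IEC 27031 itself, the following Python script turns BIA-derived targets (RTO, RPO, MBCO) into a gap check against the capability measured during a recovery exercise; the activities, services, class names and values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import timedelta

# Constructed example: BIA requirements per business activity and the
# measured capability of the ICT services that support them.

@dataclass(frozen=True)
class BiaRequirement:
    activity: str
    rto: timedelta            # target time to restore the activity
    rpo: timedelta            # point in time to which data must be recovered
    mbco: float               # minimum acceptable capacity (fraction of normal)

@dataclass(frozen=True)
class IctCapability:
    service: str
    supports: str             # activity this service underpins
    recovery_time: timedelta  # measured in the latest recovery exercise
    backup_interval: timedelta  # how often data is captured
    recovered_capacity: float   # capacity available after recovery

def ict_continuity_gaps(requirements, capabilities):
    """Compare BIA-derived targets with measured ICT capability.

    Returns a list of (service, activity, attribute) tuples, one per target the
    supporting ICT service fails to meet; an empty list means no gap.
    """
    reqs = {r.activity: r for r in requirements}
    gaps = []
    for cap in capabilities:
        req = reqs.get(cap.supports)
        if req is None:
            gaps.append((cap.service, cap.supports, "no BIA requirement"))
            continue
        if cap.recovery_time > req.rto:
            gaps.append((cap.service, req.activity, "RTO"))
        # Data loss can reach a full backup interval, so it must not exceed the RPO.
        if cap.backup_interval > req.rpo:
            gaps.append((cap.service, req.activity, "RPO"))
        if cap.recovered_capacity < req.mbco:
            gaps.append((cap.service, req.activity, "MBCO"))
    return gaps

REQUIREMENTS = [
    BiaRequirement("payment processing", timedelta(hours=4), timedelta(minutes=15), 0.6),
    BiaRequirement("customer portal", timedelta(hours=24), timedelta(hours=4), 0.3),
]
CAPABILITIES = [
    IctCapability("core-db", "payment processing", timedelta(hours=6), timedelta(minutes=15), 0.8),
    IctCapability("web-frontend", "customer portal", timedelta(hours=8), timedelta(hours=6), 0.5),
]
```

Running `ict_continuity_gaps(REQUIREMENTS, CAPABILITIES)` on the constructed data reports an RTO gap for `core-db` and an RPO gap for `web-frontend`, which is the kind of finding a rehearsal should feed back into the recovery plan.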
In conclusion, ensuring ICT continuity is a complex process that requires a systematic approach, compliance with regulatory requirements and the use of relevant standards and methodologies. Regular risk assessment, plan development and testing, and continuous improvement are key to maintaining digital resilience in a dynamic cyber environment.