Business continuity management (BCM) is the set of measures that ensures an organization can continue its critical processes during a disruption. In a world where virtually all business processes depend on IT, the continuity of IT systems is a fundamental part of BCM.
An IT audit in the area of business continuity assesses whether an organization has taken sufficient measures to safeguard the availability of its IT environment. This includes assessing backup strategies, disaster recovery plans, redundancy, and the actual test results of these measures.
The basis of IT business continuity is a business impact analysis (BIA). In it, you determine for each business process how critical it is, the maximum acceptable downtime (RTO, Recovery Time Objective) and how much data loss is acceptable (RPO, Recovery Point Objective). This analysis forms the foundation for all subsequent measures.
Backups are an essential element, but simply having a backup is not enough. The auditor assesses whether backups are made at a frequency that actually meets the RPO from the BIA, whether they are proven restorable through periodic restore tests (a full restore of a representative system, timed against the RTO, not just a file-level spot check), whether a copy is kept offsite or in a different availability zone, and whether at least one copy is protected against ransomware by being offline or immutable (write-once storage or object lock), so that an attacker with control of the production environment cannot encrypt or delete it.
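The BIA parameters above (RTO and RPO per process) and the backup criteria just listed can be turned into a mechanical first-pass check. The following script is an added illustration written for this article, not Secure Audit's own tooling or audit method: it takes a constructed BIA table and a constructed backup catalog, and flags each system whose most recent successful backup is older than its RPO, that has no recent restore test, that lacks an offsite copy, or that has no immutable copy. Field names, the one-year restore-test interval, and the sample data are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class BiaEntry:
    """One row of the business impact analysis (hypothetical structure)."""
    process: str
    system: str
    rto: timedelta  # maximum acceptable downtime
    rpo: timedelta  # maximum acceptable data loss, i.e. max backup age


@dataclass
class BackupRecord:
    """Backup catalog entry for one system (hypothetical structure)."""
    system: str
    last_successful_backup: datetime
    last_restore_test: Optional[datetime]  # None if never tested
    offsite_copy: bool                     # copy outside the primary site/zone
    immutable_copy: bool                   # offline or WORM/object-locked copy


def check_backup_controls(
    bia: List[BiaEntry],
    backups: List[BackupRecord],
    now: datetime,
    restore_test_max_age: timedelta = timedelta(days=365),  # assumed policy
) -> List[Tuple[str, str]]:
    """Return (system, finding) pairs for every BIA system failing a check."""
    findings: List[Tuple[str, str]] = []
    by_system = {b.system: b for b in backups}

    for entry in bia:
        rec = by_system.get(entry.system)
        if rec is None:
            # A system that is critical per the BIA but absent from the catalog
            findings.append((entry.system, "no backup record for system listed in BIA"))
            continue

        backup_age = now - rec.last_successful_backup
        if backup_age > entry.rpo:
            findings.append((entry.system,
                             f"last backup is {backup_age} old, exceeds RPO of {entry.rpo}"))

        if rec.last_restore_test is None:
            findings.append((entry.system, "backup has never been restore-tested"))
        elif now - rec.last_restore_test > restore_test_max_age:
            findings.append((entry.system, "last restore test older than policy allows"))

        if not rec.offsite_copy:
            findings.append((entry.system, "no offsite / other-zone copy"))

        if not rec.immutable_copy:
            findings.append((entry.system, "no offline or immutable copy (ransomware exposure)"))

    return findings


# Constructed sample data for the example; not taken from any real audit.
NOW = datetime(2024, 6, 1, 8, 0, tzinfo=timezone.utc)

SAMPLE_BIA = [
    BiaEntry("Payments", "core-banking", rto=timedelta(hours=4), rpo=timedelta(minutes=15)),
    BiaEntry("Payroll", "hr-db", rto=timedelta(hours=24), rpo=timedelta(hours=24)),
    BiaEntry("Intranet wiki", "wiki", rto=timedelta(hours=72), rpo=timedelta(days=7)),
]

SAMPLE_BACKUPS = [
    BackupRecord("core-banking", NOW - timedelta(minutes=10), NOW - timedelta(days=30),
                 offsite_copy=True, immutable_copy=True),
    BackupRecord("hr-db", NOW - timedelta(hours=26), None,
                 offsite_copy=True, immutable_copy=False),
    # "wiki" deliberately has no backup record at all
]


def sample_findings() -> List[Tuple[str, str]]:
    return check_backup_controls(SAMPLE_BIA, SAMPLE_BACKUPS, NOW)


if __name__ == "__main__":
    for system, finding in sample_findings():
        print(f"{system}: {finding}")
```

In the sample run, core-banking passes every check, hr-db is flagged three times (backup older than its 24-hour RPO, never restore-tested, no immutable copy) and the wiki system is flagged because the BIA lists it but the catalog does not. A check like this only automates the paperwork part of the audit; the auditor still has to witness or review evidence of an actual restore.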
A disaster recovery plan (DRP) describes the steps that must be taken to restore IT systems after a disaster. The plan must be up to date, name roles and responsibilities (including who may declare a disaster and invoke the plan), and be tested regularly, with the measured recovery time compared against the RTO from the BIA. An auditor assesses not only whether the plan exists, but also whether it is realistic and feasible: whether the documented steps match the current environment, whether the people named are still in those roles, and whether the last test actually reached a working system rather than stopping at a tabletop walkthrough.
Regulation reinforces the importance of BCM. DORA requires financial institutions to test their digital operational resilience in a demonstrable manner. NIS2 sets requirements for business continuity management for essential and important entities. ISO 27001 contains specific controls for availability and continuity planning.
In its IT audits, Secure Audit assesses the maturity of business continuity measures and tests whether organizations are genuinely prepared for disruptions. Contact us for an assessment of your BCM approach.
About the author
Partner | IT Auditor