EFS Consulting
10/07/2025

Business Continuity Management: The Underestimated Pillar of Cyber Resilience

Due to increasing cybersecurity incidents or natural disasters, the topic of business continuity is constantly gaining media presence. This insight provides an overview of Business Continuity Management (BCM) and demonstrates how companies can effectively prepare for crises and emergencies. It explains key concepts, legal requirements, and the connection between BCM, information security, and IT risk management.

Key Takeaways

  • BCM (Business Continuity Management) ensures the continuation of business processes during and after crises.
  • Information security and IT emergency management play a central role in BCM.
  • Regulatory standards such as ISO/IEC 22301:2019 and BSI Standard 200-4 specify essential requirements for BCM.
  • Regular tests and exercises are required to check BCM plans for effectiveness.

 

Fundamentals of Business Continuity Management (BCM)

Business continuity management (BCM) ensures the maintenance of critical business processes, while emergency management manages the acute incident operationally and crisis management takes over the overarching strategic control in extraordinary situations.

Definition of BCM

Business continuity management (BCM) refers to the systematic process by which a company ensures that it is able to continue or quickly restore critical business processes even in crisis situations or unforeseen disruptions. The aim is to ensure operational capability and minimise the negative impact on the company. BCM includes both preventive planning and measures to quickly restore operational capability after an outage.

Historical origin

The origin of BCM lies in the need to prepare companies for unforeseen disruptions. In the 1980s, companies began to establish BCM as part of their risk management. At that time, technological, economic and societal risks were identified – e.g. supply chain failures due to increasing globalization, which can significantly affect business operations.

In addition to classic failures, the modern BCM approach also includes aspects of IT security, as IT and data form the basis of business capability in many companies. In addition to emergency planning, a comprehensive BCM also covers the identification and analysis of risks and the development of restart strategies.

Objectives of the BCM

  • Ensure availability: Critical business processes must be maintained even during a disruption.
  • Minimise risks: A well-founded risk assessment is intended to minimise the impact of business interruptions.
  • Rapid restart: Contingency plans must be designed in such a way that operations can be resumed quickly after a failure.

Differentiation: BCM vs. emergency management vs. crisis management

Although these terms are related, they differ in their focus:

  • Emergency management refers to the immediate response to crises, such as evacuating buildings, calling in emergency services, or segmenting networks.
  • Crisis management deals with holistic control and communication in crisis situations and, organizationally, primarily affects the management level.
  • BCM, on the other hand, is an overarching approach that encompasses the entire preparation and response to emergencies and their recovery.

BCM is thus closely linked to risk management, information security, IT service continuity management (ITSCM), facility management and corporate security and governance.

 

Regulatory requirements, certifications and other relevant standards

There are numerous regulatory requirements and standards, some of which can be certified, which support companies in building an effective BCM and can be used as frameworks. Among the most important are:

  • ISO/IEC 22301:2019: [1] The international standard for BCM, which provides a systematic approach to identifying, preventing and minimizing business interruptions. Further standards in the same family cover specific subtopics such as communication.
  • BSI Standard 200-4: [2] The German standard for BCM, developed by the Federal Office for Information Security (BSI), which is specifically geared towards IT emergency management and BCM in German companies.
  • ISO/IEC 27001:2022: [3] The current version of the ISMS standard places emphasis on an established BCM.
  • NIS-2: [4] The EU directive to be transposed into national law by 2024 to safeguard critical sectors places particular emphasis on maintaining business capability and thus imposes requirements on the BCM.
  • GDPR [5], ISO 31000:2018 [6], etc.: also impose requirements that regulate, among other things, how to deal with the leakage of data that is relevant in the event of an IT failure and, in connection with disaster recovery, the availability of and access to data.

These sets of rules provide a structured framework to ensure contingency planning and recovery of critical business processes and to meet regulatory requirements.

 

Importance of Information Security in the BCM Context

Due to increasing cyberattacks and their impact on business capacity, information security is becoming increasingly important within the framework of BCM.

Need to protect digital resources in the event of a crisis

In a crisis situation, the protection of digital assets is of central importance. The loss of data or the failure of IT systems can lead to significant financial and contractual damage as well as negative reputational impacts. An effective BCM must therefore ensure that the protection of information and data is guaranteed even in emergencies.

Integrity, availability and confidentiality in crisis situations

The cornerstones of information security – confidentiality, integrity and availability (CIA) – are also crucial in the BCM context. In contrast to the classic information security management system (ISMS), the prioritization is inverted: in an emergency, restoring the availability of critical data and systems must be the top priority of the BCM. At the same time, the integrity and confidentiality of the data must also be ensured during crisis management.

Role of IT security strategy in BCM

The protective mechanisms of the IT infrastructure are regulated by the overarching IT security strategy. This includes technical approaches such as the Zero Trust architecture, which enforces continuous authentication and authorization for each access request. In crisis scenarios, business continuity measures must include redundant systems and emergency access procedures, such as offline administrator accounts with securely stored credentials, to ensure rapid recovery and operational resiliency.

 

Core areas and tasks of Business Continuity Management (BCM)

BCM encompasses several key areas that are required for a comprehensive view of crisis prevention, crisis management and post-event processing. These include:

  • Business Impact Analysis (BIA): Analysis of the most important business processes including the impact of disruptions on them.
  • Restart strategy: Asset-specific measures and strategies to quickly resume business operations.
  • Crisis exercise: Preparation for possible crises and failures, especially with regard to crisis teams and communication.
  • Resilience management: Ability of the company to recover from disruptions and remain resilient in the long term.

Business Impact Analysis (BIA)

To minimize the impact of disruptions on the business, it is critical to identify the business processes that are essential to the company’s continued existence. To this end, the importance of the processes and possible impairments of the ISMS protection goals of confidentiality, integrity and availability (C, I, A) are analysed on the basis of guiding questions. The results show which processes are particularly critical. For each asset, a recovery time objective (RTO – the maximum permissible interruption duration) and a recovery point objective (RPO – the maximum permissible data loss, measured in time) are then defined. The result of the BIA is a target value for these two parameters for each process and system.

The dependence of the processes on platforms and applications is mapped via an established Enterprise Architecture Management (EAM), through which the process priorities are inherited down to asset management and to the individual items in the Configuration Management Database (CMDB). At the component level (network switches, servers or similar), vulnerability scans are then carried out by IT or IT security to protect them.
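The two preceding paragraphs describe how BIA targets are defined per process and then inherited down the EAM/CMDB dependency chain; the case study later on the page reports checking measured recovery against targets of RTO 8 hours and RPO 30 minutes. The following Python script is an added illustration, not code from the EFS article: it propagates each process’s (RTO, RPO) to every supporting asset, giving each asset the strictest target of all processes that depend on it, and then compares constructed exercise measurements against those effective targets. All process, asset and measurement names and values are constructed for the example; only the 8 h / 30 min pair echoes the page.

```python
"""Added example: inherit BIA recovery targets through a dependency map
and check staged-exercise results against them (constructed data)."""

from typing import Dict, List, Optional, Tuple

Target = Tuple[int, int]  # (RTO in minutes, RPO in minutes)

# Constructed BIA results: process -> (RTO, RPO).  order-to-cash mirrors the
# 8 h / 30 min figures quoted in the article's case study.
BIA_TARGETS: Dict[str, Target] = {
    "order-to-cash": (480, 30),
    "production-line-1": (240, 15),
    "payroll": (2880, 1440),
}

# Constructed dependency map (EAM down to CMDB items): asset -> what it needs.
DEPENDS_ON: Dict[str, List[str]] = {
    "order-to-cash": ["erp", "scada-erp-interface"],
    "production-line-1": ["scada", "plc-line-1"],
    "payroll": ["erp"],
    "erp": ["db-cluster", "core-switch"],
    "scada": ["scada-server", "core-switch"],
    "scada-erp-interface": ["erp", "scada"],
    "db-cluster": ["storage-array", "core-switch"],
}


def inherit_targets(bia: Dict[str, Target],
                    depends_on: Dict[str, List[str]]) -> Dict[str, Target]:
    """Return the effective (RTO, RPO) for every asset reachable from a process.

    A process keeps its own BIA target.  A supporting asset inherits the
    smallest RTO and the smallest RPO among all processes that reach it,
    because it must be back before the most demanding process needs it.
    RTO and RPO are tightened independently."""
    effective: Dict[str, Target] = {}
    for process, (rto, rpo) in bia.items():
        stack, seen = [process], set()
        while stack:  # iterative DFS; 'seen' also guards against cycles
            asset = stack.pop()
            if asset in seen:
                continue
            seen.add(asset)
            old = effective.get(asset)
            effective[asset] = (rto, rpo) if old is None else (
                min(old[0], rto), min(old[1], rpo))
            stack.extend(depends_on.get(asset, []))
    return effective


Finding = Tuple[str, str, Optional[int], Optional[int]]


def check_exercise(targets: Dict[str, Target],
                   observed: Dict[str, Tuple[int, int]]) -> List[Finding]:
    """Compare measured (downtime, data loss) per asset with its effective
    target.  Returns (asset, metric, observed, target) for every miss, plus a
    finding for assets the BIA never scoped."""
    findings: List[Finding] = []
    for asset, (downtime, data_loss) in observed.items():
        if asset not in targets:
            findings.append((asset, "not in BIA scope", None, None))
            continue
        rto, rpo = targets[asset]
        if downtime > rto:
            findings.append((asset, "RTO", downtime, rto))
        if data_loss > rpo:
            findings.append((asset, "RPO", data_loss, rpo))
    return findings


# Constructed measurements from a staged OT failure: asset -> (minutes down,
# minutes of data lost).  SCADA came back 10 minutes late for line 1.
EXERCISE_RESULTS: Dict[str, Tuple[int, int]] = {
    "plc-line-1": (200, 0),
    "scada": (250, 10),
    "erp": (300, 20),
    "core-switch": (90, 0),
}

if __name__ == "__main__":
    effective = inherit_targets(BIA_TARGETS, DEPENDS_ON)
    for asset, (rto, rpo) in sorted(effective.items()):
        print(f"{asset:22s} RTO {rto:5d} min  RPO {rpo:5d} min")
    for asset, metric, seen, want in check_exercise(effective, EXERCISE_RESULTS):
        print(f"MISS {asset}: {metric} observed {seen} > target {want}")
```

The output makes the inheritance visible: the shared core switch ends up with the 4 h / 15 min target of the production line even though the ERP process that also uses it only needs 8 h / 30 min, and the one finding (SCADA restored in 250 minutes against a 240-minute RTO) is exactly the kind of lesson learned that the article says should flow back into the emergency manual.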

In general, cyber threats such as ransomware attacks in particular must be regularly assessed and integrated into emergency planning.

Recovery strategy

The restart strategy, emergency plans or disaster recovery plans (DRP) describe the planning and implementation of measures to provide solutions for the failures and risks considered in the BIA. A defined plan is a central part of BCM and ensures responsiveness in the event of an outage or crisis. A restart plan ensures that business operations can be resumed as quickly as possible after an interruption.

In the prevention of emergencies, the protection of the IT infrastructure is an important aspect. This also includes measures to increase the redundancy of IT systems. Using cloud services and collaborating with external service providers can significantly increase a company’s resilience: external cloud providers often offer higher availability, faster recovery capabilities and scalable capacity, which are crucial in the event of a crisis.

Communication in the event of a crisis

A non-negligible aspect of recovery is the close collaboration between IT security and BCM teams as well as communications experts. It is crucial here to define, keep open and use clear communication channels within the organization as well as externally. Within the organization, this must ensure that the application of IT and security measures remains functional even in crisis situations. Coordinated collaboration helps to maintain the integrity and availability of systems during an incident or to restore them as quickly as possible.

An important aspect of communication concerns the external image, which has a lasting influence (positive or negative) on the reputation of a company.

Crisis Exercise – Tests, Exercises and Continuous Improvement

In order to check the effectiveness of BCM measures, regular penetration tests or IT failures staged in a small, coordinated circle (such as simulated encryption events and crisis situations) are essential. These tests ensure that the emergency and restart plans developed work in practice and that all those involved are prepared for an emergency. Such tests and exercises provide an opportunity to identify weaknesses in the BCM plan and to check the organization’s responsiveness. Two possible scenarios that could be tested are:

  1. IT system failure due to cyber attack (e.g. ransomware attack): This scenario simulates that a ransomware attack has occurred on the company’s IT infrastructure, encrypting important data and blocking access to IT systems.
    The aim is to test the responsiveness of the IT department and the incident response team, and the accuracy and applicability of the recovery measures. The exercise should also cover segmentation and isolation of the affected networks, restore from hardened backups (immutable storage), the communication guide for employees, access to backup data and verification of its integrity, and coordination with internal as well as external security experts. The attack is to be stopped and the data restored. The scenario helps to check the effectiveness of IT emergency planning, the functionality of the processes, the knowledge and interaction of the staff, and the communication processes in a critical state. The lessons learned should then be incorporated into the hardening, the emergency manual and the playbooks.
  2. Supply chain disruption due to natural disaster: Another test scenario is the failure of a key supplier or a transport stop caused by a natural disaster, which brings the supply chain to a standstill.
    This scenario tests the company’s ability to keep operating, as well as the identification and relocation/rerouting to alternative sources of supply or transport routes. It also checks how quickly the crisis management team can respond to inform customers and ensure that all business-critical deliveries continue to be made on time. This exercise helps to test supply chain resilience and strengthen decision-making in the event of an external crisis.

These tests are not to be regarded as comprehensive, but are intended to indicate how regular tests and crisis exercises ensure that the organization is not only theoretically prepared for crises, but is also practically capable of acting quickly and effectively.

Lessons learned and adaptation of BCM plans

After each test, crisis exercise, or real-world incident, the lessons learned should be used to revise and improve existing BCM plans. This is part of the continuous improvement process in BCM, which is also required by ISO/IEC 22301:2019.

Revision and audit processes (internal/external)

Where certification is sought, a regular audit process helps to ensure that BCM measures meet current requirements and are continuously adapted to new risks. In the course of a certification cycle, regular internal and external audits are necessary to verify the transparency and maturity of business continuity management. The focus here is also on transparency towards customers, who want to test and secure the resilience of their own supply chain in the course of supplier audits.

 

Crisis as an opportunity: The EFS practical example for effective business continuity management

A recent case study of a crisis exercise in the large-scale manufacturing industry showed how quickly a company could react to unforeseen IT failures. First, a well-thought-out BCM concept was established in close cooperation between IT, IT security and BCM.

Subsequently, a failure of the OT (production IT) was staged in a test scenario. When the line PLC failed, emergency management switched production to manual operation (workarounds), and crisis management informed customers about the resulting delivery delays. As part of the prioritized restart of the SCADA/ERP interfaces defined in the BCM, it was possible to validate that the defined recovery targets (RTO: 8 hours, RPO: 30 minutes) for production data were met. Business operations were successfully resumed within a few hours.

It could be shown that the measures introduced were effective, the reporting chains worked and both alerting and rectification worked smoothly.

 

Conclusion

Business continuity management is an indispensable component of a modern, competitive corporate strategy in order to remain capable of acting in the event of a crisis or to regain the ability to act. By integrating BCM, IT security and risk management, companies can strengthen their resilience and ensure business continuity even in difficult times.

If your interest in business continuity management has now been aroused, our experts look forward to an exchange.

 

Bibliography

  1. ISO/IEC 22301:2019. International Organization for Standardization (ISO). Security and resilience — Business continuity management systems — Requirements (ISO 22301:2019). Geneva: ISO, 2019 (Amendment: ISO 22301:2019/Amd 1:2024 — Climate action changes).
  2. BSI Standard 200-4. Federal Office for Information Security (BSI). BSI Standard 200-4: Business Continuity Management. Bonn: BSI, final version 14.06.2023 (official PDF, continuously updated).
  3. ISO/IEC 27001:2022. International Organization for Standardization (ISO) & International Electrotechnical Commission (IEC). Information security, cybersecurity and privacy protection — Information security management systems — Requirements (ISO/IEC 27001:2022). Geneva: ISO/IEC, 2022 (Amendment: ISO/IEC 27001:2022/Amd 1:2024 — Climate action changes).
  4. NIS 2 Directive. European Parliament and Council of the European Union. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union … (NIS 2). Official Journal of the EU L 333, 27.12.2022, pp. 80–152.
  5. GDPR. European Parliament and Council of the European Union. Regulation (EU) 2016/679 … (General Data Protection Regulation, GDPR). Official Journal of the EU L 119, 04.05.2016, pp. 1–88 (applicable since 25.05.2018).
  6. ISO 31000:2018. International Organization for Standardization (ISO). Risk management — Guidelines (ISO 31000:2018). Geneva: ISO, 2018.