EFS Consulting
Looking for US-specific information? Visit our US site for content tailored to the US market.
07/06/2026

Business Continuity Management: The Underrated Pillar of Cyber Resilience

As cyber threats intensify and natural disasters becoming increasingly frequent, Business Continuity Management (BCM) is pushed further into the spotlight. This insight explores how organizations can effectively prepare for crises, which standards apply, and how BCM integrates with information security and IT risk management.

Table of contents

Key Takeaways   

  • BCM (Business Continuity Management) ensures the continuation of business processes during and after crises.
  • Information security and IT emergency management are essential components of an effective BCM.
  • Regulatory standards such as ISO/IEC 22301:2019 and BSI Standard 200-4 specify essential requirements for BCM.
  • Regular tests and exercises are required to check BCM plans for effectiveness.

 

Fundamentals of Business Continuity Management (BCM)

Business Continuity Management ensures that organizations remain operational during crises and can maintain critical business processes. It overlaps significantly with emergency management, which handles the operational response to acute disruptions, and crisis management, which focuses on strategic decision-making.

Definition of BCM

BCM is a structured process designed to rapidly restore critical business processes in the event of disruptions. It includes preventive measures, recovery strategies, and regular exercises to validate restoration capabilities.

Historical origin

Institutions have prepared for crises since the earliest stages of human civilization to ensure their survival. BCM as a formal management discipline emerged in the 1980s, when organizations began integrating continuity planning into their broader risk management frameworks. At that time, technological, economic, and societal risks – such as supply chain failures driven by increasing globalization, became more visible and posed significant threats to business operations.

Modern BCM extends beyond traditional outage scenarios to include aspects of IT security, as IT systems and data form the backbone of operational capability in most organizations. In addition to emergency planning, a comprehensive BCM program includes risk identification and analysis as well as the development of recovery strategies.

Objectives of the BCM

  • Ensure availability: Critical business processes must be maintained even during a disruption.
  • Minimise risks: A well-founded risk assessment is intended to minimise the impact of business interruptions.
  • Rapid restart: Contingency plans must be designed in such a way that operations can be resumed quickly after a failure.

Differentiation: BCM vs. emergency management vs. crisis management

Although these terms are related, they differ in their focus:

  • Emergency management refers to the immediate response to crises, such as evacuating buildings, calling in emergency services, or segmenting networks.
  • Crisis management deals with holistic control and communication in crisis situations and, organizationally, primarily affects the management level.
  • BCM, on the other hand, is an overarching approach that encompasses the entire preparation and response to emergencies and their recovery.

BCM is thus closely linked to risk management, information security, IT service continuity management (ITSCM), facility management and corporate security and governance.

 

Regulatory requirements, certifications and other relevant standards

There are numerous regulatory requirements and standards, some of which can be certified, which support companies in building an effective BCM and can be used as frameworks. Among the most important are:

  • ISO/IEC 22301:2019: [1] The international standard for BCM, which provides a systematic approach to identifying, preventing, and minimizing business interruptions. There are further standards for this with special subtopics such as communication.
  • BSI Standard 200-4: [2] The German standard for BCM, developed by the Federal Ministry for Information Security, which is specifically geared towards IT emergency management and BCM in German companies.
  • ISO/IEC 27001:2022: [3] in the current version, the focus is on an established BCM.
  • NIS-2: [4] The EU regulation to be transposed into national law by 2024 to safeguard critical industries places particular emphasis on maintaining business capacity and thus places demands on the BCM.
  • RKE / CER (Critical Entities Resilience): An EU framework addressing the physical and organizational resilience of critical entities. It obliges operators in essential sectors to conduct risk analyses, implement protective measures, and establish emergency and continuity plans. It complements NIS2 by addressing non‑digital threats such as natural hazards, sabotage, or physical attacks.

 

Importance of Information Security in the BCM Context

Cyberattacks, system failures, and data loss are among the most significant threats to an organization’s operational capability. As a result, the importance of information security within BCM continues to grow. A modern BCM program must ensure that critical information, systems, and processes remain protected and available, even under crisis conditions.

Need to protect digital resources in the event of a crisis

Digital assets, from production data and communication systems to cloud platforms, are particularly vulnerable during emergencies. Data loss or the failure of core IT systems can lead to severe financial damage, contractual breaches, and reputational harm. An effective BCM program must therefore guarantee that information and data remain protected even in exceptional situations.

Integrity, availability and confidentiality in crisis situations

The cornerstones of information security – integrity, availability, and confidentiality (CIA) – are also crucial in the BCM context. In contrast to the classic  information security management system (ISMS), there is an inverted prioritization. Restoring the availability of critical data and systems must be a top priority in the BCM in emergencies. At the same time, the integrity and confidentiality of the data must also be ensured during crisis management.

Role of IT security strategy in BCM

The protective mechanisms of the IT infrastructure are regulated by the overarching IT security strategy. This includes technical approaches such as the Zero Trust architecture, which enforces continuous authentication and authorization for each access request. In crisis scenarios, business continuity measures must include redundant systems and emergency access procedures, such as offline administrator accounts with securely stored credentials, to ensure rapid recovery and operational resiliency.

IT/OT Convergence as a Driver of BCM in the Manufacturing Sector

In industrial environments, BCM is becoming increasingly important due to the growing convergence of IT and OT (Operational Technology). OT systems control physical processes such as production lines, robotics, or energy supply. A failure can cause not only financial losses but also safety‑critical situations.

An effective BCM approach for OT environments must consider:

  • High availability requirements: Production systems cannot be stopped or restarted arbitrarily. BCM plans must define realistic recovery strategies.
  • Long life cycles and legacy systems: Many OT systems remain in operation for decades and were not designed for modern cyber threats. BCM must account for alternative operating modes (e.g., manual operation).
  • Safety relevance: Malfunctions can cause physical harm, not just economic damage. BCM measures must therefore be closely aligned with safety management and occupational health requirements.
  • Supply chain dependencies: Just‑in‑time production and external suppliers increase complexity. BCM must define alternative sourcing and production pathways.
  • Specific recovery objectives: Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) often differ significantly from IT systems, as machine states and process parameters impose unique requirements.

Organizations that integrate IT emergency management, OT security, production planning, and supply chain management early on significantly strengthen their resilience and sustainably reduce production downtime.

 

Core areas and tasks of Business Continuity Management (BCM)

Effective BCM is not created through isolated documents but through a clear, structured strategy aligned with organizational objectives. BCM encompasses several key areas that are required for a comprehensive view of crisis prevention, crisis management and post-event processing. These include:

  • Business Impact Analysis (BIA): Analysis of the most important business processes including the impact of disruptions on them.
  • Restart strategy: Asset-specific measures and strategies to quickly resume business operations.
  • Crisis exercise: Preparation for possible crises and failures, especially with regard to crisis teams and communication.
  • Resilience management: Ability of the company to recover from disruptions and remain resilient in the long term.

Business Impact Analysis (BIA)

The BIA is a central component of BCM according to the BSI Standard 200-4. To minimize the impact of disruptions on the business, it’s critical to identify the critical business processes that are essential to the company’s continued existence. To this end, the importance of the processes and possible impairments of the ISMS protection goals of confidentiality, integrity, authenticity (C, I, A) are analysed on the basis of guiding questions. The results show which processes are particularly critical. For this purpose, a recovery time objective (RTO – maximum permissible interruption duration) and recovery point objective (RPO – maximum permissible data loss in time) are defined for each asset. The result of the BIA is a target value of these parameters defined for each process/system. For each asset, two key recovery parameters are defined:

  • Recovery Time Objective (RTO): Maximum allowable downtime.
  • Recovery Point Objective (RPO): Maximum allowable data loss measured in time.

The dependence of the processes on platforms and applications is mapped via an established Enterprise Architecture Management (EAM), which inherits  the priorities, broken down to asset management and down to individual items in the Configuration Management Database (CMDB). At the component level (network switches, servers or similar), vulnerability scans are then carried out by IT or IT security to protect them.

In general, cyber threats such as ransomware attacks in particular must be regularly assessed and integrated into emergency planning.

Recovery strategy

The recovery strategy, often documented in emergency plans or Disaster Recovery Plans (DRPs), defines the technical and organizational measures required to address the failures and risks identified in the Business Impact Analysis (BIA). A clearly defined plan is a core component of BCM and ensures the organization’s ability to respond effectively in the event of an outage or crisis. A recovery plan enables the rapid resumption of normal business operations after a disruption.

An effective recovery plan includes:

  • clearly assigned responsibilities
  • defined restoration processes
  • prioritized systems and applications
  • technical measures to enable rapid operational recovery

Prevention and Technical Resilience

In the prevention of emergencies, the protection of the IT infrastructure serves as an important aspect. This also includes the implementation of measures to increase the redundancy of IT systems. Using cloud services and collaborating with external service providers can significantly increase a company’s resilience. External cloud providers often offer higher availability and faster recovery capabilities, scaling capacities that are crucial in the event of a crisis.

Communication in the event of a crisis

Efficient crisis communication is a key success factor in BCM. It ensures that all stakeholders – internal and external – receive timely, clear, and consistent information. Defining and maintaining reliable communication channels, both within the organization and outward, is essential.

Key elements of crisis communication include:

  • defined communication channels (e.g., emergency messaging tools, crisis portals)
  • close coordination between IT security, BCM, and communication teams
  • clear roles and approval workflows
  • templates for internal and external communication

Within the organization, communication must ensure that IT and security measures remain functional even under crisis conditions. Coordinated collaboration helps maintain or quickly restore the integrity and availability of systems during an incident.

External communication is equally important, as it can have a lasting positive or negative impact on the organization’s reputation.

Crisis Exercise – Tests, Exercises and Continuous Improvement

Regular testing is essential to ensure that BCM measures work not only on paper but also in practice. Tests help identify weaknesses early, optimize processes, and strengthen the organization’s response capabilities.

To validate BCM effectiveness, various scenarios can be tested, such as:

  • regular penetration tests
  • technical IT outage simulations
  • table‑top exercises
  • full‑scale crisis simulations

Such tests and exercises provide an opportunity to identify weaknesses in the BCM plan and to check the organization’s responsiveness. Two possible scenarios that could be tested are:

  • IT System Failure Due to a Cyber Attack (e.g., Ransomware Attack)

This scenario simulates that a ransomware attack has occurred on the company’s IT infrastructure, encrypting important data and blocking access to IT systems. The aim is to test the responsiveness of the IT department, the incident response team, and the accuracy and applicability of recovery measures. In the course of this exercise, segmentation, isolation of affected networks, restore via hardened backups (Immutable Storage), the communication guide for employees, and access to backup data, the integrity of it, and coordination with external, as well as internal security experts, should also include. The attack is to be stopped and the data restored. The scenario helps to check the effectiveness of IT emergency planning, the functionality of the processes, the knowledge and interaction of the staff, and the communication processes in a critical state. The lessons learned should then be incorporated into the hardening, emergency manual and playbooks.

  • Supply Chain Disruption Due to Natural Disaster

Another test scenario is the failure of a key supplier or a transport stop caused by a natural disaster, which brings the supply chain to a standstill.
This scenario tests the ability to maintain the company’s ability to operate, as well as the identification and relocation/rerouting of alternative sources of supply or transportation routes. It also checks how quickly the crisis management team can respond to inform customers and ensure that all business-critical deliveries continue to be made on time. This exercise helps to test supply chain resilience and strengthen decision-making in the event of an external crisis.

These tests are not to be regarded as comprehensive, but are intended to indicate how regular tests and crisis exercises ensure that the organization is not only theoretically prepared for crises, but is also practically capable of acting quickly and effectively.

Lessons learned and adaptation of BCM plans

After every test, crisis exercise, or real-world incident, the lessons learned should be used to revise and improve existing BCM plans. This is part of the continuous improvement process embedded in BCM, anchored in BSI Standard 200‑4 and required by ISO/IEC 22301:2019, to ensure that BCM plans are continuously updated to reflect emerging threats.

Revision and audit processes (internal/external)

In the context of potential certifications, regular audit processes help ensure that BCM measures meet current requirements and are continuously adapted to new risks. Internal and external audits assess the effectiveness of BCM and are prerequisites for certifications such as ISO 22301. They also create transparency for management, customers, and suppliers.

Particularly in supplier audits, organizations increasingly expect reliable evidence of their partners’ resilience. A structured BCM audit strengthens trust and improves a company’s position within the supply chain.

 

Crisis as an Opportunity: The EFS Practical Example for Effective Business Continuity Management

A recent case study of a crisis exercise in large-scale manufacturing industry showed how quickly a company could react to unforeseen IT failures. First, a well-thought-out BCM concept was established in close cooperation between IT, IT security and BCM.

Subsequently, a failure of the OT (production IT) was staged in a test scenario. When the line PLC failed, emergency management was switched to manual operation (workarounds). Crisis management informs customers about delivery delays that occur. As part of the prioritized restart of the SCADA/ERP interfaces defined in the BCM, it was possible to validate that the defined recovery targets (RTO: 8 hours, RPO: 30 minutes) for production data were met. Business operations were successfully resumed within a few hours.

It could be shown that the measures introduced were effective, the reporting chains worked and both alerting and rectification worked smoothly.

 

Conclusion: BCM as a Strategic Success Factor

Business Continuity Management (BCM) is far more than an emergency concept. It is a strategic success factor for modern, competitive organizations. Effective BCM ensures that companies remain operational during crises, manage disruptions in a controlled manner, and restore business capability quickly.

By tightly integrating BCM with IT security, risk management, and operational processes, organizations create a holistic resilience framework that strengthens their ability to withstand cyberattacks, technical failures, and external crises. This not only safeguards business continuity but also reinforces trust, reputation, and long‑term competitiveness.

If you want to strengthen your organization’s resilience or have questions about building a modern Business Continuity Management program, our EFS Consulting experts are available for a personal consultation.

FAQs

What is the difference between Business Continuity Management and Crisis Management?

Business Continuity Management (BCM) focuses on maintaining and restoring critical business operations during disruptions. Crisis Management, on the other hand, is responsible for decision-making, coordination and communication during a crisis.

Which standards are relevant for Business Continuity Management?

The most important BCM standards and frameworks include ISO 22301, BSI Standard 200-4, ISO 27001 as well as regulatory requirements such as NIS2 and the Critical Entities Resilience (CER) Directive.

What role does information security play in BCM?

Information security protects critical systems, applications and data from cyberattacks, outages and unauthorized access. As a result, it is a key component of an effective Business Continuity Management framework.

What are RTO and RPO?

Recovery Time Objective (RTO) defines the maximum acceptable downtime of a system or process. Recovery Point Objective (RPO) specifies the maximum amount of data that can be lost following a disruption.

How often should a BCM program be tested?

Business Continuity Management should be validated through regular exercises, simulations and audits. Continuous testing helps ensure that recovery plans, crisis procedures and response teams are prepared for real-world incidents.

References

  • ISO/IEC 22301:2019
    International Organization for Standardization (ISO). Security and resilience — Business continuity management systems — Requirements (ISO 22301:2019). Geneva: ISO, 2019. (Amendment: ISO 22301:2019/Amd 1:2024 — Climate action changes).
  • BSI Standard 200‑4
    Bundesamt für Sicherheit in der Informationstechnik (BSI). BSI‑Standard 200‑4: Business Continuity Management. Bonn: BSI, final version 14.06.2023.
  • ISO/IEC 27001:2022
    ISO & IEC. Information security, cybersecurity and privacy protection — Information security management systems — Requirements (ISO/IEC 27001:2022). Geneva: ISO/IEC, 2022. (Amendment: ISO/IEC 27001:2022/Amd 1:2024 — Climate action changes).
  • NIS2 Directive
    European Parliament and Council. Directive (EU) 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union. Official Journal of the EU L 333, 27.12.2022, pp. 80-152.
  • RKE / CER Directive
    European Parliament and Council. Directive (EU) 2022/2557 of 14 December 2022 on the resilience of critical entities (CER Directive). Official Journal of the EU L 333, 27.12.2022, pp. 164-196.
  • ISO/IEC 31000:2018 ISO
    Risk management – Guidelines (ISO 31000:2018). Geneva: ISO, 2018.
More about this Business Area:
Information Security