
BCM and ISO 22301 linked to cybersecurity incidents

Ransomware, cloud outages and identity incidents put business continuity back on the board agenda. ISO 22301 focuses on continuity; ISO 27001 on security — in practice they should share scenarios.

Connect both worlds

  • shared scenarios (encryption, IdP compromise, SaaS outage);
  • RTO/RPO per critical service — not per server;
  • legal/PR/IT contact lists tested;
  • tabletop at least annually; lessons in improvement register.

Evidence for auditors

Show restore tests, failover exercises and management review decisions. A backup without a tested restore does not count. See the BCM hub and incident management pages.

Ransomware in 2026 requires offline or immutable backups and a tested restore within RTO; auditors ask for the date of the last successful restore, not backup job logs alone. Link BCM tests to the ISO 27001 backup controls in the SoA.

Shared scenarios between security and BCM should sit in one exercise calendar. Duplicate tabletops with different conclusions are a red flag at surveillance — harmonise lessons in one register.

Management review must explicitly discuss continuity residual risk: which services lack tested failover and which investment is planned? Board decision documentation is mandatory evidence.

Continuity leadership understands

Board members want to know the customer impact when a critical SaaS service fails, not which server sits in which rack. Translate RTO and RPO into services and revenue, and record that translation in the BCM document. That shortens both the management review and the audit conversation.

Exercise at least one scenario where communication (press, customers, supervisors) matters as much as technical recovery. Many BCM plans fail not on backup but on unclear escalation to leadership and legal in the first hours.

Link vendor continuity to your vendor register: which SaaS has no alternative within RTO, which contractual exit plan exists, and when was it last tested? Customers subject to NIS2 and DORA ask for this explicitly in 2026.

After each exercise, document three concrete improvement actions with owner and deadline. A long report without follow-up does not count as evidence of operation for auditors.

Record crisis team contacts in the ISMS and test reachability — including private numbers where contractually allowed. BCM exercises fail more often on communication than technology. Link test results to the same improvement register as security incidents.

Note: this article is educational and does not replace legal, privacy or audit advice for your specific situation.
