Cloudflare outage
As a society, we are vulnerable. That became evident once again when an outage at Cloudflare took down apps and websites worldwide, from news platforms to critical business applications. One incident, and the digital chain immediately starts to grind. For organizations, this is no longer a theoretical scenario but a real operational risk.
What does ISO 27001 say about continuity?
And this is precisely why ISO 27001 (and also standards such as NEN 7510) explicitly calls attention to this topic. Controls A.5.29 (information security during a disruption) and A.5.30 (ICT readiness for business continuity) are all about emergency preparedness for organizations. A business continuity plan is a requirement for companies that want to keep a grip, even when the digital environment is temporarily out of their control.
The parallels between "Think Ahead" and business continuity
Where citizens are asked to put together an emergency plan, something similar applies to businesses: a plan that holds up when systems temporarily do not. Where individuals create a contingency plan for their families, organizations create one for their processes, access to data, and communications.
And where people need to talk to and help each other, it is no different for teams. In a disruption, everyone has a role. The campaign confirms what ISO 27001 has emphasized for years: resilience takes preparation. And preparation prevents chaos.
Why continuity is increasingly urgent
The rise in geopolitical tensions, cyber attacks and dependence on cloud vendors increases the need for a good continuity plan. During an ISO 27001 implementation, you will quickly see these risks reflected in the ISO 27001 risk analysis. Under NIS2 as well, attention to continuity is not optional but an obligation. Organizations that must meet NIS2 compliance, or are in the midst of an NIS2 implementation, are expected to demonstrably organize their resilience: appropriate measures to cope with disruptions and keep services running.
What is in a continuity plan?
A good plan is concrete, tested and linked to realistic risks. Basically, you take the following into account:
1. Determine critical processes
What activities must continue in order to limit the damage? Consider customer communications, order processing, healthcare delivery, financial transactions or security services. This only works if the organization has a sharp view of where the dependencies lie: applications, vendors, data and locations. So analyze the impact of risks on business processes and determine which processes are critical.
2. Work out scenarios
A disruption is more than a cyber attack. It can also be a prolonged power outage, cloud vendor failure, fire, water damage or geopolitical risk, making vendors unavailable. Information security consulting and cybersecurity consulting are therefore increasingly going broader than just technology. A scenario is only complete when people, process and technology are included.
3. Recovery and communication steps
How soon should a process be running again? Where are alternatives located? How do you communicate with employees, customers and partners when e-mail or the Internet is down? The power is in simplicity. During stress, no one is comfortable working with complicated schedules.
4. Roles & responsibilities
Who does what? This question must be crystal clear. Clearly define in the plan who has what role during an incident. This prevents noise when it comes down to it. Think about who is authorized to make decisions, who is responsible for implementing the continuity plan, who handles communication during a crisis situation and who tests and evaluates the plan at least annually. Clarity in advance brings peace of mind when you need it most.
5. RTO and RPO
The Recovery Time Objective (RTO) is the target time within which a prioritized ICT service or system should be restored after a disruption. The Recovery Point Objective (RPO) is the maximum amount of data loss an organization can accept, expressed in time. If your RPO is 8 hours, then you will lose a maximum of 8 hours of data since the last backup in the event of an acute emergency.
So determine in advance within what time a critical ICT service or system must be back online after a disruption and how often you must make backups (see also A.8.13 within ISO 27001). That sounds simple, but it also means that you have to look closely at your suppliers. What do they guarantee in their SLA? And do they perhaps impose requirements on you that extend further down the chain? These choices touch directly on determining your RTO.
For systems that really should not be down for long, it pays to think further. Redundancy (see also A.8.14 within ISO 27001) is then soon not a luxury but a necessity. Think of a second data center or an extra network connection. On paper this sometimes feels heavy, but in practice it is a way to create peace in an environment that is less and less predictable.
6. Response and recovery procedures
Response and recovery procedures are the heart of your continuity plan: clear, step-by-step instructions on how to manage a disruption, prioritize, restore systems and when to scale up. Make sure these procedures not only exist on paper, but are actually tested. By practicing at least annually - with realistic scenarios - you discover whether the approach works, where there are gaps and whether everyone understands their role. This prevents a procedure from being "tried and tested" for the first time during a real disruption.
7. Test not only technology, but also functions
Test and evaluation reports not only provide demonstrability for ISO 27001 and NIS2, they also provide learning opportunities. Annual testing is usually neatly scheduled, but in practice the focus is mainly on technology. Yet it is at least as important to practice what happens when a critical function or key person is unavailable: can someone else perform, interpret and assess the test? By testing both technology and tasks, you avoid dependencies and can be sure that your organization keeps running even under pressure.
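The dependency mapping from step 1 and the RTO/RPO questions from step 5 can be checked mechanically once the inventory is written down. The script below is an added example, not code from the original article or from any ISO 27001 toolkit: it models a constructed set of critical processes, their dependencies on (hypothetical) suppliers, supplier SLA restore times and backup timestamps, and then reports shared dependencies (a single vendor that several critical processes hang on, the Cloudflare situation in miniature), processes whose RTO is shorter than what a supplier guarantees, and systems whose newest backup is older than the RPO allows. All process, vendor and system names and all numbers are invented for illustration.

```python
"""Continuity-plan sanity checks (added example; all inventory data is constructed).

Three checks a continuity plan review typically needs:
  1. which dependencies are shared by several critical processes,
  2. where a supplier's SLA restore time exceeds the process RTO,
  3. which systems currently violate the RPO based on real backup timestamps.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory: critical process -> RTO in hours and its dependencies.
PROCESSES = {
    "order processing": {"rto_hours": 4, "depends_on": ["webshop", "payment-provider", "cdn-vendor"]},
    "customer communications": {"rto_hours": 8, "depends_on": ["mail-saas", "cdn-vendor"]},
    "financial transactions": {"rto_hours": 2, "depends_on": ["erp", "payment-provider"]},
}

# Constructed supplier SLAs: the maximum restore time each supplier guarantees, in hours.
# Dependencies without an entry (e.g. in-house systems) have no contractual guarantee.
SUPPLIER_SLA_HOURS = {
    "cdn-vendor": 12,
    "payment-provider": 1,
    "mail-saas": 24,
}

# Constructed backup log: system -> completion times of successful backups (UTC).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
BACKUPS = {
    "erp": [NOW - timedelta(hours=10), NOW - timedelta(hours=2)],
    "webshop": [NOW - timedelta(hours=9)],
    "file-server": [],  # never backed up successfully
}
RPO_HOURS = 8


def shared_dependencies(processes, min_processes=2):
    """Return dependencies relied on by at least `min_processes` critical processes."""
    users = {}
    for name, spec in processes.items():
        for dep in spec["depends_on"]:
            users.setdefault(dep, set()).add(name)
    return {dep: sorted(names) for dep, names in users.items() if len(names) >= min_processes}


def rto_conflicts(processes, sla_hours):
    """List (process, dependency, rto, sla) where the supplier's guaranteed restore
    time is longer than the RTO the process needs, i.e. the RTO is not achievable
    on that supplier's SLA alone and redundancy or a different RTO is required."""
    conflicts = []
    for name, spec in processes.items():
        for dep in spec["depends_on"]:
            guaranteed = sla_hours.get(dep)
            if guaranteed is not None and guaranteed > spec["rto_hours"]:
                conflicts.append((name, dep, spec["rto_hours"], guaranteed))
    return conflicts


def rpo_breaches(backup_times, now, rpo_hours):
    """Map each system whose newest successful backup is older than the RPO to the
    age of that backup (None when the system has no successful backup at all)."""
    breaches = {}
    for system, times in backup_times.items():
        newest = max(times) if times else None
        age = None if newest is None else now - newest
        if age is None or age > timedelta(hours=rpo_hours):
            breaches[system] = age
    return breaches


def run_checks():
    """Run all three checks on the constructed inventory and return the findings."""
    return {
        "shared_dependencies": shared_dependencies(PROCESSES),
        "rto_conflicts": rto_conflicts(PROCESSES, SUPPLIER_SLA_HOURS),
        "rpo_breaches": rpo_breaches(BACKUPS, NOW, RPO_HOURS),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

In the constructed data, `cdn-vendor` turns out to be a shared dependency of two critical processes, and its 12-hour SLA cannot satisfy the 4-hour RTO of order processing; that is exactly the kind of finding that turns the redundancy discussion under A.8.14 from "heavy on paper" into a concrete decision. Running the same checks against your own inventory after each supplier or architecture change is a cheap way to keep the plan from going stale.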
Avoid the mistake many companies make
A continuity plan in a drawer disappears faster than Wi-Fi in a major cyber outage. Success is in testing and maintenance. Internal audits, a progress meeting or an exercise scenario always reveal areas for improvement. They are supposed to. Continuity is not static - it is a living part of your organization. After all, your organization (internal) and your environment (external) are also constantly changing.
And a word about that continuity plan in a drawer. Believe it or not: these are still often printed out today and tucked away in a drawer, even though they often contain critical data. So such a plan should also be stored safely 😉.
In short: as an organization, also be prepared
The "Think Ahead" campaign targets citizens, but the underlying principle is identical for organizations: those who are prepared function better when things go wrong. However, most wait until it is too late. We understand that many people and organizations feel this way, but it still remains a fallacy. Without a continuity plan, you are left empty-handed in the event of a digital disruption. Without an emergency kit, getting through 72 hours without water, power or internet becomes a lot harder.
Resilience starts at the drawing board but only proves itself in practice. These days, a single failure at a single supplier can take down half the Internet, and preparation has simply become a business requirement.
Need help with this? Schedule a no-obligation, no-cost consultation with us. 👇