Business continuity management is how an organisation keeps its most important activities running through a disruption and restores the rest in a controlled, prioritised way. In Australia, it is built on ISO 22301:2019, the business continuity management system standard, with ISO/IEC 27031:2025 making the technology on which those activities depend recoverable. The starting point is a business impact analysis that sets the recovery objectives.
For business continuity and resilience leads, the value is a plan that actually works on the day, not a document that satisfies an audit. This page explains the management-system approach, the recovery objectives produced by a business impact analysis, how ICT readiness fits, and how continuity meets SOCI and APRA obligations.
Overview
What is business continuity management?
Business continuity management is the discipline of identifying the activities an organisation cannot do without, determining how quickly they must be restored after a disruption, and putting arrangements in place to keep them running or recover them in time. It is concerned with outcomes and with keeping critical services available, rather than with any single cause of disruption.
When done well, it is a continuing management system rather than a binder on a shelf: it is governed, resourced, tested, and improved over time, so that the response is current when needed.
The standard
ISO 22301:2019 and the management-system approach
ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, is the international standard for business continuity that organisations certify against. It sets out a management system: leadership and policy, a business impact analysis and risk assessment, continuity strategies and solutions, documented plans, exercising, and continual improvement.
The standard does not prescribe a single plan. It requires an organisation to understand its own priorities and build proportionate arrangements around them, thereby keeping continuity tied to what the business actually needs.
The management-system approach also expects the arrangements to be exercised and validated at planned intervals, so the plan is proven rather than assumed. This is covered on the exercising and testing pillar.
The objectives
The business impact analysis, RTO and RPO

The business impact analysis (BIA) is the foundation. It identifies the most important activities and sets three objectives for each: the recovery time objective (RTO), the longest acceptable time an activity can be down; the recovery point objective (RPO), the most data loss that is tolerable; and the minimum business continuity objective (MBCO), the minimum level of service that must be maintained during a disruption.
These objectives drive everything else. They decide how resilient the supporting technology must be, how much standby capacity is justified, and how quickly recovery must occur.
ICT readiness
ICT readiness and ISO/IEC 27031:2025
Most critical activities now depend on technology, so business continuity depends on ICT readiness. ISO/IEC 27031:2025, Cybersecurity — Information and communication technology readiness for business continuity, is the current standard for this. It is the second edition, published in 2025, and it replaces the 2011 edition, which used a different title.
The 2025 standard treats ICT readiness as a governance and board concern rather than a purely technical exercise. It provides a framework for making ICT recoverable to the RTO and RPO set by the business impact analysis, and for aligning that readiness with business continuity, information security and incident response. IT disaster recovery sits within this discipline; it does not need a separate framework.
Exercising
Exercising and validating the continuity plan
A continuity plan that has never been exercised is a set of assumptions written down. The first real disruption is the worst time to discover that a recovery step depends on a system that is itself offline, or that two managers each believe the other is in charge. Exercising surfaces these faults while the stakes are low, confirming that the plan meets the recovery time objectives set in the business impact analysis and keeping the plan current as the organisation changes.
The range runs from a discussion-based tabletop exercise through to a full-scale test, and a managed programme repeats it to maintain readiness. The method is set out on the exercising and testing pillar.
The bigger picture
How business continuity supports SOCI and APRA obligations
Business continuity is also a compliance building block. For operators of critical infrastructure, continuity is part of managing the all-hazards risk that a SOCI Act risk-management program must address. For APRA-regulated entities, operational resilience and business continuity are central to APRA’s prudential standard CPS 230. In both cases, a credible continuity capability built on ISO 22301 and grounded in security risk management does double duty as evidence of compliance.
How we help
How Agilient supports business continuity
Agilient builds and tests business continuity capability in line with ISO 22301 and ISO/IEC 27031, from analysis through to exercises that prove it. The work spans government, healthcare, aviation, defence and critical infrastructure.
- Business impact analysis: Identifying critical activities and setting RTO, RPO and MBCO.
- Continuity plans: Practical, prioritised plans built around the recovery objectives.
- ICT readiness and IT disaster recovery: Making the technology recoverable in accordance with ISO/IEC 27031:2025.
- Management system development: An ISO 22301 business continuity management system.
- Exercising and testing: Tabletop and simulation exercises that test the plans.
- Review and improvement: Keeping the program current as the organisation changes.
Agilient works across Sydney, Melbourne, Brisbane, Adelaide and Canberra.
Build continuity that holds up when tested
A business impact analysis sets the recovery objectives around which the rest of your continuity program is built. It is the practical first step.
Talk to us about business continuity or book a short briefing
FAQs
Frequently asked questions
What is ISO 22301?
What are RTO, RPO and MBCO?
What does ISO/IEC 27031:2025 cover?
Is IT disaster recovery the same as business continuity?
Where does business continuity start?
How often should a business continuity plan be exercised?

References
- Standards Australia, ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements, standards.org.au
- ISO, ISO/IEC 27031:2025 Cybersecurity — Information and communication technology readiness for business continuity, iso.org
