Skip to content
AuditFront
A.5.30 ISO 27001

ISO 27001 A.5.30: ICT readiness for business continuity

What This Control Requires

ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives.

In Plain Language

If your servers go down tomorrow, how long before the business is back up and running? That is what this control is really about. It forces you to answer two uncomfortable questions: how much downtime can you survive (RTO), and how much data can you afford to lose (RPO)? Most business processes run on technology now, so ICT readiness is the foundation of your entire continuity strategy. You need to define RTOs and RPOs for every critical service based on a proper business impact analysis, then put technical solutions in place that actually meet those numbers. This goes well beyond just having backups. It covers your full stack - infrastructure, applications, data, networking, and crucially the people and procedures needed to recover everything under pressure. Auditors will want to see that you have tested all of it, not just documented it.

How to Implement

Start with a business impact analysis (BIA) to pin down the RTOs and RPOs for all critical business processes and the ICT services behind them. Identify the maximum tolerable downtime for each process and the acceptable data loss window. These numbers drive every technical decision that follows. Design your recovery solutions to match those targets. For critical systems needing very low RTO, look at active-active or active-passive high availability with automatic failover. For moderate RTO requirements, warm standby or rapid deployment from infrastructure-as-code works well. Where longer downtime is acceptable, cold standby or backup restoration may be enough. Get your backup strategy right. Set backup schedules based on RPO requirements and follow the 3-2-1 rule: three copies of data, on two different media types, with one copy offsite or in the cloud. Encrypt your backups and protect them from ransomware using air-gapped or immutable storage. Test restoration regularly to verify data integrity and measure actual recovery times. Write detailed recovery procedures for each critical system. Cover system dependencies and recovery sequence, infrastructure requirements, application installation and configuration, data restoration steps, post-recovery verification, and communication procedures during the incident. Test regularly with different exercise types. Technical recovery tests verify individual systems can be recovered within their RTOs. Integrated tests check that dependent systems recover together properly. Full DR exercises simulate realistic scenarios end to end. Document results, identify gaps, and build action plans. Test at least annually, with critical systems tested more often.

Evidence Your Auditor Will Request

  • Business impact analysis with defined RTOs and RPOs for critical ICT services
  • ICT recovery solutions documentation showing alignment with RTO/RPO requirements
  • Backup procedures and configuration documentation including retention and testing schedules
  • ICT recovery test results demonstrating achieved recovery times
  • Action plans from recovery tests showing remediation of identified gaps

Common Mistakes

  • RTOs and RPOs are not defined or are not based on business impact analysis
  • Backup restoration has never been tested or tests show inability to meet RPO
  • Recovery procedures are outdated and do not reflect current system configurations
  • Disaster recovery tests are not conducted regularly or are limited in scope
  • Dependencies between systems are not considered in recovery planning and sequencing

Related Controls Across Frameworks

Framework Control ID Relationship
SOC 2 A1.2 Equivalent
SOC 2 A1.3 Related
NIS2 Art.21(2)(c) Equivalent

Frequently Asked Questions

What is the difference between RTO and RPO?
RTO (Recovery Time Objective) is the maximum acceptable time to get a system back online after a disruption. RPO (Recovery Point Objective) is the maximum data loss you can tolerate, measured in time - so an RPO of 1 hour means you can afford to lose up to 1 hour of data. These two numbers drive everything: a shorter RPO means more frequent backups or real-time replication, and a shorter RTO means faster recovery solutions like hot standby.
How often should we test disaster recovery?
Full DR test at least once a year. Critical systems should get tested quarterly or semi-annually. Backup restoration should be tested monthly - you would be surprised how many organisations discover their backups are corrupt only when they actually need them. Also re-test after any significant infrastructure change, and always do a post-mortem and re-test after a real incident. The point is regular, varied testing - not a single annual tick-box exercise.

Track ISO 27001 compliance in one place

AuditFront helps you manage every ISO 27001 control, collect evidence, and stay audit-ready.

Start Free Assessment