ISiCO GmbH
19.08.2025

Business Continuity Management: How your company can safely survive cyber attacks

Companies are being hit by cyber attacks more frequently, more deliberately and with more serious consequences than ever before. Business continuity management (BCM) helps organisations remain operational in an emergency and quickly restore critical business processes. This article will teach you how to develop an effective BCM plan, step by step and in a practical, implementable way.

Your ISiCO-Expert:
Dr. Jan Scharfenberg
Director Information Security

Business Continuity Management

Business Continuity Management (BCM) is a holistic management process that aims to identify potential threats to a company and ensure critical business processes are maintained or restored quickly in the event of an incident. The most important elements of BCM are the business continuity plan (BCP), the incident response plan (IRP) and disaster recovery.

What is a business continuity plan?

A BCP describes how a company can maintain or restore its core business operations in the event of disruption. It forms part of a comprehensive continuity management system and is closely linked to the IRP and DR.

What is an incident response plan?

An incident response plan (IRP) sets out how a company detects, reports and handles security incidents. In the event of a cyber attack, for example, it regulates communication channels and escalation levels.

What is disaster recovery?

While a business continuity plan (BCP) focuses on maintaining the continuity of the entire company, disaster recovery describes specific IT measures for restoring systems and data.

Information security that protects and thinks ahead

We don't just secure your systems; we also strengthen your structures. We provide well-thought-out IT security solutions that are tailored to your company and evolve alongside it.

Book your appointment now

Six steps to creating a BCM against cyber attacks

Well-thought-out, tested and up-to-date business continuity management protects your company in an emergency. The following six steps will guide you through setting up such a BCM.

1. Purpose, scope & objectives

The first step is to clarify the purpose of business continuity management and the objectives to be pursued, as well as the areas, locations, processes and systems to which it applies.

2. Business impact analysis (BIA)

A BIA is a systematic analysis that assesses the impact of IT failures, cyber attacks or other disruptions on critical business activities. The aim is to determine the operational, financial, legal and reputational effects, how long a failure can be tolerated, and how many resources are needed to resume operations.

Critical processes, systems and data must be identified, and the recovery time objective (RTO) and recovery point objective (RPO) must be determined.

Critical processes, systems and data include, for example:

  • Production and supply chain management: ERP, MES and SCM – failure can halt production.
  • Finance and accounting: treasury, controlling and accounting – legally relevant.
  • IT infrastructure and network: Active Directory, central servers and VPNs.
  • Compliance and documentation: legally required documents and certificates.

Which systems are classified as critical depends heavily on the business model.

Recovery Time Objective (RTO)

This defines the maximum permissible downtime after a cyber incident, such as a ransomware attack, before systems must be fully online and operational again. Example: RTO = 2 hours → services must be running again within 2 hours.

Recovery Point Objective (RPO)

This defines the maximum tolerable amount of data loss, i.e. how old the last backup may be. Example: RPO = 15 minutes → in the event of an incident, at most 15 minutes' worth of data may be lost.
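The RTO/RPO definitions above can be checked against the measures from a business impact analysis. The following script is an added example (not from the original article or ISiCO): it compares each critical system's backup interval with its RPO and the restore time measured in the last live drill with its RTO, and reports the gaps. The systems, intervals and drill timings are constructed sample values, not real data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CriticalSystem:
    """One row of the BIA plus what the technical measures actually deliver."""
    name: str
    rto: timedelta                 # maximum permissible downtime
    rpo: timedelta                 # maximum tolerable data loss
    backup_interval: timedelta     # how often a restore point is taken
    drill_restore_time: timedelta  # restore duration measured in the last live drill


def worst_case_data_loss(system: CriticalSystem) -> timedelta:
    # An incident just before the next restore point loses one full interval.
    return system.backup_interval


def data_loss_window(last_backup_iso: str, incident_iso: str) -> timedelta:
    # Actual loss for a concrete incident: everything since the last restore point.
    return datetime.fromisoformat(incident_iso) - datetime.fromisoformat(last_backup_iso)


def rpo_met(system: CriticalSystem) -> bool:
    return worst_case_data_loss(system) <= system.rpo


def rto_met(system: CriticalSystem) -> bool:
    return system.drill_restore_time <= system.rto


def bcm_gaps(systems: list) -> list:
    """Return one line per RPO/RTO gap so the BIA owner can fix the measure or the target."""
    gaps = []
    for s in systems:
        if not rpo_met(s):
            gaps.append(f"{s.name}: backup every {s.backup_interval} exceeds RPO {s.rpo}")
        if not rto_met(s):
            gaps.append(f"{s.name}: drill restore {s.drill_restore_time} exceeds RTO {s.rto}")
    return gaps


# Constructed sample BIA (hypothetical systems and values): one fully compliant row, two gaps.
SAMPLE_BIA = [
    CriticalSystem("ERP", timedelta(hours=2), timedelta(minutes=15), timedelta(hours=1), timedelta(minutes=90)),
    CriticalSystem("Active Directory", timedelta(hours=1), timedelta(hours=1), timedelta(minutes=15), timedelta(minutes=40)),
    CriticalSystem("Accounting", timedelta(hours=4), timedelta(hours=24), timedelta(hours=24), timedelta(hours=6)),
]

if __name__ == "__main__":
    for gap in bcm_gaps(SAMPLE_BIA):
        print("GAP:", gap)
```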

3. Develop strategies & measures

Based on the business impact analysis, targeted strategies can be developed to secure and quickly resume operations in the event of a crisis. A combination of technical and organisational measures is crucial here.

Define recovery strategies:

  • Emergency processes
  • Replacement systems
  • Cloud failover

Technical measures include:

  • Regular backups (snapshots, incremental)
  • Replication (synchronous/asynchronous)
  • Air-gapped & immutable backups
  • High-availability solutions, clusters, load balancers
  • Network segmentation & zero trust
  • Monitoring (SIEM, IDS/IPS), integrity checks

Organisational measures include:

  • Roles & responsibilities
  • Internal & external crisis communication
  • Training & awareness (e.g. phishing)
  • Tabletop and live drills
  • Third-party management & compliance
  • Regular audits & updates

4. Create an incident response plan

A practical incident response plan should include the following sections:

  1. Introduction and scope – objectives, area of application and responsible persons.
  2. Emergency organisation and responsibilities – roles (e.g. emergency response team).
  3. Types and differentiation of incidents – criteria for detecting and distinguishing incident types: data breach, IT security incident, physical security incident (e.g. physical loss of a device).
  4. Reporting incidents (incident response trigger) – definition of the response process and reporting channels.
  5. Triage – identification of the incident; collection of relevant facts; classification of the incident; requirements for activating the emergency response team.
  6. Emergency response – immediate IT measures; isolation of the incident; declaration and escalation of an incident by the emergency response team; and recovery after successful isolation. Cross-reference to the business continuity plan.
  7. Incident analysis – investigating the incident after successful resolution (who, what, when, why and how).
  8. Follow-up/lessons learned – post-mortem evaluation and improvements; updating the plan.
  9. Review and exercises – review after incidents and exercises to test the effectiveness of the emergency response.
  10. Appendices and contact directories – telephone list, system inventory, escalation matrix and checklists.

5. Create a business continuity plan

A practical business continuity plan should include the following sections:

  1. Introduction and scope: objectives, area of application and responsible persons.
  2. Disaster scenarios: differentiation between scenarios involving the failure of IT systems, buildings, personnel, and suppliers/partners.
  3. Recovery Time Objective (RTO)/Recovery Point Objective (RPO): definition and specifications for RTO and RPO.
  4. Critical business processes: identification of business-critical processes as part of a business impact analysis.
  5. Risks to critical business processes: identification of potential risks to critical business processes (e.g. staff absence: 1 day, 1–2 days, etc.).
  6. Emergency response: general instructions on the emergency process, emergency reporting and coordination, situation assessment, review of initial IT emergency measures, selection of an emergency plan, and restart. Cross-reference to the incident response plan.
  7. Emergency plan for IT and communication failure: per critical business process (preventive measures, emergency measures and restart) and per disaster scenario.
  8. Emergency plan for personnel failure: per critical business process (preventive measures, immediate measures, restart) and disaster scenario.
  9. Emergency plan for building failure: per critical business process (preventive measures, immediate measures, restart) and disaster scenario.
  10. Emergency drills: drills to test the effectiveness of the emergency plans created.
  11. Appendices and contact directories: telephone list, system inventory, escalation matrix and checklists.

6. Testing, practising & improving

Business continuity management and its elements are only effective if they are not merely created but also regularly tested and practised. Tests and exercises ensure practical suitability and reveal areas for improvement.

  • Tabletop exercises: Simulated scenarios and simulation games in a meeting format.
  • Live drills: Technical restarts in increasingly realistic scenarios.
  • Post-incident tests: Tests after IT failures and cyber attacks, plus communication checks.
  • Lessons learned: Findings are collected, results are documented and incorporated into the plan.
  • Regular reviews: Annually or after changes to IT, processes or personnel.
  • Adjustments after audits or incidents: Incorporate findings from exercises or real events.
  • Certification and standards: Based on ISO 22301 or BSI 200-4, with external audits if necessary.

Important standards & frameworks for BCM

To ensure effectiveness, traceability and auditability, business continuity management should be based on proven standards.

  • ISO 22301:2019 – international standard for business continuity management
  • BSI Standard 200-4 – German standard (in conjunction with ISO 22301) for BCM systems
  • VdS guidelines (e.g. VdS 3473/10000) – special focus on information security and SMEs

Who is responsible for business continuity management (BCM) in the company?

For business continuity management to be effective, all roles within the company must be clearly defined and staff must be equipped with the appropriate skills.

  • Management: Strategic responsibility and resource allocation
  • Business Continuity Manager: Project management and coordination
  • IT and CISO: Technical implementation of RTO/RPO, backup and recovery processes
  • Department heads: Definition and evaluation of critical processes
  • Crisis communication and HR: Training, escalation and employee information

Conclusion

In the cyber context, BCM protects your company, secures business operations and reduces operational and reputational risks, ideally before an attack occurs. The key lies in combining technological solutions with clear responsibilities, continuous training and regular reviews, all of which are supported by proven standards such as ISO 22301 and BSI 200-4.

Our services for your security

As specialists in information security consultancy, we support you throughout the business continuity management process.

  • Individual consulting and gap analyses of existing emergency and BCP structures
  • Business impact analyses (BIAs) and risk analyses
  • Development and documentation of BCP and IT emergency plans
  • Training and crisis exercises for specialists and managers
  • Workshops on RTO/RPO determination
  • Support with ISO 22301 or BSI 200-4 compliance
  • Comprehensive support as an external ISO

Get in touch if you're looking for a practical and effective way to increase your resilience against cyber risks.
