
Business Continuity

Definition

Business continuity is an organization's ability to continue delivering critical products and services at acceptable levels during and after a disruptive incident. In ISO/IEC 27001:2022 programs, business continuity is typically addressed through risk-based planning and the implementation of controls that keep information security and availability maintained when normal operations are disrupted. This includes identifying critical processes and their supporting assets, defining recovery objectives (such as the Recovery Time Objective, RTO, and the Recovery Point Objective, RPO), establishing response and recovery procedures, and validating them through testing and exercises.

ISO/IEC 27001:2022 Annex A also includes a control relevant to continuity, ICT readiness for business continuity, which focuses on preparing technology and supporting capabilities so that critical services can be restored or sustained. Business continuity also aligns with related continuity standards and practices (for example, ISO 22301 business continuity management) and widely used contingency planning guidance, even when implemented outside a formal certification program.

Effective business continuity integrates governance (roles, decision-making, escalation paths), operational readiness (alternate work arrangements, supplier dependencies, communications), and technical resilience (backup, redundancy, failover, and restoration). The goal is not only to recover after an outage or security incident, but to reduce downtime, limit business impact, and continually improve preparedness based on lessons learned.

Real-World Examples

Startup SaaS outage response

A startup defines RTO/RPO for its core app, implements backups, and runs quarterly restore tests to ensure customer access can be restored after a cloud outage.
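As an added illustration, not part of the original wiki entry, the Python checker below shows how the evidence from a restore test can be compared against the RTO and RPO targets that a business impact analysis sets. It measures data loss as the age of the restored backup at the moment the disruption began, downtime as the time from disruption to confirmed service availability, and treats a restore whose integrity checks failed as a miss regardless of speed. The service names, timestamps and objectives are constructed sample values.

```python
"""Evaluate backup restore exercises against RTO/RPO targets.

Added example (not from the wiki page): a small checker that a continuity
team could run on restore-test results to see whether the evidence
supports the recovery objectives set in the BIA.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RecoveryObjectives:
    rto: timedelta  # Recovery Time Objective: max tolerable time to restore service
    rpo: timedelta  # Recovery Point Objective: max tolerable data loss (backup age)


@dataclass(frozen=True)
class RestoreTest:
    service: str
    incident_at: datetime          # start of the (simulated) disruption
    backup_taken_at: datetime      # timestamp of the backup that was restored
    restore_finished_at: datetime  # service confirmed usable again
    integrity_checks_passed: bool  # post-restore validation (checksums, smoke tests)


def _fmt(delta: timedelta) -> str:
    """Render a timedelta as hours with one decimal, for findings text."""
    return f"{delta.total_seconds() / 3600:.1f}h"


def evaluate_restore_test(test: RestoreTest, objectives: RecoveryObjectives) -> dict:
    """Compare one exercise with its objectives; returns metrics and findings."""
    findings = []
    data_loss = test.incident_at - test.backup_taken_at
    downtime = test.restore_finished_at - test.incident_at

    if data_loss < timedelta(0):
        # A backup newer than the incident start may already contain the damage
        # (e.g. corrupted data), so it is not evidence of meeting the RPO.
        findings.append("backup postdates incident start; verify it predates the damage")
    elif data_loss > objectives.rpo:
        findings.append(f"RPO missed: {_fmt(data_loss)} data loss exceeds {_fmt(objectives.rpo)}")

    if downtime > objectives.rto:
        findings.append(f"RTO missed: {_fmt(downtime)} downtime exceeds {_fmt(objectives.rto)}")

    if not test.integrity_checks_passed:
        # A fast restore of unusable data does not count as recovery.
        findings.append("post-restore integrity checks failed")

    return {
        "service": test.service,
        "data_loss": data_loss,
        "downtime": downtime,
        "meets_objectives": not findings,
        "findings": findings,
    }


def services_needing_action(results: list) -> list:
    """Names of services whose exercise did not meet objectives."""
    return [r["service"] for r in results if not r["meets_objectives"]]


# Constructed sample data (hypothetical services and timings).
T0 = datetime(2026, 2, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_OBJECTIVES = {
    "customer-portal": RecoveryObjectives(rto=timedelta(hours=4), rpo=timedelta(hours=1)),
    "billing": RecoveryObjectives(rto=timedelta(hours=2), rpo=timedelta(minutes=15)),
    "support-desk": RecoveryObjectives(rto=timedelta(hours=8), rpo=timedelta(hours=4)),
}
SAMPLE_TESTS = [
    # passes: 30 min data loss, 3 h downtime, integrity ok
    RestoreTest("customer-portal", T0, T0 - timedelta(minutes=30), T0 + timedelta(hours=3), True),
    # fails both objectives: 2 h data loss, 3 h downtime
    RestoreTest("billing", T0, T0 - timedelta(hours=2), T0 + timedelta(hours=3), True),
    # backup taken after the incident started, and integrity checks failed
    RestoreTest("support-desk", T0, T0 + timedelta(minutes=5), T0 + timedelta(hours=1), False),
]


def run_sample() -> list:
    """Evaluate every constructed exercise against its service's objectives."""
    return [evaluate_restore_test(t, SAMPLE_OBJECTIVES[t.service]) for t in SAMPLE_TESTS]


if __name__ == "__main__":
    for r in run_sample():
        status = "OK" if r["meets_objectives"] else "ACTION"
        print(f"{r['service']}: {status} {r['findings']}")
```

The findings list is the part a continuity program would record as exercise results and improvement actions; a service that passes on speed but fails integrity checks is deliberately reported as needing action, because the objective is usable service, not a completed copy.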

Scaleup cyber incident continuity

A scaleup prepares ransomware playbooks, isolates critical systems, and rehearses executive communications so billing and support can operate during containment.

Enterprise site disruption plan

An enterprise maintains alternate work locations, cross-trained staff, and supplier contingencies to keep critical operations running during a facility closure.

Critical service failover testing

A regulated organization validates redundancy and failover for key services and documents exercise results, actions, and improvements in its continuity program.

Frequently Asked Questions

What is business continuity?

Business continuity is the capability to keep critical services operating, or restore them quickly, during disruptions such as outages, cyber incidents, or facility unavailability.

What is a business continuity plan (BCP)?

A BCP is a documented set of roles, procedures, and resources used to maintain or restore essential operations within agreed recovery objectives during an incident.

What is business continuity management (BCM)?

BCM is the ongoing governance and lifecycle process for analyzing impacts, selecting controls, maintaining plans, running exercises, and improving organizational resilience.

How does business continuity differ from disaster recovery?

Business continuity focuses on sustaining critical business processes end-to-end, while disaster recovery typically emphasizes restoring IT systems and data after disruption.

How do you start building a business continuity program?

Start with a business impact analysis, define recovery objectives, document response and recovery procedures, assign roles and communications, and validate through tests and exercises.

What is a business impact analysis (BIA)?

A BIA identifies critical processes, dependencies, and acceptable downtime, helping prioritize recovery strategies and set targets like RTO and RPO for continuity planning.

What should a business continuity plan include?

It should include incident roles, escalation paths, communications, critical process priorities, recovery procedures, resource requirements, supplier dependencies, and test schedules.

How often should a business continuity plan be tested and updated?

Test at least annually and after major changes; update whenever systems, suppliers, staffing, or risks change, and after exercises or incidents reveal improvement actions.

What scenarios should business continuity planning cover?

Common scenarios include ransomware, cloud or telecom outages, key supplier failures, staffing shortages, facility disruption, and data loss impacting critical services.

Who is responsible for business continuity?

Accountability typically sits with senior management, while security, IT, operations, HR, facilities, and key business owners share defined responsibilities for execution.

Revision History

Version  Date        Author                           Description
1.0.0    2026-02-26  WatchDog Security GRC Wiki Team  Initial publication