Control 5.30 : ICT Readiness for Business Continuity


Summary

Information and Communication Technology (ICT) readiness should be planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements. This ensures the technical infrastructure can support the business during a failure.


Applicability

In-Scope: Critical for any organization dependent on digital services for daily operations. It focuses on the technical RTO (Recovery Time Objective) and RPO (Recovery Point Objective).

Out-of-Scope: The control can be excluded only if the organization has zero dependency on IT for its core business functions.


Implementation Guidance

Microsoft 365 / Entra ID

  • Backup Configuration: Implement Microsoft 365 Backup or a third-party integrated solution to ensure point-in-time recovery for SharePoint, OneDrive, and Exchange.

  • Service Availability: Leverage the Microsoft Azure global infrastructure to ensure high availability and automatic failover for critical cloud-hosted applications.

  • Testing: Conduct regular restore tests using Azure Site Recovery or Microsoft 365 backup tools to verify that data can be recovered within the agreed RTO.
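The restore tests above only count as evidence if their results are compared against the agreed RTO and RPO and the test is recent. The following Python script is an added example, not code from the page or from Microsoft; it evaluates constructed restore-test log entries against hypothetical per-system RTO/RPO targets and flags restores that overran the RTO, backup schedules looser than the RPO, restores whose data was never validated, and tests older than 12 months. The system names, targets, timestamps and field names are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Hypothetical recovery targets per in-scope system (constructed sample values).
TARGETS = {
    "Exchange Online": {"rto_hours": 4, "rpo_hours": 1},
    "SharePoint Online": {"rto_hours": 8, "rpo_hours": 24},
    "OneDrive": {"rto_hours": 8, "rpo_hours": 24},
}

# Constructed restore-test log entries (ISO 8601 timestamps, UTC).
# backup_interval_hours is the configured backup frequency for that system.
RESTORE_TESTS = [
    {"system": "Exchange Online", "backup_interval_hours": 1,
     "restore_started": "2024-03-02T09:00:00", "restore_finished": "2024-03-02T11:30:00",
     "data_validated": True},
    {"system": "SharePoint Online", "backup_interval_hours": 24,
     "restore_started": "2023-05-10T08:00:00", "restore_finished": "2023-05-10T10:00:00",
     "data_validated": True},
    {"system": "OneDrive", "backup_interval_hours": 48,
     "restore_started": "2024-01-15T08:00:00", "restore_finished": "2024-01-15T20:00:00",
     "data_validated": False},
]


def evaluate_test(entry, target, as_of, max_age_days=365):
    """Return a list of findings for one restore test; an empty list means it passed."""
    findings = []
    started = datetime.fromisoformat(entry["restore_started"])
    finished = datetime.fromisoformat(entry["restore_finished"])

    # RTO: the restore itself must complete within the tolerated downtime.
    duration_h = (finished - started).total_seconds() / 3600
    if duration_h > target["rto_hours"]:
        findings.append(f"restore took {duration_h:.1f}h, exceeds RTO of {target['rto_hours']}h")

    # RPO: the backup schedule bounds the data loss; it must not exceed the RPO.
    if entry["backup_interval_hours"] > target["rpo_hours"]:
        findings.append(f"backup every {entry['backup_interval_hours']}h, "
                        f"exceeds RPO of {target['rpo_hours']}h")

    # A restore that was never checked for usable data is not evidence of recoverability.
    if not entry["data_validated"]:
        findings.append("restored data was not validated as usable")

    # Evidence must be recent: the page's checklist expects a test within the last 12 months.
    if finished < as_of - timedelta(days=max_age_days):
        findings.append(f"last test on {finished.date()} is older than {max_age_days} days")
    return findings


def evaluate_all(tests, targets, as_of_iso, max_age_days=365):
    """Map every in-scope system to its findings from the most recent restore test."""
    as_of = datetime.fromisoformat(as_of_iso)
    # Every system with a target starts as failing until a test is found for it.
    report = {system: ["no restore test recorded"] for system in targets}
    # Process tests oldest-first so the latest test for a system is the one reported.
    for entry in sorted(tests, key=lambda e: e["restore_finished"]):
        target = targets.get(entry["system"])
        if target is None:
            continue  # test for a system outside the control's scope
        report[entry["system"]] = evaluate_test(entry, target, as_of, max_age_days)
    return report


if __name__ == "__main__":
    for system, findings in evaluate_all(RESTORE_TESTS, TARGETS, "2024-06-01T00:00:00").items():
        status = "PASS" if not findings else "FAIL"
        print(f"{status} {system}")
        for f in findings:
            print(f"    - {f}")
```

Run as-is, the script reports Exchange Online as passing, SharePoint Online as failing only on test age, and OneDrive as failing on RTO, RPO and validation. In practice the log entries would be exported from the backup tool rather than embedded, but the comparison logic is the part an auditor asks to see.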


Evidence Checklist

  • ICT Continuity Plan: A technical document detailing the recovery steps for all in-scope IT systems.

  • RTO/RPO Definitions: Formally approved targets for how much data loss and downtime the business can tolerate.

  • Restore Test Logs: Documented evidence of successful data restoration tests performed within the last 12 months.


Practical Audit Advice

Here are some questions the auditor might ask:

  • What are the defined RTO and RPO for your most critical business applications, and how were these determined?

  • How often do you perform a restoration test from your backups to ensure the data is actually usable?

  • In the event of a total Microsoft 365 regional outage, what is the organization's plan for maintaining core communications?

  • How do you ensure that your backup data is protected from the same threats as your production data (e.g., ransomware)?