ISO 27001 A.5.30: ICT readiness for business continuity
What This Control Requires
ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives.
In Plain Language
If your servers go down tomorrow, how long before the business is back up and running? That is what this control is really about. It forces you to answer two uncomfortable questions: how much downtime can you survive (RTO), and how much data can you afford to lose (RPO)?
Most business processes run on technology now, so ICT readiness is the foundation of your entire continuity strategy. You need to define RTOs and RPOs for every critical service based on a proper business impact analysis, then put technical solutions in place that actually meet those numbers.
This goes well beyond just having backups. It covers your full stack - infrastructure, applications, data, networking, and crucially the people and procedures needed to recover everything under pressure. Auditors will want to see that you have tested all of it, not just documented it.
How to Implement
Start with a business impact analysis (BIA) to pin down the RTOs and RPOs for all critical business processes and the ICT services behind them. Identify the maximum tolerable downtime for each process and the acceptable data loss window. These numbers drive every technical decision that follows.
Design your recovery solutions to match those targets. For critical systems needing very low RTO, look at active-active or active-passive high availability with automatic failover. For moderate RTO requirements, warm standby or rapid deployment from infrastructure-as-code works well. Where longer downtime is acceptable, cold standby or backup restoration may be enough.
Get your backup strategy right. Set backup schedules based on RPO requirements and follow the 3-2-1 rule: three copies of data, on two different media types, with one copy offsite or in the cloud. Encrypt your backups and protect them from ransomware using air-gapped or immutable storage. Test restoration regularly to verify data integrity and measure actual recovery times.
Write detailed recovery procedures for each critical system. Cover system dependencies and recovery sequence, infrastructure requirements, application installation and configuration, data restoration steps, post-recovery verification, and communication procedures during the incident.
Test regularly with different exercise types. Technical recovery tests verify individual systems can be recovered within their RTOs. Integrated tests check that dependent systems recover together properly. Full DR exercises simulate realistic scenarios end to end. Document results, identify gaps, and build action plans. Test at least annually, with critical systems tested more often.
Evidence Your Auditor Will Request
- Business impact analysis with defined RTOs and RPOs for critical ICT services
- ICT recovery solutions documentation showing alignment with RTO/RPO requirements
- Backup procedures and configuration documentation including retention and testing schedules
- ICT recovery test results demonstrating achieved recovery times
- Action plans from recovery tests showing remediation of identified gaps
Common Mistakes
- RTOs and RPOs are not defined or are not based on business impact analysis
- Backup restoration has never been tested or tests show inability to meet RPO
- Recovery procedures are outdated and do not reflect current system configurations
- Disaster recovery tests are not conducted regularly or are limited in scope
- Dependencies between systems are not considered in recovery planning and sequencing
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | A1.2 | Equivalent |
| SOC 2 | A1.3 | Related |
| NIS2 | Art.21(2)(c) | Equivalent |
Frequently Asked Questions
What is the difference between RTO and RPO?
How often should we test disaster recovery?
Track ISO 27001 compliance in one place
AuditFront helps you manage every ISO 27001 control, collect evidence, and stay audit-ready.
Start Free Assessment