Resilience Glossary

Business Continuity Management (BCM)

A management discipline designed to ensure the continuity of critical business processes in the event of disruptions. This entry describes the basic concepts of RTO, RPO, BCP, and DRP. For practical implementation in the context of cyberattacks—including the 3-2-1-1-0 backup rule, ransomware scenarios, and tabletop exercises—see the more detailed entry on Business Continuity Management (Cyberattacks).

Business Continuity Management (BCM) ensures that a company remains operational even in the event of serious disruptions. While IT disaster recovery focuses on restoring systems, BCM takes a broader view: Which processes must be maintained at all costs? What is the minimum the company needs to survive?

Core Concepts: RTO, RPO, MTPD

RTO - Recovery Time Objective

How long can a system or process be down?

Critical system (online store):    RTO = 1 hour
Important system (ERP):            RTO = 4 hours
Standard system (internal docs):   RTO = 24 hours
Archive system:                    RTO = 72 hours

The shorter the RTO, the more expensive the solution (hot standby vs. cold standby).

RPO - Recovery Point Objective

How much data loss is acceptable?

Online banking:     RPO = 0 (no data loss acceptable, synchronous replication)
ERP system:         RPO = 1 hour (hourly snapshots)
Email server:       RPO = 4 hours (4x daily backup)
Reporting system:   RPO = 24 hours (daily backup)

Example: Ransomware strikes at 2:00 PM; the last backup was taken at 8:00 AM. The usable recovery point is therefore 6 hours old (RPO = 6 hours), so 6 hours of work are lost.

MTPD - Maximum Tolerable Period of Disruption

How long can the company survive at all without this process or system? The MTPD sets the absolute upper limit; the RTO must be below it.

MTPD "Payment Processing": 24 hours (after 24 hours: legal obligations violated)
MTPD "Production Control": 8 hours (after 8 hours: production line stops)
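The three objectives above constrain each other: the RTO must stay below the MTPD, and the backup schedule must be at least as frequent as the RPO demands. The following Python is an added example (not part of the glossary entry) that encodes those two checks for a constructed inventory and reproduces the entry's 2:00 PM / 8:00 AM scenario; all process names and figures are illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class ProcessObjectives:
    name: str
    rto_h: float               # Recovery Time Objective, hours
    rpo_h: float               # Recovery Point Objective, hours
    mtpd_h: float              # Maximum Tolerable Period of Disruption, hours
    backup_interval_h: float   # how often a restorable copy is actually taken

    def problems(self) -> list[str]:
        """Consistency rules: RTO below MTPD; backups frequent enough for the RPO."""
        out = []
        if self.rto_h >= self.mtpd_h:
            out.append(f"{self.name}: RTO {self.rto_h}h is not below MTPD {self.mtpd_h}h")
        if self.backup_interval_h > self.rpo_h:
            out.append(f"{self.name}: a backup every {self.backup_interval_h}h "
                       f"cannot meet RPO {self.rpo_h}h")
        return out

def data_loss_hours(incident: datetime, last_good_backup: datetime) -> float:
    """Age of the newest usable recovery point at the moment the incident hits."""
    return (incident - last_good_backup) / timedelta(hours=1)

def within_rpo(p: ProcessObjectives, incident: datetime, last_good_backup: datetime) -> bool:
    return data_loss_hours(incident, last_good_backup) <= p.rpo_h

# Constructed inventory (illustrative figures, not from any real BIA).
INVENTORY = [
    ProcessObjectives("Online store", rto_h=1, rpo_h=1, mtpd_h=24, backup_interval_h=1),
    ProcessObjectives("ERP", rto_h=4, rpo_h=1, mtpd_h=8, backup_interval_h=1),
    ProcessObjectives("Production control", rto_h=8, rpo_h=4, mtpd_h=8, backup_interval_h=6),
]

def review_inventory(inventory=INVENTORY) -> list[str]:
    """All findings across the inventory; empty means the objectives are consistent."""
    return [msg for p in inventory for msg in p.problems()]

def entry_scenario() -> tuple[float, bool]:
    """The entry's example: ransomware at 2:00 PM, last backup at 8:00 AM (constructed date).
    Returns the data loss in hours and whether the ERP's 1-hour RPO was met."""
    hit = datetime(2025, 3, 3, 14, 0)
    last_good = datetime(2025, 3, 3, 8, 0)
    return data_loss_hours(hit, last_good), within_rpo(INVENTORY[1], hit, last_good)

if __name__ == "__main__":
    loss, ok = entry_scenario()
    print(f"data loss: {loss:.0f}h, ERP RPO met: {ok}")
    for msg in review_inventory():
        print("finding:", msg)
```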

Business Impact Analysis (BIA)

Before a BCP can be written, a systematic analysis must determine which processes are critical and to what degree.

BIA questionnaire (excerpt):

Process: "Order Processing"
├── Which IT systems are required? [ERP, CRM, Email]
├── What data is processed? [Customer data, orders]
├── What is the cost of 1 hour of downtime? [€5,000 in lost revenue]
├── What is the cost of 24 hours of downtime? [€50,000 + contractual penalties]
├── Are there manual alternatives? [Yes, Excel lists for 8 hours]
├── RTO for this process: [4 hours]
└── RPO for this process: [2 hours]

Business Continuity Plan (BCP)

The BCP is the document that defines all emergency measures:

Emergency Organization

Incident Commander (IC): Overall responsibility, decision-making authority
├── IT Crisis Team: Technical recovery
├── Communications Team: Internal + external communications
├── Business Teams: Manual process alternatives
└── Legal/Compliance: Regulatory reporting obligations (NIS2, GDPR)

Activation of the BCP

Trigger: Ransomware attack detected, systems encrypted

00:00 - Incident Commander activates BCP
00:15 - IT isolates infected systems from the network
00:30 - Crisis team convenes (virtually or in person)
01:00 - Assessment: Which systems are affected? How many?
02:00 - Decision: Recovery from backup or payment? (Never pay!)
04:00 - First systems are restored from backup
24:00 - Critical systems operational again
72:00 - Full recovery

IT Disaster Recovery Plan (DRP)

The DRP is the technical component of the BCP:

1. System inventory: What needs to be restored and in what order?
   Priority 1: Active Directory, DNS (everything else depends on these)
   Priority 2: Email, VPN (communication and remote access)
   Priority 3: ERP, core business processes
   Priority 4: Other systems

2. Backup Strategy:
   - 3-2-1-1-0: 3 copies, 2 media types, 1 off-site, 1 offline/immutable, 0 errors
   - Separate backup infrastructure (not in the same AD as production!)
   - Regular restore tests (at least quarterly)

3. Recovery Procedures:
   - Step-by-step instructions for each system
   - No dependency on compromised infrastructure
   - Secure communication channel (e.g., Signal, Teams on personal devices)
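The recovery order in the system inventory is really a dependency graph: nothing can be restored before Active Directory and DNS, and the cumulative restore time of that chain is what has to fit inside each system's RTO. The Python below is an added example (not from the glossary entry) that sequences a constructed inventory with a topological sort, restoring the tightest RTO first among the systems that are ready, and reports which RTOs the plan would miss; the restore durations and RTOs are illustrative assumptions.

```python
import heapq

# Constructed DRP inventory following the entry's priorities (illustrative figures).
SYSTEMS = {
    "Active Directory": {"depends_on": [], "restore_h": 2, "rto_h": 4},
    "DNS":              {"depends_on": [], "restore_h": 1, "rto_h": 4},
    "Email":            {"depends_on": ["Active Directory", "DNS"], "restore_h": 3, "rto_h": 8},
    "VPN":              {"depends_on": ["Active Directory"], "restore_h": 1, "rto_h": 8},
    "ERP":              {"depends_on": ["Active Directory", "DNS", "VPN"], "restore_h": 6, "rto_h": 12},
    "Intranet wiki":    {"depends_on": ["Active Directory"], "restore_h": 2, "rto_h": 48},
}

def recovery_plan(systems: dict) -> tuple[list[str], dict[str, float]]:
    """Kahn's topological sort: a system is restored only after everything it
    depends on; among ready systems the tightest RTO goes first. Models one
    recovery team working the systems one after another."""
    indeg = {s: len(v["depends_on"]) for s, v in systems.items()}
    dependents: dict[str, list[str]] = {s: [] for s in systems}
    for s, v in systems.items():
        for d in v["depends_on"]:
            if d not in systems:
                raise ValueError(f"{s} depends on {d!r}, which is not in the inventory")
            dependents[d].append(s)
    ready = [(systems[s]["rto_h"], s) for s in systems if indeg[s] == 0]
    heapq.heapify(ready)
    order, finish, clock = [], {}, 0.0
    while ready:
        _, s = heapq.heappop(ready)
        clock += systems[s]["restore_h"]   # dependencies have already finished by now
        order.append(s)
        finish[s] = clock
        for n in dependents[s]:
            indeg[n] -= 1
            if indeg[n] == 0:
                heapq.heappush(ready, (systems[n]["rto_h"], n))
    if len(order) != len(systems):
        raise ValueError("circular dependency: the plan cannot be executed")
    return order, finish

def rto_misses(systems: dict, finish: dict[str, float]) -> list[str]:
    # Systems whose cumulative restore time overshoots their own RTO.
    return [s for s, t in finish.items() if t > systems[s]["rto_h"]]

if __name__ == "__main__":
    order, finish = recovery_plan(SYSTEMS)
    for s in order:
        print(f"{finish[s]:5.1f}h  {s}")
    print("RTO missed:", rto_misses(SYSTEMS, finish))
```

With these figures the ERP comes up after 13 hours against a 12-hour RTO, which is exactly the kind of gap a restore test is meant to surface before an incident does.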

Ransomware-Specific: Special Considerations in the BCP

Ransomware places special demands on the BCP because:

  1. Backup systems are often affected as well (attackers wait until backups are also encrypted)
  2. Duration of the attack is unclear (were systems compromised weeks earlier?)
  3. Trustworthiness of the systems (can I trust the backup content?)

Specific Measures:

  • Immutable backups (unchangeable, even for admins)
  • Air-gapped backup (physically separated, no network access)
  • Backup retention period of at least 30 days (ransomware may have been introduced 14 days ago)
  • "Clean Room Recovery" – restoration in a fresh, isolated environment
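The backup strategy in the DRP section (3-2-1-1-0, separate backup infrastructure, quarterly restore tests) and the ransomware-specific measures above (immutable or air-gapped copy, retention of at least 30 days) can be expressed as a single checklist over the backup copies a company actually has. The Python below is an added example, not code from the glossary entry, that evaluates a constructed set of copies against those rules; the copy attributes, dates and thresholds are illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class BackupCopy:
    label: str
    media: str               # "disk", "tape", "object-storage", ...
    offsite: bool
    immutable: bool          # cannot be altered or deleted, even by admins
    air_gapped: bool         # no network path from production
    in_production_ad: bool   # backup infrastructure joined to the production domain
    retention_days: int
    last_restore_test: date
    last_verify_errors: int  # errors reported by the most recent backup verification

def check_backup_posture(copies: list[BackupCopy], today: date,
                         min_retention_days: int = 30, test_every_days: int = 90) -> list[str]:
    """Findings against 3-2-1-1-0 plus the ransomware-specific measures;
    an empty list means every rule is satisfied."""
    f = []
    if len(copies) < 3:
        f.append(f"only {len(copies)} copies (rule: 3)")
    if len({c.media for c in copies}) < 2:
        f.append("all copies on one media type (rule: 2)")
    if not any(c.offsite for c in copies):
        f.append("no off-site copy")
    if not any(c.immutable or c.air_gapped for c in copies):
        f.append("no offline/immutable copy")
    for c in copies:
        if c.last_verify_errors:
            f.append(f"{c.label}: last verification reported {c.last_verify_errors} errors (rule: 0)")
        if c.in_production_ad:
            f.append(f"{c.label}: backup infrastructure is in the production AD")
        if c.retention_days < min_retention_days:
            f.append(f"{c.label}: retention {c.retention_days}d is below {min_retention_days}d")
        if today - c.last_restore_test > timedelta(days=test_every_days):
            f.append(f"{c.label}: last restore test is older than {test_every_days} days")
    return f

# Constructed sample (dates and figures are illustrative).
TODAY = date(2025, 1, 15)
SAMPLE_COPIES = [
    BackupCopy("primary disk", "disk", False, False, False, False, 14, date(2024, 12, 20), 0),
    BackupCopy("offsite tape", "tape", True, False, True, False, 90, date(2024, 9, 1), 0),
    BackupCopy("immutable bucket", "object-storage", True, True, False, False, 35, date(2024, 11, 30), 0),
]

def sample_findings() -> list[str]:
    return check_backup_posture(SAMPLE_COPIES, TODAY)
```

The sample passes 3-2-1-1-0 itself but still yields two findings: the primary copy's 14-day retention is shorter than the 30 days the ransomware scenario calls for, and the tape has not been restore-tested within the last quarter.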

Compliance

ISO 27001 A.5.29 (Information Security in the Event of Disruptions): BCM as an explicit control.

ISO 22301: International standard specifically for BCM – can be certified as a supplement to ISO 27001.

BSI IT-Grundschutz DER.4: Emergency management - detailed requirements for BCP and DRP.

NIS2 Art. 21 (h): Business continuity and crisis management as a mandatory measure for essential and important entities.

DORA (Financial Sector) Art. 11: Digital operational resilience - very detailed BCM requirements, including regular testing.