Business continuity management (BCM): making companies crisis-proof
Business Continuity Management (BCM) is the organizational framework for maintaining critical business processes during and after crises. This article explains the BCM lifecycle according to ISO 22301, Business Impact Analysis (BIA), recovery strategies, Business Continuity Plans (BCP), crisis management structures, and integration with IT emergency management and ISO 27001.
Ransomware strikes. The data center catches fire. A key employee is out of commission. A supplier goes bankrupt. In all these cases, the crucial question arises: How long can the company continue to operate—and what is the plan? BCM provides structured answers to these questions before a crisis strikes.
BCM vs. Disaster Recovery vs. IT Emergency Management
Distinction between the concepts:
BCM (Business Continuity Management):
→ Organizational framework for all types of business disruptions
→ Focus: maintaining critical business processes
→ Scope: entire organization (not just IT)
→ Standard: ISO 22301
→ Includes: BIA, BCP, crisis management, communication, training
Disaster Recovery (DR):
→ Technical restoration of IT systems after a failure
→ Subset of BCM
→ Focus: RTO/RPO for IT systems
→ Standard: ISO 27031 (IT for BCM)
IT Emergency Management (BSI):
→ BSI IT-Grundschutz: Ensuring information processing
→ Incident Response as a subset
→ Integration into ISMS (ISO 27001 Clauses 8.4, 6.1)
Business Continuity Plan (BCP):
→ Document describing how to continue operations in the event of a disruption
→ Includes: emergency organization, escalation, communication, recovery steps
Crisis Management:
→ Leadership and decision-making structure during a crisis
→ Crisis Management Team (CMT): Who decides what?
BCM Lifecycle according to ISO 22301
ISO 22301:2019 - Business Continuity Management System (BCMS):
Clause 4: Context
→ Stakeholder analysis: Who is affected by an outage?
→ Scope of the BCMS: Which locations, processes, services?
→ Requirements: Regulatory (DORA, KRITIS), contractual (SLAs)
Clause 6: Planning
→ Conduct a Business Impact Analysis (BIA)
→ Risk analysis: Which events can cause disruptions?
→ Objectives: What are RTO/RPO targets?
Clause 8: Operation (Core component!)
8.2 Business Impact Analysis (BIA)
8.3 Business Continuity Strategy
8.4 Business Continuity Plans (BCPs)
8.5 Business Continuity Tests and Exercises
Clause 9: Performance Evaluation
→ Internal audits of the BCMS
→ Management Review
→ Metrics: MTPD, RTO, RPO compliance
Clause 10: Improvement
→ Lessons learned from tests and real-world events
→ CIP (continuous improvement process)
---
BCM Implementation Roadmap (6 months):
Months 1–2: Foundations
□ Define the scope of the BCMS
□ Adopt the BCM policy
□ Appoint a BCM manager
□ Nominate the Crisis Management Team (CMT)
Months 3–4: BIA and Risks
□ Conduct Business Impact Analysis
□ Identify critical processes
□ Set RTO/RPO targets
□ Risk analysis for BCM events
Months 5–6: Plans and Tests
□ Write Business Continuity Plans
□ Create communication plan
□ Conduct tabletop exercise
□ Complete BCMS documentation
Business Impact Analysis (BIA)
BIA – the core of BCM:
Objective of the BIA:
→ Which processes are critical and to what extent?
→ How long can we manage without them?
→ What are the consequences of a failure (financial, legal, reputational)?
BIA data collection (workshop + interviews with process owners):
Questions per process:
□ Describe the process (Input → Processing → Output)
□ What resources does the process require? (Personnel, IT, facilities)
□ What dependencies does the process have? (Upstream processes, suppliers)
□ What happens if the process fails for 1 hour / 1 day / 1 week?
□ Are there regulatory deadlines that must be met?
□ When is the process most critical? (End of the month, end of the year?)
---
BIA Results:
MTPD (Maximum Tolerable Period of Disruption):
→ How long can the process be down for at most?
→ After MTPD: irreversible damage (loss of customers, insolvency)
RTO (Recovery Time Objective):
→ How quickly must the process be back up and running?
→ MUST be less than MTPD!
RPO (Recovery Point Objective):
→ How old can the data be after recovery?
→ Directly dependent on backup frequency
Sample BIA Table:
Process              | MTPD    | RTO    | RPO   | Criticality
---------------------|---------|--------|-------|-------------
Webshop/Online Store | 4h      | 2h     | 1h    | CRITICAL
Inventory Management | 1 Day   | 4h     | 4h    | HIGH
Accounting           | 1 Week  | 2 Days | 1 Day | MEDIUM
HR System            | 2 Weeks | 1 Week | 1 Day | LOW
Website (static)     | 1 Week  | 4h     | 1 Day | MEDIUM
---
Recovery Strategies:
Strategies are defined based on BIA results:
1. Alternative workstations:
→ Ability to work from home (for pandemics, loss of building)
→ Alternative location at partner/affiliate
→ Mobile work kits (laptops, VPN access)
2. Manual fallback processes:
→ What if IT fails completely?
→ Critical forms and checklists available on paper!
→ "How did we do this 20 years ago?"
3. Alternative suppliers:
→ Critical suppliers: always identify an alternative supplier
→ Agree on an SLA with the alternative supplier in advance
4. IT recovery strategies:
→ Cold standby: Backup system exists, must still be set up (4–24 hours)
→ Warm standby: System is running but not up to date (1–4 hours of syncing)
→ Hot Standby: System runs in sync, immediate takeover (< 1h)
→ Active-Active: Both systems are running productively (< 15 minutes, most expensive option)
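The BIA results and the IT recovery strategies above can be checked mechanically. The following script is an added example, not part of the article: it takes the article's sample BIA table, applies the two rules the article states (RTO must be below MTPD; RPO is bounded by the backup interval), and checks whether the standby tier in place can take over within the RTO, using the upper end of each tier's range from the list above. The backup interval and standby tier per process, and the helper names (check_bia, minimum_strategy, recovery_order), are assumptions constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

HOUR = 1.0
DAY = 24 * HOUR
WEEK = 7 * DAY

# Worst-case takeover time per IT recovery strategy, in hours, taken from the
# upper end of the ranges in the article (cold 4-24h, warm 1-4h, hot < 1h,
# active-active < 15 min). Listed cheapest first; the order matters below.
STRATEGY_WORST_CASE_H: dict[str, float] = {
    "cold": 24.0,
    "warm": 4.0,
    "hot": 1.0,
    "active-active": 0.25,
}


@dataclass(frozen=True)
class Process:
    name: str
    mtpd_h: float             # Maximum Tolerable Period of Disruption
    rto_h: float              # Recovery Time Objective
    rpo_h: float              # Recovery Point Objective
    criticality: str
    backup_interval_h: float  # assumption: how often backups actually run
    strategy: str             # assumption: standby tier currently in place


def check_process(p: Process) -> list[str]:
    """Return the BIA rule violations for one process (empty list = consistent)."""
    findings: list[str] = []
    # Rule 1 (article): RTO MUST be less than MTPD.
    if p.rto_h >= p.mtpd_h:
        findings.append(f"RTO {p.rto_h:g}h is not below MTPD {p.mtpd_h:g}h")
    # Rule 2 (article): RPO depends directly on backup frequency, so a backup
    # interval longer than the RPO means the RPO cannot be met.
    if p.backup_interval_h > p.rpo_h:
        findings.append(f"backup interval {p.backup_interval_h:g}h exceeds RPO {p.rpo_h:g}h")
    # Rule 3: the standby tier in place must be able to take over within the RTO.
    worst = STRATEGY_WORST_CASE_H[p.strategy]
    if worst > p.rto_h:
        findings.append(f"{p.strategy} standby (worst case {worst:g}h) cannot meet RTO {p.rto_h:g}h")
    return findings


def check_bia(processes: list[Process]) -> dict[str, list[str]]:
    """Map each inconsistent process name to its findings; consistent ones are omitted."""
    result: dict[str, list[str]] = {}
    for p in processes:
        findings = check_process(p)
        if findings:
            result[p.name] = findings
    return result


def minimum_strategy(rto_h: float) -> str:
    """Cheapest standby tier whose worst-case takeover time fits within the RTO."""
    for strategy, worst in STRATEGY_WORST_CASE_H.items():  # cheapest first
        if worst <= rto_h:
            return strategy
    raise ValueError(f"no listed strategy meets an RTO of {rto_h:g}h")


def recovery_order(processes: list[Process]) -> list[str]:
    """Order in which to restore processes: shortest MTPD first, RTO as tie-breaker."""
    return [p.name for p in sorted(processes, key=lambda p: (p.mtpd_h, p.rto_h))]


# The article's sample BIA table. The backup interval and standby tier columns
# are constructed for this example and are not part of the article.
SAMPLE_BIA = [
    Process("Webshop/Online Store", 4 * HOUR, 2 * HOUR, 1 * HOUR, "CRITICAL", 1 * HOUR, "warm"),
    Process("Inventory Management", 1 * DAY, 4 * HOUR, 4 * HOUR, "HIGH", 4 * HOUR, "warm"),
    Process("Accounting", 1 * WEEK, 2 * DAY, 1 * DAY, "MEDIUM", 1 * DAY, "cold"),
    Process("HR System", 2 * WEEK, 1 * WEEK, 1 * DAY, "LOW", 1 * DAY, "cold"),
    Process("Website (static)", 1 * WEEK, 4 * HOUR, 1 * DAY, "MEDIUM", 1 * WEEK, "warm"),
]

if __name__ == "__main__":
    for name, findings in check_bia(SAMPLE_BIA).items():
        for finding in findings:
            print(f"FINDING {name}: {finding}")
    for p in SAMPLE_BIA:
        print(f"{p.name}: RTO {p.rto_h:g}h -> minimum tier {minimum_strategy(p.rto_h)}")
    print("Recovery order:", " > ".join(recovery_order(SAMPLE_BIA)))
```

Run as-is, the script flags two of the five constructed rows: the webshop's warm standby (worst case 4h) cannot meet its 2h RTO, so at least a hot standby is needed, and a weekly backup of the static website cannot deliver a 1-day RPO. The recovery order puts the webshop first and the HR system last, which is the priority list the crisis team would work from.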
Business Continuity Plan (BCP)
BCP Document Structure:
1. Scope and Objectives
→ For which scenarios does this plan apply?
→ Activation Trigger: When is the plan activated?
→ Who activates it? (Crisis Management Team)
2. Crisis Management Team (CMT)
→ Roles: Crisis Management Team members
→ Primary and alternate contacts
→ Emergency contact list (also available offline!)
3. Communication Plan
→ Internal: How are employees informed?
(Email, Teams, SMS chain, emergency website)
→ External: Customers, suppliers, authorities, press
→ Data protection: No premature announcements about cyberattacks!
→ Press contact: Who speaks on behalf of the company?
4. Process-specific recovery procedures
For each critical process:
□ Describe the failure scenario
□ Immediate actions (first 1 hour)
□ Short-term actions (first 24 hours)
□ Medium-term recovery
□ Responsibilities (Who does what?)
□ Resources (What is needed?)
5. IT recovery procedures (reference to DR plan)
→ DR plan is the technical counterpart to the BCP
→ BCP describes "what" – DR plan describes "how" technically
6. Tests and exercises
---
Crisis Management Team Activation:
Escalation thresholds:
Level 1 (Incident):
→ IT disruption, limited impact
→ IT manager + affected department resolve internally
→ No CMT necessary
Level 2 (Business Continuity Event):
→ Several hours of critical process downtime
→ CMT informed, possibly activated
→ CISO + COO involved in decision-making
Level 3 (Crisis):
→ > 1 day of downtime, external damage, data breach
→ CMT fully activated
→ Executive management involved
→ Crisis team: status meetings twice daily
CMT Initial Actions (Activation):
1. Assess the situation: What happened?
2. Evaluate the extent of damage: What is affected?
3. Decide on immediate measures: Activate emergency operations?
4. Internal communication: Inform all affected parties
5. Maintain a logbook: Document all decisions!
(For insurance, authorities, and future verification)
BCM Tests and Exercises
Test types (from simple to complex):
1. Document review (quarterly):
→ Check BCP for up-to-date status
→ Are contact details current?
→ Are processes still described correctly?
→ Have organizational changes been incorporated?
2. Tabletop Exercise (semi-annual):
→ CMT meets, runs through scenario
→ Moderator presents scenario: "It’s Monday, 8:00 a.m., ransomware strikes..."
→ Team discusses: What do we do now? Who calls whom?
→ No actual IT involved—only testing decision-making processes
→ Duration: 2–4 hours
3. Functional Exercise (annually):
→ Actually test individual procedures
→ DR plan: Test failover to backup systems
→ Communication plan: Test emergency SMS chain
→ Result: Validate procedures
4. Full Simulation Exercise (every 2–3 years):
→ Complete crisis simulation, unannounced if necessary
→ CMT is activated, all plans are executed
→ Most realistic test scenario
→ Complex, expensive, but most valuable test result
Exercise Scenarios for Cyberattack BCM:
"Ransomware hits production system. 9:00 a.m. Monday morning."
→ Who is informed and when?
→ How do we communicate with customers?
→ Which emergency operations are activated?
→ When do we speak to the press?
→ When do we report to BSI/LfDI?
About the Author
Dipl.-Math. (WWU Münster) and doctoral candidate at the Promotionskolleg NRW (Hochschule Rhein-Waal) with a research focus on phishing awareness, behavioral security and nudging in IT security. Responsible for building and maintaining ISMSs, leads internal audits according to ISO/IEC 27001:2022 and advises as an external ISB (information security officer) in KRITIS sectors. Lecturer for Communication Security at Hochschule Rhein-Waal and NIS2 training lead at isits AG.
3 publications
- Different Seas, Different Phishes — Large-Scale Analysis of Phishing Simulations Across Different Industries (2025)
- Self-promotion with a Chance of Warnings: Exploring Cybersecurity Communication Among Government Institutions on LinkedIn (2024)
- Exploring the Effects of Cybersecurity Awareness and Decision-Making Under Risk (2024)