ICT Readiness for Business Continuity
Ensure ICT systems are ready to support business goals during disruptions through proper planning and testing.
🏛️ Framework
ISO/IEC 27001:2022
🧭 Control effect
Proactive
🧱 ISO 27001 domain
Organisational controls
🔐 Classifications
N/A
🗓️ Official last update
24 Oct 2022
✏️ Control Stack last updated
19 Mar 2026
🎯 Maturity levels
N/A
ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
Source: ISO/IEC 27001:2022
Plain language
This control is about making sure your technology systems can keep your business running, even if something goes wrong. Imagine trying to serve customers without computers, internet, or phones. It's about being prepared so your business doesn't grind to a halt when there's a hiccup.
Why it matters
Without ICT continuity readiness, meaning recovery that has been tested to meet the recovery time objective (RTO) and recovery point objective (RPO) for each critical service, a disruption can stop those services outright, and the financial and reputational harm escalates with every hour they stay down.
Operational notes
Plan, maintain and regularly test ICT continuity arrangements against the business continuity objectives, verifying that recovery procedures actually meet the defined RTOs and RPOs and that dependent systems are restored in the right order (an application restored before its database or identity provider has not really been recovered).
Implementation tips
- The IT manager should develop a plan that identifies key technology systems essential for the business to operate during a disruption. This involves conducting a Business Impact Analysis (BIA) to understand which systems are critical and how quickly they need to be back online.
- Management should assign roles and responsibilities for handling technology-related disruptions. They must ensure there is a clear organisational structure with trained staff who know how to respond if systems go down unexpectedly.
- The IT team should create detailed ICT continuity plans that include how to recover critical systems quickly. These plans should outline the steps needed to restore functionality, including which staff members are involved and what resources are required.
- ICT services and systems should be regularly tested to ensure continuity plans work as expected. This can involve running simulations or drills to mimic real-life disruptions and adjust the plan based on what works and what doesn't.
- Management should review and approve the ICT continuity plans annually or after any significant organisational change. This keeps everyone working from the same plan and ensures the plans still align with business needs, Australian law, and the obligations set by regulators such as the OAIC and APRA.
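The operational notes and the testing tip above say to verify that a DR exercise met the defined RTOs and RPOs and respected dependencies; the Essential Eight mapping below adds that restoration should be to a common point in time. The following script is an added example of how to check exercise evidence against those objectives. It is not code from Control Stack or from any framework; the system names, objective values, timestamps and the 15-minute "common point in time" tolerance are all constructed assumptions.

```python
"""Check a DR exercise record against the RTO/RPO objectives and dependencies from a BIA.

Added example for this page; not code from the Control Stack site or any framework.
System names, objectives and timestamps below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Objective:
    """Continuity requirement for one ICT service, as set by the BIA."""
    rto: timedelta                    # maximum tolerable time to restore service
    rpo: timedelta                    # maximum tolerable data loss, measured in time
    depends_on: tuple[str, ...] = ()  # services that must be up before this one


@dataclass
class Finding:
    """Result for one service after the exercise is evaluated."""
    system: str
    achieved_rto: Optional[timedelta]
    achieved_rpo: Optional[timedelta]
    failures: list[str] = field(default_factory=list)


# Constructed BIA output (assumed values).
OBJECTIVES: dict[str, Objective] = {
    "identity":   Objective(rto=timedelta(hours=1), rpo=timedelta(minutes=15)),
    "database":   Objective(rto=timedelta(hours=2), rpo=timedelta(minutes=30),
                            depends_on=("identity",)),
    "web-portal": Objective(rto=timedelta(hours=4), rpo=timedelta(hours=1),
                            depends_on=("identity", "database")),
    "payments":   Objective(rto=timedelta(hours=4), rpo=timedelta(hours=1),
                            depends_on=("database",)),
}

# Constructed DR exercise record: when the outage was declared, the last
# successful backup each team restored from, and when service was verified.
OUTAGE_DECLARED = datetime(2026, 3, 14, 9, 0)
EXERCISE: dict[str, dict[str, datetime]] = {
    "identity":   {"last_backup": datetime(2026, 3, 14, 8, 50),
                   "restored":    datetime(2026, 3, 14, 9, 40)},
    "database":   {"last_backup": datetime(2026, 3, 14, 8, 20),
                   "restored":    datetime(2026, 3, 14, 10, 30)},
    "web-portal": {"last_backup": datetime(2026, 3, 14, 8, 45),
                   "restored":    datetime(2026, 3, 14, 10, 15)},
    # "payments" was never exercised: an objective with no restore evidence.
}


def evaluate(objectives, exercise, outage_start, max_skew=timedelta(minutes=15)):
    """Return (per-system findings, exercise-wide failures).

    Per system: achieved RTO/RPO against the objectives, and whether every
    dependency was restored no later than the dependent service.
    Exercise-wide: all restore points lie within max_skew of each other, i.e.
    restoration was to a common point in time (the tolerance is an assumption).
    """
    findings: dict[str, Finding] = {}
    for name, obj in objectives.items():
        rec = exercise.get(name)
        if rec is None:
            findings[name] = Finding(name, None, None,
                                     ["not exercised: no restore evidence"])
            continue
        rto = rec["restored"] - outage_start      # time from outage to verified service
        rpo = outage_start - rec["last_backup"]   # data lost between backup and outage
        f = Finding(name, rto, rpo)
        if rto > obj.rto:
            f.failures.append(f"RTO {rto} exceeds objective {obj.rto}")
        if rpo > obj.rpo:
            f.failures.append(f"RPO {rpo} exceeds objective {obj.rpo}")
        for dep in obj.depends_on:
            dep_rec = exercise.get(dep)
            if dep_rec is None:
                f.failures.append(f"dependency {dep} was not exercised")
            elif dep_rec["restored"] > rec["restored"]:
                f.failures.append(
                    f"verified before dependency {dep} was restored; evidence is invalid")
        findings[name] = f

    exercise_failures: list[str] = []
    points = [r["last_backup"] for r in exercise.values()]
    if points and max(points) - min(points) > max_skew:
        exercise_failures.append(
            f"restore points span {max(points) - min(points)}, not a common point in time")
    return findings, exercise_failures


def exercise_passed(findings, exercise_failures) -> bool:
    """True only when every system and the exercise as a whole met its objectives."""
    return not exercise_failures and all(not f.failures for f in findings.values())


if __name__ == "__main__":
    findings, wide = evaluate(OBJECTIVES, EXERCISE, OUTAGE_DECLARED)
    for f in findings.values():
        print(f"{f.system:11} RTO={f.achieved_rto} RPO={f.achieved_rpo} "
              f"{'PASS' if not f.failures else 'FAIL'}")
        for msg in f.failures:
            print(f"    - {msg}")
    for msg in wide:
        print(f"exercise: {msg}")
    print("overall:", "PASS" if exercise_passed(findings, wide) else "FAIL")
```

On the constructed record, identity passes, database misses its RPO by ten minutes, the web portal was signed off before its database dependency came back (so that sign-off is not valid evidence), payments has no evidence at all, and the restore points are spread over 30 minutes. Each of those is the kind of gap an auditor looks for under the evidence tips below, and a plan update should follow each one.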
Audit / evidence tips
- Ask: Request the Business Impact Analysis (BIA) document.
  Good: The document clearly identifies key systems and priorities with timelines for recovery.
- Ask: Ask to see the organisational structure for ICT disruption response.
  Good: There is a clear chart or listing showing who is responsible for what during ICT disruptions.
- Ask: Request copies of the ICT continuity plans.
  Good: Plans are comprehensive, current, and have been approved by management.
- Ask: Inquire about recent ICT disruption tests or drills.
  Good: There is evidence of recent tests with feedback and updates made to the plans.
- Ask: Request evidence of plan reviews and approvals.
  Good: Documentation shows plans are reviewed regularly, with managerial sign-off recorded.
Cross-framework mappings
How Annex A 5.30 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
E8
| Control | Notes |
|---|---|
| Partially meets (1) | |
| E8-RB-ML1.4 | E8-RB-ML1.4 involves testing restoration from backups to a common point in time during disaster recovery exercises |
| Related (1) | |
| E8-RB-ML1.1 | Annex A 5.30 requires ICT readiness to be planned, implemented, maintained and tested based on business continuity objectives and ICT con... |
ASD ISM
| Control | Notes |
|---|---|
| Partially meets (4) | |
| ISM-0734 | ISM-0734 requires the CISO to assist in business continuity and disaster recovery planning to ensure business-critical services can be sus... |
| ISM-1019 | ISM-1019 requires a documented and maintained DoS response plan for video conferencing and IP telephony services |
| ISM-1438 | ISM-1438 requires organisations with a high availability requirement for website hosting to use CDNs that cache websites to improve resil... |
| ISM-1610 | ISM-1610 requires a method of emergency access to systems and resources to be documented and tested on initial implementation and after f... |
| Partially overlaps (5) | |
| ISM-1431 | Annex A 5.30 requires organisations to plan, implement, maintain and test ICT continuity capabilities to support the business during disr... |
| ISM-1511 | Annex A 5.30 requires ICT continuity requirements to be implemented based on business continuity objectives and then maintained and tested |
| ISM-1547 | Annex A 5.30 requires ICT readiness for business continuity to be planned, implemented, maintained and tested against business continuity... |
| ISM-1580 | Annex A 5.30 requires organisations to ensure ICT services can continue or be recovered to meet business continuity objectives |
| ISM-1805 | Annex A 5.30 requires planned, maintained, and tested ICT readiness to sustain or recover ICT services during disruptive events |
| Supports (7) | |
| ISM-0570 | ISM-0570 requires backup or alternative email gateways to be maintained to the same standard as the primary gateway so failover does not ... |
| ISM-1123 | ISM-1123 requires UPS power to be used for all TOP SECRET IT equipment so services remain available during loss of mains power |
| ISM-1437 | ISM-1437 requires online services to be hosted using cloud service providers to improve service continuity |
| ISM-1548 | ISM-1548 requires organisations to develop, implement and maintain data restoration processes and supporting procedures |
| ISM-1615 | ISM-1615 requires break glass accounts to be tested after their credentials are changed to confirm emergency access will still function w... |
| ISM-1633 | ISM-1633 requires defining system boundaries, criticality and security objectives based on impact if compromised |
| ISM-1732 | Annex A 5.30 requires ICT readiness to be maintained and tested so ICT can continue to support business objectives during disruptions |