
Emergency package for organizations: why every company needs a continuity plan now

Cloudflare failure
As a society, we are vulnerable. This was evident once again when a Cloudflare failure shut down apps and websites around the world, from news platforms to critical business applications. One incident, and the digital chain is strained immediately. For organizations, this is no longer a theoretical scenario but a real operational risk.
What does ISO 27001 say about continuity?
And that is exactly why ISO 27001 (and also standards such as NEN 7510) asks for explicit attention to this topic. Controls A.5.29 (information security during a disruption) and A.5.30 (ICT readiness for business continuity) are all about emergency preparedness for organizations. A continuity plan is a requirement for companies that want to keep a grip, even when the digital environment is no longer under control.
The parallels between “Think Ahead” and Business Continuity
Where citizens are asked to put together an emergency package, the same applies to companies: they need a plan that holds up when systems don't work for a while. Where individuals make an emergency plan for their families, organizations make a plan for their processes, access to data and communication.
And where people need to talk to each other and help each other, it's no different for teams. In the event of a disruption, everyone has a role. The campaign confirms what ISO 27001 has emphasized for years: resilience takes preparation. And preparation prevents chaos.
Why continuity is becoming increasingly urgent
Rising geopolitical tensions, cyber attacks and dependence on cloud providers increase the need for a good continuity plan. During an ISO 27001 implementation, you will quickly see these risks reflected in the ISO 27001 risk analysis. Under NIS2, too, attention to continuity is not an option but an obligation. Organizations that need to comply with NIS2, or are working on a NIS2 implementation, are expected to organize their resilience demonstrably. This means appropriate measures to absorb disruptions and maintain services.
What does a continuity plan include?
A good plan is concrete, tested and linked to realistic risks. Basically, you take the following things into account:
1. Define critical processes
Which activities need to be carried out to limit the damage? Think of customer communication, order processing, care, financial transactions or security services. This only works if the organization knows where the dependencies lie: applications, suppliers, data and locations. Therefore, analyze the consequences of risks for business processes and determine which processes are critical.
2. Develop scenarios
Disruption is more than just a cyber attack. It can also be a long-term power failure, a cloud supplier failure, fire, water damage or a geopolitical risk that makes suppliers unreachable. Information security advice and cybersecurity advice therefore increasingly go beyond just technology. A scenario is only complete when it covers people, process and technology.
3. Recovery and communication steps
How fast does a process have to run again? Where are the alternatives? How do you communicate with employees, customers, and partners when email or internet is down? The strength lies in simplicity. During stress, no one likes to work with complicated schedules.
4. Roles & Responsibilities
Who does what? This question must be crystal clear. Lay down in the plan who has which role during an incident. This prevents confusion when it comes down to it. This includes who is authorized to make decisions, who is responsible for implementing the continuity plan, who handles communication during a crisis situation and who tests and evaluates the plan at least annually. Prior clarity brings peace of mind when you need it most.
5. RTO and RPO
The Recovery Time Objective (RTO) is the target time within which a prioritized ICT service or system must be restored after a disruption. The Recovery Point Objective (RPO) is the maximum amount of data loss an organization can accept, expressed in time. If your RPO is 8 hours, you will lose up to 8 hours of data since the last backup in the event of an acute emergency.
So decide in advance within what time a critical ICT service or system should be back online after a disruption and how often backups must be made (see also A.8.13 within ISO 27001). That sounds simple, but it also means that you need to look closely at your suppliers. What do they guarantee in their SLA? And do they perhaps impose requirements on you that carry further down the chain? These choices are directly related to determining your RTO.
For systems that really shouldn't be down for long, it pays to think further. Redundancy (see also A.8.14 within ISO 27001) quickly becomes a necessity rather than a luxury. Think of a second data center or an additional network connection. On paper, this sometimes feels difficult, but in practice, it is a way to create calm in an environment that is less and less predictable.
6. Response and recovery procedures
Response and recovery procedures are at the heart of your continuity plan: clear, step-by-step instructions on how to manage a disruption, set priorities, restore systems, and when to scale up. Make sure that these procedures not only exist on paper, but are actually tested. By practicing at least annually — with realistic scenarios — you will discover whether the approach works, where there are gaps and whether everyone understands their role. This prevents a procedure from being “tried out” for the first time during a real disruption.
7. Test not only technology but also functions
In addition to serving as evidence for ISO 27001 and NIS2, test and evaluation reports also provide learning opportunities. Annual testing is usually neatly planned, but in practice, the main focus is on technology. Yet it is just as important to practice what happens when a critical function or key person drops out: can someone else perform, interpret and assess the test? By testing both technology and tasks, you prevent dependencies and you can be sure that your organization will also continue to run under pressure.
Prevent the mistake that many companies make
A continuity plan in a drawer disappears faster than Wi-Fi in the event of a major cyber failure. The success lies in testing and maintenance. During internal audits, a progress meeting or a rehearsal scenario, areas for improvement always come up. That's how it should be. Continuity isn't static — it's a living part of your organization. After all, your organization (internal) and your environment (external) are also constantly changing.
And one more thing about that continuity plan in a drawer. Believe it or not, these plans are still often printed and kept in a drawer today, even though they often contain critical data. Such a plan must therefore also be stored securely. 😉
In short: as an organization, be prepared too
The “Think Ahead” campaign focuses on citizens, but the underlying principle is identical for organizations: those who are prepared cope better when things go wrong. However, most people wait until it is too late. We understand that many people and organizations experience it this way, but it still remains a fallacy. Without a continuity plan, you are empty-handed in the event of a digital disruption. Without an emergency kit, it will be a lot harder to get through 72 hours without water, electricity or internet.
Resilience starts at the drawing board, but only proves itself in practice. Nowadays, one failure at one supplier can take down half the internet. Preparation has then simply become a condition for doing business.
Do you need help with this? Schedule an informal, free consultation with us. 👇






















