Chapter 5
Cyber Resilience and BCM Auditing
Intoduction
Over the past decade, cyber incidents have emerged as one of the most significant threats to organisational continuity and resilience.
Unlike traditional disruptions such as fires, floods, or power outages, cyber incidents can simultaneously affect multiple business functions, technology platforms, third-party providers, customer services, and critical infrastructure.
High-profile ransomware attacks, cloud service outages, supply chain compromises, and nation-state cyber operations have demonstrated that organisations can no longer treat cybersecurity and Business Continuity Management (BCM) as separate disciplines.
A cyber incident is no longer solely an information security problem—it is a business disruption event that requires coordinated response, recovery, crisis management, and resilience capabilities.
Consequently, auditors must evaluate not only cybersecurity controls but also the organisation's ability to withstand, respond to, recover from, and adapt to cyber-related disruptions. This concept is commonly referred to as Cyber Resilience.
This chapter provides auditors with a practical framework for assessing Cyber Resilience through the lens of BCM, Operational Resilience, and regulatory expectations.
Understanding Cyber Resilience
What is Cyber Resilience?
Cyber Resilience is the ability of an organisation to:
- Anticipate cyber threats
- Prevent cyber incidents where possible
- Detect cyber events quickly
- Respond effectively to cyber disruptions
- Recover critical services within acceptable timeframes
- Adapt and improve following incidents
Cyber Resilience extends beyond cybersecurity protection.
While cybersecurity focuses on preventing attacks, Cyber Resilience focuses on ensuring business continuity despite successful attacks.
Cybersecurity versus Cyber Resilience
|
Cybersecurity |
Cyber Resilience |
|
Protect assets |
Maintain business services |
|
Prevent attacks |
Operate during attacks |
|
Focus on controls |
Focus on outcomes |
|
Technology-centric |
Business-centric |
|
Security operations |
Service continuity |
|
Confidentiality |
Availability and continuity |
|
Vulnerability management |
Recovery capability |
Auditors must assess both perspectives.
Why Cyber Resilience Matters to BCM Auditors
Historically, BCM audits focused on:
- Natural disasters
- Facility disruptions
- Human resource disruptions
- Utility failures
Today, cyber incidents account for a significant proportion of major business disruptions.
Examples include:
Ransomware Attacks
- Systems unavailable
- Data encrypted
- Operations halted
Data Corruption
- Information integrity compromised
- Recovery delayed
Cloud Service Outages
- Multiple business services are disrupted
Third-Party Breaches
- Supply chain disruptions
- Service interruptions
Distributed Denial-of-Service (DDoS) Attacks
- Customer services unavailable
The auditor's challenge is to determine whether continuity arrangements remain effective in the event of cyber disruption.
Regulatory Expectations
Bank Negara Malaysia (BNM)
Under Risk Management in Technology (RMiT), financial institutions are expected to:
- Maintain cyber recovery capabilities
- Establish incident response procedures
- Conduct technology recovery testing
- Protect critical systems
- Assess third-party technology risks
Auditors should assess whether BCM and cybersecurity programmes operate cohesively.
ISO 22301 Requirements
Relevant clauses include:
Clause 8.2
Business Impact Analysis and Risk Assessment
Clause 8.3
Business Continuity Strategies
Clause 8.4
Business Continuity Plans
Clause 8.5
Testing and Exercising
Cyber scenarios should be integrated into these activities.
Operational Resilience Expectations
Operational Resilience frameworks increasingly require organisations to demonstrate their ability to continue delivering critical business services during cyber incidents.
This includes:
- Severe but plausible cyber scenarios
- Recovery of critical services
- Impact tolerance assessments
- Dependency mapping
Auditing Cyber Governance
Audit Objective
Determine whether governance structures support effective cyber resilience.
Audit Scope
Review:
- Cybersecurity governance framework
- BCM governance framework
- Incident management structure
- Crisis management arrangements
- Reporting mechanisms
Key Audit Questions
Governance Integration
- Is cybersecurity integrated with BCM?
- Are cyber risks included in BCM risk assessments?
- Are cyber scenarios incorporated into exercises?
Board Oversight
- Does the Board receive cyber resilience reports?
- Are major cyber risks discussed?
Accountability
- Are responsibilities clearly defined?
- Is ownership assigned for cyber recovery?
Common Audit Findings
Finding 1
Cybersecurity and BCM operate independently.
Finding 2
Cyber risks are not reflected in BCM planning.
Finding 3
Recovery responsibilities are unclear.
Auditing Cyber Risk Assessment and Business Impact Analysis
Audit Objective
Determine whether cyber threats are appropriately assessed and incorporated into continuity planning.
Audit Scope
Review:
Threat Assessment
- Ransomware
- Insider threats
- Cloud outages
- Third-party compromises
- Supply chain attacks
Business Impact Analysis
Assess whether:
- Critical business functions are identified
- Critical business services are identified
- Recovery objectives consider cyber scenarios
Key Audit Questions
- Are cyber threats included in risk assessments?
- Are cyber recovery requirements defined?
- Have dependencies been identified?
Common Audit Findings
Finding 1
Risk assessments focus primarily on physical disruptions.
Finding 2
Recovery objectives do not reflect the complexities of cyber recovery.
Finding 3
Critical technology dependencies are not identified.
Auditing Cyber Recovery Strategies
Audit Objective
Determine whether recovery strategies can support restoration following cyber incidents.
Key Strategy Areas
Backup and Recovery
Review:
- Backup frequency
- Backup protection
- Offline backup arrangements
- Recovery procedures
Audit Questions:
- Can backups be restored?
- Are backups protected from ransomware?
Alternate Processing
Review:
- Recovery environments
- Cloud failover arrangements
- Alternate infrastructure
Audit Questions:
- Can services continue if primary environments fail?
Data Integrity Validation
Review:
- Data verification processes
- Recovery validation procedures
Audit Questions:
- How is recovered data validated?
Common Audit Findings
Finding 1
Backup restoration testing is inadequate.
Finding 2
Recovery environments lack capacity.
Finding 3
Data integrity checks are insufficient.
Auditing Cyber Incident Response and Crisis Management
Audit Objective
Determine whether the organisation can effectively manage cyber crises.
Review Areas
Incident Response Plans
Assess:
- Escalation procedures
- Containment actions
- Investigation processes
Crisis Management Plans
Review:
- Executive decision-making
- Stakeholder communications
- Regulatory notifications
Communication Plans
Assess:
- Internal communications
- Customer communications
- Media responses
Key Audit Questions
- Are cyber incidents escalated appropriately?
- Are crisis teams trained?
- Have communication procedures been tested?
Common Audit Findings
Finding 1
Incident response plans are not aligned with BCM plans.
Finding 2
Communication procedures are incomplete.
Finding 3
Executives have not participated in cyber exercises.
Auditing Technology Recovery Capability
Audit Objective
Determine whether technology recovery capabilities support business recovery objectives.
Areas for Review
Disaster Recovery Plans
Assess:
- Recovery procedures
- Recovery sequencing
- Resource requirements
Recovery Objectives
Review:
- Recovery Time Objectives (RTO)
- Recovery Point Objectives (RPO)
Recovery Testing
Review:
- Recovery test results
- Restoration times
- Failure rates
Key Audit Questions
- Have recovery objectives been achieved?
- Are recovery procedures current?
- Have recovery capabilities been demonstrated?
Common Audit Findings
Finding 1
Recovery testing does not validate critical systems.
Finding 2
Recovery objectives are consistently missed.
Finding 3
Dependencies delay recovery.
Auditing Third-Party Cyber Resilience
Why Third-Party Resilience Matters
Many organisations depend on:
- Cloud providers
- Managed service providers
- Software vendors
- Telecommunications providers
A disruption affecting a supplier may disrupt multiple critical services.
Audit Scope
Review:
Vendor Due Diligence
- Cybersecurity assessments
- Resilience assessments
Contractual Requirements
- Recovery obligations
- Service levels
- Incident notification requirements
Monitoring
- Vendor performance reviews
- Audit rights
Key Audit Questions
- Have critical vendors been identified?
- Are resilience requirements contractual?
- Are concentration risks assessed?
Common Audit Findings
Finding 1
Vendor recovery capabilities are not independently verified.
Finding 2
Fourth-party risks are not understood.
Finding 3
Cloud concentration risk is unassessed.
Auditing Cyber Resilience Testing
Exercise Types
Auditors should evaluate:
Ransomware Exercises
Test:
- Detection
- Escalation
- Recovery
Technology Recovery Tests
Validate:
- Restoration capability
- Recovery objectives
Crisis Management Exercises
Assess:
- Leadership effectiveness
- Communications
Operational Resilience Scenarios
Evaluate:
- Service continuity
- Impact tolerance
Key Audit Questions
- Are cyber scenarios included in exercises?
- Are severe but plausible scenarios tested?
- Are lessons learned implemented?
Common Audit Findings
Finding 1
Cyber exercises focus only on technical teams.
Finding 2
Business units are excluded.
Finding 3
Recovery capabilities are assumed rather than demonstrated.
Case Study: Ransomware Attack on a Financial Institution
Scenario
A financial institution experiences a ransomware attack that encrypts:
- Customer databases
- Payment systems
- Online banking services
Multiple critical business services become unavailable.
Auditor Assessment Areas
Governance
- Was escalation timely?
- Was leadership involved?
Business Continuity
- Were plans activated?
- Were recovery teams mobilised?
Technology Recovery
- Were backups recoverable?
- Were recovery objectives achieved?
Customer Impact
- How long were services unavailable?
- Were impact tolerances exceeded?
Communication
- Were customers informed?
- Were regulators notified?
Typical Findings
Strengths
- Effective crisis management
- Strong executive involvement
Weaknesses
- Incomplete recovery testing
- Dependency on a single recovery environment
- Delayed restoration of critical services
Future Cyber Resilience Audit Considerations
Emerging areas include:
Artificial Intelligence
- AI service disruptions
- Model failures
- Data poisoning attacks
Cloud Resilience
- Multi-cloud strategies
- Cloud provider concentration risk
Digital Ecosystems
- API failures
- Fintech dependencies
Quantum Computing Risks
- Cryptographic vulnerabilities
- Long-term data protection
Auditors must continually update their approaches to address these evolving risks.
Cyber incidents have become one of the most significant threats to organisational resilience. As a result, BCM audits must evolve beyond traditional continuity planning and incorporate Cyber Resilience assurance.
Effective cyber resilience audits evaluate governance, risk assessments, recovery strategies, technology recovery capabilities, incident response, crisis management, third-party dependencies, and testing programmes.
The objective is to determine whether the organisation can continue delivering critical business services during cyber disruptions and recover within acceptable timeframes.
Ultimately, auditors should provide assurance not only that cyber controls exist but that the organisation can withstand and recover from cyber incidents while protecting customers, stakeholders, and critical business services.
The defining audit question is:
"If a major cyberattack occurs tomorrow, can the organisation continue operating its critical business services and recover within its approved resilience objectives?"
More Information About Auditing BCMS Courses
BCM Institute offers two levels of BCM auditing courses: A-3 BCM-8030 ISO22301 BCMS Auditor [A-3] and the ISO22301 BCMS Lead Auditor [A-5].
![]() |
![]() |
![]() |
![]() |
![]() |
![]() |
![]() |
Click to View 5000-Level or 300-Level Catalogue. What Expert- and Intermediate-level Learning Courses are Available? | ![]() |





![[ISACA] [BCM] [A] [C0] Auditing Business Continuity Management in the Digital Resilience Era: From Compliance Verification to Resilience Assurance](https://no-cache.hubspot.com/cta/default/3893111/979a36e3-30ae-4b10-881d-b1d0898c22d9.png)
![[ISACA] [BCM] [A] [C1] The Changing Role of Business Continuity Management Audits](https://no-cache.hubspot.com/cta/default/3893111/97be4863-e3dc-497d-b3f8-dfe8037feee3.png)
![[ISACA] [BCM] [A] [C2] Auditing the Business Continuity Management Lifecycle](https://no-cache.hubspot.com/cta/default/3893111/777ba2bc-42b8-42e1-8bb9-131f87090e44.png)
![[ISACA] [BCM] [A] [C3] Auditing Testing and Exercising Programmes](https://no-cache.hubspot.com/cta/default/3893111/74c1d537-f600-40e8-a55b-b2cac285b3fe.png)

![[ISACA] [BCM] [A] [C4] Auditing BCM in the Era of Operational Resilience](https://no-cache.hubspot.com/cta/default/3893111/46eddab1-feab-4157-8ea1-5bafff066470.png)
![[ISACA] [BCM] [A] [C5] Cyber Resilience and BCM Auditing](https://no-cache.hubspot.com/cta/default/3893111/fbeeeecb-d028-4231-bcfb-b1abefa991c8.png)
![x [ISACA] [BCM] [A] [C6] The Future of BCM Auditing](https://no-cache.hubspot.com/cta/default/3893111/86101242-1ae6-46c8-b6c0-054d3866803e.png)

![TMM [BL-A-5]](https://no-cache.hubspot.com/cta/default/3893111/e7af9322-15cb-412d-91b6-59cd388ee6e9.png)
![Register [BL-A-5]](https://no-cache.hubspot.com/cta/default/3893111/bb38417e-6241-4057-b90c-f319f31a494e.png)





![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)


![Banner [BL-5-Catalog] What Expert Level Blended Learning Courses that are Available?](https://no-cache.hubspot.com/cta/default/3893111/0af5fc88-8985-4a94-a49f-de0becdde9e5.png)
![[BL-3-Catalog] What Specialist Level Blended Learning Courses that are Available?](https://no-cache.hubspot.com/cta/default/3893111/2c380bfc-13aa-46a5-adcc-4ced87465acd.png)

