Over the past decade, cyber incidents have emerged as one of the most significant threats to organisational continuity and resilience.
Unlike traditional disruptions such as fires, floods, or power outages, cyber incidents can simultaneously affect multiple business functions, technology platforms, third-party providers, customer services, and critical infrastructure.
High-profile ransomware attacks, cloud service outages, supply chain compromises, and nation-state cyber operations have demonstrated that organisations can no longer treat cybersecurity and Business Continuity Management (BCM) as separate disciplines.
A cyber incident is no longer solely an information security problem—it is a business disruption event that requires coordinated response, recovery, crisis management, and resilience capabilities.
Consequently, auditors must evaluate not only cybersecurity controls but also the organisation's ability to withstand, respond to, recover from, and adapt to cyber-related disruptions. This concept is commonly referred to as Cyber Resilience.
This chapter provides auditors with a practical framework for assessing Cyber Resilience through the lens of BCM, Operational Resilience, and regulatory expectations.
Cyber Resilience is the ability of an organisation to:
Cyber Resilience extends beyond cybersecurity protection.
While cybersecurity focuses on preventing attacks, Cyber Resilience focuses on ensuring business continuity despite successful attacks.
|
Cybersecurity |
Cyber Resilience |
|
Protect assets |
Maintain business services |
|
Prevent attacks |
Operate during attacks |
|
Focus on controls |
Focus on outcomes |
|
Technology-centric |
Business-centric |
|
Security operations |
Service continuity |
|
Confidentiality |
Availability and continuity |
|
Vulnerability management |
Recovery capability |
Auditors must assess both perspectives.
Historically, BCM audits focused on:
Today, cyber incidents account for a significant proportion of major business disruptions.
Examples include:
The auditor's challenge is to determine whether continuity arrangements remain effective in the event of cyber disruption.
Under Risk Management in Technology (RMiT), financial institutions are expected to:
Auditors should assess whether BCM and cybersecurity programmes operate cohesively.
Relevant clauses include:
Clause 8.2
Business Impact Analysis and Risk Assessment
Clause 8.3
Business Continuity Strategies
Clause 8.4
Business Continuity Plans
Clause 8.5
Testing and Exercising
Cyber scenarios should be integrated into these activities.
Operational Resilience frameworks increasingly require organisations to demonstrate their ability to continue delivering critical business services during cyber incidents.
This includes:
Determine whether governance structures support effective cyber resilience.
Review:
Governance Integration
Board Oversight
Accountability
Finding 1
Cybersecurity and BCM operate independently.
Finding 2
Cyber risks are not reflected in BCM planning.
Finding 3
Recovery responsibilities are unclear.
Determine whether cyber threats are appropriately assessed and incorporated into continuity planning.
Review:
Threat Assessment
Business Impact Analysis
Assess whether:
Finding 1
Risk assessments focus primarily on physical disruptions.
Finding 2
Recovery objectives do not reflect the complexities of cyber recovery.
Finding 3
Critical technology dependencies are not identified.
Determine whether recovery strategies can support restoration following cyber incidents.
Backup and Recovery
Review:
Audit Questions:
Alternate Processing
Review:
Audit Questions:
Data Integrity Validation
Review:
Audit Questions:
Finding 1
Backup restoration testing is inadequate.
Finding 2
Recovery environments lack capacity.
Finding 3
Data integrity checks are insufficient.
Determine whether the organisation can effectively manage cyber crises.
Incident Response Plans
Assess:
Crisis Management Plans
Review:
Communication Plans
Assess:
Finding 1
Incident response plans are not aligned with BCM plans.
Finding 2
Communication procedures are incomplete.
Finding 3
Executives have not participated in cyber exercises.
Determine whether technology recovery capabilities support business recovery objectives.
Disaster Recovery Plans
Assess:
Recovery Objectives
Review:
Recovery Testing
Review:
Finding 1
Recovery testing does not validate critical systems.
Finding 2
Recovery objectives are consistently missed.
Finding 3
Dependencies delay recovery.
Many organisations depend on:
A disruption affecting a supplier may disrupt multiple critical services.
Review:
Vendor Due Diligence
Contractual Requirements
Monitoring
Finding 1
Vendor recovery capabilities are not independently verified.
Finding 2
Fourth-party risks are not understood.
Finding 3
Cloud concentration risk is unassessed.
Auditors should evaluate:
Ransomware Exercises
Test:
Technology Recovery Tests
Validate:
Crisis Management Exercises
Assess:
Operational Resilience Scenarios
Evaluate:
Finding 1
Cyber exercises focus only on technical teams.
Finding 2
Business units are excluded.
Finding 3
Recovery capabilities are assumed rather than demonstrated.
A financial institution experiences a ransomware attack that encrypts:
Multiple critical business services become unavailable.
Governance
Business Continuity
Technology Recovery
Customer Impact
Communication
Strengths
Weaknesses
Emerging areas include:
Auditors must continually update their approaches to address these evolving risks.
Cyber incidents have become one of the most significant threats to organisational resilience. As a result, BCM audits must evolve beyond traditional continuity planning and incorporate Cyber Resilience assurance.
Effective cyber resilience audits evaluate governance, risk assessments, recovery strategies, technology recovery capabilities, incident response, crisis management, third-party dependencies, and testing programmes.
The objective is to determine whether the organisation can continue delivering critical business services during cyber disruptions and recover within acceptable timeframes.
Ultimately, auditors should provide assurance not only that cyber controls exist but that the organisation can withstand and recover from cyber incidents while protecting customers, stakeholders, and critical business services.
The defining audit question is:
"If a major cyberattack occurs tomorrow, can the organisation continue operating its critical business services and recover within its approved resilience objectives?"
| Introductory | C1 | C2 | C3 |
| eBook Cover | C4 | C5 | C6 |
BCM Institute offers two levels of BCM auditing courses: A-3 BCM-8030 ISO22301 BCMS Auditor [A-3] and the ISO22301 BCMS Lead Auditor [A-5].
| Please feel free to send us a note if you have any questions. |
| Click to View 5000-Level or 300-Level Catalogue. What Expert- and Intermediate-level Learning Courses are Available? |