eBook Audit

[ISACA] [BCM] [A] [C5] Cyber Resilience and BCM Auditing

Written by Moh Heng Goh | Jun 21, 2026 5:55:00 AM

Chapter 5

Cyber Resilience and BCM Auditing

 

Intoduction

Over the past decade, cyber incidents have emerged as one of the most significant threats to organisational continuity and resilience.

Unlike traditional disruptions such as fires, floods, or power outages, cyber incidents can simultaneously affect multiple business functions, technology platforms, third-party providers, customer services, and critical infrastructure.

High-profile ransomware attacks, cloud service outages, supply chain compromises, and nation-state cyber operations have demonstrated that organisations can no longer treat cybersecurity and Business Continuity Management (BCM) as separate disciplines.

A cyber incident is no longer solely an information security problem—it is a business disruption event that requires coordinated response, recovery, crisis management, and resilience capabilities.

Consequently, auditors must evaluate not only cybersecurity controls but also the organisation's ability to withstand, respond to, recover from, and adapt to cyber-related disruptions. This concept is commonly referred to as Cyber Resilience.

This chapter provides auditors with a practical framework for assessing Cyber Resilience through the lens of BCM, Operational Resilience, and regulatory expectations.

 

Understanding Cyber Resilience

What is Cyber Resilience?

Cyber Resilience is the ability of an organisation to:

  • Anticipate cyber threats
  • Prevent cyber incidents where possible
  • Detect cyber events quickly
  • Respond effectively to cyber disruptions
  • Recover critical services within acceptable timeframes
  • Adapt and improve following incidents

Cyber Resilience extends beyond cybersecurity protection.

While cybersecurity focuses on preventing attacks, Cyber Resilience focuses on ensuring business continuity despite successful attacks.

 

Cybersecurity versus Cyber Resilience

 

Cybersecurity

Cyber Resilience

Protect assets

Maintain business services

Prevent attacks

Operate during attacks

Focus on controls

Focus on outcomes

Technology-centric

Business-centric

Security operations

Service continuity

Confidentiality

Availability and continuity

Vulnerability management

Recovery capability

Auditors must assess both perspectives.

 

Why Cyber Resilience Matters to BCM Auditors

Historically, BCM audits focused on:

  • Natural disasters
  • Facility disruptions
  • Human resource disruptions
  • Utility failures

Today, cyber incidents account for a significant proportion of major business disruptions.

Examples include:

Ransomware Attacks
  • Systems unavailable
  • Data encrypted
  • Operations halted
Data Corruption
  • Information integrity compromised
  • Recovery delayed
Cloud Service Outages
  • Multiple business services are disrupted
Third-Party Breaches
  • Supply chain disruptions
  • Service interruptions
Distributed Denial-of-Service (DDoS) Attacks
  • Customer services unavailable

The auditor's challenge is to determine whether continuity arrangements remain effective in the event of cyber disruption.

 

Regulatory Expectations

Bank Negara Malaysia (BNM)

Under Risk Management in Technology (RMiT), financial institutions are expected to:

  • Maintain cyber recovery capabilities
  • Establish incident response procedures
  • Conduct technology recovery testing
  • Protect critical systems
  • Assess third-party technology risks

Auditors should assess whether BCM and cybersecurity programmes operate cohesively.

ISO 22301 Requirements

Relevant clauses include:

Clause 8.2

Business Impact Analysis and Risk Assessment

Clause 8.3

Business Continuity Strategies

Clause 8.4

Business Continuity Plans

Clause 8.5

Testing and Exercising

Cyber scenarios should be integrated into these activities.

Operational Resilience Expectations

Operational Resilience frameworks increasingly require organisations to demonstrate their ability to continue delivering critical business services during cyber incidents.

This includes:

  • Severe but plausible cyber scenarios
  • Recovery of critical services
  • Impact tolerance assessments
  • Dependency mapping

 

Auditing Cyber Governance

Audit Objective

Determine whether governance structures support effective cyber resilience.

Audit Scope

Review:

  • Cybersecurity governance framework
  • BCM governance framework
  • Incident management structure
  • Crisis management arrangements
  • Reporting mechanisms
Key Audit Questions

Governance Integration

  • Is cybersecurity integrated with BCM?
  • Are cyber risks included in BCM risk assessments?
  • Are cyber scenarios incorporated into exercises?

Board Oversight

  • Does the Board receive cyber resilience reports?
  • Are major cyber risks discussed?

Accountability

  • Are responsibilities clearly defined?
  • Is ownership assigned for cyber recovery?
Common Audit Findings

Finding 1

Cybersecurity and BCM operate independently.

Finding 2

Cyber risks are not reflected in BCM planning.

Finding 3

Recovery responsibilities are unclear.

 

Auditing Cyber Risk Assessment and Business Impact Analysis

Audit Objective

Determine whether cyber threats are appropriately assessed and incorporated into continuity planning.

Audit Scope

Review:

Threat Assessment

  • Ransomware
  • Insider threats
  • Cloud outages
  • Third-party compromises
  • Supply chain attacks

Business Impact Analysis

Assess whether:

  • Critical business functions are identified
  • Critical business services are identified
  • Recovery objectives consider cyber scenarios
Key Audit Questions
  • Are cyber threats included in risk assessments?
  • Are cyber recovery requirements defined?
  • Have dependencies been identified?
Common Audit Findings

Finding 1

Risk assessments focus primarily on physical disruptions.

Finding 2

Recovery objectives do not reflect the complexities of cyber recovery.

Finding 3

Critical technology dependencies are not identified.

 

Auditing Cyber Recovery Strategies

Audit Objective

Determine whether recovery strategies can support restoration following cyber incidents.

Key Strategy Areas

Backup and Recovery

Review:

  • Backup frequency
  • Backup protection
  • Offline backup arrangements
  • Recovery procedures

Audit Questions:

  • Can backups be restored?
  • Are backups protected from ransomware?

 

Alternate Processing

Review:

  • Recovery environments
  • Cloud failover arrangements
  • Alternate infrastructure

Audit Questions:

  • Can services continue if primary environments fail?

 

Data Integrity Validation

Review:

  • Data verification processes
  • Recovery validation procedures

Audit Questions:

  • How is recovered data validated?

 

Common Audit Findings

Finding 1

Backup restoration testing is inadequate.

Finding 2

Recovery environments lack capacity.

Finding 3

Data integrity checks are insufficient.

 

Auditing Cyber Incident Response and Crisis Management

Audit Objective

Determine whether the organisation can effectively manage cyber crises.

Review Areas

Incident Response Plans

Assess:

  • Escalation procedures
  • Containment actions
  • Investigation processes

Crisis Management Plans

Review:

  • Executive decision-making
  • Stakeholder communications
  • Regulatory notifications

Communication Plans

Assess:

  • Internal communications
  • Customer communications
  • Media responses
Key Audit Questions
  • Are cyber incidents escalated appropriately?
  • Are crisis teams trained?
  • Have communication procedures been tested?
Common Audit Findings

Finding 1

Incident response plans are not aligned with BCM plans.

Finding 2

Communication procedures are incomplete.

Finding 3

Executives have not participated in cyber exercises.

 

Auditing Technology Recovery Capability

Audit Objective

Determine whether technology recovery capabilities support business recovery objectives.

Areas for Review

Disaster Recovery Plans

Assess:

  • Recovery procedures
  • Recovery sequencing
  • Resource requirements

Recovery Objectives

Review:

  • Recovery Time Objectives (RTO)
  • Recovery Point Objectives (RPO)

Recovery Testing

Review:

  • Recovery test results
  • Restoration times
  • Failure rates
Key Audit Questions
  • Have recovery objectives been achieved?
  • Are recovery procedures current?
  • Have recovery capabilities been demonstrated?
Common Audit Findings

Finding 1

Recovery testing does not validate critical systems.

Finding 2

Recovery objectives are consistently missed.

Finding 3

Dependencies delay recovery.

 

Auditing Third-Party Cyber Resilience

Why Third-Party Resilience Matters

Many organisations depend on:

  • Cloud providers
  • Managed service providers
  • Software vendors
  • Telecommunications providers

A disruption affecting a supplier may disrupt multiple critical services.

Audit Scope

Review:

Vendor Due Diligence

  • Cybersecurity assessments
  • Resilience assessments

Contractual Requirements

  • Recovery obligations
  • Service levels
  • Incident notification requirements

Monitoring

  • Vendor performance reviews
  • Audit rights
Key Audit Questions
  • Have critical vendors been identified?
  • Are resilience requirements contractual?
  • Are concentration risks assessed?
Common Audit Findings

Finding 1

Vendor recovery capabilities are not independently verified.

Finding 2

Fourth-party risks are not understood.

Finding 3

Cloud concentration risk is unassessed.

 

Auditing Cyber Resilience Testing

Exercise Types

Auditors should evaluate:

Ransomware Exercises

Test:

  • Detection
  • Escalation
  • Recovery

Technology Recovery Tests

Validate:

  • Restoration capability
  • Recovery objectives

Crisis Management Exercises

Assess:

  • Leadership effectiveness
  • Communications

Operational Resilience Scenarios

Evaluate:

  • Service continuity
  • Impact tolerance
Key Audit Questions
  • Are cyber scenarios included in exercises?
  • Are severe but plausible scenarios tested?
  • Are lessons learned implemented?
Common Audit Findings

Finding 1

Cyber exercises focus only on technical teams.

Finding 2

Business units are excluded.

Finding 3

Recovery capabilities are assumed rather than demonstrated.

 

Case Study: Ransomware Attack on a Financial Institution

Scenario

A financial institution experiences a ransomware attack that encrypts:

  • Customer databases
  • Payment systems
  • Online banking services

Multiple critical business services become unavailable.

Auditor Assessment Areas

Governance

  • Was escalation timely?
  • Was leadership involved?

Business Continuity

  • Were plans activated?
  • Were recovery teams mobilised?

Technology Recovery

  • Were backups recoverable?
  • Were recovery objectives achieved?

Customer Impact

  • How long were services unavailable?
  • Were impact tolerances exceeded?

Communication

  • Were customers informed?
  • Were regulators notified?

 

Typical Findings

Strengths

  • Effective crisis management
  • Strong executive involvement

Weaknesses

  • Incomplete recovery testing
  • Dependency on a single recovery environment
  • Delayed restoration of critical services

 

Future Cyber Resilience Audit Considerations

Emerging areas include:

Artificial Intelligence
  • AI service disruptions
  • Model failures
  • Data poisoning attacks
Cloud Resilience
  • Multi-cloud strategies
  • Cloud provider concentration risk
Digital Ecosystems
  • API failures
  • Fintech dependencies
Quantum Computing Risks
  • Cryptographic vulnerabilities
  • Long-term data protection

Auditors must continually update their approaches to address these evolving risks.

 

 

Cyber incidents have become one of the most significant threats to organisational resilience. As a result, BCM audits must evolve beyond traditional continuity planning and incorporate Cyber Resilience assurance.

Effective cyber resilience audits evaluate governance, risk assessments, recovery strategies, technology recovery capabilities, incident response, crisis management, third-party dependencies, and testing programmes.

The objective is to determine whether the organisation can continue delivering critical business services during cyber disruptions and recover within acceptable timeframes.

Ultimately, auditors should provide assurance not only that cyber controls exist but that the organisation can withstand and recover from cyber incidents while protecting customers, stakeholders, and critical business services.

The defining audit question is:

"If a major cyberattack occurs tomorrow, can the organisation continue operating its critical business services and recover within its approved resilience objectives?"

 

Introductory C1 C2 C3
eBook Cover C4 C5 C6

More Information About Auditing BCMS Courses

BCM Institute offers two levels of BCM auditing courses: A-3 BCM-8030 ISO22301 BCMS Auditor [A-3] and the ISO22301 BCMS Lead Auditor [A-5].

     
Please feel free to send us a note if you have any questions.
Click to View 5000-Level or 300-Level Catalogue.  What Expert- and Intermediate-level Learning Courses are Available?