
[BCM] [BIA] [ISO22301] [P4] Supporting IT Systems and Applications

Written by Dr Goh Moh Heng | Jan 18, 2026 1:53:05 PM

Supporting IT Systems and Applications (Aligned with ISO 22301 BCMS)

Modern organisations rely heavily on information and communication technology (ICT) to deliver products and services.

Under ISO 22301:2019, organisations are required to identify and assess resources that support prioritised activities, including information, communication systems, applications, and infrastructure (Clause 8.2.2 – Business Impact Analysis).

Part 4: Supporting IT Systems and Applications is a critical component of the Business Impact Analysis (BIA) that documents the technology dependencies required for each business function.

This chapter ensures that IT recovery requirements are directly aligned with business recovery priorities, enabling effective planning for disaster recovery, technology resilience, and operational continuity.

By completing Part 4, organisations establish a structured link between business function recovery objectives and ICT recovery capabilities, as required by ISO 22301, and provide essential inputs for IT disaster recovery planning, third-party management, and resilience testing.

Objectives of Part 4 (Aligned with ISO 22301)

The objectives of Part 4: Supporting IT Systems and Applications are to:

  1. Identify and document ICT resources supporting each business function
    In accordance with ISO 22301 Clause 8.2.2, this includes applications, systems, data repositories, and enabling technologies required to perform prioritised activities.

  2. Determine ICT recovery requirements aligned with business needs
    This section captures Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for systems, ensuring alignment with the supporting business function's maximum tolerable disruption (MTD).

  3. Support continuity and disaster recovery strategy development
    The information collected provides essential input for Clause 8.3 – Business Continuity Strategies and Solutions, enabling informed decisions on backup solutions, redundancy, system replication, and recovery architecture.

  4. Highlight critical technology dependencies and constraints
    This includes shared systems, specialised equipment, third-party platforms, and cloud or outsourced services that may affect recovery capability and response coordination.

  5. Facilitate assurance, testing, and continual improvement
    Accurate system dependency data supports ICT recovery testing, exercises, and post-incident reviews required under Clauses 8.5 and 10 of ISO 22301.

Content Description (ISO 22301–Enhanced)

When completing Part 4: Supporting IT Systems and Applications, the business function owner, in collaboration with IT and continuity stakeholders, should capture the following information:

1. Business Function and Function Code

Each entry must reference a business function previously identified and prioritised in Part 1 of the BIA, ensuring traceability between business activities and their supporting ICT resources, as required by ISO 22301 Clause 8.2.2.

2. Supporting IT Systems and Applications

List all applications, systems, platforms, or shared services required for the business function to operate, including:

  • Core business applications (e.g. ERP, CRM, core banking systems)

  • Collaboration and communication systems

  • Databases and document management systems

  • Cloud-based or outsourced platforms

Where applicable, indicate:

  • Whether the system is internal or externally hosted

  • Approximate number of users required during recovery

  • Any system criticality or prioritisation notes

This ensures a complete understanding of ICT dependencies supporting prioritised activities.

3. Recovery Point Objective (RPO)

The RPO defines the maximum acceptable data loss, measured in time.
In line with ISO 22301, the RPO must:

  • Reflect business tolerance for data loss

  • Be consistent with backup frequency and data protection controls

  • Support regulatory, contractual, and operational requirements

4. System Recovery Time Objective (System RTO)

The system RTO specifies the maximum time allowed to restore the system to an operational state following disruption.

The stated RTO must:

  • Support the RTO of the associated business function

  • Be realistic based on current ICT capabilities

  • Inform disaster recovery prioritisation and recovery sequencing
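The RPO and system RTO conditions in sections 3 and 4 can be checked mechanically once Part 4 is held as structured data. The following is an added example, not part of the original article or of any ISO 22301 template: the field names, the `backup_interval_h` column, the shared-system consistency rule and the sample register are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class SystemEntry:
    function_code: str        # business function code from Part 1 of the BIA
    system: str               # supporting IT system or application
    function_rto_h: float     # RTO of the business function, in hours
    system_rto_h: float       # system RTO recorded in Part 4, in hours
    rpo_h: float              # RPO recorded in Part 4, in hours
    backup_interval_h: float  # assumed extra column: time between backups

def check_register(entries):
    """Return {(function_code or 'shared', system): [findings]} for a Part 4 register."""
    findings = defaultdict(list)
    stated = defaultdict(set)
    for e in entries:
        key = (e.function_code, e.system)
        # Section 4: the system RTO must support the business function's RTO.
        if e.system_rto_h > e.function_rto_h:
            findings[key].append("system RTO exceeds function RTO")
        # Section 3: the RPO must be consistent with backup frequency.
        if e.backup_interval_h > e.rpo_h:
            findings[key].append("backup interval exceeds RPO")
        stated[e.system].add((e.system_rto_h, e.rpo_h))
    # A shared system recorded with different targets by different functions
    # needs reconciling before recovery sequencing can be planned.
    for system, values in stated.items():
        if len(values) > 1:
            findings[("shared", system)].append("inconsistent RTO/RPO across functions")
    return dict(findings)

# Constructed sample register (not real data).
REGISTER = [
    SystemEntry("F01", "Core banking", 4, 2, 1, 0.25),
    SystemEntry("F02", "CRM", 8, 12, 4, 24),
    SystemEntry("F03", "Core banking", 24, 8, 1, 0.25),
]

if __name__ == "__main__":
    for key, issues in check_register(REGISTER).items():
        print(key, "; ".join(issues))
```
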

5. Supporting Special Equipment or ICT Resources

Identify any specialised equipment or technology resources required to operate or access the system, such as:

  • Secure workstations or terminals

  • Printers, scanners, or network devices

  • Authentication tools or encryption devices

This supports ISO 22301 requirements for identifying resource dependencies and constraints.

6. Remarks and Assumptions

Use this section to capture:

  • Dependencies on third-party service providers

  • Known recovery limitations or manual workarounds

  • Licensing, access, or security constraints

  • Any assumptions made during the assessment

Clear documentation of assumptions supports auditability and continual improvement under ISO 22301 Clause 10.

Part 4: Supporting IT Systems and Applications ensures that technology recovery requirements are firmly anchored to business priorities, fulfilling a core expectation of ISO 22301’s Business Impact Analysis process.

By systematically identifying ICT dependencies, defining RPOs and RTOs, and documenting recovery constraints, organisations gain the clarity needed to:
  • Design effective IT disaster recovery and resilience strategies
  • Align ICT recovery objectives with business continuity objectives
  • Strengthen coordination between business, IT, and third-party providers
  • Demonstrate compliance with ISO 22301 during audits and reviews

When combined with the other BIA components, this section enables organisations to build credible, measurable, and actionable continuity solutions, ensuring that critical business functions can be restored within acceptable timeframes following disruptive incidents.

 

 

 
