ISO/IEC 27031
ISO/IEC 27031:2025 — Cybersecurity — Information and communication technology readiness for business continuity
(second edition)
Abstract
“ISO/IEC 27031 provides guidance on ensuring that information and communication technology (ICT) is prepared to support business continuity. It outlines a framework for ICT readiness that aligns with broader business continuity objectives, helping organizations to prevent, respond to and recover from ICT-related disruptions that could impact critical operations.
In today’s digital world, organizations rely heavily on ICT systems to operate, deliver services and maintain trust with stakeholders. Disruptions to these systems — from cyberattacks to system failures — can have severe consequences. ISO/IEC 27031 helps organizations build ICT resilience by integrating readiness planning into business continuity and information security practices. It ensures that ICT services can be restored within agreed timeframes, protecting operations, reputation and customer trust. This readiness is not only about internal systems but also extends to dependencies on third-party services such as cloud providers.
Benefits:
Supports uninterrupted business operations during ICT disruptions
Strengthens alignment between ICT, security and continuity strategies
Reduces recovery time and data loss after incidents
Enhances organisational resilience and stakeholder confidence
Integrates smoothly with ISO/IEC 27001 and ISO 22301 practices”
[Source: ISO.org summary page]
Introduction
ISO/IEC 27031 provides guidance on the concepts and principles behind the role of Information and Communication Technology in ensuring business continuity.
The standard:
Suggests a structure or framework (a coherent set or suite of methods and processes) for any organisation – private, governmental, and non-governmental;
Identifies and specifies all relevant aspects including performance criteria, design, and implementation details, for improving ICT readiness as part of the organisation’s ISMS, helping to ensure business continuity;
Enables an organisation to measure its ICT continuity, security and hence readiness to survive a disaster in a consistent and recognized manner.
Scope
The standard encompasses all events and incidents (not just information security related) that could have an impact on ICT infrastructure and systems. It therefore extends the practices of information security incident handling and management, ICT readiness planning and services.
ICT Readiness for Business Continuity [a general term for the processes described in the standard] supports Business Continuity Management “by ensuring that the ICT services are as resilient as appropriate and can be recovered to pre-determined levels within timescales required and agreed by the organisation.”
ICT readiness is important for business continuity because ICT is prevalent and vital: many organisations’ critical business processes (including those involved in managing incidents plus the related business continuity, disaster and emergency responses) are highly dependent on ICT. Therefore, BCM would be incomplete without adequately considering the need to protect availability and continuity of the ICT.
ICT readiness encompasses:
Preparing the organisation’s ICT (i.e. the IT infrastructure, operations and applications), plus the associated processes and people, against unforeseeable events that could change the risk environment and impact ICT and business continuity;
Leveraging and streamlining resources among business continuity, disaster recovery, emergency response and ICT security incident response and management activities.
ICT readiness should of course reduce the impact (meaning the extent, duration and/or consequences) of information security incidents on the organisation.
The standard incorporates the cyclical Plan-Do-Check-Act Deming-style approach, extending the conventional business continuity planning process to take greater account of ICT. It incorporates ‘failure scenario assessment methods’ such as Failure Modes and Effects Analysis, with a focus on identifying ‘triggering events’ that could precipitate more or less serious incidents.
The SC 27 team responsible for ISO/IEC 27031 liaised with ISO Technical Committee 233 on business continuity, to ensure alignment and avoid overlap or conflict.
Structure
Main sections:
6: Integration of IRBC into BCM
7: Business expectations for IRBC
8: Defining prerequisites for IRBC
9: Determining IRBC strategies
10: Determining the ICT continuity plan
11: Testing, exercise, and auditing
12: Final MBCO
13: Top management responsibilities regarding evaluating the IRBC
Annex A: Comparing RTO and RPO to business objectives for ICT recovery
Annex B: Risk reporting for FMEA
Status
The first edition was published in 2011.
The revision project ran into trouble and was cancelled in 2020, then rebooted. The standard was revised to cover the need for ICT support for business continuity arising from both deliberate and accidental incidents.
The second edition was published in 2025.
Commentary
The value of this standard is unclear, given that ISO 22301 does such a good job in this general area while ISO/IEC 24762 covers ICT Disaster Recovery specifically.
This standard could usefully be extended beyond the ICT domain since:
The ISO27k standards concern risk and security to information, not just “ICT” (a clumsy and unnecessary amplification of good old “IT” which in common usage has included comms for, oh at least 50 years);
Operational Technology (such as Industrial Control Systems running manufacturing plant, and assorted facilities management systems providing power, cooling etc.) is not mentioned, not even once - neither included nor excluded, just completely ignored;
Information in forms or formats other than computer data can be just as important for business continuity, just as valuable and just as much at risk. For example, the loss of a critical knowledge worker, perhaps even an entire high-perfoming team of professionals, can devastate the operational capability of any department. Think September 11th, or COVID, or defection to/poaching by a competitor or startup.
However, the standard remains entirely ICT-focused, tech-centric.
Furthermore, to avoid any hint of overlap or conflict with the ISO 22300 standards, ISO/IEC 27031 does not replace a Business Continuity Management System. That said, the standard orbits around “IRBC” (ICT Readiness for Business Continuity) ... which is essentially a systematic way to manage the IT elements of business continuity, supplementing the BCMS as a whole.
Although the issued standard mentions ICT resilience to - as well as recovery from - disastrous situations, the coverage on resilience (the ability for critical processes and systems to withstand as well as recover from serious incidents) is limited.
It is similarly light on contingency. Contingency planning involves developing the organisation’s flexibility, capability, resources and dogged determination to cope with whatever situations actually eventuate, preparing for the uncertainties and challenges ahead. What will actually happen following an incident is contingent on the situation that occurs, its significance (reflecting its scale, nature, timing, implications for the business etc.) and the resources available (surviving!) at that point. The standard only refers once to ‘contingency’, as a convoluted and ineptly-phrased note to the definition of [ICT] readiness.