When it comes to business continuity in cybersecurity, most SMEs immediately think of backups or a redundant cloud server.
Yet this is only the tip of the iceberg. The ISO/IEC 27031 standard has been in existence for over 10 years, providing a framework for the continuity of information and communications technologies (ICT).
And in May 2025, this standard was completely updated.
Reminder: ISO/IEC 27031:2025 versus ISO 22301:2019
ISO/IEC 27031 is a guidance standard (not certifiable) in the 27000 series, which explains how to build a concrete technology continuity plan.
ISO 22301 is a certification standard for global business continuity, including human, logistical and operational aspects.
ISO/IEC 27031 adds technical detail to both of these standards:
- It complements ISO/IEC 27001, supporting controls A.5.29 and A.5.30 with practical methods.
- It details the IT component of ISO 22301, providing the means to meet RTO/RPO, organize IT recovery and keep critical assets operational.
What’s new in the 2025 version?
The 2025 version officially replaces the 2011 version with some major changes:
Integration into ISO/IEC 27000:2022 vocabulary
The standard has been rewritten to align it more closely with the other standards in the 27000 series. It uses the same definitions to avoid confusion.
Alignment with ISO/IEC 27001:2022 and ISO 22301:2019
The old version was difficult to integrate into an ISO 27001 ISMS. The new version facilitates direct integration into clause 6.1 (risk assessment) and 8.2 (risk treatment planning).
ICT Continuity Capabilities approach
The central concept is now that of ICT continuity capability (ICTCC). This refers to all the technological, human and organizational resources put in place to ensure that a company’s critical information systems can continue to function – or be rapidly restored – in the event of a major incident.
In other words, it’s an organization’s ability to absorb an IT shock without losing key operations. The standard provides a detailed methodology for defining this capability, implementing it in practice, testing it regularly and improving it on an ongoing basis.

Greater clarity on the role of the IT continuity plan
Whereas the previous version spoke vaguely of “plans”, the 2025 version clearly defines:
- What an ICT Continuity Plan should contain
- Who has to validate it
- How to test it
New focus on security incidents
The new standard is much more sensitive to the realities of 2025: ransomware, denial-of-service attacks, dependence on SaaS providers. It also incorporates notions of cyber-resilience.
Structure of ISO/IEC 27031:2025
The standard now follows a more accessible logic; here is the table of contents (freely translated):
- Introduction and basic principles
- Organizational context
- Assessment of ICT continuity requirements
- Developing ICT continuity capabilities
- Implementation and operation
- Monitoring, testing and continuous improvement
Each section comes with explanatory annexes and example measures.
How to use ISO/IEC 27031 in an SME?
Here’s an example of a service I offer for a company in the process of implementing ISO/IEC 27001, or simply looking for an IT continuity plan.
Step 1 – Identify critical assets
What are the technological assets without which the company cannot operate for more than a few hours? (servers, ERP, customer platforms, cloud services, etc.).
→ ISO/IEC 27001 reference: clause 8.1 & A.5.9 (Asset inventory)
Step 2 – Determine the impact
What is the impact if these assets fail? This analysis is similar to the BIA (Business Impact Analysis) approach of ISO 22301, but at the IT level.
→ ISO 22301 reference: clause 8.2
Step 3 – Define continuity requirements (RTO/RPO)
- RTO (Recovery Time Objective): Maximum acceptable downtime
- RPO (Recovery Point Objective): Maximum acceptable data loss
→ Reference ISO/IEC 27031:2025 – sections 3 and 4
Step 4 – Building the ICT Continuity Plan
We create an ICT Continuity Plan, which describes:
- Restoration procedures
- Responsibilities (with substitutes)
- Incident communications
- Support tools (backups, redundancy, scripts, etc.)
→ Reference ISO/IEC 27031:2025 – section 5
Step 5 – Test, adjust, train
An untested plan is a false sense of security. We run simulations, document deviations and make adjustments.
→ ISO/IEC 27001 reference: clause 8.4 & A.5.30 (testing and review of continuity controls)
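To make Steps 3 and 5 concrete, here is a small added example (my own illustration, not text or tooling from the standard) that records the RTO/RPO targets of Step 3 for a constructed SME inventory and evaluates a restoration drill against them. It takes into account that an asset such as an ERP cannot come back before the database and hypervisor it depends on, so the achievable RTO is the longest restoration chain; every asset name, duration and timestamp below is made up.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Asset:
    name: str
    rto: timedelta            # maximum acceptable downtime (Step 3)
    rpo: timedelta            # maximum acceptable data loss (Step 3)
    restore_time: timedelta   # time measured during the restoration drill (Step 5)
    last_backup: datetime     # most recent backup proven restorable
    depends_on: list = field(default_factory=list)

def effective_rto(assets, name, _stack=()):
    """Restoration of an asset only completes once the assets it depends on
    are back, so the achievable RTO is the longest restoration chain."""
    if name in _stack:
        raise ValueError(f"dependency cycle at {name}")
    a = assets[name]
    upstream = max((effective_rto(assets, d, _stack + (name,)) for d in a.depends_on),
                   default=timedelta(0))
    return upstream + a.restore_time

def evaluate_drill(assets, incident_time):
    """Return (asset, objective, measured, target) for every breached objective;
    these are the deviations that Step 5 says must be documented and fixed."""
    findings = []
    for name, a in assets.items():
        achieved = effective_rto(assets, name)
        if achieved > a.rto:
            findings.append((name, "RTO", achieved, a.rto))
        data_loss = incident_time - a.last_backup   # data written since the last good backup
        if data_loss > a.rpo:
            findings.append((name, "RPO", data_loss, a.rpo))
    return findings

# Constructed sample inventory for a fictional SME; all values are made up.
H = timedelta(hours=1)
INCIDENT = datetime(2025, 6, 1, 9, 0)
DRILL = {
    "hypervisor": Asset("hypervisor", 2 * H, 24 * H, 2 * H, datetime(2025, 5, 31, 22, 0)),
    "erp_db": Asset("erp_db", 3 * H, 1 * H, 1 * H, datetime(2025, 6, 1, 8, 45), ["hypervisor"]),
    "erp": Asset("erp", 3 * H, 4 * H, 1 * H, datetime(2025, 6, 1, 7, 0), ["erp_db"]),
    "customer_portal": Asset("customer_portal", 1 * H, 24 * H, H / 2, datetime(2025, 5, 30, 8, 0)),
}

if __name__ == "__main__":
    for asset, objective, measured, target in evaluate_drill(DRILL, INCIDENT):
        print(f"{asset}: {objective} breached, measured {measured} vs target {target}")
```

In this constructed drill the ERP restores in one hour on its own but misses its RTO because of the chain beneath it, and the customer portal's backup is older than its RPO allows.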
A few pitfalls
Believing that backups are enough
A backup with no test, no restoration process, no network redundancy and no alternative physical access is no guarantee at all.
An IT-only plan
The IT continuity plan affects finance, HR and customer service. Everyone is involved.
Copying and pasting a generic plan
The standard insists on adaptation to the organization’s context (size, sector, specific threats). Copying a bank’s plan for an SME is pointless.
Ignoring suppliers
If you depend on a hosting provider, SaaS provider or cloud service, your plan should incorporate their own continuity plans. Demand contractual commitments (SLAs).
After reading the new version 2025 of ISO/IEC 27031, I think this is an important step forward.
It’s much clearer and I feel it’s closer to reality than it was. In short, it’s time to stop believing that continuity boils down to “we’ve got a backup somewhere”.
A true continuity plan ensures resilience, credibility and survival. And now you have a clear standard to guide you.
I invite you to click on “Follow” to continue learning more about information security and privacy topics.