Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 3-1-3 – The cybersecurity requirements for business continuity management must include at least the following:
Understanding the Requirement
This control requires that business continuity management (BCM) be defined, documented and maintained to ensure the organisation can continue critical operations during and after disruptive events. The objectives listed under 3-1-3-1, 3-1-3-2 and 3-1-3-3 indicate the requirement is modular: identify and prioritise critical services and assets, establish recovery goals and procedures, and maintain testing, communication and continuous improvement. For an SMB that means having a concise, actionable continuity plan that defines responsibilities, recovery time objectives, backups and regular exercises so the business can resume essential functions with minimal downtime.
Technical Implementation
- Inventory and prioritize critical assets and services: create a simple register that maps customers, revenue-generating applications, internal systems (email, accounting, file shares) and third-party dependencies. Tag each item with impact categories (financial, legal, reputational) and set a business priority so recovery efforts focus on what matters most.
- Define Recovery Objectives and acceptance criteria: for each critical service set a Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Document acceptable manual workarounds and the maximum tolerable downtime so responses are measurable and decisions are consistent during an incident.
- Implement technical safeguards for resilience: deploy automated backups (with encryption) for critical systems, use off-site/cloud copies, and separate backup credentials from everyday admin accounts. Where appropriate, implement redundancy for key services (e.g., failover email or DNS) and maintain tested restore procedures.
- Assign roles, contacts and communication templates: designate a continuity owner and alternates, maintain an up-to-date contact list (staff, vendors, customers, regulator contacts) and pre-write incident notification templates for internal and external stakeholders to speed communications under stress.
- Test, exercise and review regularly: run at least annual tabletop exercises plus targeted technical restore tests after major changes. Capture lessons learned, update the plan and verify that backups and failover processes actually meet the documented RTO/RPOs.
- Integrate third-party dependencies and contractual requirements: document SLAs with key suppliers, include vendor continuity provisions in procurement, and validate that outsourced services have appropriate resilience (e.g., that a cloud provider offers demonstrated recovery capabilities compatible with your RTO).
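The steps above reduce to a handful of measurable checks that a continuity owner can run on a schedule: each critical service has a documented RTO and RPO, its most recent successful backup is younger than the RPO, that backup is encrypted and held off-site, and a recent restore test completed within the RTO. The Python script below is an added example, not code from the ECC or from any organisation's plan; it evaluates those checks over a constructed service register, constructed backup-job records and constructed restore-test results, and lists the gaps to close, ordered by business priority. The service names, hours, dates and the 90-day restore-test freshness window are assumptions chosen for illustration.

```python
"""Verify backup and restore-test evidence against documented RTO/RPO.

Added example: the register, backup records and restore tests below are
constructed sample data, not records from any real organisation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Service:
    name: str
    priority: int        # 1 = recover first
    rto_hours: float     # maximum tolerable time to restore the service
    rpo_hours: float     # maximum tolerable data loss, measured as backup age


@dataclass
class BackupRun:
    service: str
    finished: datetime
    ok: bool             # job completed and its integrity check passed
    encrypted: bool
    offsite: bool        # copy held outside the primary site/account


@dataclass
class RestoreTest:
    service: str
    performed: datetime
    duration_hours: float  # wall-clock time from invocation to usable service
    succeeded: bool


def check_service(svc, backups, tests, now, test_max_age_days=90):
    """Return a list of findings for one service (empty list = compliant)."""
    findings = []

    good = [b for b in backups if b.service == svc.name and b.ok]
    if not good:
        findings.append(f"{svc.name}: no successful backup on record")
    else:
        latest = max(good, key=lambda b: b.finished)
        age_h = (now - latest.finished).total_seconds() / 3600
        if age_h > svc.rpo_hours:
            findings.append(
                f"{svc.name}: latest good backup is {age_h:.1f}h old, "
                f"exceeds RPO of {svc.rpo_hours}h")
        if not latest.encrypted:
            findings.append(f"{svc.name}: latest backup is not encrypted")
        if not latest.offsite:
            findings.append(f"{svc.name}: latest backup has no off-site copy")

    svc_tests = [t for t in tests if t.service == svc.name]
    if not svc_tests:
        findings.append(f"{svc.name}: no restore test on record")
    else:
        last = max(svc_tests, key=lambda t: t.performed)
        if not last.succeeded:
            findings.append(f"{svc.name}: most recent restore test failed")
        elif last.duration_hours > svc.rto_hours:
            findings.append(
                f"{svc.name}: restore took {last.duration_hours}h, "
                f"exceeds RTO of {svc.rto_hours}h")
        test_age = (now - last.performed).days
        if test_age > test_max_age_days:
            findings.append(
                f"{svc.name}: last restore test is {test_age} days old "
                f"(limit {test_max_age_days})")
    return findings


def continuity_report(services, backups, tests, now):
    """Map service name -> findings, ordered by business priority."""
    ordered = sorted(services, key=lambda s: s.priority)
    return {s.name: check_service(s, backups, tests, now) for s in ordered}


# --- constructed sample data (assumed values, for illustration only) ---
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)

SERVICES = [
    Service("client-files", priority=1, rto_hours=8, rpo_hours=4),
    Service("billing", priority=2, rto_hours=24, rpo_hours=24),
    Service("intranet-wiki", priority=3, rto_hours=72, rpo_hours=24),
]

BACKUPS = [
    BackupRun("client-files", NOW - timedelta(hours=2), ok=True, encrypted=True, offsite=True),
    # billing: the only recent run failed, so the last good copy is 30h old and local-only
    BackupRun("billing", NOW - timedelta(hours=30), ok=True, encrypted=True, offsite=False),
    BackupRun("billing", NOW - timedelta(hours=6), ok=False, encrypted=True, offsite=True),
    # intranet-wiki: no backup jobs at all
]

TESTS = [
    RestoreTest("client-files", NOW - timedelta(days=40), duration_hours=5.5, succeeded=True),
    # billing: last test is stale and took longer than the RTO allows
    RestoreTest("billing", NOW - timedelta(days=120), duration_hours=30, succeeded=True),
]

if __name__ == "__main__":
    for name, findings in continuity_report(SERVICES, BACKUPS, TESTS, NOW).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"[{status}] {name}")
        for f in findings:
            print(f"    - {f}")
```

Run as-is, the script reports the top-priority service as compliant, four findings for the billing system (stale last good copy, no off-site copy, restore slower than its RTO, restore test older than the window) and two for the wiki (never backed up, never tested). Feeding it real records means exporting the backup tool's job history and the dates and durations of actual restore exercises; a failed or skipped job counts for nothing, which is why the check measures from the last successful run rather than the last scheduled one.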
Example in a Small or Medium Business
GreenLeaf Accounting is a 25-person firm that handles sensitive client financials and deadlines. They started by listing their critical services: client file access, tax filing software, email and billing systems, and identified critical third parties like their cloud backup vendor and payroll provider. The firm set an RTO of 8 hours for client file access and 24 hours for non-critical administrative services, and established an RPO of 4 hours for client data. The IT lead implemented nightly encrypted backups to an independent cloud provider and tested restores quarterly; they also documented a manual process for accepting client files via secure upload if the primary client portal is unavailable. A continuity owner and deputy were named, with contact templates for clients and staff and a decision tree for when to invoke the full continuity plan. They performed an annual tabletop exercise simulating a ransomware event, updated their procedures based on gaps found, and added an SLA clause requiring quicker support from a critical vendor. By keeping the plan concise, testing regularly and assigning clear roles, GreenLeaf reduced expected recovery time and kept clients informed during an actual outage.
Summary
Combining simple policy — a documented, owner-assigned continuity plan with clear recovery objectives — and practical technical measures — prioritized inventories, encrypted backups, tested restores and defined communications — meets the control’s intent. Regular tests and vendor checks turn the plan from a document into an operational capability so SMBs can recover prioritized services within agreed RTO/RPOs, maintain customer trust and reduce financial and regulatory risk.