ISO 27031 reality check: Operationalising manual workarounds in the business continuity plan

ISO 27031:2025 represents a significant advancement in business continuity management (BCM). It acknowledges that absolute technological reliability is unattainable and instead focuses on an organisation's ability to remain operational even in the event of technological failure.

The mandate of ISO 27031:2025: Resilience beyond technology

The ISO 27031:2025 standard marks an essential shift in business continuity management (BCM). It treats complete technological reliability as an illusion and moves the focus to what the organisation can still do operationally when its technology fails.

The core of this realignment is clause 6.6a. It states that if information and communication technology (ICT) cannot meet the recovery time objective (RTO) or recovery point objective (RPO) that business operations require, the organisation must describe workarounds in its business continuity plan (BCP) that allow operations to continue without ICT for the duration of that gap.

This requirement is supplemented by clause 10.4, which defines ‘temporary workarounds’: manual or semi-manual processes that keep time-critical business processes running, possibly at reduced efficiency, until IT services are available again. The standard thus forces an honest examination of the gap between what the business requires and what the real, often budget-limited, ICT capabilities can deliver.

A point that often causes misunderstandings in practice is the distinction between the recovery objectives of the business and those of IT. The RTO defined by the business (business RTO) states when a business process must be running again. For that to succeed, the underlying ICT services must be restored earlier: the ICT RTO has to be noticeably shorter than the business RTO to leave a buffer for restarting the business process, validating data and communicating with staff and customers. More important still is the recovery time actual (RTA). Where the RTO is a target, the RTA is the value measured in a test or simulation, i.e. how long recovery actually took. The RTA is therefore the ultimate reality check for any BCP.

The practical gap: Why familiar principles fail

Although the principles of the ISO standard are well known among experts, there is a dangerous gap between theory and implementation. The reasons for this are systemic and can often be traced back to fundamental misjudgements:

  • An organisational divide arises because responsibility for keeping business operations running is often wrongly treated as a purely IT task. The business departments define their requirements and IT delivers what the budget allows. The manual workaround for a business process falls into the vacuum of responsibility between these two silos: neither side feels responsible for funding, developing and testing it.

  • The ‘paper plan’ syndrome describes BCPs that exist solely to satisfy auditors. They are often outdated, untested and unrealistic. Manual processes in particular are rarely tested functionally because doing so is operationally costly, yet a tabletop walkthrough is not enough to validate how a manual process holds up under stress. Recent incidents such as the CrowdStrike outage in July 2024 showed that restart and recovery can take days and require massive manual intervention. A manual process that cannot be sustained for that long quickly builds an unmanageable backlog through inefficiency and high error rates, creating a second crisis of its own.

These systemic failures are not merely operational shortcomings; they translate into direct and often severe financial losses. To illustrate the scale, a 2024 study by Information Technology Intelligence Consulting (ITIC) gives the following figures: for 90% of companies a single hour of downtime costs more than £300,000, and 41% report costs of between £1 million and £5 million per hour. This underlines the economic case for building the operational resilience the standard requires, and for funding the measures that deliver it.

The decisive methodology: gap analysis

The process of comparing business requirements (business RTO) with proven IT capabilities (the measured RTA) is the gap analysis. It is not a superficial review but an in-depth, layered examination of the entire technology chain: from the basic infrastructure (power supply and cooling of the data centre) through the network components, servers and storage systems, to the databases and finally the application that delivers the business service.

Each of these layers has its own recovery characteristics and dependencies, and a layer can only be brought back once the layers it depends on are running again. Only with this granular view can IT give an honest statement of its actual recovery time (the RTA, determined by testing the individual components and their dependencies). The result of the gap analysis is the basis for the strategic decision: invest in technology to close the gap, or develop a manual workaround that covers it.
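The following script is an added example, not part of the article or of the ISO standard, that carries the gap analysis through in code for the layered chain described above and the RTO/RTA distinction from the earlier section. Layer names, target and measured hours, the dependency edges, the business RTO and the restart buffer are all constructed sample values. It goes one step beyond the text: because a layer can only start recovering once its dependencies are back, the chain's aggregate RTA is the longest dependency path (the critical path), not the sum of all layer times.

```python
from dataclasses import dataclass, field

@dataclass
class Component:
    """One layer of the technology chain.

    rto_hours: the ICT target for this layer (what IT promised).
    rta_hours: the time measured in the last functional recovery test.
    depends_on: layers that must be running before this one can be recovered.
    """
    name: str
    rto_hours: float
    rta_hours: float
    depends_on: list = field(default_factory=list)

def critical_path_rta(components):
    """Return, per layer, the hour at which it is back, counted from the start
    of recovery. A layer starts only after all its dependencies have finished,
    so the aggregate RTA of the chain is the longest path through the graph."""
    by_name = {c.name: c for c in components}
    memo = {}

    def finish(name, stack=()):
        if name in stack:
            raise ValueError(f"dependency cycle at {name}")
        if name not in memo:
            c = by_name[name]
            start = max((finish(d, stack + (name,)) for d in c.depends_on), default=0.0)
            memo[name] = start + c.rta_hours
        return memo[name]

    return {n: finish(n) for n in by_name}

def gap_analysis(components, service, business_rto_hours, restart_buffer_hours):
    """Compare the measured chain RTA for `service` with the business RTO.

    The ICT RTO that IT must actually achieve is the business RTO minus the
    buffer the business needs to restart the process, validate data and
    communicate. Any remaining gap is the period a manual workaround has to
    cover (the clause 6.6a case)."""
    finish = critical_path_rta(components)
    ict_rta = finish[service]
    required_ict_rto = business_rto_hours - restart_buffer_hours
    gap = ict_rta + restart_buffer_hours - business_rto_hours
    return {
        "ict_rta_hours": ict_rta,
        "required_ict_rto_hours": required_ict_rto,
        "gap_hours": max(gap, 0.0),
        # layers whose measured RTA already misses their own ICT target
        "components_missing_target": [c.name for c in components if c.rta_hours > c.rto_hours],
        "decision": "manual workaround must cover the gap" if gap > 0 else "ICT meets the business RTO",
    }

def sample_chain():
    """Constructed sample chain (hypothetical figures, not from any real test)."""
    return [
        Component("power", 1.0, 1.0),
        Component("cooling", 1.0, 1.0),
        Component("network", 2.0, 2.0, ["power"]),
        Component("servers", 2.0, 3.0, ["network", "cooling"]),
        Component("storage", 4.0, 4.0, ["power", "cooling"]),
        Component("database", 4.0, 6.0, ["servers", "storage"]),
        Component("application", 2.0, 2.0, ["database"]),
    ]

if __name__ == "__main__":
    # Business RTO of 12 h, of which 2 h are needed to restart the process itself.
    result = gap_analysis(sample_chain(), "application", business_rto_hours=12.0, restart_buffer_hours=2.0)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the sample figures the summed layer times would be 19 hours, but the critical path (power, network, servers, database, application) gives a measured chain RTA of 14 hours. Against a 12-hour business RTO with a 2-hour restart buffer, IT would have needed a 10-hour ICT RTO, so the workaround in the BCP has to sustain the process for 4 hours; the report also names the two layers (servers, database) whose measured RTA already misses their own target, which is where an investment decision would start.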

A framework for effective workarounds

A structured approach is required to meet the requirements of the standard and close the gap in practice:

  • The clear assignment of responsibility is crucial. Responsibility for the development and maintenance of manual workarounds must be explicitly assigned to those responsible for the business processes, not to IT.

  • The provision of budgets is essential. Create dedicated budget items for the resources required for manual workarounds – including employee training time, IT hardware, printing costs for emergency forms, and conducting realistic tests with external support if necessary.

  • Quantifying and reporting risks is a must. Create a transparent gap analysis and quantitative modelling of the potential business shortfall in the event of a failure. The business case for investing in workarounds must be argued on the basis of reducing the residual financial risk, not as a pure cost factor.

  • Establishing a testing culture is fundamental. Set up a mandatory, progressive testing programme that goes beyond tabletop walkthroughs and requires regular functional drills of these workarounds, so that the RTA is measured rather than assumed. Promote a culture in which weaknesses uncovered during testing are treated as valuable findings rather than failures.

The next step: From planning to practised resilience

Implementing these demanding tasks, from the gap analysis to the development of robust workarounds, requires specific expertise. IRBC (ICT readiness for business continuity) and BCM managers must become the internal drivers and convey the strategic necessity to senior management. External expertise can significantly accelerate the process. Act now, because this is not a compliance exercise but a strategic investment in the viability and resilience of your company.