ISO 27031 reality check: Why ITSCM is not enough and ISO 27031 requires genuine BCM

Many companies are labouring under a dangerous misconception: IT departments confuse IT service continuity management with genuine business continuity management. This misjudgement creates a risky resilience gap, as it overlooks the fact that IT itself is an independent, vulnerable business area.

A dangerous misunderstanding has taken hold in the corporate landscape: IT departments assume that implementing IT Service Continuity Management (ITSCM) is equivalent to full-fledged Business Continuity Management (BCM) for their own area. This assumption, which views IT merely as a service provider for other departments, creates a critical resilience gap. It ignores the fact that the IT organisation itself is a complex business unit with its own non-technical vulnerabilities – from key personnel to locations to suppliers.

The new international standard ISO/IEC 27031:2025 challenges this status quo. The standard unambiguously calls for the integration of a holistic BCM approach into the IT function itself and treats it as a business unit that needs to be secured.

The fundamental misunderstanding: why IT needs its own BCM

There is a conceptual blurring in organisations that can have disastrous consequences in a crisis: the confusion between BCM and ITSCM.

Business Continuity Management is a holistic and strategic management process that aims to protect the time-critical business processes of the entire organisation from the effects of events with potential for failure. BCM considers all resources that contribute to value creation: people, infrastructure, supply chains and technology.

IT Service Continuity Management, on the other hand, is a specialised discipline and a sub-area of BCM. Its focus is exclusively on the restart and restoration of the technological infrastructure and IT services in order to meet the objectives defined by the business in the BCM process. ITSCM is the technical contribution of IT to the overall resilience of the company.

The problem arises when the IT department considers its task fulfilled as soon as it has an IT recovery plan. In doing so, it overlooks the fact that it is itself a time-critical business unit that can fail in ways that go far beyond a mere system failure. An IT recovery plan may regulate the restart and restoration of a server, but it does not answer the question of what happens if the administrators required for this are unavailable due to a pandemic.

The roots of the misunderstanding: a historical and cultural analysis

This dangerous simplification is no accident, but the result of a long development characterised by organisational silos and the influence of established frameworks.

  • Since the early days of enterprise IT, IT departments have often been viewed as centralised, technical support units that were organisationally separate from core business functions, leading to historical silos between business and IT. This separation led to differing priorities, communication barriers and a lack of shared responsibility for overall business resilience. The business ‘orders’ services, IT ‘delivers’ – a dynamic that makes it difficult to achieve an integrated understanding of BCM.

  • The widely used ITIL (IT Infrastructure Library) framework has professionalised IT, but at the same time cemented its role as a service provider (the ‘ITIL effect’). Since ITSCM is a core process within ITIL, many IT organisations have internalised it as their primary and often only continuity commitment. In doing so, they fulfil the requirements of their framework, but overlook the need to view themselves as a business unit that also requires BCM.

  • IT experts naturally think in terms of technological solutions, which leads to a technology-centric view. An ‘emergency’ is primarily understood as a system failure, network problem or cyber attack. Recovery and restoration focus on data backups and redundant hardware. Risks such as the loss of key personnel or the loss of a time-critical supplier often fall outside this technology-centric framework.

The mandate of ISO 27031:2025: IT as a business unit to be secured

The new ISO 27031 standard breaks radically with this isolated view. It no longer treats the IT function as merely a technical service provider, but as an independent, time-critical business unit that requires its own integrated BCM. This paradigm shift is underpinned by several key aspects of the standard:

  • The standard explicitly calls for integration rather than isolation (Chapter 6): ‘ICT Readiness for Business Continuity’ (IRBC) is to be embedded in the overall corporate BCM. This positions IT not as an external supplier, but as an integral part of the resilience strategy, subject to the same holistic principles as any other department.

  • ISO 27031 establishes a holistic focus on resources by explicitly listing the resources of the IT function that need to be secured. This includes not only technology and data, but also ‘staff competencies’, ‘facilities’, ‘processes’ (internal processes) and ‘suppliers’. This makes it unmistakably clear that a pure ITSCM approach that focuses solely on the restart and recovery of technology and data is not sufficient. IT must have plans in place for the absence of key personnel, the loss of their workplaces, the failure of their IT infrastructure and the failure of their own suppliers.

  • The standard assigns top management a clear responsibility (Chapter 13) for evaluating and approving IRBC strategies. This elevates the continuity of the IT function itself to a strategic level and signals that it must be treated with the same seriousness as the continuity of, for example, production.

ISO 27031 therefore requires IT to undergo a business impact analysis and implement a BCM that safeguards its own organisation so that it is able to perform its ITSCM tasks for the rest of the company.

The risks of the ITSCM fallacy in practice

If an IT department only operates ITSCM and believes that this makes it resilient, it exposes the company to incalculable risks. A pure focus on technical recovery leaves time-critical, non-technical failure scenarios unaccounted for:

  • An IT recovery plan that only describes the technical recovery steps is worthless if there is no one there to execute it, which is the risk of key personnel failure. What happens if the few specialists who administer a complex legacy system or critical database are simultaneously unavailable due to a pandemic, accident or strike? A BCM for IT would require measures such as multi-skill training, separation of core skills and automation.

  • The loss of IT locations is another risk, because a fire in the IT administration building, a regional flood or a power failure affecting the workplaces of IT staff can cripple the ability to coordinate restart and recovery. ITSCM plans the restart of servers in a backup data centre, but a BCM for IT plans where IT teams can control and execute this restart in the first place.

  • IT itself relies on a chain of processes, and the breakdown of internal IT processes can make it impossible to respond effectively to the actual emergency. If the systems that support these internal processes (e.g. ticket system, monitoring tools) or the personnel responsible for them fail, IT loses its ability to control the situation.

  • IT is heavily dependent on external partners, which is why the failure of suppliers poses a significant risk. An ITSCM plan may provide for a backup of cloud data, but a BCM for IT analyses contractual obligations, plans for alternative suppliers and defines processes in the event that a strategic partner fails.

Conclusion

The assumption that ITSCM or IRBC replaces a BCM for IT is one of the most dangerous resilience gaps in modern businesses. It stems from an outdated, technology-centric view and is cemented by organisational silos. ISO/IEC 27031 makes it unmistakably clear: IT is not just a service provider, but a critical business unit that requires its own integrated business continuity management.

Recommendations for action for management and those responsible:

  • The clear assignment of responsibility is crucial. Management must recognise that the IT organisation itself requires BCM. Responsibility for this ‘internal’ BCM for IT must be clearly assigned to the CIO/IT manager, in close coordination with the company's BCM manager.

  • It is essential to conduct a BIA for the IT organisation. Perform a business impact analysis that assesses not the IT services for others, but the internal processes, personnel, locations and suppliers of the IT department itself. Identify the true ‘single points of failure’ within your IT organisation.

  • Developing a BCP in IT is a must. Expand your perspective beyond existing IT and disaster recovery plans to include non-technical aspects. Create concrete plans for scenarios such as the loss of key personnel, the loss of IT workstations, the failure of critical IT systems, the loss of critical data and the failure of critical IT suppliers, and define for each how IT responds to the disruption and how it recovers from it.

  • Establishing an integrated testing culture is fundamental. Conduct exercises that test not only technical failover, but also the resilience of the IT organisation itself. Simulate the loss of IT personnel and test whether the documented processes can also be carried out by alternative teams.

Close the resilience gap: Is your IT truly resilient or just recoverable?

ISO 27031:2025 calls for a new way of thinking. A purely technical recovery plan is no longer sufficient to secure IT itself. We support you in closing the gap between ITSCM and true BCM for your IT – from the BIA for your IT organisation to the development of integrated contingency plans. Contact us to put the resilience of your IT to the test and turn it into a crisis-proof business unit.