Revised guidance to help organisations safeguard and maintain essential business functions during and after disruptions such as disasters, cyber-attacks or other incidents has been published by the British Standards Institution (BSI).
The UK national standards body points to ransomware attacks on household-name brands such as Royal Mail and Marks & Spencer. Against that backdrop, BS ISO/IEC 27031:2025, Cybersecurity — Information and communication technology readiness for business continuity, offers a systematic approach to predicting, preventing and managing ICT disruptions so that organisations can safeguard critical operations.
Cyber security breaches pose a significant threat: half of businesses and 32 per cent of charities reported a cyber security breach or attack in the last 12 months, according to the UK Government's Cyber security breaches survey 2024. The survey puts the average cost of a breach to a business of any size at approximately £1,205, rising to £10,830 for medium and large businesses.
The standard, updated for the first time since 2011, now takes into account the dominance of cloud ICT services and the growing sophistication of cyber criminals, who no longer solely target critical national infrastructure such as hospitals and power grids but also commercial companies, through social engineering.
David Cuckow, Director of Digital, BSI said: “We are seeing cyber criminals operate increasingly complex attacks on businesses, with enormous consequences for the global economy. When an organization is blindsided with digital disruption, it’s crucial that it has the right planning in place to protect its people, information, systems, and technology. The newly revised standard aims to offer best practice guidance for organizations to systematically plan, prepare, and manage their ICT resources to ensure the continuity of critical business processes in the face of disruptions. It is intended to embed digital trust into organizations of all sizes, assuring that they can maintain uninterrupted business operations during disruptions and reduce recovery time and data loss after incidents.”
The revision is designed to enhance coordination, prevent duplication of effort and integrate ICT resilience into broader security and business continuity strategies. It extends information security incident management practices into ICT readiness planning and training, and makes ICT readiness a board-level priority and capability. It also builds stakeholder trust, reinforces leadership accountability and supports long-term business sustainability. Notable updates since the 2011 version include revised methodologies for risk management, incident response and continuity strategy implementation.
About the standard
The standard was developed internationally by experts within ISO/IEC JTC 1/SC 27 – Information security, cybersecurity and privacy protection. The UK contributed to this work through its national committee IST/33/4 – Security Controls and Services, with input from members representing organisations including the Ministry of Defence, the UK's National Cyber Security Centre (NCSC), the British Business Federation Authority, the University of Bath and Siemens.
Photo by Mark Rowe: postbox, beside the River Thames, Hammersmith, west London.