A.5.30 ICT Readiness for Business Continuity
What is this control?
ISO 27001 control A.5.30 ICT Readiness for Business Continuity ensures the organisation’s ICT services are architected and maintained to be resilient and recoverable, based on a formal Business Impact Analysis (BIA) that defines Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for critical business processes. RTO readiness is achieved through cloud-native architecture and Azure redundancy. RPO readiness is met through AvePoint and Acronis backup configurations.
How to implement in Microsoft 365
Implement A.5.30 by conducting a formal Business Impact Analysis that identifies all critical business processes and the ICT services supporting them, with a defined RTO and RPO for each critical service. Document the BIA in a SharePoint list or document with columns for the critical service name, RTO in hours, and RPO in hours of data-loss tolerance. Configure the AvePoint backup frequency to meet the RPO for M365 data, using multiple-times-daily backups.
Configure the Acronis backup frequency to meet the RPO for on-premises data. Implement Azure redundancy with geo-redundant storage, availability zones, and soft-delete. Establish an Infrastructure-as-Code repository in Azure DevOps with Terraform templates for critical infrastructure.
What an auditor looks for
Auditors will verify a formal BIA document or SharePoint register listing critical services with defined RTOs and RPOs. They will check that the BIA is dated within the last 12 months, showing current alignment with business requirements. Auditors will verify the AvePoint configuration, showing that the backup frequency aligns with the RPO of each M365 service.
They will check the Acronis configuration, showing that the backup frequency aligns with the on-premises RPO. Auditors will verify the Azure portal configuration, showing geo-redundant storage enabled for critical storage accounts. They will check test restore reports showing the actual RTO measured and compared with the BIA objective.
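The alignment checks described in the implementation and auditor sections above (backup interval against RPO, measured restore time against RTO, geo-redundant storage, BIA age) can be run as a simple gap assessment over the BIA register and collected evidence. The following is an added example, not part of the original page or of any AvePoint, Acronis or Azure tooling; the register rows, evidence values and service names are constructed.

```python
from datetime import date, timedelta

# Replication types that make an Azure storage account geo-redundant.
GEO_REDUNDANT = {"GRS", "RA-GRS", "GZRS", "RA-GZRS"}

# Constructed BIA register rows, mirroring the SharePoint list columns named
# on the page: service, RTO in hours, RPO in hours of data-loss tolerance.
BIA_REGISTER = [
    {"service": "Exchange Online mail", "rto_h": 4, "rpo_h": 1},
    {"service": "SharePoint finance site", "rto_h": 8, "rpo_h": 4},
    {"service": "On-prem file server", "rto_h": 24, "rpo_h": 12},
]

# Constructed evidence as an auditor would collect it: BIA review date, backup
# interval per service (hours), replication type of the supporting storage
# account where one exists, and the RTO measured in the last test restore.
EVIDENCE = {
    "bia_reviewed": date(2024, 3, 1),
    "backup_interval_h": {"Exchange Online mail": 4, "SharePoint finance site": 4, "On-prem file server": 6},
    "storage_replication": {"SharePoint finance site": "GRS", "On-prem file server": "LRS"},
    "test_restore_rto_h": {"Exchange Online mail": 3.5, "SharePoint finance site": 10},
}
AS_OF = date(2025, 6, 1)  # constructed assessment date

def assess(register, evidence, today):
    """Return a list of gap findings; an empty list means the evidence meets the BIA."""
    findings = []
    if today - evidence["bia_reviewed"] > timedelta(days=365):
        findings.append(f"BIA last reviewed {evidence['bia_reviewed']}: older than 12 months")
    for row in register:
        svc, rto, rpo = row["service"], row["rto_h"], row["rpo_h"]
        interval = evidence["backup_interval_h"].get(svc)
        if interval is None:
            findings.append(f"{svc}: no backup schedule on record")
        elif interval > rpo:  # backups less frequent than the RPO cannot meet it
            findings.append(f"{svc}: backup every {interval} h exceeds RPO of {rpo} h")
        repl = evidence["storage_replication"].get(svc)
        if repl is not None and repl not in GEO_REDUNDANT:
            findings.append(f"{svc}: storage replication {repl} is not geo-redundant")
        measured = evidence["test_restore_rto_h"].get(svc)
        if measured is None:
            findings.append(f"{svc}: no test restore report")
        elif measured > rto:  # the test restore took longer than the objective allows
            findings.append(f"{svc}: measured RTO {measured} h exceeds objective of {rto} h")
    return findings

if __name__ == "__main__":
    for finding in assess(BIA_REGISTER, EVIDENCE, AS_OF):
        print("GAP:", finding)
```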