    Guidance published to help business manage cyber threats

    11 June 2025: Revised guidance to help organizations safeguard and maintain essential business functions during and after periods of disruption, such as disasters, cyber-attacks, or other incidents, has been published by BSI in the wake of attacks on household-name brands.

    Published by BSI in its capacity as the UK national standards body, Cybersecurity — Information and communication technology readiness for business continuity (BS ISO/IEC 27031:2025) offers a systematic approach to prevent, predict, and manage ICT disruptions, ensuring organizations can safeguard critical operations.

    Cybersecurity breaches pose a significant threat, with 50% of businesses and 32% of charities reporting a cyber security breach or attack in the last 12 months. The attacks cost each business, of any size, an average of approximately £1,205. For medium and large businesses, this grows to £10,830[1].

    The standard, updated for the first time since 2011, now takes into account the increased dominance of cloud ICT services and the growing sophistication of cyber criminals, who no longer target solely critical national infrastructure such as hospitals and power grids but also commercial companies, through social engineering.

    David Cuckow, Director of Digital, BSI, said: “We are seeing cyber criminals operate increasingly complex attacks on businesses, with enormous consequences for the global economy. When an organization is blindsided with digital disruption, it’s crucial that it has the right planning in place to protect its people, information, systems, and technology. The newly revised standard aims to offer best practice guidance for organizations to systematically plan, prepare, and manage their ICT resources to ensure the continuity of critical business processes in the face of disruptions. It is intended to embed digital trust into organizations of all sizes, assuring that they can maintain uninterrupted business operations during disruptions and reduce recovery time and data loss after incidents.”

    The revision is designed to enhance coordination, prevent duplication of effort, and integrate ICT resilience into broader security and business continuity strategies, while extending information security incident management practices into ICT readiness planning and training and making it a board-level priority and capability. It also builds stakeholder trust, reinforces leadership accountability, and supports long-term business sustainability. Notable updates since the 2011 version include revised methodologies for risk management, incident response, and continuity strategy implementation. You can download the standard here.


    [1] Cyber security breaches survey 2024, GOV.UK