
Business continuity and ICT recovery readiness

Primary statement

ICT readiness for business continuity provides: (1) documented BCP and DR plans with explicit RTO (recovery time objective) and RPO (recovery point objective) per critical system; (2) DR site for critical systems with diverse-path connectivity and matching security controls; (3) immutable / air-gapped backups for ransomware resilience; (4) annual live DR test (full failover, not desktop walkthrough) for critical systems; (5) crisis communications plan integrated with the Cyber Crisis Management Plan (CCMP); (6) recovery procedures tested against cyber-specific scenarios (ransomware, destructive attack, supply-chain compromise); (7) Board-level scenario rehearsal at the highest maturity tier.

Audit-fatigue payoff

A single BCP/ICT-readiness programme — SEBI CSCRF RC.1 RTO/RPO + DR site + RBI CSF RS.6 crisis communications + ISO 27001 A.5.30 ICT continuity testing — satisfies BCP/DR requirements across all 14 contributing frameworks. Without unification, the auditor asks 4–6 distinct questions (RTO/RPO per system, DR test cadence, ransomware-specific recovery, crisis comms, tabletop coverage, Board awareness). With unification, one programme document + annual live DR test report + tabletop exercise records answer all.

Strictness matrix

Scope
Scope: BCP/DR coverage of ALL critical systems with documented RTO/RPO per system. DR site for critical systems with diverse-path connectivity (not single-region failover) and matching security controls (DR is not less protected than production). For Most-Critical systems (per RBI CSF ID.3 classification), enhanced recovery controls including ransomware-resilient backups.
Ceiling source: sebi_cscrf:CSCRF.RC.1
Rationale: SEBI CSCRF RC.1 specifies the most enumerated scope — RTO/RPO per critical system + DR site with diverse path + matching security controls. ISO 27001 A.5.30 is broad ("ICT readiness based on BC objectives") but less prescriptive. The SEBI specification is the audit-defensible scope.

Threshold
Threshold: explicit RTO and RPO documented PER critical system. These are the operational triggers — RTO defines the acceptable downtime before recovery must be complete; RPO defines the acceptable data-loss window. Both must be documented per system, not as organisation-wide averages. DR test threshold: annual live failover for critical systems is the minimum.
Ceiling source: sebi_cscrf:CSCRF.RC.1
Rationale: SEBI CSCRF RC.1 requires per-system RTO/RPO documentation. Other frameworks require BCP "based on business continuity requirements" without specifying per-system documentation. The per-system threshold is the audit-defensible specification.

Method
Method: (1) documented BCP and DR plans per critical system; (2) DR site with diverse-path connectivity and matching security controls; (3) annual live DR test (not tabletop) for critical systems; (4) tabletop exercises across cyber-specific scenarios — ransomware, destructive attack, supply-chain compromise (per RBI RS.7); (5) crisis communications plan integrated with CCMP, covering internal stakeholders, customers, regulators, media (per RBI RS.6); (6) post-test review with corrective action tracking; (7) recovery procedures kept current through change-management integration.
Ceiling source: sebi_cscrf:CSCRF.RC.1
Rationale: SEBI CSCRF RC.1 combined with RBI CSF RS.6 and RS.7 provides the most prescriptive method. Live DR testing (not tabletop) for critical systems is the uniquely strict element — many frameworks accept tabletop as adequate.

Frequency
Frequency: DR test cadence: annual live test (full failover) for critical systems. Tabletop exercises: annual minimum across cyber scenarios. Cyber-range exercises (technical-team hands-on): quarterly for Maturity Level 4 banks (RBI RS.7). Board-level scenario rehearsal: annual at the highest tier. CCMP and BCP review: annual + on material change.
Ceiling source: sebi_cscrf:CSCRF.RC.1
Rationale: Annual live DR test is the universal floor across frameworks. Cyber-range quarterly cadence for the highest tier (RBI RS.7) is the leading-edge frequency. The combined model is the audit-defensible cadence.

Evidence
Required evidence: (1) BCP and DR plan documents per critical system with RTO/RPO stated; (2) DR site architecture diagram showing diverse-path connectivity; (3) annual live DR test report with success/failure outcomes per system; (4) tabletop exercise records with after-action reports; (5) CCMP document and CCMP test results; (6) crisis communications plan with sample templated communications per stakeholder category; (7) corrective action tracker from past tests with closure evidence.
Ceiling source: sebi_cscrf:CSCRF.RC.1
Rationale: SEBI CSCRF RC.1 evidence list is the most comprehensive single-control specification. Augmented by RBI RS.6 crisis comms evidence and RS.7 multi-level rehearsal evidence, this is the audit-defensible package.

Auditor test pattern

Step 1: Inspect BCP and DR plans; verify per-system RTO/RPO documentation.
Step 2: Inspect the most recent annual DR test report; verify it was a live failover (not tabletop) and verify outcomes per critical system.
Step 3: Sample 1 corrective action from a past DR test; verify closure.
Step 4: Inspect the CCMP and verify cyber-specific recovery scenarios are addressed (ransomware, destructive attack, supply-chain).
Step 5: Inspect tabletop exercise records; verify multi-scenario coverage.
Step 6: For Maturity Level 4 banks, inspect cyber-range exercise records (quarterly cadence).
Step 7: Inspect the crisis communications plan; verify it covers all stakeholder categories with templated communications.

Common findings

Common 2024–26 findings: (1) DR test annual but limited to non-cyber scenarios (data centre power, network outage) — cyber-specific recovery never rehearsed; (2) Backup restoration tested at file level but not at full-application level; (3) Immutable / air-gapped backups claimed but actually mounted writable on the same storage system; (4) DR site has lighter security controls than production (defeats the purpose); (5) Per-system RTO/RPO undocumented — organisation-wide averages only; (6) CCMP exists but is not BCP-integrated, so the two recovery paths are uncoordinated; (7) Crisis communications plan absent or limited to press-release templates — regulator and customer communications not addressed.
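The auditor test pattern above and the common findings it surfaces can be pre-checked before the audit by running the same rules over the organisation's own critical-system inventory. The following added example (not part of the original synthesis or any framework's tooling) encodes the page's thresholds, per-system RTO/RPO, annual live failover, cyber-scenario coverage, immutable backups and DR controls matching production, as checks over a constructed inventory; the record fields and the two sample systems are assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample inventory (hypothetical field names, not a real organisation):
# one record per critical system, as the BCP/DR plan should document it.
SYSTEMS = [
    {"name": "core-banking", "rto_hours": 4, "rpo_minutes": 15,
     "last_dr_test": date(2025, 9, 1), "dr_test_type": "live",
     "backup_immutable": True, "dr_controls_match_prod": True,
     "cyber_scenarios_tested": ["ransomware", "destructive", "supply-chain"]},
    {"name": "payments-gateway", "rto_hours": None, "rpo_minutes": None,
     "last_dr_test": date(2024, 3, 10), "dr_test_type": "tabletop",
     "backup_immutable": False, "dr_controls_match_prod": False,
     "cyber_scenarios_tested": []},
]

# Cyber-specific scenarios the page requires every critical system to have rehearsed.
REQUIRED_SCENARIOS = {"ransomware", "destructive", "supply-chain"}
AS_OF = date(2025, 12, 1)  # assumed audit date for the sample run


def check_system(rec, today):
    """Return the list of audit findings for one critical-system record."""
    findings = []
    if rec["rto_hours"] is None or rec["rpo_minutes"] is None:
        findings.append("no per-system RTO/RPO (organisation-wide average only)")
    if rec["dr_test_type"] != "live":
        findings.append(f"last DR test was {rec['dr_test_type']}, not live failover")
    if rec["last_dr_test"] is None or today - rec["last_dr_test"] > timedelta(days=365):
        findings.append("no DR test within the last 12 months")
    missing = REQUIRED_SCENARIOS - set(rec["cyber_scenarios_tested"])
    if missing:
        findings.append("cyber scenarios never rehearsed: " + ", ".join(sorted(missing)))
    if not rec["backup_immutable"]:
        findings.append("backups not immutable / air-gapped")
    if not rec["dr_controls_match_prod"]:
        findings.append("DR site security controls weaker than production")
    return findings


def audit(systems, today):
    """Map each system name to its findings; an empty list means it passes."""
    return {rec["name"]: check_system(rec, today) for rec in systems}


if __name__ == "__main__":
    for name, found in audit(SYSTEMS, AS_OF).items():
        print(name, "->", "PASS" if not found else "; ".join(found))
```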