Part B: Business Resilience
Business resilience is an organisation’s ability to resist, absorb, recover from, or successfully adapt to adversity or changes in conditions. This is a strategic end state that goes beyond traditional continuity and disaster recovery by embedding flexibility and proactive adaptation into the organisational culture. In today's environment, resilience is a measurable business imperative, driven by pressure from senior management and complex global threats.
Summary of Lessons and Objectives: Part B
The primary goal of business resilience assurance is to ensure that an organisation can continue its mission-essential functions during any disruption. This involves a holistic approach that integrates technology, people, and processes.
Business Impact Analysis (BIA): The foundation of resilience, the BIA identifies critical business functions, dependencies, and the potential impact of disruptions. The objective is to prioritise recovery efforts based on business needs.
System and Operational Resilience: This objective focuses on eliminating single points of failure through technical means such as fault-tolerant hardware, clustering, and high-availability configurations.
Data Protection and Recovery: Auditors must evaluate the effectiveness of data backup, storage, and restoration policies. The objective is to ensure that data can be recovered within the established Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
Business Continuity and Disaster Recovery Planning: This involves developing, testing, and maintaining BCPs and DRPs. The objective is to provide a structured response to emergencies to ensure the organisation's survival.
Crisis Communication and Stakeholder Management: Effective resilience requires the ability to communicate internal and external status updates to stakeholders during a crisis to manage reputation and operational transparency.
Regulatory and Legal Compliance: Organisations must ensure their resilience programs comply with applicable laws, regulations, and contractual obligations, particularly in sectors such as finance and healthcare.
Business Resilience
Business resilience has shifted from a reactive "recovery" focus to a proactive "adaptive" focus. Historically, business continuity was viewed through a traditional, siloed approach, often limited to IT disaster recovery.
The emergence of the ISO 22301 standard provided a global framework for Business Continuity Management Systems (BCMS). ISO 22301 is not just about surviving a disruption but also about maintaining essential operations with minimal downtime and protecting stakeholders. However, while ISO 22301 outlines what is required, standards like NIST SP 800-34 Rev. 1 provide the technical how-to for federal and private sector IT contingency planning. Research suggests that combining these two standards creates a more robust framework, especially for public sector organisations. Recent systematic reviews on organisational resilience highlight five key dimensions: capital, strategic, cultural, relational, and learning resilience.
This multifaceted perspective indicates that highly resilient companies can overcome existential crises by adapting to market shifts and surviving challenging conditions. Discussions in the literature for 2024 and 2025 focus on "incident-agnostic" planning, which emphasises the effects of disruptions rather than their specific causes. Additionally, the COVID-19 pandemic has served as a significant catalyst for the shift toward resilience. Organisations that managed to persevere were those able to improvise, quickly mobilise resources, and coordinate their teams effectively.
Professional Analysis of Resilience Strategies
A resilience program is an integrated management process that identifies potential threats and builds capacity to respond before, during, and after an unplanned event.
The Business Impact Analysis (BIA) Process
The BIA is the critical first step in resilience planning. It quantifies the financial and operational impact of a disruption on specific business processes.
Urgency and Impact: Prioritising functions based on how quickly a failure affects the organisation.
Interdependencies: Identifying the technical and human resources required for each process.
Impact Tolerance: Defining the maximum duration a system can be unavailable before business objectives are compromised.
Technical Resilience and System Architecture
Resilience is built into the architecture through redundancy and fault tolerance.
Redundancy: The use of mirrored hard disks or clustered servers to ensure that the failure of a single component does not stop the entire system.
High Availability (HA): Systems designed for 99.999% uptime, often utilising load balancing and distributed cloud workloads.
Recovery Metrics: RTO (maximum acceptable downtime) and RPO (maximum acceptable data loss) are standard benchmarks for measuring the efficiency of recovery strategies.
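The BIA prioritisation described above and the RTO/RPO benchmarks in this section are easier to audit when expressed as a check that compares objectives with measured capability. The following Python script is an added example, not part of the original text: it ranks business functions the way a BIA would (shortest impact tolerance and highest hourly loss first), then tests each supporting system's backup cadence and last measured restore time against its RPO and RTO, and finally checks whether the longest restore among a function's dependencies still fits inside that function's impact tolerance. All systems, functions, targets and timings are constructed sample data.

```python
"""Added example: reconcile BIA priorities with RTO/RPO capability.
All data below is constructed for illustration and is not from the original text."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class BusinessFunction:
    name: str
    impact_tolerance_hours: float   # maximum tolerable outage from the BIA
    hourly_loss: float              # estimated financial impact per hour of outage
    systems: List[str]              # systems this function depends on


@dataclass
class SystemRecovery:
    name: str
    rto_hours: float                # maximum acceptable downtime (objective)
    rpo_hours: float                # maximum acceptable data loss (objective)
    backup_interval_hours: float    # how often a backup is taken
    last_restore_test_hours: float  # measured duration of the most recent restore test
    last_backup: datetime           # timestamp of the most recent successful backup


def prioritise(functions: List[BusinessFunction]) -> List[BusinessFunction]:
    """BIA-style ranking: shortest impact tolerance first, then highest hourly loss."""
    return sorted(functions, key=lambda f: (f.impact_tolerance_hours, -f.hourly_loss))


def evaluate_system(system: SystemRecovery, now: datetime) -> List[str]:
    """Return findings where measured capability misses the stated objective."""
    findings = []
    # Worst-case data loss is at least one backup interval, and more if the
    # last backup is older than the interval (a missed or failed backup job).
    hours_since_backup = (now - system.last_backup).total_seconds() / 3600
    worst_case_loss = max(system.backup_interval_hours, hours_since_backup)
    if worst_case_loss > system.rpo_hours:
        findings.append(f"{system.name}: worst-case data loss {worst_case_loss:.1f}h "
                        f"exceeds RPO {system.rpo_hours}h")
    # RTO is only credible if a real restore has been completed inside it.
    if system.last_restore_test_hours > system.rto_hours:
        findings.append(f"{system.name}: last restore test took "
                        f"{system.last_restore_test_hours}h, RTO is {system.rto_hours}h")
    return findings


def evaluate_functions(functions: List[BusinessFunction],
                       systems: Dict[str, SystemRecovery],
                       now: datetime) -> Dict[str, dict]:
    """A function is down until its slowest dependency is back, so its effective
    RTO is the longest RTO among its systems; that must fit the impact tolerance."""
    report = {}
    for func in prioritise(functions):
        effective_rto = max(systems[s].rto_hours for s in func.systems)
        dependency_findings = [f for s in func.systems for f in evaluate_system(systems[s], now)]
        report[func.name] = {
            "effective_rto_hours": effective_rto,
            "within_tolerance": effective_rto <= func.impact_tolerance_hours,
            "exposure": func.hourly_loss * effective_rto,   # loss if recovery takes the full RTO
            "dependency_findings": dependency_findings,
        }
    return report


# Constructed sample data (hypothetical systems and functions).
NOW = datetime(2025, 1, 1, 12, 0)
SYSTEMS = {
    "erp-db": SystemRecovery("erp-db", rto_hours=4, rpo_hours=1, backup_interval_hours=0.25,
                             last_restore_test_hours=3, last_backup=NOW - timedelta(minutes=10)),
    "web-portal": SystemRecovery("web-portal", rto_hours=2, rpo_hours=0.5, backup_interval_hours=0.5,
                                 last_restore_test_hours=1, last_backup=NOW - timedelta(minutes=5)),
    # Daily backup that last ran 30 hours ago and a restore test that overran its RTO.
    "file-share": SystemRecovery("file-share", rto_hours=24, rpo_hours=24, backup_interval_hours=24,
                                 last_restore_test_hours=30, last_backup=NOW - timedelta(hours=30)),
}
FUNCTIONS = [
    BusinessFunction("Order processing", impact_tolerance_hours=8, hourly_loss=50_000,
                     systems=["erp-db", "web-portal"]),
    BusinessFunction("Document archive", impact_tolerance_hours=48, hourly_loss=500,
                     systems=["file-share"]),
    # Tolerance of 2h but depends on a system whose RTO is 4h: a BIA mismatch.
    BusinessFunction("Customer support", impact_tolerance_hours=2, hourly_loss=10_000,
                     systems=["erp-db"]),
]

if __name__ == "__main__":
    for name, result in evaluate_functions(FUNCTIONS, SYSTEMS, NOW).items():
        status = "OK" if result["within_tolerance"] else "TOLERANCE EXCEEDED"
        print(f"{name}: effective RTO {result['effective_rto_hours']}h [{status}], "
              f"exposure {result['exposure']:,.0f}")
        for finding in result["dependency_findings"]:
            print("  -", finding)
```

The two failure modes an auditor most often finds are both represented: a system whose backup job has silently fallen behind its interval (so real data loss exceeds the RPO on paper), and a function whose BIA tolerance is tighter than the RTO of a system it depends on, which no amount of technical redundancy on other systems will fix.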
Continuity and Recovery Planning
A Business Continuity Plan (BCP) focuses on sustaining business processes, while a Disaster Recovery Plan (DRP) focuses on restoring IT systems.
BCP: Mission-focused; may be activated alongside a DRP to manage non-IT functions such as human resources and logistics.
DRP: System-focused; provides the technical steps to restore data centres, networks, and applications at an alternate site.
Crisis Communications Plan: Ensures that internal and external stakeholders receive accurate information, which is critical for maintaining trust.
Testing, Exercising, and Maintenance
An untested plan is a major risk. Auditors emphasise that regular scenario drills—such as tabletop exercises or full-scale recovery tests—are essential for identifying flaws and ensuring that personnel are aware of their roles. Testing demonstrates a commitment to resilience to both stakeholders and regulators.
Supply Chain and Third-Party Risk
The dependence on external vendors for cloud services and critical components has introduced new vulnerabilities. Resilience programs must now integrate vendor risk management into continuity planning. This involves negotiating SLAs with resilience in mind and ensuring that vendors have their own auditable BC/DR plans.
Resilience as a Competitive Advantage
True resilience is not just a defensive posture; it is a strategic asset. Resilient organisations do not simply return to the previous state after a disruption; they use the event as a catalyst to improve processes and strengthen systems. This "bouncing forward" concept is a key distinction between traditional continuity and modern resilience.
In the current environment, the "cost of being unprepared" is catastrophic: 80% of organisations fail within 18 months of a significant outage if they lack a BC plan. Downtime is estimated to cost large enterprises thousands of dollars per minute, making resilience a clear financial priority.
The rise of AI in 2025 offers new opportunities to automate data collection and decision-making during crises. However, it also demands more technologically adept workers to bridge the gap between technical teams and senior leadership. The "resilience lead" is becoming a common role, often reporting directly to the board of directors, which indicates that resilience has reached the highest levels of corporate governance.