ISO 27001 · Control A.5.30

Get the business continuity proof you need for ISO 27001 certification.

Your recovery plan describes how your systems recover. A.5.30 now expects proof it works. Codekeeper rebuilds the software you depend on, confirms it recovers within your target times, and packages it into an ISO 27001 Evidence Pack for your auditor.

Tested recovery — not a plan on paper.
A DR plan says your software can be recovered. It doesn't show anyone ever has. Certification now wants the difference — and Codekeeper's ISO 27001 Evidence Pack delivers it: a real recovery, run and tested.
ISO 27001 · DORA · NIS2 · SOC 2 · FFIEC
Every framework wants to know the same thing: Could you rebuild and run your critical software on your own? One pack answers all of them.
The old way

Even a well-written continuity plan won’t get you certified.

You’ve done everything A.5.30 expects on paper: a disaster recovery plan, defined recovery times, a nightly backup. But without tested proof that recovery works when a system goes down, no auditor will issue your certificate.

It isn’t a one-time exercise, either. Every system change makes last year’s test stale, so readiness has to be retested to stay valid.

However well your DR plan reads, the certificate stays unsigned until you can prove recovery works.

The DR plan on file
Disaster recovery plan PDF
Signed · 14 Mar 2024
Not tested
Written once, never tested — so no one knows if recovery actually works.
Why we built it

We designed the ISO 27001 continuity evidence pack so you don’t fail your audit.

A.5.30 arrived in 2022 and raised the bar: a documented plan is no longer enough — now you have to demonstrate recovery. Doing that for software you don’t own or host is tough. Codekeeper turns its escrowed rebuilds into the evidence pack you hand your auditor.
  • 10+ securing mission-critical and regulated software
  • 3 500+ teams protected
  • ISO 27001 certified
  • 24 hrs to go live

What the pack gives your auditor that a plan can’t.

Each capability closes a gap a written plan leaves open. Together, they make up the tested evidence A.5.30 calls for.

Tested recovery

We rebuild your critical software from its deposit and confirm it runs, so recovery is proven, not presumed.

A Software Resilience Certificate

You get a dated, signed record that recovery was demonstrated, and when.

Line-by-line A.5.30 mapping

The pack ties each piece of evidence to the clause it satisfies, leaving nothing for the auditor to infer.

A real recovery-time number

Your recovery is timed against the targets your business impact analysis (BIA) set, so “within agreed timeframes” stops being a guess.

Scheduled retesting

We rerun the test on a set schedule, so readiness stays current between surveillance audits instead of going stale after one pass.

One document for your customers

Software vendors hand clients a single pack that settles their A.5.30 evidence, instead of working through a questionnaire round.

How it works

Hand off your A.5.30 testing and evidence in three simple steps.


1. You point us at the system that can’t go down.

The ones whose failure would halt your business are where A.5.30 expects you to prove readiness.


2. We test recovery, and repeat it every year.

An automated rebuild plus expert review runs from a vault kept separate from production, so your evidence stays current.

Codekeeper Software Resilience Certificate
Provider: Acme Cloud Ltd
Tier: Certified
Recovery test: Passed · 14 Jun 2026
Valid to: 14 Jun 2027
Authorized · Codekeeper
Verified

3. You get the finished, verified evidence pack.

The certificate, the recovery test report, and the A.5.30 mapping arrive ready to drop into your audit file.

Set up in a day. From there, the pack stays current on its own.


Teams that can prove recovery, not just plan for it.

They made the decision. They built their resilience. They have peace of mind. You can too.
“We’ve had a great experience with CodeKeeper. The setup process was smooth, and the team made everything very straightforward. Knowing our critical software assets are securely protected gives us real peace of mind. Their support has been responsive and professional, and the overall service has been reliable and easy to work with. Highly recommended.”

Jordan Adler

“We worked with Codekeeper as our escrow provider for major enterprise deployments and found them to be extremely professional, responsive, and flexible throughout.
I'd highly recommend Codekeeper. They clearly understand the realities of working with growing tech businesses and enterprise customers alike.”

Ross Kilshaw

“I found Codekeeper's solution excellent for what I need. I scheduled a demo to better understand the possibilities. Very easy! It was a clear and straightforward meeting, focused exactly on what I needed. Excellent service!”

Thiago Mendes

Framework mapping

One recurring test to satisfy five different frameworks.

The same evidence pack that proves ISO 27001 A.5.30 also covers the continuity-testing demands in the other software-resilience frameworks your auditors care about.
  • ISO 27001 A.5.30: ICT readiness for business continuity, planned and tested.
  • FFIEC — NIST CSF 2.0: Evidence mapped to the Recover function for US banking examiners.
  • DORA — Art. 28 / Arts. 24–25: Tested exit strategy for critical ICT providers.
  • NIS2 Art. 21(2)(c): Backup, disaster recovery, and continuity for in-scope entities.
  • SOC 2 — CC9: Vendor continuity evidence for the subservice organizations.
What's at stake

Two ways the next surveillance audit can go.

Without it

  • A surveillance auditor asks for evidence of ICT readiness, and all you have is a plan no one has tested. That’s a nonconformity.
  • Miss the remediation window, and the certificate can be suspended — so you can’t show it to the customers who require it.
A 90-day grace window is all you get to retest recovery and prove it — sometimes with a return audit visit — before the nonconformity escalates.

With the evidence pack

  • Recovery tested before anyone asks — hand over a dated certificate and A.5.30 mapping, and the control closes.
  • One test clears several obligations — ISO 22301, DORA, NIS2, and SOC 2 continuity too.
  • The certificate stays valid — and stays in front of the customers who want it.
Sample pack

See exactly what your auditor receives.

Inside the sample: a Software Resilience Certificate, a recovery test summary, and an A.5.30 mapping — the quickest way to judge whether the evidence holds up.

Walk into your surveillance audit with proof, not promises.

You're already testing and documenting continuity for other regulations. Codekeeper handles that work—and turns the same results into your ISO 27001 evidence pack. Start now, and earn the certification your clients are looking for.

Frequently asked questions

What is ISO 27001 control A.5.30?
A.5.30, “ICT readiness for business continuity,” is a control introduced in ISO 27001:2022. It requires that ICT recovery is planned, implemented, maintained, and tested against your business continuity objectives, so critical systems can be restored within agreed timeframes after a disruption.
How is the ISO 27001 continuity evidence pack different from a disaster recovery plan?
A disaster recovery plan describes what should happen. The evidence pack proves it does — through a recovery test run against your software, measured to your recovery times, and documented in a certificate. A.5.30 requires the second one.
Isn’t software escrow enough for ISO 27001?
Escrow satisfies the supplier and outsourced-development controls. A.5.30 is about whether recovery works, and an untested deposit doesn’t prove that. 90% of untested escrow deposits fail when someone tries to rebuild from them. The pack is the test that closes the gap.
Which regulations does this cover?
ISO 27001 A.5.30 primarily, plus ISO 22301, DORA (Arts. 11 and 24–25), NIS2 (Art. 21(2)(c)), and the SOC 2 Availability criterion. One recovery test gives you evidence for all of them.
How often does the recovery test need to be redone?
A.5.30 requires ICT recovery to be maintained and tested at planned intervals and after significant changes, and a test only proves recovery as of the day it ran. Systems and dependencies drift, so last year's pass doesn't prove this year's recovery. Codekeeper can rerun the test on a schedule you set. We also keep deposits current with daily syncs, so the certificate reflects your systems as they stand at audit, not as they were.
How fast can we have the evidence?
Setup is live in 24 hours; recovery testing and the completed pack follow on the schedule we agree on for your systems.