Home

Blog

ISO 27001A.5.30

Annex A.5.30: ICT readiness for business continuity

The new 27001:2022 control that tripped half the certified companies. What it really takes to clear it.

January 22, 2026 1 min read

ISO 27001AuditDR

ISO 27001 audits and DR: what auditors actually ask

Three things: a DR plan, evidence of drills, change tracking. Everything else is garnish.

January 27, 2026 2 min read

NIS2Audit

NIS2 audit: the checklist we actually use in-house

52 items grouped into 10 macro-areas. One day of work for the first pass, half a day for subsequent ones.

January 2, 2026 2 min read

Disaster RecoveryBackup

Backup is not Disaster Recovery (and here is why)

A backup is necessary but not sufficient for DR. The eight things that have to come after the backup before you can call a system real Disaster Recovery.

September 19, 2025 3 min read

MSPBCDRPillar

BCDR for MSPs: the complete 2026 guide

How to structure a successful BCDR offering: pricing, SLAs, multi-tenant, runbooks, real margins. Everything an MSP needs to know before selling DR.

October 9, 2025 4 min read

ISO 27001BIA

Business Impact Analysis: how to run it in half a day

BIA usually means endless Excel sheets. Here is a lightweight format that produces useful results in four hours.

February 21, 2026 1 min read

ISO 27001Pubblica amministrazione

Certifications and public tenders: what the public sector actually asks

AgID, qualifications, ISO 27001 / 27017 / 27018: the updated 2026 map of what is needed to bid in Italian public tenders.

February 16, 2026 1 min read

NIS2Compliance

Who is subject to NIS2 in Italy (and who is not as exempt as they think)

Essential and important sectors, size thresholds and the borderline cases (supply chain, IT providers) that often think they are out of scope.

December 3, 2025 1 min read

Disaster RecoveryRTOBIA

How to calculate your real RTO (not the one on paper)

A step-by-step method to measure a realistic RTO starting from a Business Impact Analysis. Spreadsheet template and the mistakes to avoid.

August 30, 2025 3 min read

L2 TunnelHardwareConnector

The Sefthy Connector: inside the NanoPi R3S LTS

Why we picked a NanoPi R3S LTS in a CNC case. SoC, real throughput, out-of-band management and why a mini-PC was the wrong call.

April 22, 2026 2 min read

Disaster RecoveryCostiTCO

The hidden costs of DIY Disaster Recovery

Storage pricing is not DR pricing. Hardware, bandwidth, head-count, drills, training: everything missing from your storage vendor's quote.

September 14, 2025 2 min read

MSPDifferenziazione

How to differentiate from other MSPs with a serious managed DR

Everyone has backups. What separates good MSPs is the runbook, the quarterly drill and treating DR as a service, not a product.

November 3, 2025 1 min read

Disaster RecoveryBCDRPillar

Disaster Recovery: the complete 2026 guide

What Disaster Recovery is, how it is measured (RTO/RPO), which architectures exist and how to pick the right solution. Sefthy's reference guide.

August 20, 2025 5 min read

Disaster RecoveryCloudArchitettura

Cloud DR vs on-prem DR: an honest comparison

Cost, RTO, operational complexity, compliance: a head-to-head comparison between cloud DR and a secondary on-prem site. When the second datacentre still makes sense.

September 9, 2025 2 min read

Disaster RecoveryPMIItalia

Disaster Recovery for Italian SMBs: what really matters

SMBs, NIS2, public-tender requirements, cyber insurance: the 2026 picture and three feasible DR tiers for small budgets.

September 24, 2025 2 min read

L2 TunnelDNS

Failover without touching DNS: the L2 dividend

Flipping DNS records under stress is the worst part of L3 DR. With an L2 tunnel you skip it entirely because the IP does not change.

April 17, 2026 2 min read

Disaster RecoveryGDPRSovranità

Geo-redundancy in Italy: GDPR, NIS2 and data sovereignty

Having DR in a "European" cloud is no longer enough: what changes with NIS2, AgID and Italy's National Strategic Hub, and why an Italian cloud actually matters.

September 29, 2025 2 min read

ISO 27001Continuità operativaPillar

ISO/IEC 27001:2022 and business continuity: the complete guide

The Annex A controls that directly involve DR and continuity: A.5.30, A.8.13, A.8.14. What auditors actually ask for.

January 17, 2026 4 min read

ISO 27001Cloud

How to vet a cloud provider under ISO 27001

Fourteen questions to ask a cloud provider during selection. Which answers are acceptable, which should stop the deal.

March 3, 2026 2 min read

ISO 27001MSP

ISO 27001 for MSPs: is it worth it in 2026?

Typical cost (€15-35k year one), concrete sales upside and the two verticals where you cannot bid without certification.

February 11, 2026 1 min read

ISO 27001ISO 27017ISO 27018

ISO 27001 vs 27017 vs 27018: which ones do you need for cloud?

ISO 27001 is the framework. 27017 and 27018 are cloud-specific extensions. Which certification stack you actually need to bid for public-sector contracts.

February 1, 2026 2 min read

L2 TunnelLegacy

L2 and legacy apps: a lifeline for 2005-era ERPs

Legacy apps with hard-coded IPs are the main obstacle to clean DR. An L2 tunnel makes them recoverable without rewriting them.

March 28, 2026 2 min read

L2 TunnelDisaster RecoveryPillar

L2 tunnels for Disaster Recovery: the complete guide

What a Layer-2 tunnel is, why in DR it matters more than anything else and how this single architectural choice separates a 4-minute RTO from a 4-hour one.

March 8, 2026 4 min read

L2 TunnelMulti-sito

Multi-site L2 tunnels: extending several LANs into the same cloud

One head office, two branches, one shared DR cloud. How to do it with the Connector without creating IP collisions.

April 12, 2026 2 min read

L2 TunnelSicurezza

L2 tunnels: security and encryption deep dive

Encryption, tenant isolation, mutual auth: what makes an enterprise-grade L2 tunnel actually secure and the questions to ask vendors.

April 2, 2026 2 min read

L2 TunnelPerformance

L2-to-cloud latency: real-world numbers

Real Connector ↔ Sefthy datacentre latency in three setups: fibre, FTTH 2.5G, 5G. What works and what does not.

April 7, 2026 1 min read

L2 TunnelNetworking

Layer 2 vs Layer 3 in DR: practical differences

Layer 3 DR is the historical default, but it brings NAT, DNS reconfiguration and site-to-site VPN. Layer 2 eliminates roughly 70% of that work.

March 13, 2026 1 min read

MSPMargineBCDR

MSP margin on DR: real numbers, not brochure numbers

Typical gross margins for managed DR (45-60%), what erodes them over time and the three levers that bring them back above 50% without raising prices.

November 23, 2025 1 min read

NIS2Tecnica

The ten minimum technical measures NIS2 demands

Article 21 lists ten mandatory areas. We map them to concrete controls already in ISO 27001 and NIST CSF, avoiding duplicate work.

December 23, 2025 2 min read

MSPMonitoringBCDR

DR + monitoring bundle: why it outperforms DR on its own

Selling monitoring together with DR raises average revenue per customer by 35% and reduces churn. The three metrics customers want to see every week.

November 13, 2025 1 min read

MSPRansomwareResponsabilità

MSPs and ransomware: liability, contracts and what to do upfront

What an MSP risks when a customer gets encrypted. Useful contractual clauses, cyber insurance, operational playbook for the first 24 hours.

October 29, 2025 2 min read

NIS2Sanzioni

NIS2: Italian deadlines and effective penalties

The dates that matter (registration, notification, controls) and the actual numbers of fines ACN can issue. What has already happened in 2025-2026.

December 8, 2025 1 min read

NIS2CompliancePillar

NIS2 and Disaster Recovery: the complete guide

What NIS2 demands on business continuity and DR. Article 21, Italian deadlines, penalties and a concrete checklist to reach compliance.

November 28, 2025 4 min read

NIS2Supply chain

NIS2 and IT suppliers: how to handle the supply chain

NIS2 entities must assess their IT suppliers. What to ask, what to require contractually, what to accept as an attestation.

January 7, 2026 2 min read

NIS2Settori

Essential vs important sectors in NIS2: what changes

Concrete differences between essential and important entities: controls, maximum fines, audit frequency. Examples for each category.

December 18, 2025 2 min read

NIS2GDPR

NIS2 vs GDPR: two regimes, one governance

Overlaps, differences and the seven areas where a GDPR-compliant company is already halfway to NIS2 readiness.

December 13, 2025 2 min read

NIS2Incident

NIS2 incident notification: 24h, 72h and the final report

What to file at each of the three notification deadlines. Early-warning template and the three mistakes that make a filing officially "late".

December 28, 2025 2 min read

MSPOnboardingBCDR

Onboarding a DR customer in 5 days: the operational plan

Day-by-day of a clean DR onboarding: from discovery to first failover drill. Why five days is the right number, not five weeks.

November 8, 2025 1 min read

ISO 27001Template

Business continuity policy: downloadable template

A four-page business continuity policy that passes ISO 27001 audit without questions. Markdown, fully editable.

February 26, 2026 2 min read

MSPPricingBCDR

How to price BCDR as an MSP (with worked examples)

Three BCDR pricing models (per VM, per GB, per workload), realistic gross margins and the number-one mistake that burns the books at year end.

October 14, 2025 2 min read

MSPReportingBCDR

The DR report your customer actually reads

Five charts, one table, one paragraph of context. How to structure a monthly DR report the IT director can scan in five minutes.

November 18, 2025 1 min read

ISO 27001Risk

Risk assessment for DR: the method we follow

A blended qualitative-quantitative method that yields a usable risk-impact matrix in four hours — not another PDF to file away.

February 6, 2026 2 min read

Disaster RecoveryRTORPO

RTO vs RPO: differences, examples and how to actually measure them

RTO and RPO are the two numbers that define every DR project. We explain what they are, how to calculate them and why in practice they are almost always under-declared.

August 25, 2025 3 min read

NIS2Sefthy

Sefthy and NIS2: how we help you, concretely

Mapping the ten Article 21 areas to Sefthy features. What we solve directly, what stays your responsibility.

January 12, 2026 2 min read

MSPSLABCDR

Which DR SLA to propose to your client

Availability, RTO, RPO, test windows: how to write a DR SLA that protects both customer and MSP. Template included.

October 19, 2025 2 min read

Disaster RecoverySnapshotReplica

Snapshots vs continuous replication: choosing without regrets

When a 5-minute RPO is enough and when you need sub-second. The difference between interval snapshots, CDP and synchronous replication and what each really costs.

October 4, 2025 2 min read

L2 TunnelIP

Same IP in the cloud: how it actually works

A technical walkthrough (with ARP captures) showing how a Sefthy Connector extends the customer subnet into the Sefthy cloud while preserving original IPs.

March 23, 2026 2 min read

Disaster RecoveryTest

DR drills: how often to run them and how

Four levels of DR drill (tabletop, walkthrough, partial, full failover), the cadences recommended by NIST and ISO 22301 and an operational checklist.

September 4, 2025 2 min read

MSPSalesBCDR

Selling DR to SMB customers without underselling

The six objections you hear from small customers and how to answer them with data, not slides — without racing to the bottom on price.

October 24, 2025 2 min read

L2 TunnelVPN

Site-to-site VPN vs L2 tunnel: what changes for DR

A site-to-site VPN routes packets between different subnets. An L2 tunnel extends the same subnet. The difference only shows up when something breaks.

March 18, 2026 2 min read

Articles