Dejan Kosutic on Business Continuity and Disaster Preparedness
From an organizational point of view, the concept of resilience is basically the same as the concept of business continuity: An organization’s ability to react properly in the event of a disaster or some other kind of disruption, and recover its operations quickly enough to avoid high losses.
But how can you be confident that your organization is adequately prepared to deal with a disruption to its critical business functionalities?
What should you learn next?
To find out, we caught up with Dejan Kosutic (@Dejan_Kosutic), the author of numerous articles, video tutorials, documentation templates, webinars and courses about the subjects of business continuity and information security management.
He is also the author of the leading ISO 27001 & ISO 22301 Blog, and has helped various organizations including financial institutions, government agencies, and IT companies implement business continuity management protocols.
Kosutic first points out that resilience used to be considered the lone responsibility of the IT department – this concept was called disaster recovery – and it basically meant that all the information systems and data would be duplicated at an alternative location so that in the event the primary location was down, IT could continue operating.
“But such a concept has proved to be insufficient in practice. If a company doesn’t recover its business processes, then computers and data will be of little use,” Kosutic said. “It is the combination of people and technology that keeps a business running, not computers only, and this is exactly why the concept of business continuity has prevailed in the last couple of years.”
Kosutic says that’s where ISO 22301 comes into play as a strategic element of any mature risk management program. Just as ISO 9001 became a synonym for quality, Kosutic believes ISO 22301 will very soon become synonymous with business continuity and resilience.
“ISO 22301 is designed in such a way that it is applicable to any industry, and any size company,” Kosutic said. “But it is most interesting for companies whose success depends on the availability of their products and services – e.g., try to imagine a bank whose payment systems are down, a cloud provider whose website is unavailable, or a telecom provider whose links are not working.”
Following this logic, Kosutic points out that there are more and more countries passing legislation that requires business continuity to be implemented, in particular for financial industry and government agencies.
ISO 22301 is a rather new international standard, having been published in 2012, that describes how to implement business continuity in any kind of organization. So how does ISO 22301 address Enterprise resilience?
“It specifies all the elements like business continuity policy, business impact analysis, risk assessment and mitigation, business continuity strategy, business continuity planning, testing and exercising, but also management elements like setting the objectives and measurement, providing resources, monitoring, improvement, and more,” Kosutic said.
That’s where business continuity fits into an enterprise risk management program. The concept of business continuity is twofold: First, to prevent the incident if possible, and second, if an incident does happen, to react in the best possible manner so that the damage is within acceptable limits.
“So basically, business continuity has grown from a technology domain into a risk management domain – its idea is to assess all possible risks and prepare for them in the best possible way,” Kosutic explained. “Consequently, many companies are placing their business continuity and information security functions within their risk management departments.”
Of course, implementing any standard is no simple matter. So what are the challenges involved in implementing ISO 22301?
“I would say the biggest challenges are the same as with other types of projects – lack of money, and lack of human resources; and all this happens because very often the top management doesn’t support the project fully,” Kosutic said. “And, to overcome this problem, before the project even starts someone has to ensure that the top management fully understands the benefits of business continuity.”
And this is where organizations typically fall short in their efforts, a matter complicated further by a lack of pre-implementation education and planning.
“Besides not having the buy-in from their top management, the second biggest mistake is to rush into business continuity without any plan, framework, or knowledge to do it,” Kosutic continued. “Telling the head of your IT department to ‘just deal with it’ won’t do any good.”
Kosutic says that in order for a project to succeed, an organization must have at least one person who is fully trained in the intricacies of business continuity, then choose a compatible business continuity framework to follow, and finally they must have a clear project structure.
“My new book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation provides the step-by-step methodology for the implementation of the whole standard, Kosutic said. “It not only explains the business continuity elements I mentioned before, but also how to approach your executives and get their buy-in, how to structure the project, how to go for the certification, and more.”
Kosutic wrote the book primarily for beginners in the business continuity field, and he tried to use plain English to explain even the most complex subjects like business impact analysis and risk assessments.
“However, I think that business continuity consultants and experienced practitioners will also find this book useful, because it not only provides a complete methodology for ISO 22301 implementation – it also gives a comprehensive overview of whole topic of business continuity,” Kosutic said.
“To provide a parallel – when I deliver my courses about the basics of ISO 22301, most of the attendees are beginners, but sometimes experienced business continuity professionals also attend such courses,” Kosutic explained.
“Typically, their comment is ‘I already knew most of the stuff from ISO 22301, but having all these things put together in one guide was definitely worth it.’”
Anthony M. Freed, who writes for The State of Security, is Tripwire’s Community Engagement & Social Media Coordinator, and has a passion for translating security techno-babble into the language of enterprise risk abatement for the business class. Prior to joining the Tripwire team, Anthony was an infosec journalist and editor who authored numerous feature articles, interviews, and investigative reports which were sourced and cited by dozens of major media outlets
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- Dejan Kosutic on Business Continuity and Disaster Preparedness
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security