From an organizational point of view, the concept of resilience is basically the same as the concept of business continuity: An organization’s ability to react properly in the event of a disaster or some other kind of disruption, and recover its operations quickly enough to avoid high losses.
But how can you be confident that your organization is adequately prepared to deal with a disruption to its critical business functionalities?
To find out, we caught up with Dejan Kosutic (@Dejan_Kosutic), the author of numerous articles, video tutorials, documentation templates, webinars and courses about the subjects of business continuity and information security management.
He is also the author of the leading ISO 27001 & ISO 22301 Blog, and has helped various organizations including financial institutions, government agencies, and IT companies implement business continuity management protocols.
Kosutic first points out that resilience used to be considered the lone responsibility of the IT department – this concept was called disaster recovery – and it basically meant that all the information systems and data would be duplicated at an alternative location so that in the event the primary location was down, IT could continue operating.
“But such a concept has proved to be insufficient in practice. If a company doesn’t recover its business processes, then computers and data will be of little use,” Kosutic said. “It is the combination of people and technology that keeps a business running, not computers only, and this is exactly why the concept of business continuity has prevailed in the last couple of years.”
Kosutic says that’s where ISO 22301 comes into play as a strategic element of any mature risk management program. Just as ISO 9001 became a synonym for quality, Kosutic believes ISO 22301 will very soon become synonymous with business continuity and resilience.
“ISO 22301 is designed in such a way that it is applicable to any industry, and any size company,” Kosutic said. “But it is most interesting for companies whose success depends on the availability of their products and services – e.g., try to imagine a bank whose payment systems are down, a cloud provider whose website is unavailable, or a telecom provider whose links are not working.”
Following this logic, Kosutic points out that there are more and more countries passing legislation that requires business continuity to be implemented, in particular for financial industry and government agencies.
ISO 22301 is a rather new international standard, having been published in 2012, that describes how to implement business continuity in any kind of organization. So how does ISO 22301 address Enterprise resilience?
“It specifies all the elements like business continuity policy, business impact analysis, risk assessment and mitigation, business continuity strategy, business continuity planning, testing and exercising, but also management elements like setting the objectives and measurement, providing resources, monitoring, improvement, and more,” Kosutic said.
That’s where business continuity fits into an enterprise risk management program. The concept of business continuity is twofold: First, to prevent the incident if possible, and second, if an incident does happen, to react in the best possible manner so that the damage is within acceptable limits.
“So basically, business continuity has grown from a technology domain into a risk management domain – its idea is to assess all possible risks and prepare for them in the best possible way,” Kosutic explained. “Consequently, many companies are placing their business continuity and information security functions within their risk management departments.”
Of course, implementing any standard is no simple matter. So what are the challenges involved in implementing ISO 22301?
“I would say the biggest challenges are the same as with other types of projects – lack of money, and lack of human resources; and all this happens because very often the top management doesn’t support the project fully,” Kosutic said. “And, to overcome this problem, before the project even starts someone has to ensure that the top management fully understands the benefits of business continuity.”
And this is where organizations typically fall short in their efforts, a matter complicated further by a lack of pre-implementation education and planning.
“Besides not having the buy-in from their top management, the second biggest mistake is to rush into business continuity without any plan, framework, or knowledge to do it,” Kosutic continued. “Telling the head of your IT department to ‘just deal with it’ won’t do any good.”
Kosutic says that in order for a project to succeed, an organization must have at least one person who is fully trained in the intricacies of business continuity, then choose a compatible business continuity framework to follow, and finally they must have a clear project structure.
“My new book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation provides the step-by-step methodology for the implementation of the whole standard, Kosutic said. “It not only explains the business continuity elements I mentioned before, but also how to approach your executives and get their buy-in, how to structure the project, how to go for the certification, and more.”
Kosutic wrote the book primarily for beginners in the business continuity field, and he tried to use plain English to explain even the most complex subjects like business impact analysis and risk assessments.
“However, I think that business continuity consultants and experienced practitioners will also find this book useful, because it not only provides a complete methodology for ISO 22301 implementation – it also gives a comprehensive overview of whole topic of business continuity,” Kosutic said.
“To provide a parallel – when I deliver my courses about the basics of ISO 22301, most of the attendees are beginners, but sometimes experienced business continuity professionals also attend such courses,” Kosutic explained.
“Typically, their comment is ‘I already knew most of the stuff from ISO 22301, but having all these things put together in one guide was definitely worth it.’”
Anthony M. Freed, who writes for The State of Security, is Tripwire’s Community Engagement & Social Media Coordinator, and has a passion for translating security techno-babble into the language of enterprise risk abatement for the business class. Prior to joining the Tripwire team, Anthony was an infosec journalist and editor who authored numerous feature articles, interviews, and investigative reports which were sourced and cited by dozens of major media outlets