The question is not whether a major incident will occur, but whether your organization will come through it in good order. I build and maintain your continuity capability under ISO 22301: BIA, strategies, BCP and DRP plans, and above all exercises.
Identification of critical activities, interruption impacts over time, recovery objectives (RTO) and data loss objectives (RPO) validated by the business lines and top management.
Degraded modes, fallback sites and resources, an IT recovery plan aligned with the BIA's RTOs and RPOs, backups isolated against ransomware: plans built to be played, not filed.
An annual exercise program, realistic scenarios, documented debriefs and corrective actions tracked to closure: what ISO 22301 requires, and what organizations most readily forget.
A full management system, management reviews, preparation and support through the ISO 22301 certification audit when your customers or your sector require it.
A BCP inherited from the seller's group no longer protects an entity that has become autonomous: shared fallback sites gone, recovery contracts left with the seller, a crisis cell to rebuild. Redefining the continuity capability is part of the separation plan, and must be tested before Day 1. That is the natural articulation with my carve-out programs, and with cyber crisis management.
With the BIA, the business impact analysis: identifying critical activities, assessing the consequences of their interruption over time, and deriving the recovery objectives (RTO) and maximum data loss (RPO). Without a BIA, a continuity plan protects at random.
Not necessarily: the standard is an excellent working framework even without certification. Certification becomes relevant when your customers or your regulator require it, or when continuity is a commercial argument in your sector.
At least one exercise a year, varying the formats: tabletop for the decision cell, technical failover testing for IT, and periodically a surprise exercise. The value of a capability is measured by the date of its last exercise.
6 pillars, 30 questions, 7 minutes. Walk away with a snapshot of your ISO 22301 maturity and your priorities.
→Start the self-assessmentOne 30-minute call and you know where your blind spots are and under what conditions to address them.
→Book a qualification callFirst call free, no commitment. See also the Cybersecurity GRC page.