Cybersecurity GRC · ISO 22301 Business Continuity

A continuity capability that survives
a surprise exercise.

The question is not whether a major incident will occur, but whether your organization will come through it in good order. I build and maintain your continuity capability under ISO 22301: BIA, strategies, BCP and DRP plans, and above all exercises.

The engagement

What the mission covers.

BIA: knowing what matters

Identification of critical activities, interruption impacts over time, recovery objectives (RTO) and data loss objectives (RPO) validated by the business lines and top management.

Strategies and BCP / DRP plans

Degraded modes, fallback sites and resources, an IT recovery plan aligned with the BIA's RTOs and RPOs, backups isolated against ransomware: plans built to be played, not filed.

Exercises and continuous improvement

An annual exercise program, realistic scenarios, documented debriefs and corrective actions tracked to closure: what ISO 22301 requires, and what organizations most readily forget.

Towards certification, if you aim for it

A full management system, management reviews, preparation and support through the ISO 22301 certification audit when your customers or your sector require it.

Special case

Continuity does not survive an M&A deal on its own.

A BCP inherited from the seller's group no longer protects an entity that has become autonomous: shared fallback sites gone, recovery contracts left with the seller, a crisis cell to rebuild. Redefining the continuity capability is part of the separation plan, and must be tested before Day 1. That is the natural articulation with my carve-out programs, and with cyber crisis management.

Certified ISO 22301 Lead Auditor and Lead Implementer: the capability is built to the standard, with or without a certification objective.
Frequently asked questions

What I get asked about continuity.

Where does the effort start?

With the BIA, the business impact analysis: identifying critical activities, assessing the consequences of their interruption over time, and deriving the recovery objectives (RTO) and maximum data loss (RPO). Without a BIA, a continuity plan protects at random.

Should you aim for ISO 22301 certification?

Not necessarily: the standard is an excellent working framework even without certification. Certification becomes relevant when your customers or your regulator require it, or when continuity is a commercial argument in your sector.

How often should the plans be tested?

At least one exercise a year, varying the formats: tabletop for the decision cell, technical failover testing for IT, and periodically a surprise exercise. The value of a capability is measured by the date of its last exercise.

Free resource

Does your continuity actually hold?

6 pillars, 30 questions, 7 minutes. Walk away with a snapshot of your ISO 22301 maturity and your priorities.

Start the self-assessment

Would your continuity hold on Monday morning?

One 30-minute call and you know where your blind spots are and under what conditions to address them.

Book a qualification call

First call free, no commitment. See also the Cybersecurity GRC page.