Can business continuity strategy save your money?

By Dejan Kosutic on March 15, 2010

Are you thinking about implementing the business continuity management/BS 25999-2 standard, but have heard that it will cost you a lot? It probably will cost you, but not necessarily as much as you thought – you can solve this with a good business continuity strategy.

Business continuity strategy, as defined in the BS 25999-2 standard, is an “approach by an organization that will ensure its recovery and continuity in the face of a disaster or other major incident or business disruption”. The point, therefore, is to prepare yourself in the best possible manner to counteract a disaster should one occur. This preparation can include organizational measures (drawing up plans, making contracts with suppliers/partners, exercising, reviewing, awareness raising, etc.) and measures that involve investment in equipment, infrastructure, etc.

Time is a very important factor in recovery – if you do not recover your business in time, you will probably lose your customers and consequently lose your business as well. So the business continuity strategy must set the recovery time objective (RTO) for each of your critical activities, and the RTO can be different for each of them.

One important consideration: the shorter the RTO, the bigger the investment you will need. For instance, if you want to recover your data centre in less than one hour, you will have to install almost the same equipment at an alternative location as you have at the primary location; on the other hand, if you want to recover your data centre in two weeks, the investment will be much lower, because it would be enough to store the backup tapes at the alternative location, leaving you two weeks to obtain the necessary equipment. All this means that your RTO must not be too long, but not too short either.

Once the RTO is set, you will still need to make some investment; however, with a good business continuity strategy you will be able to decrease that investment, while still being able to recover your critical activities within the recovery time objective. Here are some examples:

  • you might not need your own data centre at an alternative location – in most countries you can rent such a location from a specialized company, which means you don’t need to invest in infrastructure, maybe not even in equipment or software,
  • you might not need offices at an alternative location – employees who do not have to meet customers face-to-face can work from their homes,
  • you might not need an alternative location at all if you have other business units at different locations which could take over the critical activities affected by the disaster,
  • you might not need to purchase equipment in advance if you can find a supplier that can guarantee delivery of the equipment within your RTO,
  • etc.

In all these examples you will need to increase your organizational capabilities, but if you want to save some money, it sure is something worth thinking about.

You can also check out our webinar BS 25999-2 Foundations Part 2: Business Continuity Strategy (commercially sold training).

  • Suzana Stojakovic – Celustka

    What if the office/working place is distributed, i.e. a so-called “virtual office”, where there is no fixed equipment and no buildings, but there are more or less mobile working places scattered around (possibly worldwide), connected via the Internet? How does BCM apply in such a case?

  • Dejan

    In such a case the emphasis of the BC strategy will not be on the recovery of technology, but on the recovery of people, processes, relationships with customers and suppliers, data in paper form, etc.

  • Suzana Stojakovic – Celustka

    What implication would such a shift of emphasis have on total BCM costs? What is the real price of human life and how can it be evaluated? Take as an example the recent earthquake disasters. Isn’t the shift of importance from technology to human beings (which should be, in my opinion, a real priority in BCM) a costlier one?

  • Sachin

    Hi Dejan. I’m facing an issue in collecting quality BIA data from my client. The issue is misinterpretation of RTO/RPO and dependency department. My doubts are:
    a) How to proceed further to fasten the process?
    b) Can you throw some light on RPO applicability?
    c) While identifying the dependency of one process of a department on another department, can you help me understand how to use the dependency item, as explained in your BIA description?


  • Dejan Kosutic


    Regarding the dependencies, you have to identify which activities are dependent on others for recovering their operations – if activity A is dependent on activity B, and activity A has RTO set to 24 hours, then activity B must have RTO set to 24 hours or less.

    I believe you’ll get the answers to the rest of your questions in these blog posts:
    - What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)?
    - Five Tips for Successful Business Impact Analysis
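
The dependency rule from the reply above, applied to a whole set of BIA records, as an added example that is not part of the original post or its comments. The activity names and RTO values are constructed, and the rule is applied transitively, which goes beyond the single A/B pair in the reply.

```python
# Constructed sample BIA records: activity -> (stated RTO in hours, dependencies).
ACTIVITIES = {
    "order_processing": (24, ["payment_gateway", "customer_db"]),
    "payment_gateway": (8, ["network"]),
    "customer_db": (48, ["storage"]),
    "storage": (72, []),
    "network": (4, []),
}


def required_rtos(activities):
    """Tightest RTO each activity must meet once its dependants are considered."""
    for name, (_, deps) in activities.items():
        missing = [d for d in deps if d not in activities]
        if missing:
            # A dependency with no BIA record cannot be checked at all.
            raise ValueError(f"{name} depends on activities without an RTO: {missing}")
    required = {name: rto for name, (rto, _) in activities.items()}
    changed = True
    while changed:  # values only ever decrease, so this ends even on cycles
        changed = False
        for name, (_, deps) in activities.items():
            for dep in deps:
                # A dependency must recover no later than the activity using it.
                if required[dep] > required[name]:
                    required[dep] = required[name]
                    changed = True
    return required


def rto_violations(activities):
    """Map each activity whose stated RTO is too long to (stated, required)."""
    required = required_rtos(activities)
    return {
        name: (rto, required[name])
        for name, (rto, _) in activities.items()
        if rto > required[name]
    }


if __name__ == "__main__":
    for name, (stated, needed) in rto_violations(ACTIVITIES).items():
        print(f"{name}: stated RTO {stated}h, must be {needed}h or less")
```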

  • suzanne

    Can somebody help with this: when we deal with BCP, and the risk assessment in particular, we always refer to system risk assessment/vulnerability assessment, so is it limited to systems? Can we say Tenable, for example, or Qualys can be used as the only technique in assessment?

  • Dejan Kosutic

    Suzanne, neither ISO 22301 nor ISO 27001 requires you to use a particular methodology for risk assessment – you can use any technique you feel is appropriate. You should not assess IT risks – you should assess all the risks that could influence the availability of your operations or the security of your information.

    See also this webinar: The basics of risk assessment and treatment according to ISO 27001