ISO 27001/ISO 22301 documents, presentation decks and implementation guidelines


Have a question on ISO 27001 or ISO 22301?

Ask an Expert

Free eBook

Free eBook 9 Steps to Cybersecurity
Becoming Resilient: The Definitive Guide to ISO 22301 Implementation
Sign up for our free Newsletter and as bonus you'll receive my tips on how to launch an information security and business continuity project.



ISO 22301: An overview of BCM implementation process


September 10, 2014


How to deal with BCM sceptics?

'By 'Dejan Kosutic on October 05, 2010

Have you ever heard something like “It can’t be done”, “It has no use”, or “It’s useless if a major disaster occurs”? If you implemented business continuity management, you probably did. Naturally, such an attitude would not help your project, so here are some suggestions how to handle such people.

“If a major disaster occurs, we won’t be able to do anything”

This is probably the most common one. Well, they may be right, unless you really prepared your business continuity strategy and business continuity plans taking into account all the possible scenarios – if you did that, then you can explain to them that you have prepared an alternative site which is distant enough to withstand any kind of disaster, that you’ve made a backup copy of data, that there is a replacement for any employee in the company, that you have alternative suppliers for any critical service etc.

“If a nuclear war breaks out, it won’t work”

Well, unless you are a military supplier, it wouldn’t matter, would it? Basically, in this kind of catastrophic scenarios, your business probably wouldn’t have a purpose anymore.

“It has no use”

Just pray you’ll never have to use business continuity. Even without mentioning the well-known examples like 9/11 or Hurricane Katrina, it is enough to ask – have you ever experienced a power outage? Or did your server break down? Or maybe a PC with important data on it? Have you ever heard of a building that burned down completely? It is enough to read newspaper headlines to understand that those things can happen to anyone.

“We will do this only to satisfy the auditor”

Wrong priority. If you do it properly, you’ll protect yourself, and as a consequence your auditor will be happy.

“We can’t foresee all the incidents”

This is true, at least in the beginning. But if you perform your risk assessment right, use literature and various resources, and review the assessment regularly, the chances are that in time you’ll be able to take into account all the possible risks. Once you know them, you can prepare your response.

“In case of emergency, people will start looking after their families, not after the business”

True also. Who wouldn’t call his/her family first to see if they are all right in case of an earthquake? But if you plan very carefully who can go home right after an incident occurs and who must stay and resolve the situation, and if you take care of the family of the employees that must stay (e.g. by assigning some other employees to this task), then you’ve probably solved this problem.

“People will react irrationally in crisis situations”

Definitely true. But if you train your employees (and suppliers/partners) regularly, and if you exercise your business continuity plans, they will get used to stressful situations, and will probably respond in the right way if such situations occurs.

If you already implemented similar projects, you know how awareness is important – if your co-workers do not recognize the purpose of such projects, you will experience great difficulties with implementation. Not to mention that your project might altogether fail – this is why you need to consider awareness raising in advance.

You can also check out our webinar BS 25999-2 Foundations Part 2: Business Continuity Strategy which explains how to prepare for different disruption scenarios (commercially sold training).

  • Chris Ng


    Well said! ;> In the Asian countries, BCM will have its challenges. The no. 1 reason for this is the cost. The 2nd reason is that they always believe the so-called disaster will not happen to them.

    Fortunately in Singapore, the government is very proactive in BCM. We have a standrad called SS 540, which is the Singapore Standard for Business Continuity Management (BCM) As this is a very comprehensive standard, if you have performed the SS 540 certification, you can generally cover all the BS 25999 elements.

    I have just done a seminar with the Information Technology Standards Committee (ITSC) of Infocomm Authority of Singapore(IDA) on the SS 540 and its relationship to ISO 27001 standards. The reponses are good and it seems that people are more aware of BCM.

    Chris Ng
    Product Manager / Lead Auditor

  • Dejan Kosutic

    Thank you for your comment! Could you say a little bit more about SS 540 standard – is it mandatory in Singapore? How many companies have implemented it?

  • business continuity disaster planning

    ISO are the key qualifiers for the business plans

  • Michael Christensen

    Good points. I agree. Training is the key as is management support and funding.