It’s time for two important disciplines — business continuity and its related initiatives and cybersecurity — to collaborate better. Typically, cybersecurity and business continuity operate in different silos, but I’m keen to move them closer together, as they are both important elements of an organization’s resilience.
For example, a cybersecurity event, which is initially addressed by a cyber incident response plan, can trigger a business continuity or disaster recovery plan based on the incident’s severity and impact on business operations.
Fortunately, both areas have global standards that stipulate the creation of management systems for the continued operation and viability of the two disciplines. The International Organization for Standardization has published ISO 27001 and ISO 22301 for information security and business continuity, respectively. Each standard advocates for the creation of an information security management system (ISMS) and business continuity management system (BCMS) as the mechanism to plan, deploy and maintain programs in each discipline.
Where does collaboration fit?
ISO management systems provide a framework and structure for implementing each program. If that’s the case, we should have opportunities to integrate the management systems for cybersecurity and business continuity efforts, or at least find areas of commonality where the exchange of information and collaboration can enhance each program. The following table, based on ISO management system requirements, suggests opportunities where collaboration can occur.
Clearly, opportunities exist where cybersecurity and business continuity teams can collaborate. The key to doing this successfully boils down to completing the following steps:
- Agree that collaboration makes sense and provides additional value to the organization.
- Establish a mechanism for information sharing, joint exercising, cross-training and other relevant activities.
Assuming your organization wishes to achieve formal accreditation of its BCMS and ISMS, certain materials must be available for auditor review. The table below offers a list of those elements. Details on each can be obtained from the BCMS and ISMS frameworks.
In the above two tables, we’ve identified situations — using relevant global standards — where BC/DR and resilience teams can interact with similar cybersecurity teams. Most of the collaborative activities involve sharing data, but we’ve also identified areas where teams can benefit from participating in each other’s activities.
In the end, the secret to successfully integrating cybersecurity and business continuity is to acknowledge the value of sharing information between the two teams and to work collaboratively to identify ways each program can be improved by sharing data and experiences.