Review of “Becoming Resilient: The definitive guide to ISO22301 implementation” by Dejan Kosutic
In an effort to sell their services, lots of consultants jump on the ISO 22301 bandwagon. However, if you ask them how many organisations they have taken to the standard, their answers are a bit vague.
For fear of sounding a little smug, I have taken three companies through to ISO 22301, the latest being a Swedish technology firm.
This week I was in Sweden where we had our ISO 22301 stage 2 audit and yesterday I was told that the company had been recommended for certification.
One person who is very prominent on the web talking about the ISO 22301 standard is Dejan Kosutic of the Information Security and Business Continuity Academy, based in Zagreb, Croatia.
He is one of the few people on the web discussing the standard who actually seems to know what they are talking about. This week I thought I would review his book on the subject – “Becoming Resilient: The Definitive Guide to ISO 22301 Implementation”.
My first thought is that there are a number of books on business continuity, all of which claim to be the definitive guide. I read the book yesterday, on my two-and-a-half-hour journey from Sweden to Copenhagen airport.
The first thing I noticed was the chatty style in which it was written. It was not a dry text book, giving the detail clause by clause. Instead it took you on the journey from first thinking about how to persuade your senior managers to back you in going for the standard, through to how to work with the auditor when they come to audit you.
I also liked how it gave a history of the standard and how it has developed over time. At the same time as taking you through the standard’s requirements, the book gave you details on how to carry out each element of the business continuity life cycle, starting with policy development all the way through to running exercises and maintaining your management system.
I especially liked Chapter 8: Getting Ready for Certification, which talked all about how to choose an auditor and how the audit will be conducted. This is useful information which I have not seen in other books. Another thing I liked was the honesty in the book and a good understanding of how not all people in an organisation are as enthusiastic about business continuity as we are. The quote “the majority of people simply don’t care about business continuity because they think it is useless” rang particularly true!
If I were to make any criticism of the book, it would be that the business continuity procedures and ways of working were a little out of date. For example, Chapter 3 talks about return on investment and gives a formula for calculating it, which in my opinion not many people still use. The section on writing the detail of a disruptive scenario, such as a fire, and then writing a response plan for that scenario, is not a very common practice as far as I know. Plans tend to be written around loss of an asset (people, premises, resources and suppliers) rather than around the scenarios which can cause the loss.
The only major omission from the book, which is also a requirement of the standard, is that there is nothing on plan hierarchies and no mention of strategic, tactical and operational plans. As far as I could see, these are not mentioned anywhere in the book.
Perhaps I am being a little picky in my criticism. Some of the finer points I have raised would not be of interest to business continuity newcomers who are just looking for a workable system and plan.
In conclusion, if you are thinking about going for the standard and want some good background on the standard and the detail of implementing it, this book is ideal. If you are new to business continuity, this is one of the books I would buy.
“Becoming Resilient: The Definitive Guide to ISO 22301 Implementation” by Dejan Kosutic is now available to buy.