Is it time Business Continuity published its own control sets?

One of the advantages of moving away from business continuity (BC) and working in information security for a period of time is the perspective it provides when contrasting how successfully each profession has embedded its practices in value chains across the world. One area that I feel contributes to business continuity gaining less traction than information security is the lack of defined controls, whether in published guidance or in standards.

The ISO 27001 standard defines 114 controls, and these are elaborated through additional guidance in ISO 27002. This approach provides a common language across the value chain, enables the robust design of information security management systems, and makes it possible to provide assurance across participants. Contrast this with business continuity, where each value chain member essentially develops its own controls and expends considerable time and effort ‘aligning’ them with everyone else’s.

The challenge will be exacerbated by the adoption of operational resilience frameworks, as the protective disciplines supporting the framework are asked to come together to determine the holistic resilience profile. BC will not have a unified approach to bring to that table. It may be too late to tackle the lack of a common controls framework, given that recent revisions to BC standards have not addressed this omission. It will more likely fall to the emerging operational resilience standards to ensure that a comprehensive control set is made available to drive consistency and increased adoption of business continuity practices across the value chain.
