Introduction

In the past year, I have performed numerous internal audits. Across many of these audits, I observed a recurring pattern: three important security domains are often either limited in scope or insufficiently implemented:

  • Business Continuity Planning
  • Data Loss Prevention
  • Cryptography

In most cases, an initial effort has been made. However, the actual coverage, maturity and operational effectiveness of these implementations are often lacking. In my view, these controls do not always receive the level of attention and organisational weight they deserve.

Recent incidents, such as the reported hack at Odido involving millions of customer records, and the fire in an Almere data centre causing nationwide disruptions, underline the importance of this issue. These events show that organisations must be prepared not only to prevent incidents, but also to respond, recover and continue operating when incidents occur.

Of course, implementing these three areas properly is not easy. It requires time, effort, investment and support from across the entire organisation. Business continuity planning must be tested and realistic. Data loss prevention must go beyond tooling and be embedded in processes and behaviour. Cryptography must be supported by strong key management, lifecycle control and clear ownership.

However, I am convinced that a more mature and integrated implementation of these domains, built around the principle of Assume Breach, can significantly improve an organisation’s resilience. It increases security maturity, strengthens incident response and reduces operational impact.

Ultimately, this is not only about compliance with ISO 27001. It is about ensuring that when an incident occurs, the organisation is better prepared, better protected and better able to recover. In the long run, that also reduces the financial, operational and reputational costs of a security incident.

This post is the first in a series in which I will explore this topic in more depth.

The traditional security model assumes that strong perimeter controls can keep attackers out. Firewalls, identity controls, endpoint protection and monitoring remain important, but they are no longer sufficient. Modern organisations must operate under a more realistic principle: assume breach. This means accepting that compromise is possible, or may already have occurred, and designing security, continuity and recovery capabilities accordingly.

Aligned with ISO 27001, assume breach is not a defeatist mindset. It is a risk-based operating model that strengthens the information security management system by focusing on impact reduction, detection, response and resilience. The question shifts from “How do we prevent every incident?” to “How do we continue operating securely when something goes wrong?”

Business Continuity Plan

A key area where assume breach must be embedded is Business Continuity Planning. BCP should not only cover natural disasters, power failures or supplier outages. It must also address cyber scenarios such as ransomware, credential compromise, data corruption, cloud service disruption and loss of administrative control. ISO 27001 expects organisations to protect information security during disruption, which means continuity plans must define critical processes, acceptable downtime, recovery priorities and secure fallback procedures. Backups must be tested, segregated and protected against tampering. Crisis roles must be clear, including who can make decisions when normal communication channels are unavailable or untrusted.

Data Loss Prevention

Data Loss Prevention is another essential control area. In an assume breach model, organisations should expect that attackers may obtain access to internal systems or legitimate accounts. DLP therefore needs to focus on detecting and limiting unauthorised movement of sensitive information. This includes classification of information assets, monitoring of outbound channels, restrictions on removable media, controls around email forwarding, cloud storage governance and alerts for abnormal data access patterns. DLP should not be implemented as a purely technical tool; it must be supported by clear policies, user awareness and defined response procedures. Poorly tuned DLP creates noise. Well-designed DLP provides visibility into real business risk.
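An added example, not code from the post, of what "alerts for abnormal data access patterns" and "monitoring of outbound channels" can look like at the log level: three simple rules run over a constructed audit extract, with each user's own median daily read volume as the baseline rather than a global threshold. The log format, the destination allow-list and the office-hours window are assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample audit records (not from the post): timestamp user action object bytes destination
SAMPLE_LOG = """\
2024-03-01T09:12:00 alice read crm/customers.csv 120000 internal
2024-03-02T09:05:00 alice read crm/customers.csv 130000 internal
2024-03-03T09:30:00 alice read crm/customers.csv 110000 internal
2024-03-04T22:47:00 alice read crm/customers.csv 9000000 internal
2024-03-04T22:55:00 alice upload export.zip 9000000 mega.example
2024-03-01T11:00:00 bob read hr/payroll.xlsx 40000 internal
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\S+)$")
APPROVED_DESTINATIONS = {"internal", "sharepoint.example"}  # assumed allow-list
OFFICE_HOURS = (7, 19)  # assumed; activity outside this window is flagged

def parse(log):
    """Yield one dict per well-formed audit line; malformed lines are skipped."""
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ts, user, action, obj, size, dest = m.groups()
        yield {"day": ts[:10], "hour": int(ts[11:13]), "user": user,
               "action": action, "object": obj, "bytes": int(size), "dest": dest}

def daily_read_volume(records):
    # Bytes read per user per day: the baseline for the volume rule.
    vol = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["action"] == "read":
            vol[r["user"]][r["day"]] += r["bytes"]
    return vol

def find_alerts(log, factor=5):
    """Return (user, day, rule, detail) tuples for abnormal access and egress."""
    records = list(parse(log))
    alerts = []
    # Rule 1: a day's read volume far above the user's own median, not a global threshold.
    for user, days in daily_read_volume(records).items():
        baseline = median(days.values())
        for day, total in sorted(days.items()):
            if total > factor * baseline:
                alerts.append((user, day, "volume", total))
    # Rule 2: upload to an unapproved destination. Rule 3: activity outside office hours.
    for r in records:
        if r["action"] == "upload" and r["dest"] not in APPROVED_DESTINATIONS:
            alerts.append((r["user"], r["day"], "unapproved_destination", r["dest"]))
        if not OFFICE_HOURS[0] <= r["hour"] < OFFICE_HOURS[1]:
            alerts.append((r["user"], r["day"], "off_hours", r["object"]))
    return alerts
```

The per-user baseline is what keeps this from being the noisy DLP the post warns about: bob's routine payroll reads produce nothing, while alice's single day of bulk reads followed by an off-hours upload to an unapproved host produces four correlated alerts for one user.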

Cryptography

Cryptography becomes especially important when prevention fails. Encryption protects confidentiality when devices, databases, backups or communications are exposed. However, encryption only helps when keys are properly managed. ISO 27001-aligned cryptographic controls should include approved algorithms, secure key generation, key rotation, access restriction, certificate lifecycle management and separation of duties. Organisations should also consider where encryption is applied: data at rest, data in transit, backups, portable devices and sensitive application fields. Weak key management can turn strong encryption into a false sense of security.

Assume Breach touches the whole organisation

Assume breach also requires integration between BCP, DLP and cryptography. For example, encrypted backups are valuable only if recovery keys remain available during a crisis. DLP alerts are useful only if incident response teams can act quickly. Continuity plans are credible only if they assume that some systems, identities or data stores may be compromised.
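As an added illustration, not code from the post, of two points made above (backups protected against tampering, and recovery keys that must remain available during a crisis): an HMAC-tagged backup manifest that records the key version used, walked through key rotation, a tampered image and a key retired before its backups expired. The key material and the backup image are constructed placeholders.

```python
import hmac
import hashlib

# Constructed example (not from the post): each backup image carries a manifest naming
# the key version that authenticated it, so restore can tell "tampered" from "key missing".
def protect_backup(image: bytes, key_id: str, keys: dict) -> dict:
    """Produce a manifest for `image`, authenticated with the key version `key_id`."""
    tag = hmac.new(keys[key_id], image, hashlib.sha256).hexdigest()
    return {"key_id": key_id, "tag": tag}

def verify_backup(image: bytes, manifest: dict, keys: dict) -> str:
    """Return 'ok', 'key_unavailable' or 'tampered'; never restore on anything but 'ok'."""
    key = keys.get(manifest["key_id"])
    if key is None:
        return "key_unavailable"  # a continuity failure: the backup may be intact but unusable
    expected = hmac.new(key, image, hashlib.sha256).hexdigest()
    return "ok" if hmac.compare_digest(expected, manifest["tag"]) else "tampered"

def recovery_drill():
    """Walk one backup through rotation, tampering and premature key retirement."""
    image = b"constructed backup image: customers.db, 2024-03-04"
    keys = {"v1": b"constructed-key-v1-0123456789abcdef"}  # placeholder key material
    manifest = protect_backup(image, "v1", keys)
    outcomes = {"fresh": verify_backup(image, manifest, keys)}
    # Rotation: new backups will use v2, but v1 stays in escrow while v1 backups exist.
    keys["v2"] = b"constructed-key-v2-fedcba9876543210"
    outcomes["after_rotation"] = verify_backup(image, manifest, keys)
    # A single flipped byte must be rejected even though the right key is present.
    tampered = image[:-1] + bytes([image[-1] ^ 0x01])
    outcomes["tampered"] = verify_backup(tampered, manifest, keys)
    # Retiring v1 before its backups expire: the check fails closed and recovery is blocked.
    del keys["v1"]
    outcomes["key_retired_early"] = verify_backup(image, manifest, keys)
    return outcomes

if __name__ == "__main__":
    for scenario, result in recovery_drill().items():
        print(f"{scenario}: {result}")
```

The HMAC layer covers integrity only; confidentiality of the image is a separate encryption layer with the same key-availability requirement, which is exactly why the drill retires a key and checks what happens.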

In practical terms, ISO 27001 supports this approach through risk assessment, control selection, incident management, continuity planning, asset protection and continual improvement. Organisations should test breach scenarios, review lessons learned and update controls accordingly.

Assume breach is ultimately about resilience. It recognizes that perfect prevention is unrealistic, but controlled impact, secure recovery and sustained trust are achievable.