Infographic titled “Business Continuity Plan (BCP)” with the subtitle “Prepare. Continue. Recover.” It explains why BCP matters: minimising impact, staying resilient, protecting trust and meeting ISO 27001 requirements. The infographic shows a five-step BCP lifecycle: understand, plan, prepare, respond and recover. It also highlights key BCP elements such as business impact analysis, roles and responsibilities, dependencies and resources, data and backup strategy, communication planning, and testing and training. The final section connects BCP to an Assume Breach approach, focusing on compromised systems, immutable backups, verified recovery and secure recovery environments, leading to stronger resilience, lower impact, faster detection, secure recovery and reduced costs.

Assume Breach: Why Business Continuity Planning Must Be More Than a Document

Introduction

In the first post of this series, I introduced the principle of Assume Breach and highlighted three areas that are often underdeveloped in practice: Business Continuity Planning, Data Loss Prevention and Cryptography. This post takes a closer look at the first of these topics: Business Continuity Planning, or BCP. In my experience when reviewing organisations through internal audits, maturity assessments or ISO 27001 implementations, Business Continuity Planning is often present on paper. There may be a policy, a business impact analysis, a list of critical systems and perhaps even a recovery plan. However, the real question is not whether a BCP document exists. The real question is whether the organisation can continue to operate when disruption actually occurs. ...

19 June 2026 · 6 min · 1138 words · Arnold
Image depicting the flow from BCP, DLP & Cryptography through the ISO 27001 alignment into the result: Reduced impact, faster detection & response and greater operational resilience

Assume Breach: Strengthening Security with BCP and DLP

Introduction

In the past year, I have performed numerous internal audits. Across many of these audits, I observed a recurring pattern: three important security domains are often either limited in scope or insufficiently implemented: Business Continuity Planning, Data Loss Prevention and Cryptography. In most cases, an initial effort has been made. However, the actual coverage, maturity and operational effectiveness of these implementations are often lacking. In my view, these controls do not always receive the level of attention and organisational weight they deserve. ...

25 May 2026 · 4 min · 823 words · Arnold