Cybersecurity is a critical part of business continuity management because it helps protect an organization’s information and systems from security threats. A breach of cybersecurity can have significant consequences for an organization, such as the loss of sensitive data, monetary loss, and damage to the organization’s reputation. To prevent these types of disruptions, organizations must incorporate robust cybersecurity measures into their business continuity management plan.

There are several organizations and institutions that offer recommendations and best practices for information and cyber security. Some of the main ones include the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the Center for Internet Security (CIS), and the SANS Institute.

Here are some examples of recommendations and best practices for information security and cyber security from NIST, ISO, CIS, and SANS:

NIST recommends implementing strong password policies, regularly patching and updating software and security systems, and using encryption to protect sensitive data.

ISO recommends implementing a robust risk management program, including regular risk assessments and implementing controls to mitigate identified risks.

CIS recommends implementing a multi-layered approach to security, including both technical controls (such as firewalls and intrusion detection systems) and non-technical controls (such as employee training and incident response plans).

SANS recommends implementing a defense-in-depth strategy, which involves protecting the network and individual devices at multiple levels to reduce the likelihood and impact of a security breach.

The specific laws that require businesses to keep a degree of cyber security or resilience vary by country and jurisdiction. In the United States, for example, some of the main laws that address this issue include the Federal Information Security Management Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS).

Here are some examples of what businesses need to do to comply with FISMA, HIPAA, and PCI DSS on cyber and information security:

FISMA requires that federal agencies implement a range of security controls to protect their information and systems, including regular risk assessments, training for employees, and incident response plans.

HIPAA requires that covered entities, such as healthcare providers and insurers, implement technical, physical, and administrative safeguards to protect patient health information. This includes implementing access controls, regular risk assessments, and training for employees.

PCI DSS requires that businesses that accept credit card payments implement a range of security controls to protect cardholder data, such as using encryption, implementing firewalls, and regularly testing security systems.

In general, however, most businesses are expected to take reasonable steps to protect their sensitive data and systems from cyber threats, such as implementing strong password policies, regularly updating software and security systems, and training employees on how to identify and report potential security threats. It’s also important for businesses to have a plan for responding to and recovering from a security breach, to minimize the damage and disruption caused by such an incident.

All-in-all, there are many organizations and institutions that offer recommendations and best practices for information security and cyber security, and there are also various laws and regulations that require businesses to keep a given level of security to protect sensitive data and systems. It’s important for businesses to be aware of these requirements and recommendations, and to implement controls and measures to protect themselves against cyber threats. By following cybersecurity recommendations and best practices, organizations can reduce the risk of a cybersecurity breach and ensure the ongoing availability of their systems and data. This will help organizations keep their overall resilience and ensure their ability to continue working in the face of potential disruptions.

For more information about how to better prepare your organization against cyber-related threats with an effective Business Continuity Management System, please contact us via: