Becoming resilient against risk: the new benchmark for best-practice security*

System compromise can affect not only an organization’s information but its people and reputation 

In the information security field, best practice now looks beyond an organization’s ability to recover from incidents, to being resilient against them. 

So how do we define resilience, and what does it look like in practice? 

Information resilience is a state where an organization or its clients can access their information securely and at exactly the moment they need it, with its integrity assured, regardless of the threats that exist.

The key to achieving information resilience for an organization is to realise the importance of the information assets it controls. 

How it does this will vary by the nature of the business, but the work should always be systematic and measurable.

Upper management need to be fully engaged in the process if it is to work; that starts by asking how resilient the organization currently is.

Information resilience empowers organizations to safeguard their information – physical, digital and intellectual property – throughout its lifecycle from creation to destruction. 

It requires adopting information security-minded practices that enable stakeholders to create, store, access, use – and ultimately destroy – information securely and effectively.

In practice, this breaks down into four interconnecting subdomains to address with strategies, plans and actions.

These are: cybersecurity; information management and privacy; security awareness and training; and compliance with requirements and regulations.

When addressing these four domains, organizations need to employ operational best practices and good governance. 

They must be implemented in areas such as information security management, privacy management, third-party supplier management, awareness, vulnerability management, data loss prevention (DLP), change management and review processes.

Regular incident management exercises help organizations practice their procedures outside of an actual event. 

They should also use repeatable risk-based processes to understand potential risks from third-party suppliers.

Organizations that have achieved a state of information resilience are ready for the unexpected. 

Planning for resilience brings many business benefits and ensures the longevity and sustainability of a business.

Find out more about cybersecurity with BSI. Call 1300 730 134 or visit

*Copy supplied by BSI