Episode 92 — Facilitate Resiliency Planning Inputs: COOP, External Factors, Laws, and BIA
In this episode, we’re going to build a clear picture of what resiliency planning actually needs as input, because strong plans do not start with a template or a checklist, they start with good information. Resiliency is the ability to keep delivering what matters even when something goes wrong, and that depends on understanding what must continue, what can pause, and what rules or constraints shape your options. The titles in this part of the series use a few important planning terms that can feel abstract at first, so we will translate them into plain language and connect them to practical decision-making. Some of these inputs come from inside the organization, like what the business depends on, and some come from outside, like laws and external disruptions. When you understand these inputs, you can support planning that is realistic, defensible, and actually helpful during a disruptive event.
A key idea to anchor early is the difference between resilience as a general goal and a resiliency plan as a set of decisions. Many people confuse resiliency with strength, like having the biggest systems or the most backups, but resiliency is more about adaptability. If a key facility becomes unavailable, resiliency is the ability to continue critical work through alternate locations, alternate processes, or alternate systems. If a supplier fails, resiliency is the ability to operate for a period of time without them or to switch to a substitute quickly. This is why planning must start with understanding what the organization does and what it depends on, not with buying new technology. In a beginner context, think of resiliency like planning for a school day when the building is closed: you need to know which classes must still happen, what resources they require, and what rules exist about attendance and privacy.
One of the most important inputs is a Continuity of Operations Plan (COOP), which is focused on keeping essential functions running during a disruption. COOP is not just about information technology, and that is a point that beginners often miss. It includes decisions about leadership succession, essential staff, alternate work sites, minimum resources, communications methods, and how the organization will operate in a degraded mode. If a disaster disrupts normal operations, COOP answers questions like who is in charge, how do we contact the right people, and what must be done first to keep the mission alive. When you facilitate planning inputs, you are often helping planners translate the mission into a small set of functions that cannot stop, even if everything else slows down. That mission-centered view is the foundation that keeps a plan from becoming a long list of unrelated tasks.
COOP inputs are especially important because they force clarity about priorities, and priorities are what you need when time and resources are limited. If you try to restore everything at once, you will restore nothing well, and you may create new failures by spreading people too thin. A good COOP input set identifies essential functions, the minimum acceptable level of performance for each, and the conditions under which the organization shifts into continuity mode. It also defines the triggers for escalation, meaning when leadership should treat an event as serious enough to activate continuity procedures. For new learners, a helpful mental model is a hospital during a storm: elective appointments might stop, but emergency care continues, and the plan focuses on that essential service first. The same idea applies in other organizations, even if the mission is different, because the point is to preserve what matters most under pressure.
External factors are another major input category, and they include disruptions the organization cannot control but must be ready for. External factors can be natural, like severe weather, earthquakes, or wildfires, and they can be human-made, like power grid failures, civil unrest, supply chain disruptions, or widespread malware outbreaks impacting many organizations at once. External factors can also include dependency failures, such as a cloud provider outage or a telecom disruption that prevents staff from connecting. When facilitating resiliency planning, you are not predicting the future with perfect accuracy, but you are helping the organization think through plausible disruptions that would stress its operations. A useful approach is to ask, what do we rely on that is outside our direct control, and what would happen if it failed for a day, a week, or longer. The insight here is that resiliency is often about dependencies, and dependencies are often external.
External factors also include changes in the environment around the organization, such as economic conditions, geopolitical events, and regional infrastructure issues. For example, if a region frequently experiences storms, that affects how you plan for alternate work, generator capacity, and vendor contracts. If a region has limited medical resources, staffing shortages might last longer during a crisis, affecting how quickly operations can stabilize. Even for a beginner audience, it helps to see that resiliency planning is not only a security concern, it is a broad organizational concern that security leaders must understand. Security is often involved because disruptions can lead to increased pressure to bypass controls, and that creates new risks if planning does not include safe ways to operate under stress. When you account for external factors upfront, you reduce the chance that the plan collapses the moment reality differs from assumptions.
Laws and legal obligations are another essential input, and they shape what you are allowed to do during disruptions, not just what you want to do. Laws can require certain services to be maintained, certain records to be protected, or certain notifications to be made when incidents occur. Laws can also restrict how data is accessed, shared, or moved across locations, which matters when you want to shift operations to alternate sites or use external support. Some laws focus on privacy, some on safety, some on financial reporting, and some on industry regulation, but all of them can create constraints that your continuity plan must respect. The key beginner takeaway is that in a crisis, you do not get to temporarily ignore laws just because it is inconvenient. A resilient organization plans so that legal compliance remains possible even in degraded operations.
Legal inputs also matter because they can influence how you define criticality and acceptable downtime. For instance, if regulations require timely reporting, that reporting function becomes essential even when other work pauses. If privacy laws require strict access controls, you cannot simply broaden access to data to speed recovery without creating a compliance failure. This does not mean resiliency planning is mainly about avoiding trouble, it means resiliency planning must be realistic about what is permitted and what is required. When facilitating these inputs, you might not be acting as a lawyer, but you should know how to involve the right expertise early. The goal is to make sure the plan’s assumptions are legally defensible, because an illegal workaround is not truly resilient, it is just delaying one problem and creating another.
A Business Impact Analysis (BIA) is a major input that turns mission and operations into measurable priorities. A BIA identifies business functions, the resources they depend on, and the impact if those functions are disrupted. It often includes impacts like revenue loss, safety risks, legal violations, reputational damage, and operational backlogs. It also helps define time-based thresholds, such as how long a function can be down before the impact becomes unacceptable. Even though BIA sounds like a formal process, at its core it is an organized way of answering the question, what happens if we cannot do this work, and when does that become a serious problem. For beginners, think of it as mapping what the organization needs to keep going and what happens over time as interruptions extend from minutes to hours to days.
The BIA also helps connect technical systems to business outcomes, which is often where misunderstandings happen. People might believe that a specific system is critical because it is popular or because it is expensive, but the BIA asks how that system supports essential functions. It forces the organization to identify upstream and downstream dependencies, like whether one department’s work depends on another department completing tasks first. It also exposes hidden single points of failure, such as one key vendor, one unique dataset, or one specialized employee who knows how to run a process. When you facilitate BIA inputs, you help participants describe impacts in plain terms and avoid exaggeration, because if everything is labeled critical, then nothing is prioritized. The BIA is valuable precisely because it helps organizations choose, and choosing is what enables practical planning.
Another important part of facilitating inputs is aligning COOP and BIA outputs so they do not contradict each other. COOP may define essential functions based on mission and leadership needs, while the BIA may define priorities based on operational impact and time thresholds. If those sets do not match, the plan will confuse people during a crisis, because one document says function A is first while another says function B must be restored sooner. Facilitating means helping different stakeholders talk to each other until priorities make sense across the organization. This is a communication challenge as much as an analysis challenge, because departments often see their own work as most important. A good facilitator keeps the conversation anchored to mission, impact, and time, not to internal politics or personal preferences.
Facilitation also means capturing assumptions explicitly, because unspoken assumptions are one of the biggest reasons plans fail. People assume that power will be available, that staff will be able to travel, that suppliers will deliver, or that internet connectivity will remain stable, and those assumptions may be wrong during real events. When assumptions are written down, the organization can test whether they are realistic and can add contingencies where needed. For example, if the plan assumes staff can work remotely, it should also consider what happens if a regional outage prevents connectivity. If the plan assumes an alternate site is available, it should consider whether that site shares the same risks as the primary site. Making assumptions visible turns them into planning inputs that can be challenged and improved.
Finally, the quality of resiliency planning depends on how well the inputs are maintained over time, because missions, laws, and dependencies change. New systems are adopted, vendors change, staff roles shift, and legal obligations evolve, and any of those changes can quietly break a plan. Facilitating inputs is not a one-time meeting, it is an ongoing practice of gathering, validating, and updating the information that planning decisions depend on. That includes revisiting BIA results, confirming that COOP essential functions still reflect the mission, and monitoring external factors that could introduce new risks. When the inputs stay current, the plans built from them remain usable and credible. When inputs become outdated, plans become confidence theater, and that false confidence is often more dangerous than admitting you are unprepared.
Resiliency planning becomes much more effective when you treat it as a disciplined way to collect and align inputs that guide decisions under pressure. COOP provides the mission-focused continuity priorities and leadership structure needed to operate during disruption, while external factors remind you that dependencies and environmental realities will shape what is possible. Laws add constraints and obligations that cannot be ignored, even during emergencies, and BIA connects business functions to time-based impacts so restoration priorities are grounded in reality. Facilitating these inputs means helping people define terms clearly, surface assumptions, resolve conflicts between priorities, and keep information current as the organization evolves. When those inputs are strong, the resulting resiliency plans are not just documents, they are decision frameworks that help an organization continue operating safely and responsibly when conditions are at their worst.