Managing cyber resilience with RESILIA

RESILIA CoverRESILIA™ Cyber Resilience Best Practice was launched in June 2015.  It is the latest publication from AXELOS, joining their existing portfolio of management practices that includes ITIL® for IT service management, PRINCE2® for project management and many more. As the lead author and chief examiner I have been extremely busy over the past few months helping to ensure that everything is in place. I am amazed that we managed to get the syllabus and exams ready at the same time as the publication, and that training organizations had their course materials ready to go as well. This was a great piece of release management by AXELOS, who recognized the importance of making sure that all the bits would be available at launch.

I have been very encouraged by how RESILIA has been received since the launch. Just this week I have read two blogs recommending that people study and adopt the RESILIA approach.

So what is RESILIA, and how is it different from all the other publications out there that tell you how to manage information security?


A management system approach

Many publications (and security experts) suggest that you need to have an information security management system. RESILIA takes a rather different approach, saying that you need to have a management system to run your business, and that this single management system should meet all your needs – for security management, quality management, IT service management, compliance management, and managing every other aspect of the business. Cyber resilience is not something that you manage separately, but something that you integrate into your management system to ensure you meet your security needs at the same time as you meet all your other needs.

To help with this, RESILIA has adopted a lifecycle structure similar to the one that will be familiar to users of ITIL, defining practices and controls in the areas of strategy, design, transition, operation and continual improvement. RESILIA also describes how cyber resilience can be integrated with IT service management to ensure that information and information systems meet the needs of the organization.

Because of this management system focus, the target audience for RESILIA is very wide, including people who work in every aspect of IT and information security, but also including any manager who has accountability for the security of assets. Recent well-publicised incidents have shown that this accountability extends all the way through the organization, including the CEO and CIO, as well as security managers and IT managers.


The need for balance in cyber resilience

RESILIA is focussed on the need for balance across a number of different dimensions.  This need for balance can be found throughout the publication. Some of the important areas that need to be balanced include:

  • Prevent, detect and correct. However much you try to prevent security incidents, you won’t always succeed, so you need to invest in detecting incidents as quickly as possible and correcting them with minimal impact on the business, as well as in protecting your assets. The controls described in RESILIA show how you can achieve this balance within your organization.
  • People, process and technology. Many security publications, and many security experts, focus almost entirely on technology solutions, but cyber resilience is as much about processes and people as it is about technology. RESILIA offers guidance to help you create and manage controls in all of these areas.
  • Risks and opportunities. The more security controls you put in place, the harder it can be to run your business. Really great security could make it absolutely impossible for the business to capitalize on new opportunities. This can lead to people working around your carefully crafted security controls, resulting in increased risk. RESILIA recognises the importance of balancing risks and opportunities. Achieving the right balance between risk and opportunity is a business decision that starts with the board of management and involves driving decisions about cyber resilience all the way through the organization.
  • Getting things right and continual improvement. RESILIA has a strong focus on continual improvement. Even if you have the most perfect set of security controls you still need continual improvement because the threat environment, business environment and technology environment are constantly changing.


Do you want to learn more?

If you’d like to learn more about RESILIA then here are some resources you can use:


If you’ve had a chance to look at the RESILIA publication, or to attend a RESILIA training course then please let me know what you think.

And finally, I’d like to thank my co-authors Moyn Uddin and Mike St John-Green. Collaborating with them has been a delight.

comments powered by Disqus

Optimal Service Management Ltd.

7 Ingatestone Road, Woodford Green,
Essex, IG8 9AN, UK

Registered No: 8791379 England

Phone: +44 20 8504 2002

Recent Posts

  • ITIL4
    Free ITIL 4 content

    Here are links to all the free ITIL 4 content that I have shared

  • Stephen Stills on stage playing a guitar
    Start where you are: Love the one you’re with

    Shiny new tools and processes aren't the only way to make improvements. And they won't be be of much use unless you've thought long and hard about what it is you are actually trying to achieve.

  • 2017 03 16 What configuration data do you need IMAGE
    3 ways to approach configuration management

    There are three very different approaches you can take to configuration management.  Each of them has benefits and disadvantages, and you need to blend aspects of all three to get the best value in your context.

Latest Tweets