Consulting Services
My consulting practice covers three interconnected disciplines: disaster recovery and business continuity, information security management, and IT risk management. These are not independent offerings — risk management is the analytical foundation that informs the other two, and disaster recovery is the primary area where I have developed a distinctive methodology and conducted peer-reviewed research.
All three services are grounded in formal credentials, delivered using recognised international standards, and supported by more than twenty years of consulting experience with international organisations including UN agencies and major NGOs.
Disaster Recovery & Business Continuity
ISO 22301 · NIST SP 800-34 · Layered Dependency Methodology

Disaster recovery is the primary focus of my consulting practice and the subject of my peer-reviewed research. Most DR failures I have encountered are not failures of effort — they are failures of analysis. Organisations build plans without adequately mapping the dependencies between IT systems, business processes, and recovery objectives. When disruption occurs, the plan does not hold. I have developed a layered dependency mapping methodology that structures DR planning around explicit dependency analysis across infrastructure, operational, and organisational layers. This framework has been applied in more than thirty real-world implementations and forms the basis of my 2025 book and co-authored academic paper currently under peer review.

• Business Impact Analysis and dependency mapping
• DR strategy design and plan development
• ISO 22301 Business Continuity Management System implementation
• Plan testing, exercising, and governance

Information Security Management
CISSP · ISO/IEC 27001 · NIST SP 800-53

Information security management is a secondary discipline in my practice, delivered alongside or in support of DR and risk management engagements. My approach is grounded in an MSc in Information Technology Security Management (Distinction) and the CISSP body of knowledge, and implemented using ISO/IEC 27001 for management system structure and NIST SP 800-53 for security controls. ISO 27001 and NIST 800-53 are complementary: ISO provides the certifiable management system framework; NIST provides detailed control specifications. I implement both, tailored to the organisation’s risk profile and objectives.

• ISMS design and implementation
• ISO 27001 certification preparation
• ISMS maturity assessment and improvement
• Security governance, metrics, and reporting

IT Risk Management
CRISC · ISO 27005 · ISO 31000 · COBIT/RISK IT

IT risk management is the analytical foundation for both DR and ISMS work. Without rigorous Business Impact Analysis and structured risk assessment, DR plans are built on assumptions rather than evidence, and ISMS control selection becomes a generic compliance exercise rather than a response to real exposure. As a CRISC-certified professional, I provide risk management services that are evidence-based, governance-oriented, and integrated with the other disciplines in my practice.

• Business Impact Analysis (BIA)
• Asset identification, classification, and threat modelling
• Risk assessment and risk register development
• Risk treatment, mitigation planning, and governance
Working Together
Engagements are structured to fit the organisation — from fixed-scope advisory work and specific deliverables through to embedded consultancy over a longer period. I work with organisations of varying sizes and sectors, with particular experience in international non-governmental organisations, UN agencies, and organisations operating across Swiss and EU jurisdictions.