A Standard for Business Continuity - BS 25999
A Standard for Business Continuity - BS 25999 has been developed by practitioners throughout the global community, drawing upon their considerable academic, technical and practical experiences of business continuity management (BCM). It has been produced to provide a system based on good practice for BCM and is intended to serve as a single reference point for identifying the range of controls needed for most situations where BCM is practiced in industry and commerce, and to be used by large, medium and small organizations in industrial, commercial, public and voluntary sectors.
BS 25999 has been published in two parts:
BS 25999-1:2006 Code of practice for business continuity management was published in December 2006.
BS 25999-2:2007 Specification for business continuity management was published on November 20, 2007.
This new Standard defines BCM as "a holistic management process that identifies potential threats to an organisation and the impacts to operations that those threats, if realised, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities".
BS 25999-1:2006 replaces PAS 56, which has now been withdrawn. It is a code of practice that takes the form of guidance and recommendations. It establishes the process, principles and terminology of business continuity management (BCM), providing a basis for understanding, developing and implementing business continuity within an organization and to provide confidence in business-to-business and business-to-customer dealings. In addition, it provides a comprehensive set of controls based on BCM best practice and covers the whole BCM lifecycle
The British Standard sets out six elements to the BCM process.
1. BCM programme management - Programme management enables the business continuity capability to be both established (if necessary) and maintained in a manner appropriate to the size and complexity of the organisation.
2. Understanding the organisation - The activities associated with "Understanding the organisation" provide information that enables prioritisation of an organisation's products and services, identification of critical supporting activities and the resources that are required to deliver them.
3. Determining business continuity strategies - This allows an appropriate response to be chosen for each product or service, such that the organisation can continue to deliver those products and services at the time of disruption.
4. Developing and implementing a BCM response - This involves developing incident management, business continuity and business recovery plans that detail the steps to be taken during and after an incident to maintain or restore operations.
5. BCM exercising, maintaining and reviewing BCM arrangements - This leads to the organisation being able to demonstrate the extent to which its strategies and plans are complete, current and accurate and identify opportunities for improvement.
6. Embedding BCM in the organisation's culture - This enables BCM to become part of the organisation's core values and instils confidence in all stakeholders in the ability of the organisation to cope with disruptions.
BS 25999-2:2007 describes the control framework and specifies the requirements for achieving certification which will help ensure that business continuity capability is appropriate to the size and complexity of an organisation. This provides organisations with a more efficient and robust way of ensuring that their partners and suppliers also have the correct procedures in place, thereby demonstrating to others that they are meeting the standard.
Following the publication of Part 2 various certification bodies e.g. the UK Accreditation Service (UKAS) / the British Standards Institute (BSI) etcetera have refined the process of training their assessors so that there is an independent accreditation scheme available to those bodies offering accreditation to Part 2. Accreditation means that certification bodies have been assessed against internationally recognised standards to demonstrate their competence, impartiality and performance capability.
NOTE- Business continuity management also involves the management of recovery or continuity in the event of an incident and management of the overall programme through training, rehearsals, and reviews, to ensure the business continuity plan stays current and up-to-date.