BS 25999
BS 25999 is BSI's standard in the field of Business Continuity Management (BCM). It replaces PAS 56, a Publicly Available Specification published in 2003 on the same subject.
Structure
Produced by the British Standards Institution (BSI), BS 25999 is a Business Continuity Management (BCM) standard in two parts. The first, "BS 25999-1:2006 Business Continuity Management. Code of Practice", takes the form of general guidance and seeks to establish processes, principles and terminology for Business Continuity Management.
The second, "BS 25999-2:2007 Specification for Business Continuity Management", specifies requirements for implementing, operating and improving a documented Business Continuity Management System (BCMS), describing only requirements that can be objectively and independently audited.
A useful way to understand the difference between the two is that Part 1 is a guidance document and uses the term 'should', whereas Part 2 is an independently verifiable specification that uses the word 'shall'. Only Part 2 can be assessed for certification.
Certification (independent verification) to this standard is available from certification bodies accredited by the United Kingdom Accreditation Service (UKAS). It is a multi-stage process usually involving a number of assessment visits, after which the assessor recommends whether or not the organization should receive certification. After initial certification, surveillance visits are made according to a plan to confirm that the organization remains in compliance.
Contents
The contents of the code of practice (BS 25999-1) are as follows:
Section 1 - Scope and Applicability. Defines the scope of the standard, making clear that it describes generic best practice that should be tailored to the organization implementing it.
Section 2 - Terms and Definitions. Describes the terminology and definitions used within the body of the standard.
Section 3 - Overview of Business Continuity Management. A short overview of the subject of the standard. It is not meant to be a beginner's guide but describes the overall process, its relationship with risk management, and the reasons for an organization to implement BCM along with the benefits.
Section 4 - The Business Continuity Management Policy. Central to the implementation of business continuity is having a clear, unambiguous and appropriately resourced policy.
Section 5 - BCM Programme Management. Programme management is at the heart of the whole BCM process, and the standard defines an approach to it.
Section 6 - Understanding the organization. In order to apply appropriate business continuity strategies and tactics, the organization has to be fully understood: its critical activities, resources, duties, obligations, threats, risks and overall risk appetite.
Section 7 - Determining BCM Strategies. Once the organization is thoroughly understood, appropriate overall business continuity strategies can be defined.
Section 8 - Developing and implementing a BCM response. The tactical means by which business continuity is delivered, including incident management structures, incident management plans and business continuity plans.
Section 9 - Exercising, maintenance, audit and self-assessment of the BCM culture. Without exercising the BCM response, an organization cannot be certain that it will meet its requirements. Exercise, maintenance and review processes enable the business continuity capability to continue to meet the organization's goals.
Section 10 - Embedding BCM into the organization's culture. Business continuity should not exist in a vacuum but should become part of the way that the organization is managed.
The contents of the specification (BS 25999-2) are as follows:
Section 1 - Scope. Defines the scope of the standard: the requirements for implementing and operating a documented business continuity management system (BCMS).
Section 2 - Terms and Definitions. Describes the terminology and definitions used within the body of the standard.
Section 3 - Planning the Business Continuity Management System (PLAN). Part 2 of the standard is predicated on the well-established Plan-Do-Check-Act model of continual improvement. The first step is to plan the BCMS, establishing it and embedding it within the organization.
Section 4 - Implementing and Operating the BCMS (DO). Putting the plans into practice. This section covers a number of topics that are also found in Part 1, but Part 1 should only be used for general guidance and information; only what is in Part 2 can be assessed.
Section 5 - Monitoring and Reviewing the BCMS (CHECK). To ensure that the BCMS is continually monitored, the Check stage covers internal audit and management review of the BCMS.
Section 6 - Maintaining and Improving the BCMS (ACT). To ensure that the BCMS is both maintained and improved on an ongoing basis, this section covers preventive and corrective action.
Timelines
The first part of BS 25999 (BS 25999-1:2006) was published by the British Standards Institution (BSI Group) in December 2006. The second part of BS 25999 (BS 25999-2:2007) was published in November 2007.
Development
Both parts of the standard are likely to be revised and it may ultimately be incorporated into other national or international standards. (This has since happened for the specification: BS 25999-2 was superseded by ISO 22301:2012, Societal security. Business continuity management systems. Requirements, and withdrawn.)
Other related standards
There are a number of similar worldwide standards:
North America
NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs. Published by the National Fire Protection Association.
ASIS/BSI BCM.01:2010 Business Continuity Management Systems: Requirements with Guidance for Use. Published in December 2010 and developed jointly by ASIS and BSI for North America.
Worldwide - Published by the International Organization for Standardization (ISO)
ISO/PAS 22399:2007 Guideline for incident preparedness and operational continuity management
Australia - Published by Standards Australia
HB 292-2006 : A practitioner's guide to business continuity management
HB 293-2006 : Executive guide to business continuity management
AS/NZS 5050:2010 : Business continuity. Managing disruption-related risk
See also
- Information assurance
- Physical security
External links
- BCM Page at BSI Business continuity and risk.
- BS 25999 News Portal dedicated to reporting events surrounding BS 25999.
- PAS56 and BS25999 The original portal dedicated to PAS56 and BS 25999.
- BCM resources BSI's business continuity portal
- BSI France BSI's French portal