
Content description of Publicly Available Specification 56 (PAS 56:2003) "Guide to business continuity management"

The Publicly Available Specification 56 (PAS 56:2003) "Guide to business continuity management"[1] was released by the British Standards Institution (BSi)[3] in March 2003. Its scope encompasses the process, principles, and terminology of business continuity management (BCM) in an organization. The specification describes the activities and expected results, provides recommendations for good practice, and outlines evaluation criteria. Although it is still a specification, which is a preliminary stage to a full-blown British Standard, PAS 56 offers an opportunity to design, establish and operate a functional, standardized business continuity management system (BCMS). The use of such a BCMS will ensure that current best practices are considered. The primary function of the BCMS is to allow your own organisation to manage the risks of adverse events; especially if your organisation is bound by Service Level Agreements (SLA), your customers can have greater confidence in your ability to successfully recover from a critical business impact. In addition, the benefits include the provision of a perspicuous set of metrics, an analysis of your compliance level with an upcoming standard through internal audits, as well as possible benefits in negotiations with banks and assurance institutes, and in meeting the needs of business development requirements.


Figure 1 - BCM - the unifying process [2]

If the Information Security Management System (ISMS) of your organisation is compliant with ISO/IEC 27001 and control objective 14 Business continuity management is selected as a result of the risk assessment, then a BCMS has to be specified and its implementation is mandatory for your organization! ISO/IEC 17799 documents specific controls, but does not describe in detail the process or a management system. It has been shown that using an integrated management system reuses existing ISMS, QMS, or EMS implementation efforts and provides efficiency and improved effectiveness, rather than creating your own standalone BCMS at this point. PAS 56 provides the specification for such a management system and gives you clear steps to take and the expected outcomes.


Totalling 54 pages, the content [4] of PAS 56 fills 50 (including three annexes). After a two-page introduction (ch. 1), the document defines BCM as a unifying business process (Figure 1) and not just an information technology disaster recovery. PAS 56 includes six pages of terms and definitions (ch. 2) and the abbreviations used in the specification (ch. 3). In the overview (ch. 4), the principles of BCM as an integral part of corporate governance and business processes are explained in detail. They are supported by a cyclical lifecycle figure (shown below), which depicts an anchor for including BCM in an existing management system, such as an Information Security Management System (ISMS) based upon ISO/IEC 27001.

Figure 2 - Match of PAS 56 to PDCA-Model

Figure 2 shows in blue the PLAN-DO-CHECK-ACT (PDCA) cyclic model of ISO/IEC 27001 and in the yellow overlay the nearly matching cycle of PAS 56. CHECK and ACT activities overlap because PAS 56 (in its March 2003 version) does not explicitly specify the requirements for corrective and preventive actions, which will probably be corrected in its next version update. "BCM programme management" (ch. 5) details the need for explicit commitment and support from management, sufficient resources and overall process awareness of the people involved. Further, the requirements for a BCM policy are defined, as are the monitoring requirements for the BCM process performance (titled "BCM assurance"). "Understanding your business" (ch. 6) requires you to define the heart of your business. "What are we doing? What are our key business objectives? How do we reach these objectives? Who needs to be involved? When do we need to achieve them?" are relevant questions. To learn about the consequences when you cannot achieve your key objectives, PAS 56 proposes a Business Impact Analysis (BIA) (this procedure is explained in ch. 6.2). To evaluate the likelihood of such impacts, a risk assessment (as proposed in ch. 6.3) should be performed. An organization that already uses an ISMS based on ISO 27001 can use the outcomes of the risk assessment already made there. After analyzing and evaluating the threats to valuable business assets (ch. 6), the next chapter leads us to "BCM strategies" (ch. 7). This chapter shows possible strategic BCM models, names the three levels on which BCM has to take place (organization/overall BCM strategy, process level and resource recovery) and lists potential strategic actions for BCM in general, including "doing nothing." Further, the objectives and proposed outcomes for the three aforementioned strategy levels are discussed in detail (ch. 7.2 and ch. 7.4). Based on the decisions and documentation made earlier, the next chapter gives guidance on "Developing and implementing BCM plans" (ch. 8), including details of the "Business continuity plan" (ch. 8.2), "Resource recovery and solutions plan" (ch. 8.3) and, hopefully never needed, "Crisis management planning" (ch. 8.4). Carrying forward, PAS 56 proceeds with "Building and embedding a BCM culture" (ch. 9), which shows the critical elements needed for appropriate awareness, training and culture for successful business continuity management. Knowing that the outcome of the previous chapters will be mostly paper documentation, PAS 56 as a "Guide to business continuity management" closes with "BCM exercising, maintenance and audit" (ch. 10) to check the implementation of BCM in the organization in a practical fashion. "Exercising" (ch. 10.1) states the need for regular exercises so that the organization is properly prepared in the case of an emergency. Exercises should be designed as challenging and realistic scenarios, so that the results can clearly identify areas for improvement.
A big note in this chapter states that even a failure in the testing context is not a negative result: it shows a particular need for corrective action and shall therefore be considered a positive and beneficial outcome of the exercise! This chapter also discusses "Maintenance" of BCM (ch. 10.2) and the mistake made too often of treating BCM as a (simple) business continuity plan (BCP). Maintenance is clearly stated as not only maintenance of the BCP as developed in chapter 8, but also as maintenance of the processes and their documentation, including risk assessment, business impact analysis, strategic discussions and their relevant outcomes. Finally, with "Audit" (ch. 10.3), PAS 56 describes the objectives of the BCM audit process as playing a key role in ensuring that an organization has a robust, effective and fit-for-purpose BCM competence and capability. The BCM audit should be conducted on a regular basis to assess the effectiveness of the business continuity management process; an annual interval is recommended. PAS 56 contains three annexes as stated earlier: Annex A shows a (non-exhaustive) table of possible roles and functions which may be involved in all stages or responsible for a stage of the BCM process. Annex B contains the "BCM evaluation criteria," which include detailed questions for each of the stages of the BCM lifecycle to be used as part of a self-assessment process or by an auditor as part of a formal audit. Annex C lists various "Frequency and triggers" for a review or an audit of BCM, amongst others the redefinition of business strategy or objectives, relocation of business units, and significant changes in the key technology (and/or information used) and communication technology.

Summary

PAS 56:2003 is an applicable and helpful specification for designing, implementing, and monitoring a Business Continuity Management System. It provides a detailed, step-by-step guide and gives useful tips for reaching conformity with its normative requirements. Therefore, an established BCMS based on PAS 56 supports and secures your organization by:

- reduced exposure to particular risks by methodical risk identification
- improved understanding of the business through risk analysis
- reduced downtime through identified alternative processes and workarounds
- protection of both the physical and knowledge assets of the business
- maintenance and protection of vital records
- improved operational resilience from implementing risk reduction
- preservation of markets by ensuring continuity of supply
- identification of compliance issues and management of alternative processes
- consideration of implications for Health & Safety legislation and Duties of care
- avoidance of liability actions
- improved operational effectiveness through a forced program of business process reengineering
- better organizational resilience by designating alternative people to support key processes and by defining and documenting recovery processes

In July 2005 the British Standards Institute (BSi) and the Business Continuity Institute (BCI)[5] announced the forming of a BCM Technical Committee[6], which currently reviews PAS 56 and aims to deliver a robust full British Standard for business continuity management by the end of 2006.

References

[1] British Standards Institute (BSi), Publicly Available Specification PAS 56:2003, Guide to Business Continuity Management, ISBN 0-580-41370-5 (http://www.standardsdirect.org/pas56.htm)
[2] Adapted from [1], page iii
[3] http://www.bsi-global.com/
[4] http://www.pas56.com/contents.htm
[5] http://www.thebci.org/
[6] http://www.thebci.org/PA56pressrelease.htm
[7] http://www.atsec.com/

About atsec information security

atsec information security is an independent, standards-based IT (information technology) security consulting and evaluation services company that combines a business-oriented approach to information security with in-depth technical knowledge and global experience. atsec launched its U.S. business in May 2003, building on extensive success in Europe dating back to 2000. atsec leverages its deep security, process, and standards expertise to consult on a wide range of IT security needs, enabling clients to establish integrated security management procedures in order to manage security risk and improve data, product, and business process reliability. atsec works with leading global companies such as IBM, HP, BMW, SGI, Swisscom, RWE, and Vodafone. For more information, please visit www.atsec.com.

Media Contact: Andreas Fabis, fabis@atsec.com, atsec information security corporation, (512) 615-7317
