Version 6.1
DPC: 06/30139869 DC
Head Office
389 Chiswick High Road
London W4 4AL
Telephone: +44(0)20 8996 9000
Fax: +44(0)20 8996 7001
Date: 23 June 2006
www.bsi-global.com
Origin: National
Latest date for receipt of comments: 31 August 2006
Project no.: 2005/02478
Responsible committee: BCM/1
Interested committees:
Responsible Committee Secretary: Mr Kevin Laverty
Direct tel: 020 8996 7492
E-mail: kevin.laverty@bsi-global.com
Introduction
Your comments on this draft are welcome and will assist in the preparation of the consequent
British Standard. If no comments are received to the contrary, this draft may be implemented
unchanged as a British Standard.
Submission
The guidance given below is intended to ensure that all comments receive efficient and
appropriate attention by the responsible BSI committee. Annotated drafts are not
acceptable and will be rejected.
All comments must be submitted, preferably electronically, to:
Kevin Laverty
10 E National Content
British Standards Institution
389 Chiswick High Road
London W4 4AL
Email: Kevin.Laverty@bsi-global.com
Tel: 020 8996 7492
Fax: 020 8996 7187.
Comments should be submitted using the comments form installed at www.bsi-global.com/bs25999.
Any comments not submitted electronically should still adhere to these format requirements.
All comments submitted should be presented as given in the example below.
Template for comments and secretariat observations
Date: xx/xx/200x
Document: ISO/DIS xxxxx
MB | Clause No./Subclause No./Annex (e.g. 3.1) | Paragraph/Figure/Table/Note (e.g. Table 1) | Type of comment | Comment (justification for change) by the MB | Proposed change by the MB | Secretariat observations on each comment submitted
   | 3.1 | Definition 1 | ed | Definition is ambiguous and needs clarifying. | Amend to read ‘... so that the mains connector to which no connection ...’ |
   | 6.4 | Paragraph 2 | te | The use of the UV photometer as an alternative cannot be supported as serious problems have been encountered in its use in the UK. | Delete reference to UV photometer. |
Microsoft and MS-DOS are registered trademarks, and Windows is a trademark of Microsoft Corporation.
BS 25999-1
Contents
Foreword 5
1 Scope and applicability 6
2 Terms and definitions 6
3 What is business continuity management? 10
4 Overview of BCM 11
5 The business continuity management system (BCMS) 15
6 Programme management 16
7 Understanding the organization 18
8 Determining BCM options 21
9 Developing and implementing a BCM response 27
10 Exercising, maintenance, auditing and self-assessment of BCM arrangements 33
11 Embedding BCM in the organization’s culture 37
Bibliography 39
List of figures
Figure 1 — The BCM lifecycle 11
Figure 2 — Process of review and update of BCMS documentation 18
Figure 2 — BCM options 22
List of tables
Table 1 — Types and methods of exercising BCM strategies 35
Foreword
Publishing information
This British Standard was prepared by Subcommittee BCM/1/-/2, under the authority of
Technical Committee BCM/1, Business continuity management. A list of organizations
represented on this committee can be obtained on request to its secretary.
This British Standard has been developed by practitioners throughout the global community,
drawing upon their considerable academic, technical and practical experiences of business
continuity management (BCM). It has been produced to provide a system based on good
practice for business continuity management. It is intended to serve as a single reference
point for identifying the range of controls needed for most situations where business
continuity management is practised in industry and commerce, and to be used by large,
medium and small organizations in industrial, commercial, public and voluntary sectors.
BS 25999 is published in (will eventually comprise) two parts:
— Part 1: Code of practice for business continuity management;
— Part 2: Specification for business continuity management.
Part 2 specifies the process for achieving certification that business continuity capability is
appropriate to the size and complexity of an organization.
Use of this document
As a code of practice, this British Standard takes the form of guidance and recommendations.
It should not be quoted as if it were a specification and particular care should be taken to
ensure that claims of compliance are not misleading.
Any user claiming compliance with this British Standard is expected to be able to justify any
course of action that deviates from its recommendations.
Presentational conventions
The provisions of this standard are presented in roman (i.e. upright) type. Its
recommendations are expressed in sentences in which the principal auxiliary verb is
“should”.
Commentary, explanation and general informative material is presented in smaller italic
type, and does not constitute a normative element.
The word “should” is used to express recommendations of this standard. The word “may” is
used in the text to express permissibility, e.g. as an alternative to the primary
recommendation of the clause. The word “can” is used to express possibility, e.g. a
consequence of an action or an event.
Notes and commentaries are provided throughout the text of this standard. Notes give
references and additional information that are important but do not form part of the
recommendations. Commentaries give background information.
Contractual and legal considerations
This publication does not purport to include all the necessary provisions of a contract. Users
are responsible for its correct application.
Compliance with a British Standard cannot confer immunity from legal obligations.
2.1
activity
process or set of processes undertaken by an organization (or on its behalf) that produces or
supports one or more products or services, for example, accounts, call centre, IT,
manufacture, distribution
2.2
benchmarking
TBS
2.3
business continuity
strategic and tactical capability, pre-approved by management, of an organization to plan for
and respond to incidents and business interruptions in order to continue business operations at
an acceptable pre-defined level
2.4
business continuity management (BCM)
holistic management process that identifies potential threats to an organization and the
impacts to business operations those threats, if realized, might cause, and which provides a
framework for building organizational resilience with the capability for an effective response
that safeguards the interests of its key stakeholders, reputation, brand and value-creating
activities
NOTE Business continuity management also involves the management of recovery or continuity in the event of
an incident and management of the overall programme through training, rehearsals, and reviews, to ensure the
business continuity plan stays current and up-to-date.
2.5
business continuity management lifecycle
series of business continuity activities which collectively cover all aspects and phases of the
business continuity management programme
NOTE The business continuity management lifecycle is illustrated in Figure 1.
2.6
business continuity management programme
ongoing management and governance process supported by senior management and
resourced to ensure that the necessary steps are taken to identify the impact of potential
losses, maintain viable recovery strategies and plans, and ensure continuity of
products/services through training, exercising, maintenance and assurance
2.7
business continuity plan (BCP)
documented collection of procedures and information that is developed, compiled and
maintained in readiness for use in an incident to enable an organization to continue to deliver
its critical products and services
2.8
business continuity strategy
approach by an organization that will ensure its recovery and continuity in the face of a
disaster or other major incident or business interruption
2.9
business impact analysis
process of analysing business functions and the effect that a business interruption might have
upon them
2.10
business interruption
event, whether anticipated (e.g. a public service strike or hurricane) or unanticipated (e.g. a
blackout or earthquake), which disrupts the normal course of business operations
2.11
cost-benefit analysis
financial technique that measures the cost of implementing a particular solution and compares
this with the benefit delivered by that solution
NOTE The benefit may be defined in financial, reputational, service delivery, regulatory or other terms
appropriate to the organization.
2.12
disruption
TBS
2.13
exercising
activity in which the business continuity plan(s) is rehearsed in part or in whole to ensure
that the plan(s) contains the appropriate information and produces the desired result when put
into effect
NOTE An exercise can involve invoking business continuity procedures, but is more likely to involve the
simulation of a business continuity incident, announced or unannounced, in which participants role-play in
order to assess what issues might arise, prior to a real invocation.
2.14
impact
evaluated consequence of a particular outcome
2.15
incident
situation that might be, or could lead to, a business interruption, disruption, loss, emergency,
incident or crisis
2.16
incident management plan
clearly defined and documented plan of action for use at the time of an incident, typically
covering the key personnel, resources, services and actions needed to implement the incident
management process
2.17
invocation
act of declaring that an organization’s business continuity plan needs to be put into effect in
order to continue delivery of critical products or services
2.18
material
of a scale or significance that would threaten an organization’s key objectives should it not
occur
2.19
maximum tolerable period of disruption
duration after which an organization’s viability will be irrevocably threatened if product and
service delivery cannot be resumed
2.20
organization
business or administration concern united and constructed for a particular end
NOTE An organization can be a company, corporation, firm, enterprise, institution, charity, sole trader or
association, or parts or combinations thereof.
2.21
products and services
beneficial outcomes provided to customers or recipients, for example manufactured items, car
insurance, regulatory compliance and community nursing
2.22
project management
TBS
2.23
recovery time objective
target time set for resumption of product, service or activity delivery after an incident
NOTE The recovery time objective has to be less than the maximum tolerable period of disruption.
2.24
resilience
ability of an organization to resist being affected by an incident
2.25
risk
combination of the probability of a perceived threat or opportunity and the magnitude of its
impact on objectives
NOTE In some situations, risk arises from the possibility of deviation from the expected outcome or event.
2.26
risk appetite
total amount of risk that an organization is prepared to accept, tolerate, or be exposed to at
any point in time
2.27
risk assessment
overall process of risk identification, analysis and evaluation
2.28
risk management
structured application of management culture, policy, procedures, and practices to the tasks
of analysing, evaluating, and controlling risk
2.29
senior management
person or group of people who directs and controls an organization at the highest level
NOTE Senior management, especially in a large multinational organization, might not be directly
involved; however senior management accountability through the chain of command is manifest. In a small
organization, senior management might be the owner or sole proprietor.
2.30
stakeholders
those with an interest in an organization’s achievements, e.g. customers, partners, employees,
suppliers, shareholders, owners, government and regulators
2.31
threat
TBS
• ensuring that all staff understand their roles and responsibilities when a major disruption
occurs;
• building consensus and commitment to the implementation, deployment and exercising of
business continuity;
• integrating business continuity as part of routine “business as usual”.
4 Overview of BCM
[Figure 1 — The BCM lifecycle: BCM programme management at the centre, surrounded by Understanding the organization; Determining BCM options; Developing and implementing a BCM response; and Exercising, maintenance, auditing and self-assessment]
statutory duty to undertake BCM, e.g. those subject to the relevant provisions of the Civil
Contingencies Act.
Prudent management therefore recognizes the need for adequate risk recognition and risk
management. BCM delivers the ability to conduct core business and provides the capability
to adequately react to incidents or operational interruption, whilst protecting staff welfare and
safety. In any organization, all business activity inevitably leads to risks and to the possibility
of adverse circumstances arising from those risks. In addition to business risks, there are
internal operational risks, such as process breakdown and technology failure, and external
risks, such as flooding, utility disruption and terrorism.
Progressive organizations now regard BCM not as a costly planning process, but as a key
value-added improvement process firmly integrated with risk management.
5.1 Overview
COMMENTARY ON 5.1
The purpose of establishing a business continuity programme is:
— to ensure that all BCM activities are conducted and implemented in an agreed and controlled manner;
— to achieve a business continuity capability that meets the changing business needs and is appropriate to the
size, complexity and nature of the organization; and
— to put in place a clearly defined framework for the ongoing management of the BCM capability.
The BCM system incorporates the following processes:
• the set-up activities to implement a business continuity capability; and
• ongoing management and maintenance of the business continuity capability.
The set-up activities, which may take the form of a project, incorporate the end-to-end
design, build, implementation and initial exercising of the business continuity capability.
The ongoing maintenance and management activities include embedding business continuity
within the organization, exercising it regularly, and updating it, particularly when there is a
significant change in personnel, process, technology or organizational structure.
In summary, the BCM system represents the set-up, organization and ongoing management
of the business continuity capability.
5.2 Context
The organization should ensure that its BCMS is appropriate to the nature, scale, complexity,
geography and criticality of its business activities and that it reflects its culture, dependencies
and operating environment. The BCMS is an ongoing process designed to ensure that
business continuity arrangements continue to meet the needs of the business in the event of a
major incident or operationally disruptive event. This system should ensure that a business
continuity capability is embedded in the organization’s business culture.
Business continuity should be incorporated in the development of new products and services
that are critical to the organization’s continued success and into the change management
process for existing products and services.
The organization should maintain and review its BCM policy, strategies, plans and solutions
on a regular basis.
An organization may choose to limit the application of this British Standard to specific
products, services or one or more geographic locations. Any such limitation in scope should
be documented in the policy.
6 Programme management
6.1 Overview
BCM programme management involves three steps:
• assigning responsibilities (see 6.2);
• project management (see 6.3); and
• ongoing management (see 6.4).
6.4.1 Overview
The ongoing management activities should include ensuring that business continuity is
embedded within the organization, and is regularly exercised and updated. Business
continuity arrangements and plans should be reviewed and updated whenever there is a
[Figure 2 — Process of review and update of BCMS documentation]
7.1 Introduction
7.1.1 The aim of this element of the BCM lifecycle is to set the requirements that will
determine BCM options (see Clause 8) and develop a BCM response (see Clause 9). It
establishes a BCM understanding of the organization and ensures that the BCM programme
is aligned to its objectives, obligations and statutory duties.
• identifying and evaluating the perceived threats that could disrupt its activities (see 7.5).
7.1.3 It is important that the organization understands the interdependencies of its activities
and any reliance on external organizations.
7.2 Analysing the impact of disruption
7.2.1 The organization should determine and document the impact of a disruption to the
activities that support its critical products and services. This process is commonly referred to
as a business impact analysis (BIA).
7.2.2 For each activity supporting the delivery of products and services within the BCM
scope, the organization should:
a) assess the impacts over time that its loss or disruption would have;
b) establish the maximum tolerable period of disruption of each activity by identifying:
• the maximum time period after an interruption within which it needs to be resumed,
• the minimum level at which the activity needs to be performed on its resumption,
• the length of time before normal levels of operation need to be resumed; and
c) identify any inter-dependent activities, assets or resources that have also to be recovered.
7.2.3 When assessing impacts, the organization should consider those that relate to its
business aims and objectives, its values and its stakeholders. These may include:
• threats to staff or public safety and welfare;
• breaches of statutory and regulatory requirements;
• damage to reputation;
• damage to financial viability;
• deterioration to product or service quality;
• environmental damage.
The organization should document its approach to assessing the impact of disruption and its
findings and conclusions.
COMMENTARY ON 7.2.3
During a disruption, impacts generally increase over time and affect each activity differently. Impacts might
also vary depending on the day, month or point in the business lifecycle.
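As an added example that is not part of the standard's text: a small Python model of the recovery parameters set in 7.2.2 (maximum tolerable period of disruption, recovery time objective, minimum level and time to normal operation, inter-dependent activities) with the consistency checks a reviewer would apply before the sign-off in 7.7. It goes one step beyond 7.2.2 by resolving dependencies, so an activity's RTO is checked against the resumption times of everything it relies on; the activity names, hours and impact scores are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Activity:
    name: str
    mtpd_hours: float        # maximum tolerable period of disruption (2.19; 7.2.2 b, first bullet)
    rto_hours: float         # recovery time objective chosen for the activity (2.23)
    minimum_level: float     # minimum level (0..1) at which it must run on resumption (7.2.2 b)
    normal_by_hours: float   # time by which normal levels of operation must be restored (7.2.2 b)
    depends_on: list = field(default_factory=list)        # inter-dependent activities (7.2.2 c)
    impact_over_time: list = field(default_factory=list)  # (hours elapsed, impact score) pairs


def effective_rto(activities):
    """Earliest resumption time each activity can actually achieve: it cannot resume before
    everything it depends on has resumed. Circular dependencies yield float('inf')."""
    by_name = {a.name: a for a in activities}
    result, visiting = {}, set()

    def visit(name):
        if name in result:
            return result[name]
        if name in visiting:                 # back edge: circular dependency
            return float("inf")
        visiting.add(name)
        act = by_name[name]
        dep_times = [visit(d) for d in act.depends_on if d in by_name]
        result[name] = max([act.rto_hours] + dep_times)
        visiting.discard(name)
        return result[name]

    for a in activities:
        visit(a.name)
    return result


def validate_bia(activities):
    """Findings a reviewer would raise before senior-management sign-off (7.7).
    An empty list means the BIA figures are internally consistent."""
    eff = effective_rto(activities)
    findings = []
    for a in activities:
        # The RTO has to be less than the MTPD (NOTE to 2.23).
        if not a.rto_hours < a.mtpd_hours:
            findings.append(f"{a.name}: RTO {a.rto_hours}h is not less than MTPD {a.mtpd_hours}h")
        if eff[a.name] == float("inf"):
            findings.append(f"{a.name}: circular dependency, no recovery order exists")
        elif eff[a.name] > a.rto_hours:
            msg = (f"{a.name}: RTO {a.rto_hours}h is not achievable, "
                   f"dependencies resume at {eff[a.name]}h")
            if not eff[a.name] < a.mtpd_hours:
                msg += f" (beyond MTPD {a.mtpd_hours}h)"
            findings.append(msg)
        if a.normal_by_hours < a.rto_hours:
            findings.append(f"{a.name}: normal operation due at {a.normal_by_hours}h, before resumption at {a.rto_hours}h")
        if not 0 < a.minimum_level <= 1:
            findings.append(f"{a.name}: minimum level {a.minimum_level} must be in (0, 1]")
        # Impacts generally increase over time (COMMENTARY ON 7.2.3), so the
        # profile must be time-ordered and non-decreasing.
        pairs = zip(a.impact_over_time, a.impact_over_time[1:])
        if any(t2 <= t1 or i2 < i1 for (t1, i1), (t2, i2) in pairs):
            findings.append(f"{a.name}: impact profile must be time-ordered and non-decreasing")
    return findings


def recovery_order(activities):
    """Order in which activities can be resumed: each dependency precedes the
    activity that needs it; otherwise the shortest effective RTO comes first."""
    by_name = {a.name: a for a in activities}
    eff = effective_rto(activities)
    order, placed = [], set()

    def place(name):
        if name in placed or name not in by_name:
            return
        placed.add(name)
        for dep in sorted(by_name[name].depends_on, key=lambda d: eff.get(d, 0)):
            place(dep)
        order.append(name)

    for a in sorted(activities, key=lambda a: (eff[a.name], a.name)):
        place(a.name)
    return order


# Constructed sample BIA for a small online retailer (illustrative figures only).
SAMPLE_BIA = [
    Activity("order_taking", mtpd_hours=24, rto_hours=4, minimum_level=0.5, normal_by_hours=48,
             depends_on=["payment_processing", "it_infrastructure"], impact_over_time=[(1, 1), (4, 3), (24, 9)]),
    Activity("payment_processing", mtpd_hours=24, rto_hours=8, minimum_level=1.0, normal_by_hours=8,
             depends_on=["it_infrastructure"], impact_over_time=[(1, 2), (8, 6)]),
    Activity("it_infrastructure", mtpd_hours=48, rto_hours=2, minimum_level=0.8, normal_by_hours=24,
             impact_over_time=[(1, 1), (2, 2), (48, 10)]),
    Activity("monthly_reporting", mtpd_hours=72, rto_hours=72, minimum_level=1.0, normal_by_hours=72,
             impact_over_time=[(24, 1), (72, 4)]),
]
```

On the sample, validate_bia reports that order_taking's 4 h RTO cannot be met because payment processing only resumes at 8 h, and that monthly_reporting's RTO equals rather than undercuts its MTPD.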
COMMENTARY ON 7.3
Time periods
The maximum time period for resuming activities can vary between seconds and several months depending on
the nature of the activity. Activities that are time-sensitive might need to be specified with a great degree of
accuracy, for example, to the minute or the hour. Less time-sensitive activities might require less accuracy.
Maximum tolerable period of disruption
The maximum tolerable period of disruption will influence each activity’s recovery time objective when
determining BCM options (see Clause 8).
7.4 Estimating recovery requirements
The organization should estimate the resources, facilities and services that each activity will
require at resumption. These may include:
a) staff resources, including numbers, skills and knowledge;
b) supporting equipment and supplies;
c) the works site and facilities required;
d) external services and suppliers; and
e) provision of electronic or paper records, or information about work-in-progress, all of
which are sufficiently up-to-date and accurate to allow the activity to continue unimpaired.
COMMENTARY ON 7.4
If records or work-in-progress information are unavailable, inaccurate, or not sufficiently up-to-date, this could
prevent or critically delay the resumption of activities. This information is used to formulate appropriate back-up
and records management strategies when determining BCM options (see Clause 8).
7.5 Review of the business impact analysis
The business impact analysis should be reviewed and updated as the organization or the
environment in which it operates changes.
COMMENTARY ON 7.5
A business impact analysis can also be used to understand future recovery strategy requirements by
incorporating planned changes to products, services, processes or organizations (e.g. mergers).
7.6 Evaluating threats to organizational activities (risk assessment)
7.6.1 The organization should understand how specific threats could disrupt its activities.
This information should be used to identify ways of preventing the loss of or disruption to the
organization’s critical products and services. This process is commonly referred to as risk
assessment. The organization should, in particular, identify threats and vulnerabilities specific
to its critical activities.
7.6.3 The purpose of the risk assessment is to identify measures that would:
• reduce the likelihood of a disruptive event;
• shorten the period of disruption; and
7.7 Sign-off
Senior management should sign off the documented business impact analysis and risk
assessment to ensure that these activities have been properly undertaken and subsequent
solutions and plans provide the correct level of continuity response.
8.1 Introduction
8.1.1 This element of the business continuity management system logically follows the
“understanding the organization” element. Selected options should remain applicable to the
organization, regardless of its size and sector, and have regard for associated stakeholders
who would suffer the consequences of an unplanned interruption to products or services.
[Figure 2 — BCM options. Strategic options: Do nothing; Change, suspend or terminate; Loss mitigation / risk treatment; Business continuity. Tactical options: Workforce, skills and knowledge; Workspace and facilities; Supporting technologies; Data and information; Equipment and supplies; Human welfare]
8.3.1 General
8.3.1.1 Each critical product and service within an organization is supported by one or more
activities. These activities may each have different tactical solutions which recognize the
relative urgency of continuing that activity.
8.3.1.2 The organization should determine and select appropriate, scalable and cost-effective
BCM solutions to maintain continuity for the activities that support products and services.
The essential resources required for these activities are identified through impact analysis.
8.3.1.3 The organization should identify tactical solutions that will support the restoration of
the required activities within the recovery time objective. In each case, the organization
should evaluate alternatives in order to minimize the likelihood of the business continuity
solution being affected by the same incident. These may include:
• workforce, skills and knowledge (see 8.3.2);
• work site facilities (see 8.3.3);
• supporting technologies (see 8.3.4);
• data (see 8.3.5);
• equipment and supplies (see 8.3.6);
• human welfare (see 8.3.7); and
• stakeholders, partners and contractors.
It is likely that a combination of solutions will provide the most robust and economic solution
to deliver these products and services according to the timeframes identified in the impact
analysis.
8.3.4.1 The organization should identify all relevant technology assets that directly enable
and support the activities undertaken by the organization.
NOTE Technology implies the use of assets in the broadest sense and as relative to the organization.
Technology might include IT hardware, telecommunications equipment, lathes, food preparation machines or
vacuum sealing machinery.
8.3.4.2 Technology strategies will depend on the nature of the technology employed and its
relationship to critical products and services, but will typically be one or a combination of:
• provision made within the organization;
• services delivered to the organization; and
• services provided externally by a third party.
COMMENTARY ON 8.3.4.2
Supporting technologies will vary significantly between organizations according to the size, nature and
complexity of business. Strategies may be developed to safeguard specialized or custom-built technologies (for
example, plant or machinery essential to manufacturing and production capabilities).
The organization may need to make provision for manual operations before full IT services are recovered.
8.3.5 Information
Information security strategies should ensure that information vital to the
organization’s operation is appropriately protected and recoverable.
NOTE Further information is given in BS ISO/IEC 17799.
Any remote copy of information required to reinstate lost records should have appropriate:
• confidentiality;
• integrity (between different data sources); and
• availability to be used for reinstatement.
Information strategies should be documented for the recovery of work-in-progress
information, i.e. data that are not present on the remote copy.
Information strategies should extend to include:
• physical (hardcopy) formats;
• virtual (electronic) formats, etc.
8.3.6.1 The organization should identify, and maintain an inventory of, the equipment and
supplies that support its critical products and services. Strategies to provide these may include
one or all of the following:
• storage of additional supplies at another location;
• arrangements with third parties for delivery of stock at short notice;
• diversion of just-in-time deliveries to other locations;
• holding of materials at warehouses or shipping sites;
• transfer of sub-assembly operations to an alternate location;
• holding of older equipment as emergency replacement or spares;
• additional risk mitigation for unique or long lead time equipment; and
• geographic diversity of critical processes.
8.3.6.2 Where activities are dependent upon key suppliers, these should be identified.
Strategies to manage these may include:
• multiple suppliers;
• encouraging or requiring suppliers to have a business continuity capability;
• contractual agreements with key suppliers; and
• identified alternate suppliers.
8.4 Sign-off
Senior management should sign off the documented solutions to confirm that these activities
have properly mitigated or catered for the likely causes and effects of a business interruption.
COMMENTARY ON 8.4
Implementation of a particular alternative has to support the overall organizational objectives and thus needs to
have acceptance and support at the highest level.
9.1 Introduction
A major incident can result in serious disruptions in the organization’s ability to meet its
obligations.
It is vital that the organization is able to respond to such incidents and the resulting
disruptions at a speed that meets the expectations of its stakeholders as identified in the
business impact analysis.
Clause 8 described the various means by which business activities can be protected from
intolerable disruption. This clause gives recommendations for harnessing and coordinating
these resources to create an effective response.
The successful management of an incident has two main components:
The organization should document a clear process for standing down the team(s) once the
incident is over, and returning to business as usual.
COMMENTARY ON 9.2c)
Time lost during a response can never be regained. It is almost always better to mobilize the response team and
subsequently stand it down than to miss an opportunity to contain an incident early and prevent escalation.
d) Document owner and maintainer
The organization should nominate the primary owner of the plan, and identify and document
who is responsible for reviewing, amending and updating the plan at regular intervals.
A system of version control should be employed, and changes formally notified to all
interested parties.
9.3.1 Introduction
The purpose of an incident management plan (IMP) is to allow the organization to manage
the acute phase of an incident. The IMP addresses the stakeholder and external issues facing
an organization during an incident. The IMP should be flexible, feasible, relevant and easy to
read and understand, and provide the basis for managing all possible issues arising from any
threat to the business. The primary aims of the IMP should be:
• to ensure the safety of all affected individuals; and
• to contain the incident to minimize further loss.
The IMP should:
• have senior management support, including a board sponsor where applicable; and
• be supported by an appropriate budget for development, maintenance and training.
The IMP should include an incident log or forms for the recording of vital information in
respect of event details, decisions made, details of casualties, damage assessments,
communications issued, etc.
The IMP may also include:
• maps/charts/plans/photographs and other information that might be relevant in the event
of an incident;
• documented response strategies agreed with third parties as appropriate (joint venture
partners, contractors, suppliers, etc.);
• details of equipment staging areas;
• site access plans; and
• a claims management procedure that ensures all insurance and legal claims for or against
the organization meet regulatory and contractual requirements.
9.4.1 Introduction
The purpose of a business continuity plan (BCP) is to enable an organization to recover or
maintain its activities in the event of a major interruption affecting normal business
operations.
Business continuity plans are activated based on the strategy selected to manage the incident.
They may be invoked in whole or part and at any stage of the response to an incident.
COMMENTARY ON 9.4.1
The components and contents of BCPs vary from organization to organization and have a different level of
detail based on the scale, environment, culture and technical complexity of the industries and associated
solutions, risk profile and environment in which they operate.
Large organizations might require separate documents for each of their critical business areas/functions,
whereas smaller organizations might be able to cover what is critical to them within a single document.
The organization should deploy staff to liaise with the emergency services.
COMMENTARY ON 9.4.2d)
Emergency services play a significant part in protecting life and relieving suffering during emergencies.
Therefore, early liaison, pre-planning and real-time incident coordination between the organization and its first
responders can improve the efficiency of an incident response.
e) Forms and annexes
Where appropriate, the business continuity plan should list up-to-date contact details for
relevant internal and external agencies, organizations and providers that might be required to
support the organization.
The business continuity plan should include an incident log or forms for the recording of vital
information, especially in respect of decisions made.
The plan may also include:
• forms for recording administrative data, e.g. resources used, expenses, etc.;
• maps, drawings, and site and office plans, especially those relating to any alternate
facilities such as work site recovery areas and storage locations.
10.1 Introduction
An organization’s business continuity arrangements are preserved as fit-for-purpose and
continually challenged through exercising and assurance processes.
An organization’s business continuity management arrangements cannot be considered
reliable until exercised. Exercising is essential to developing teamwork, competence,
confidence and knowledge, which are vital at the time of an incident.
Arrangements should be verified through exercising, audit and self-assurance processes to
ensure that they are fit-for-purpose.
10.3 Exercises
If exercises use scenarios, these should be realistic and carefully planned and agreed with stakeholders, so that there is minimum risk of disruption to business processes. An exercise should never be allowed to become an incident.
Every exercise should have clearly defined aims and objectives and a post-exercise report that contains recommendations. This report should be used to improve business continuity arrangements in a timely manner.
The scale and complexity of exercises should reflect the organization’s recovery objectives. Exercises should prove, through their success, that the organization’s business continuity and incident management plans can be executed and contain the appropriate detail and instructions.
NOTE A range of approaches to exercising BCM strategies is shown in Table 1.
• distribute updated, amended or changed BCM policy, strategies, solutions, processes and plans to key personnel under a formal change (version) control process.
NOTE If there are major business changes then a revision of the BIA might be indicated. The other components of the BCM programme may be amended to take account of these changes.
The outcomes from the BCM maintenance process should include:
• documented evidence of the proactive management and governance of the organization’s business continuity programme;
• verification that key people who are to implement the BCM strategy and plans are trained and competent;
• verification of the monitoring and control of the BCM risks faced by the organization; and
• documented evidence that material changes to the organization’s structure, activities, purpose, staff and objectives have been incorporated into the BCM and incident management plans.
10.6 Audit
COMMENTARY ON 10.6
The purpose of a BCM audit is to review an organization’s existing BCM competence and capability, and verify these against predefined standards and criteria. It has two key functions:
— to verify that compliance with the organization’s BCM policy ensures compliance with applicable laws, standards, strategies, framework and good practice guidelines; and
— to highlight key material deficiencies and issues and ensure their resolution.
The frequency and timing of audit activity can be influenced by laws and regulations, depending on the size, nature and legal status of the organization. They might also be influenced by the requirements of stakeholders.
The organization should provide for the independent audit of its BCM to identify actual and potential shortcomings. It should establish, implement and maintain procedures for dealing with these.
10.7 Self-assessment
COMMENTARY ON 10.7
The BCM self-assessment process plays a role in ensuring that an organization has a robust, effective and fit-for-purpose BCM competence and capability. It provides the qualitative verification of an organization’s ability to recover from an incident. Self-assessment is regarded as good practice.
Actions taken should be appropriate to the magnitude of the problems and the organizational impacts encountered.
The audit or self-assessment of the organization’s BCM programme should verify that:
• all critical products and services, their dependent activities and their supporting resources have been identified and included in the organization’s BCM strategy;
• the organization’s BCM policy, strategies, framework and plans continue to accurately reflect its priorities and requirements;
• the organization’s BCM competence and its BCM capability are effective and fit-for-purpose and will permit management, command, control and coordination of a BCM incident;
• the organization’s BCM solutions are effective, up-to-date and fit-for-purpose, and appropriate to the level of risk faced by the organization;
• the organization’s BCM maintenance and exercising programmes have been effectively implemented;
• BCM strategies and plans incorporate lessons learned from exercises, as contained in a post-exercise report, and amendments arising from the maintenance programme;
• the organization has an ongoing programme for BCM training and awareness; and
• change control processes are in place and operate effectively.
Self-assessment should be conducted against the organization’s objectives. It should also take into account relevant industry standards and good practice.
11.1 General
Building, promoting and embedding a BCM culture within an organization ensures that it becomes part of the organization’s core values and effective management.
A BCM culture will ensure that an organization can:
• develop a BCM programme more efficiently;
• instil confidence in its stakeholders (especially staff and customers) in its ability to handle disruptions;
• increase its resilience over time by ensuring BCM implications are considered in decisions at all levels; and
• minimize the impact and likelihood of disruptions.
COMMENTARY ON 11.1
Creating and embedding a BCM culture within an organization can be a lengthy and difficult process which might encounter a level of resistance that was not anticipated. An understanding of the existing culture within the organization will assist in the development of an appropriate BCM culture programme.
All staff have to understand that business continuity management is a serious issue for the organization and that they have an important role to play in maintaining the delivery of products and services to their clients and customers.
Development of a BCM culture is achieved by:
• assignment of responsibilities (see 6.2);
• skills training; and
• awareness training.
11.2 Training
The organization should have a process for identifying and delivering the BCM training requirements of relevant participants and evaluate the effectiveness of its delivery.
The organization should undertake training of:
a) BCM staff for such tasks as:
• programme management,
11.3 Awareness
The organization should have a process for identifying and delivering the BCM awareness requirements of the organization and evaluating the effectiveness of its delivery.
NOTE Raising and maintaining awareness of BCM with all the organization’s staff is important to ensure that they are aware of why BCM is important to the organization. They will need to be convinced that this is a lasting initiative that has the ongoing support of the executive.
The organization should raise, enhance and maintain awareness by maintaining an ongoing BCM education and information programme for existing and new staff.
Such a programme may include:
• a consultation process with staff throughout the organization, concerning the implementation of the BCM programme;
• discussion of BCM in the organization’s newsletters, briefings or journals;
• inclusion of BCM on relevant web pages or intranets;
• learning from internal and external incidents;
• BCM as an item at team meetings;
• exercising continuity plans at an alternate location (e.g. a recovery site);
• visits to any designated alternate location (e.g. a recovery site).
The organization may extend its BCM awareness programme to its suppliers and other stakeholders.