Draft for Public Comment Form 36

Version 6.1

DPC: 06/30139869 DC

Head Office
389 Chiswick High Road
London W4 4AL
Telephone: +44(0)20 8996 9000
Fax: +44(0)20 8996 7001
Date: 23 June 2006
www.bsi-global.com
Origin: National

Latest date for receipt of comments: 31 August 2006
Project no.: 2005/02478
Responsible committee: BCM/1
Interested committees:

Title: DPC BS 25999-1 Code of practice for business continuity management

Supersession information: If this document is published as a standard, the UK implementation of it will
supersede NONE and partially supersede NONE. If you are aware of a current national standard which
may be affected, please notify the content developer (contact details below).

WARNING: THIS IS A DRAFT AND MUST NOT BE REGARDED OR USED AS A BRITISH STANDARD.
THIS DRAFT IS NOT CURRENT BEYOND 31 AUGUST 2006.
This draft is issued to allow comments from interested parties; all comments will be given
consideration prior to publication. No acknowledgement will normally be sent. See overleaf
for information on commenting.
No copying is allowed, in any form, without prior written permission from BSI except as
permitted under the Copyright, Designs and Patent Act 1988 or for circulation within a
nominating organization for briefing purposes. Electronic circulation is limited to
dissemination by e-mail within such an organization by committee members.
Further copies of this draft may be purchased from BSI Customer Services, Tel: +44(0) 20
8996 9001 or email orders@bsi-global.com. British, International and foreign standards are
also available from BSI Customer Services.
British Standards on CD or Online are available from British Standards Publishing Sales
Limited.
Tel: 01344 404409 or email bsonline@techindex.co.uk.
Information on the co-operating organizations represented on the committees referenced
above may be obtained from the responsible committee secretary.
Cross-references
The British Standards which implement International or European publications referred to in
this draft may be found via the British Standards Online Service on the BSI web site
http://www.bsi-global.com.

Responsible Committee Secretary: Mr Kevin Laverty Direct tel: 020 8996 7492
E-mail: kevin.laverty@bsi-global.com

Introduction
Your comments on this draft are welcome and will assist in the preparation of the consequent
British Standard. If no comments are received to the contrary, this draft may be implemented
unchanged as a British Standard.
Submission
The guidance given below is intended to ensure that all comments receive efficient and
appropriate attention by the responsible BSI committee. Annotated drafts are not
acceptable and will be rejected.
All comments must be submitted, preferably electronically, to:
Kevin Laverty
10 E National Content
British Standards Institution
389 Chiswick High Road
London W4 4AL
Email: Kevin.Laverty@bsi-global.com
Tel: 020 8996 7492
Fax: 020 8996 7187.
Comments should be submitted using the comments form installed at
www.bsi-global.com/bs25999. Any comments not submitted electronically should still adhere to
these format requirements.
All comments submitted should be presented as given in the example below.

Template for comments and secretariat observations
Date: xx/xx/200x
Document: ISO/DIS xxxxx

Columns:
1   MB
2   Clause No./Subclause No./Annex (e.g. 3.1)
(3) Paragraph/Figure/Table/Note (e.g. Table 1)
4   Type of comment
5   Comment (justification for change) by the MB
(6) Proposed change by the MB
(7) Secretariat observations on each comment submitted

Example rows:

MB | 3.1 | Definition 1 | ed | Definition is ambiguous and needs clarifying. | Amend to read ‘... so that the mains connector to which no connection ...’ | (secretariat observations)

MB | 6.4 | Paragraph 2 | te | The use of the UV photometer as an alternative cannot be supported as serious problems have been encountered in its use in the UK. | Delete reference to UV photometer. | (secretariat observations)
Microsoft and MS-DOS are registered trademarks, and Windows is a trademark of Microsoft Corporation.

BS 25999-1

Code of practice for business continuity management

0630139869 3
BS 25999-1

Contents
Foreword 5
1 Scope and applicability 6
2 Terms and definitions 6
3 What is business continuity management? 10
4 Overview of BCM 11
5 The business continuity management system (BCMS) 15
6 Programme management 16
7 Understanding the organization 18
8 Determining BCM options 21
9 Developing and implementing a BCM response 27
10 Exercising, maintenance, auditing and self-assessment of BCM arrangements 33
11 Embedding BCM in the organization’s culture 37
Bibliography 39
List of figures
Figure 1 — The BCM lifecycle 11
Figure 2 — Process of review and update of BCMS documentation 18
Figure 2 — BCM options 22
List of tables
Table 1 — Types and methods of exercising BCM strategies 35


Foreword
Publishing information
This British Standard was prepared by Subcommittee BCM/1/-/2, under the authority of
Technical Committee BCM/1, Business continuity management. A list of organizations
represented on this committee can be obtained on request to its secretary.
This British Standard has been developed by practitioners throughout the global community,
drawing upon their considerable academic, technical and practical experiences of business
continuity management (BCM). It has been produced to provide a system based on good
practice for business continuity management. It is intended to serve as a single reference
point for identifying the range of controls needed for most situations where business
continuity management is practised in industry and commerce, and to be used by large,
medium and small organizations in industrial, commercial, public and voluntary sectors.
BS 25999 is published in (will eventually comprise) two parts:
— Part 1: Code of practice for business continuity management;
— Part 2: Specification for business continuity management.
Part 2 specifies the process for achieving certification that business continuity capability is
appropriate to the size and complexity of an organization.
Use of this document
As a code of practice, this British Standard takes the form of guidance and recommendations.
It should not be quoted as if it were a specification and particular care should be taken to
ensure that claims of compliance are not misleading.
Any user claiming compliance with this British Standard is expected to be able to justify any
course of action that deviates from its recommendations.
Presentational conventions
The provisions of this standard are presented in roman (i.e. upright) type. Its
recommendations are expressed in sentences in which the principal auxiliary verb is
“should”.
Commentary, explanation and general informative material is presented in smaller italic
type, and does not constitute a normative element.
The word “should” is used to express recommendations of this standard. The word “may” is
used in the text to express permissibility, e.g. as an alternative to the primary
recommendation of the clause. The word “can” is used to express possibility, e.g. a
consequence of an action or an event.
Notes and commentaries are provided throughout the text of this standard. Notes give
references and additional information that are important but do not form part of the
recommendations. Commentaries give background information.
Contractual and legal considerations
This publication does not purport to include all the necessary provisions of a contract. Users
are responsible for its correct application.
Compliance with a British Standard cannot confer immunity from legal obligations.


1 Scope and applicability


This British Standard establishes the process, principles and terminology of business
continuity management (BCM). The purpose of this Standard is to provide a basis for
understanding, developing and implementing business continuity within an organization and
to provide confidence in business-to-business and business-to-customer dealings. It also
enables the organization to measure its BCM capability in a consistent and recognized
manner.
This Standard provides a system based on BCM good practice.
This standard is intended for use by anyone with responsibility for business operations, from
board directors and chief executives through all levels of the organization; from those with a
single site to those with a global presence; from sole traders and small-to-medium enterprises
(SMEs) to organizations employing thousands of people. It is therefore applicable to anybody
who holds responsibility for any operation, and thus the continuity of that operation.
This standard is not intended as a beginner’s guide to business continuity management.
This standard does not cover the activities of emergency planning (also known as emergency
preparedness).
NOTE In the United Kingdom, emergency planning is a management system which prepares for, protects
against, and recovers from natural or man-made incidents that affect sections of society as a whole. That is,
emergency planning pertains to activity that is conducted for the benefit of the public or society; business
continuity management pertains to activity that is conducted for the benefit of a single organization.

2 Terms and definitions


For the purposes of this part of BS 25999, the following definitions apply.

2.1
activity
process or set of processes undertaken by an organization (or on its behalf) that produces or
supports one or more products or services, for example, accounts, call centre, IT,
manufacture, distribution

2.2
benchmarking
TBS

2.3
business continuity
strategic and tactical capability, pre-approved by management, of an organization to plan for
and respond to incidents and business interruptions in order to continue business operations at
an acceptable pre-defined level

2.4
business continuity management (BCM)
holistic management process that identifies potential threats to an organization and the
impacts to business operations those threats, if realized, might cause, and which provides a
framework for building organizational resilience with the capability for an effective response
that safeguards the interests of its key stakeholders, reputation, brand and value-creating
activities
NOTE Business continuity management also involves the management of recovery or continuity in the event of
an incident and management of the overall programme through training, rehearsals, and reviews, to ensure the
business continuity plan stays current and up-to-date.

2.5
business continuity management lifecycle
series of business continuity activities which collectively cover all aspects and phases of the
business continuity management programme
NOTE The business continuity management lifecycle is illustrated in Figure 1.

2.6
business continuity management programme
ongoing management and governance process supported by senior management and
resourced to ensure that the necessary steps are taken to identify the impact of potential
losses, maintain viable recovery strategies and plans, and ensure continuity of
products/services through training, exercising, maintenance and assurance

2.7
business continuity plan (BCP)
documented collection of procedures and information that is developed, compiled and
maintained in readiness for use in an incident to enable an organization to continue to deliver
its critical products and services

2.8
business continuity strategy
approach by an organization that will ensure its recovery and continuity in the face of a
disaster or other major incident or business interruption

2.9
business impact analysis
process of analysing business functions and the effect that a business interruption might have
upon them

2.10
business interruption
event, whether anticipated (e.g., a public service strike or hurricane) or unanticipated (e.g. a
blackout or earthquake), which disrupts the normal course of business operations

2.11
cost-benefit analysis
financial technique that measures the cost of implementing a particular solution and compares
this with the benefit delivered by that solution
NOTE The benefit may be defined in financial, reputational, service delivery, regulatory or other terms
appropriate to the organization.


2.12
disruption
TBS

2.13
exercising
activity in which the business continuity plan(s) is rehearsed in part or in whole to ensure
that the plan(s) contains the appropriate information and produces the desired result when put
into effect
NOTE An exercise can involve invoking business continuity procedures, but is more likely to involve the
simulation of a business continuity incident, announced or unannounced, in which participants role-play in
order to assess what issues might arise, prior to a real invocation.

2.14
impact
evaluated consequence of a particular outcome

2.15
incident
situation that might be, or could lead to, a business interruption, disruption, loss, emergency,
incident or crisis

2.16
incident management plan
clearly defined and documented plan of action for use at the time of an incident, typically
covering the key personnel, resources, services and actions needed to implement the incident
management process

2.17
invocation
act of declaring that an organization’s business continuity plan needs to be put into effect in
order to continue delivery of critical products or services

2.18
material
of a scale or significance that would threaten an organization’s key objectives should it not
occur

2.19
maximum tolerable period of disruption
duration after which an organization’s viability will be irrevocably threatened if product and
service delivery cannot be resumed

2.20
organization
business or administration concern united and constructed for a particular end


NOTE An organization can be a company, corporation, firm, enterprise, institution, charity, sole trader or
association, or parts or combinations thereof.

2.21
products and services
beneficial outcomes provided to customers or recipients, for example manufactured items, car
insurance, regulatory compliance and community nursing

2.22
project management
TBS

2.23
recovery time objective
target time set for resumption of product, service or activity delivery after an incident
NOTE The recovery time objective has to be less than the maximum tolerable period of disruption.

2.24
resilience
ability of an organization to resist being affected by an incident

2.25
risk
combination of the probability of a perceived threat or opportunity and the magnitude of its
impact on objectives
NOTE In some situations, risk arises from the possibility of deviation from the expected outcome or event.

2.26
risk appetite
total amount of risk that an organization is prepared to accept, tolerate, or be exposed to at
any point in time

2.27
risk assessment
overall process of risk identification, analysis and evaluation

2.28
risk management
structured application of management culture, policy, procedures, and practices to the tasks
of analyzing, evaluating, and controlling risk

2.29
senior management
person or group of people who directs and controls an organization at the highest level
NOTE Senior management, especially in a large multinational organization, might not be directly
involved; however senior management accountability through the chain of command is manifest. In a small
organization, senior management might be the owner or sole proprietor.


2.30
stakeholders
those with an interest in an organization’s achievements, e.g. customers, partners, employees,
suppliers, shareholders, owners, government and regulators

2.31
threat
TBS

3 What is business continuity management?


Business continuity management (BCM) is an holistic management process that identifies,
in advance, the potential impacts of a wide variety of disruptions to the organization’s
ability to function, allowing that organization to tolerate the loss of part or all of its
operational capability.
BCM is a business-owned, business-driven process that establishes a fit-for-purpose strategic
and operational framework that:
• proactively improves an organization’s resilience against the disruption or interruption of
its ability to supply its products or services;
• provides a tried and proven method of restoring an organization’s ability to supply its
critical products and services to an agreed level;
• delivers a proven capability to manage a business interruption (incident) and protect the
organization’s reputation and brand.
The term BCM denotes the whole management system of providing and proving resilience
and recovery. BCM will result in the creation of one or more business continuity plans. A
small organization may have one business continuity plan that covers its entire operations. A
very large organization may have dozens of business continuity plans, each of which
specifies in detail the recovery of a particular part of its business. The degree to which BCM
is implemented in an organization will be proportionate to its size and scale, and may be
subject to such cost-benefit analysis as the organization deems appropriate.
The key elements of BCM include:
• understanding the overall context within which the organization operates;
• understanding the critical products and services that the organization has to deliver (its
objectives);
• understanding what barriers or interruptions can be encountered in trying to deliver these
critical products and services;
• understanding how the organization can continue to achieve these objectives should
interruptions occur;
• understanding the likely range of outcomes when controls and other mitigation strategies
are implemented;
• understanding the criteria or triggers for implementing incident and emergency response,
and business recovery procedures;


• ensuring that all staff understand their roles and responsibilities when a major disruption
occurs;
• building consensus and commitment to the implementation, deployment and exercising of
business continuity;
• integrating business continuity as part of routine “business as usual”.

4 Overview of BCM

4.1 Elements of the business continuity management lifecycle


The BCM system comprises six elements, as illustrated by the lifecycle diagram in Figure 1.
With little modification, these can be implemented by organizations of all sizes, in all sectors:
public, private, non-profit, educational, manufacturing, etc. The scope and structure of a
BCM programme can vary, and the effort expended will be tailored to the needs of the
individual organization, but the essential steps still have to be undertaken.
Figure 1 — The BCM lifecycle
[Diagram: BCM Programme Management at the centre of a cycle whose surrounding elements are: Understanding the organization; Determining BCM options; Developing and implementing a BCM response; Exercising, maintenance, auditing and self-assessment.]

a) BCM Programme management (see Clause 6)


Programme management enables the business continuity capability to be both established
(where this is currently not the case) and maintained in a manner appropriate to the size and
complexity of the organization.


b) Understanding the organization (see Clause 7)


The activities associated with “Understanding the organization” provide information that
describes an organization’s critical products and services, and the activities and resources that
are required to deliver those products and services.
c) Determining BCM options (see Clause 8)
Determining BCM options enables a range of strategies and tactical options to be evaluated.
This allows an appropriate response to be chosen for each critical product or service, such
that the organization can continue to deliver those products and services at an acceptable
level of operation during and following a disruption. The choice made will take cognisance of
the resilience and countermeasure options already present within the organization.
d) Developing and implementing a BCM response (see Clause 9)
Developing and implementing a BCM response results in the creation of business continuity
plans and incident management plans that detail the steps to be taken during and after an
incident to restore operations. A proactive component of BCM is to mitigate threats, which
includes eliminating or reducing the impact and likelihood of the threats.
e) Embedding BCM in the organization’s culture (see Clause 10)
Embedding BCM in the organization’s culture enables BCM to become part of the
organization’s core values and instil confidence in all stakeholders in the ability of the
organization to cope with major disruptions.
f) BCM exercising, maintenance, auditing and self-assessment (see Clause 11)
BCM exercising, maintenance and audit leads to the organization being able to demonstrate
that its strategies and plans are effective, credible, and fit-for-purpose.
COMMENTARY ON 4.1f)
An incident might exceed the preparedness of an organization, even if it has carefully examined response
measures against an anticipated level of damage. It is therefore imperative that management and its supporting
structures do not adhere stubbornly to an existing plan, but use it as a basis for discussion, and make judgments
according to the circumstances. A business continuity plan is never a substitute for informed and competent
management decision-making.

4.2 BCM in a risk context


BCM is complementary to a wider risk management framework that sets out to understand
the risks to operations or business, and the consequences of those risks.
Risk management embraces the need to manage risk around the critical activities that enable
an organization to survive. BCM encompasses the identification and risk management of
those products and services on which the organization depends for its survival, and which
need to be accessible in time to enable the organization to retain credibility and continue to
meet its responsibilities. Through BCM, an organization can recognize what needs to be done
before an incident occurs to ensure its people, reputation, assets, systems and information are
secure.
With that recognition, the organization can then take a realistic view on the responses that are
likely to be needed as and when an interruption occurs, so that it can be confident that it will
manage through any consequences without unacceptable delay in delivering its products or
services.


4.3 BCM in the context of organizational strategy


All organizations, whether large or small, have aims and objectives, such as to grow, to
diversify, to acquire other businesses and so on. These aims and objectives are generally met
via strategic plans to achieve the organization’s short, medium and long term goals.
As business practices and their sensitivities change, BCM is increasingly a central and crucial
strategic issue for organizations. BCM awareness and integration at the organization’s highest
level will help to ensure that any continuity risks associated with new business opportunities
are identified, and assessed for their acceptability.
The consequences of an incident vary and can be far-reaching. These consequences might
involve loss of life, loss of assets or income, or the failure of a critical activity on which the
organization’s reputation or survival might depend.
The consequences might not be to the organization. Examples of consequences include, but
are not restricted to:
• damage to the physical environment;
• interruptions to the technological infrastructure;
• interruptions to supply of a public utility, such as electricity, water, transport or phone
services;
• a requirement to undertake a fundamental change to the legal, regulatory and political
environment in which the organization operates; or
• a supply chain failure, where an urgently needed “just-in-time” supplier or distributor
might be directly affected by an incident, and whose failure to deliver could have an
equally serious impact on the organization’s own ability to continue to deliver products
and services.
BCM also needs to recognize the strategic importance of stakeholders. Examples of
stakeholders include, but are not restricted to, internal and “outsourced” employees,
customers, suppliers, distributors, investors and shareholders. Furthermore, as the
consequences of a damaging incident unfold, new stakeholders emerge and have a direct
impact on the eventual extent of the damage. Examples of these include competitors,
environmentalists, regulators, and the media. In some cases, issue groups may attempt to
apply negative pressure on the organization facing an interruption.
All these issues are of strategic concern to the organization, and are thus necessarily key
drivers for any effective management of risk exposures. Whilst the individual processes of
business continuity can change with an organization’s size, structures and responsibilities, the
basic principles remain exactly the same for voluntary, private or public sector organizations,
regardless of their size, scope or complexity.

4.4 Why should an organization undertake BCM?


BCM forms an important element of good business management, service provision and
entrepreneurial prudence.
Managers and owners have the responsibility to maintain the ability of the organization to
function continuously. Organizations constantly make promises or have a duty to deliver
products and services, i.e. they enter into contracts and otherwise raise expectations. All
organizations have moral and social responsibilities, particularly where they provide an
emergency response or a public or voluntary service. In some cases, organizations have a
statutory duty to undertake BCM, e.g. those subject to the relevant provisions of the Civil
Contingencies Act.
Prudent management therefore recognizes the need for adequate risk recognition and risk
management. BCM delivers the ability to conduct core business and provides the capability
to adequately react to incidents or operational interruption, whilst protecting staff welfare and
safety. In any organization, all business activity inevitably leads to risks and to the possibility
of adverse circumstances arising from those risks. In addition to business risks, there are
internal operational risks, such as process breakdown and technology failure, and external
risks, such as flooding, utility disruption and terrorism.
Progressive organizations now regard BCM not as a costly planning process, but as a key
value added improvement process firmly integrated with risk management.

4.5 The benefits of an effective BCM programme


The benefits of a BCM programme are that the organization:
• is able to proactively identify risks to its operation, and have in place a capability to
mitigate and manage those risks;
• maintains an ability to manage uninsurable risks, such as risk to reputation;
• has in place an effective response to major disruptions;
• is able to demonstrate that the programme is credible through a process of exercising and
auditing;
• may have a competitive advantage, conferred by the demonstrated ability to maintain
customer service, profitability and employment of its staff; and
• is able to demonstrate that the programme is iterative and is embedded as good business
practice.

4.6 The outcomes of an effective BCM programme


The outcomes of an effective BCM programme are that:
• critical activities are identified and protected, ensuring their continuity;
• an incident management capability is enabled to avoid incidents becoming a crisis;
• the organization’s understanding of itself, and its relationships with other organizations,
relevant regulators or government departments, local authorities and the emergency
services, is properly developed, documented and understood;
• staff are trained to respond effectively to an incident or business interruption through
appropriate exercising;
• staff are properly supported and communicated with in the event of business interruption;
• stakeholder requirements are understood and satisfied through effective delivery of these
outcomes;
• the organization’s reputation is protected; and
• the organization remains legal and compliant.


5 The business continuity management system (BCMS)

5.1 Overview
COMMENTARY ON 5.1
The purpose of establishing a business continuity programme is:
— to ensure that all BCM activities are conducted and implemented in an agreed and controlled manner;
— to achieve a business continuity capability that meets the changing business needs and is appropriate to the
size, complexity and nature of the organization; and
— to put in place a clearly defined framework for the ongoing management of the BCM capability.
The BCM system incorporates the following processes:
• the set-up activities to implement a business continuity capability; and
• ongoing management and maintenance of the business continuity capability.
The set-up activities, which may take the form of a project, incorporate the end-to-end
design, build, implementation and initial exercising of the business continuity capability.
The ongoing maintenance and management activities include embedding business continuity
within the organization, exercising it regularly, and updating it, particularly when there is a
significant change in personnel, process, technology or organizational structure.
In summary, the BCM system represents the set-up, organization and ongoing management
of the business continuity capability.

5.2 Context
The organization should ensure that its BCMS is appropriate to the nature, scale, complexity,
geography and criticality of its business activities and that it reflects its culture, dependencies
and operating environment. The BCMS is an ongoing process designed to ensure that
business continuity arrangements continue to meet the needs of the business in the event of a
major incident or operationally disruptive event. This system should ensure that a business
continuity capability is embedded in the organization’s business culture.

5.3 Development of a business continuity policy


The organization should develop a business continuity policy stating the objectives of the
BCM programme. Initially, this may be at a high level with further refinement and
enhancement as the capability is developed. The policy should be regularly reviewed and
updated in line with business needs.
The business continuity policy should provide the organization with documented principles to
which it will aspire and against which its business continuity capability should be measured.
The BCM policy should be owned at a high level, e.g. a board director or elected
representative.
The organization may consider the following when developing its BCM policy.
• Defining the scope of BCM within the organization.
• Defining the BCM principles, guidelines and minimum standards for the organization.
• Referencing any relevant standards, regulations or policies that should be included or can
be benchmarked.


Business continuity should be incorporated in the development of new products and services
that are critical to the organization’s continued success and into the change management
process for existing products and services.
The organization should maintain and review its BCM policy, strategies, plans and solutions
on a regular basis.
An organization may choose to limit the application of this British Standard to specific
products, services or one or more geographic locations. Any such limitation in scope should
be documented in the policy.

6 Programme management

6.1 Overview
BCM programme management involves three steps:
• assign responsibilities (see 6.2);
• project management (see 6.3); and
• ongoing management (see 6.4).

6.2 Assign responsibilities (governance)


The organization’s management should:
• appoint or nominate a competent person to be accountable for BCM policy and
implementation; and
• appoint or nominate an individual to implement the BCM programme (this person may be
known as the BC manager).
If the organization’s structure so indicates, the BC manager may nominate representatives
within business units to assist in the implementation of the BCM programme.
The roles, accountabilities, responsibilities and authorities should be integrated into job
descriptions and skill sets.
The organization’s audit process should review these responsibilities.
These responsibilities may be reinforced by including them in the organization’s appraisal,
reward and recognition policy.

6.3 Project management


The project management activities should include the design, build, implementation and
initial exercising of the business continuity capability. The organization may adopt a
recognized project management methodology to ensure that the project is effectively
managed.

6.4 Ongoing management

6.4.1 Overview
The ongoing management activities should include ensuring that business continuity is
embedded within the organization, and is regularly exercised and updated. Business
continuity arrangements and plans should be reviewed and updated whenever there is a
significant change in personnel, process or technology, and when an exercise or incident
highlights deficiencies.

6.4.2 Ongoing maintenance


Individuals tasked with maintaining the business continuity management system may reside
in many areas of an organization depending on its size, scale and complexity. It is essential,
however, that a person with appropriate responsibility, e.g. board director or elected
representative, has overall responsibility for BCM and is directly accountable for ensuring the
continued success of this capability.
COMMENTARY ON 6.4.2
In large organizations there might be a need for a team of business continuity representatives
with differing roles and responsibilities. In smaller organizations, responsibility for business
continuity may reside with one or more individuals.
However BCM is resourced, there are activities that should be carried out both initially and
on an ongoing basis. These should include:
• defining the scope, roles and responsibilities for BCM;
• appointing a person or team to manage the BCM capability;
• monitoring performance of the business continuity capability;
• promoting business continuity across the organization and wider, where appropriate;
• managing costs associated with the business continuity capability;
• administering the exercise programme;
• coordinating the regular review and update of the business continuity capability;
• maintaining documentation appropriate to the size and complexity of the organization
(see 6.5); and
• establishing and monitoring a change and succession management regime.

6.5 BCMS documentation


Individuals tasked with maintaining the business continuity management system should be
responsible for coordinating the business continuity documentation. This may include the
following:
• BCMS scope statement;
• BCMS terms of reference;
• BCM policy;
• business impact analysis;
• risk assessment;
• BCM strategy/ strategies;
• statement of applicability;
• training programme;
• incident management plans;
• business continuity plans;


• SLAs, contracts and other evidence.


Figure 2 shows the process by which BCMS documentation might be reviewed and updated.

Figure 2 – Process of review and update of BCMS documentation

[Figure 2 is a diagram. It shows the BCMS documentation (BCMS scope statement; BCMS terms of
reference; BCM policy; business impact analysis; risk assessment; BCM strategy/strategies;
statement of applicability; training programme; incident management plans; business continuity
plans; SLAs, contracts and other evidence) being reviewed and updated in response to catalysts for
change: incidents; malfunctions; failures; risk management reports; test results; self audit
observations; external audit observations; change or asset management.]

7 Understanding the organization

7.1 Introduction

7.1.1 The aim of this element of the BCM lifecycle is to set the requirements that will
determine BCM options (see Clause 8) and develop a BCM response (see Clause 9). It
establishes a BCM understanding of the organization and ensures that the BCM programme
is aligned to its objectives, obligations and statutory duties.

7.1.2 A BCM understanding of the organization comes from:


• identifying the organization’s objectives and stakeholder obligations;
• requiring senior management to identify critical products and services that support these
objectives and obligations (which determine the BCM scope);
• identifying the activities, assets and resources that support the delivery of these products
and services;
• assessing the impact and consequences over time of the failure of these activities (see
7.2); and


• identifying and evaluating the perceived threats that could disrupt its activities (see 7.5).

7.1.3 It is important that the organization understands the interdependencies of its activities
and any reliance on external organizations.
7.2 Analysing the impact of disruption
7.2.1 The organization should determine and document the impact of a disruption to the
activities that support its critical products and services. This process is commonly referred to
as a business impact analysis (BIA).

7.2.2 For each activity supporting the delivery of products and services within the BCM
scope, the organization should:
a) assess the impacts over time that its loss or disruption would have;
b) establish the maximum tolerable period of disruption of each activity by identifying:
• the maximum time period after an interruption within which it needs to be resumed,
• the minimum level at which the activity needs to be performed on its resumption,
• the length of time before normal levels of operation need to be resumed; and
c) identify any inter-dependent activities, assets or resources that have also to be recovered.

7.2.3 When assessing impacts, the organization should consider those that relate to its
business aims and objectives, its values and its stakeholders. These may include:
• threats to staff or public safety and welfare;
• breaches of statutory and regulatory requirements;
• damage to reputation;
• damage to financial viability;
• deterioration to product or service quality;
• environmental damage.
The organization should document its approach to assessing the impact of disruption and its
findings and conclusions.
COMMENTARY ON 7.2.3
During a disruption, impacts generally increase over time and affect each activity differently. Impacts might
also vary depending on the day, month or point in the business lifecycle.

7.3 Identification of critical activities


The organization may categorize its activities according to their priority for recovery. Those
activities whose loss, as identified during the impact assessment, would have the greatest
impact in the shortest time and which need to be recovered most rapidly, may be termed
“critical activities”. Other activities that require advance arrangements to be in place in order
to ensure that they can be recovered within their maximum tolerable period of disruption,
may also be termed critical. The organization may wish to focus its planning activities on
critical activities, but should recognize that other (“non-critical”) activities will also need to
be recovered within their maximum tolerable period of disruption.

COMMENTARY ON 7.3
Time periods
The maximum time period for resuming activities can vary between seconds and several months depending on
the nature of the activity. Activities that are time-sensitive might need to be specified with a great degree of
accuracy, for example, to the minute or the hour. Less time-sensitive activities might require less accuracy.
Maximum tolerable period of disruption
The maximum tolerable period of disruption will influence each activity’s recovery time objective when
determining BCM options (see Clause 8).
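
As an added worked example (not part of this draft standard), the following Python records the
outputs of 7.2.2 for a constructed set of activities, propagates each maximum tolerable period of
disruption through the inter-dependencies identified in 7.2.2 c), flags timescales that cannot be
met, and derives the critical/non-critical split of 7.3. The activity names, hours and
dependencies are invented, and the threshold used to call an activity "critical" is an
organizational choice passed in as a parameter.

```python
"""Added worked example (not part of BS 25999-1): recording the outputs of the
impact analysis steps in 7.2.2 and deriving the recovery ordering of 7.3.
Activity names, hours and dependencies are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Activity:
    name: str
    mtpd_hours: float        # maximum tolerable period of disruption [7.2.2 b)]
    min_level_pct: int       # minimum level required on resumption [7.2.2 b)]
    normal_by_hours: float   # time by which normal operation must be restored [7.2.2 b)]
    depends_on: list = field(default_factory=list)  # inter-dependent activities [7.2.2 c)]


def check_acyclic(by_name):
    """Reject circular dependencies; a cycle means the BIA has no valid
    recovery sequence and must be corrected before it is signed off (7.7)."""
    state = {}                                   # name -> "visiting" or "done"

    def visit(n):
        if state.get(n) == "visiting":
            raise ValueError(f"dependency cycle through {n!r}")
        if n not in state:
            state[n] = "visiting"
            for d in by_name[n].depends_on:
                if d not in by_name:
                    raise ValueError(f"{n!r} depends on unknown activity {d!r}")
                visit(d)
            state[n] = "done"

    for n in by_name:
        visit(n)


def effective_mtpd(activities):
    """Propagate MTPDs through dependencies.

    An activity cannot resume until everything it depends on is back, so a
    supporting activity inherits the tightest MTPD of any activity relying on
    it, directly or transitively. Returns {name: effective MTPD in hours}.
    """
    by_name = {a.name: a for a in activities}
    check_acyclic(by_name)
    eff = {a.name: a.mtpd_hours for a in activities}
    changed = True
    while changed:                               # converges because the graph is acyclic
        changed = False
        for a in activities:
            for d in a.depends_on:
                if eff[d] > eff[a.name]:
                    eff[d] = eff[a.name]
                    changed = True
    return eff


def recovery_order(activities, critical_threshold_hours):
    """Split activities into critical and non-critical (7.3), each list sorted
    by effective MTPD, shortest first. The threshold is the organization's own
    choice; non-critical activities still carry an MTPD that must be met."""
    eff = effective_mtpd(activities)
    ordered = sorted(activities, key=lambda a: (eff[a.name], a.name))
    critical = [a.name for a in ordered if eff[a.name] <= critical_threshold_hours]
    non_critical = [a.name for a in ordered if eff[a.name] > critical_threshold_hours]
    return critical, non_critical


def inconsistent_timescales(activities):
    """Names of activities whose 'back to normal' time is earlier than their
    MTPD, which cannot be right: full recovery cannot precede resumption."""
    return [a.name for a in activities if a.normal_by_hours < a.mtpd_hours]


# Constructed sample BIA (illustrative values only).
SAMPLE_BIA = [
    Activity("Order fulfilment", 4, 50, 48, ["Order database", "Warehouse dispatch"]),
    Activity("Order database", 24, 100, 24),            # owner's own view: 24 h is fine
    Activity("Warehouse dispatch", 8, 30, 72),
    Activity("Payroll", 120, 100, 72, ["HR records"]),  # normal-by earlier than MTPD
    Activity("HR records", 240, 100, 240),
    Activity("Marketing newsletter", 336, 0, 336),
]

if __name__ == "__main__":
    for name, hours in sorted(effective_mtpd(SAMPLE_BIA).items(), key=lambda kv: kv[1]):
        print(f"{name:22s} effective MTPD {hours:>5} h")
    critical, non_critical = recovery_order(SAMPLE_BIA, critical_threshold_hours=24)
    print("critical:", critical)
    print("non-critical:", non_critical)
    print("inconsistent timescales:", inconsistent_timescales(SAMPLE_BIA))
```

The dependency propagation is the step that is easy to miss: an activity whose owners rate it
as tolerating a day of disruption inherits a four-hour requirement as soon as a four-hour
activity depends on it. Findings of that kind should surface before the sign-off in 7.7 rather
than during an incident.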
7.4 Estimating recovery requirements
The organization should estimate the resources, facilities and services that each activity will
require at resumption. These may include:
a) staff resources, including numbers, skills and knowledge;
b) supporting equipment and supplies;
c) the works site and facilities required;
d) external services and suppliers; and
e) provision of electronic or paper records, or information about work-in-progress, all of
which are sufficiently up-to-date and accurate to allow the activity to continue unimpaired.
COMMENTARY ON 7.4
If records or work in progress information are unavailable, inaccurate, or not sufficiently-up–to-date, this could
prevent or critically delay the resumption of activities. This information is used to formulate appropriate back-
up and records management strategies when determining BCM options (see Clause 8).
7.5 Review of the business impact analysis
The business impact analysis should be reviewed and updated as the organization or the
environment in which it operates changes.
COMMENTARY ON 7.5
A business impact analysis can also be used to understand future recovery strategy requirements by
incorporating planned changes to products, services, processes or organizations (e.g. mergers).
7.6 Evaluating threats to organizational activities (risk assessment)
7.6.1 The organization should understand how specific threats could disrupt its activities.
This information should be used to identify ways of preventing the loss of or disruption to the
organization’s critical products and services. This process is commonly referred to as risk
assessment. The organization should, in particular, identify threats and vulnerabilities specific
to its critical activities.

7.6.2 The organization should consider:


• internal threats, such as fire and staff loss; and
• external threats, such as flooding and nearby hazard sites.

7.6.3 The purpose of the risk assessment is to identify measures that would:
• reduce the likelihood of a disruptive event;
• shorten the period of disruption; and


• limit the impact on the organization’s critical products and services.


COMMENTARY ON 7.6.3
It might be beneficial to consult risk registers that have already been established elsewhere in the organization
or by external bodies.

7.7 Sign-off
Senior management should sign off the documented business impact analysis and risk
assessment to ensure that these activities have been properly undertaken and subsequent
solutions and plans provide the correct level of continuity response.

8 Determining BCM options

8.1 Introduction

8.1.1 This element of the business continuity management system logically follows the
“understanding the organization” element. Selected options should remain applicable to the
organization, regardless of its size and sector, and have regard for associated stakeholders
who would suffer the consequences of an unplanned interruption to products or services.

8.1.2 The organization’s approach to determining BCM options should:


a) provide continuity for the products or services of the organization following an incident;
b) implement appropriate measures to prevent incidents occurring, and/or reduce the potential
effects of those incidents; and
c) take account of the resilience and countermeasure options already present within
the organization, in order to avoid the development of duplicate controls.
NOTE Figure 2 identifies the context and relationship between strategic and tactical planning for all
organizations.
COMMENTARY ON 8.1.2
The business impact analysis and risk assessment form the primary basis by which the organization will
determine appropriate, scalable and cost effective strategic and tactical BCM options.

Figure 2 ― BCM options

[Figure: "Understand the organization" leads to the product/service options. Strategic options:
do nothing; change, suspend or terminate; loss mitigation/risk treatment (leading to a risk
management programme); business continuity (leading to activity options based on acceptable
operating levels). Each strategic option is documented and signed off. Tactical options:
workforce, skills and knowledge; workspace and facilities; supporting technologies; data and
information; equipment and supplies; human welfare.]

8.2 Product and service strategy options

There are a number of strategic options that should be considered for each product and
service. Both time and acceptable operating levels will determine the most appropriate
strategy or strategies.
Strategic options may include:
a) Do nothing
COMMENTARY ON 8.2a)
To do nothing might be acceptable if senior management deems the risk to be acceptable and within the
organization’s risk appetite. However, this has to be done explicitly and documented. In some circumstances the
impact of a risk might be outside the organization’s normal risk appetite, but, due to the low likelihood of the
risk occurring and/or the uneconomic cost of control, senior management may accept the risk.
b) Loss mitigation/ risk treatment
If this option is to be pursued, reference should be made to the British Standard on Risk
Management, BS-2xxxx.
COMMENTARY ON 8.2b)
Loss mitigation/ risk treatment can prevent or reduce the likelihood of an incident and/or minimize or reduce
the potential impact. Loss mitigation strategies can be used in conjunction with other options, as not all risks
can be prevented or reduced to an acceptable level.
The purchase of insurance may form part of a risk treatment strategy and will provide some financial
recompense for some losses, but will not meet all costs (e.g. uninsured events, brand, reputation, stakeholder
value, market share and human consequences). A financial settlement alone is unlikely to fully protect the
organization and satisfy stakeholder expectations. Insurance cover is more likely to be used in conjunction with
one or more other strategies.
c) Change, suspension or termination
COMMENTARY ON 8.2c)
In some circumstances it might be appropriate to change, suspend or end the service, product, function or
process. This option can only be considered where there is no conflict with the organization’s objectives,
statutory compliance and stakeholder expectation. This approach is most likely to be considered where a
product or service has a limited lifespan.
d) Business continuity
If business continuity is the chosen strategy for a product or service, a recovery time
objective should be agreed and the continuity options given in 8.3 should be evaluated
against this objective.
COMMENTARY ON 8.2d)
Continuity strategies seek to improve the organization’s resilience to an interruption by ensuring critical
activities continue at an acceptable minimum level and to timeframes stipulated within the BIA.

8.3 Continuity options

8.3.1 General

8.3.1.1 Each critical product and service within an organization is supported by one or more
activities. These activities may each have different tactical solutions which recognize the
relative urgency of continuing that activity.

8.3.1.2 The organization should determine and select appropriate, scalable and cost effective
BCM solutions to maintain continuity for the activities that support products and services.
The essential resources required for these activities are identified through impact analysis.

8.3.1.3 The organization should identify tactical solutions that will support the restoration of
the required activities within the recovery time objective. In each case, the organization
should evaluate alternatives in order to minimize the likelihood of the business continuity
solution being affected by the same incident. These may include:
• workforce, skills and knowledge (see 8.3.2);
• work site facilities (see 8.3.3);
• supporting technologies (see 8.3.4);
• data (see 8.3.5);
• equipment and supplies (see 8.3.6);
• human welfare (see 8.3.7);
• stakeholders, partners and contractors.
It is likely that a combination of solutions will provide the most robust and economic solution
to deliver these products and services according to the timeframes identified in the impact
analysis.

8.3.2 Workforce, skills and knowledge

The organization should identify appropriate strategies for maintaining essential skills and
knowledge. This analysis should extend beyond employees to contractors and other
stakeholders who possess extensive specialist skills and knowledge. Strategies to protect or
provide those skills might include:
a) process mapping of activities;
b) multi-skill training of staff and contractors;
c) separation of key skills to reduce concentrated risk;
d) use of third parties to provide key skills;
e) succession planning; and
f) knowledge retention and management.
The organization should also consider the interests of those whose welfare might be put at
risk as a result of an incident (see 8.3.7).

8.3.3 Work site facilities

COMMENTARY ON 8.3.3
Worksite strategies can vary significantly and a range of options might be available. Different types of incident
or threat might require the implementation of different or multiple worksite options. The correct strategies will
in part be determined by the organization’s size, sector and spread of activities, stakeholders and geographical
base. For example, public authorities will need to maintain a frontline service delivery in their communities.
In all circumstances, it is important for the organization to apply health and safety and adequate provision of
facilities deemed essential, such as transport, ergonomic arrangements and security.
The organization should devise a strategy for reducing the impact of the unavailability of its
normal work site(s). This may include one or all of the following:

a) alternative locations within the organization;
b) alternative locations provided by related organizations;
c) alternative locations provided by third party specialists; and
d) working from home or at remote sites.
NOTE If staff are to be moved to an alternative location, the alternative location ought to be close enough that
staff are willing and able to travel to it, taking into account any possible difficulties caused by the incident.
However, the alternative location ought not to be so close that it is likely to be affected by the same incident.

8.3.4 Supporting technologies

8.3.4.1 The organization should identify all relevant technology assets that directly enable
and support the activities undertaken by the organization.
NOTE Technology implies the use of assets in the broadest sense and as relative to the organization.
Technology might include IT hardware, telecommunications equipment, lathes, food preparation machines or
vacuum sealing machinery.

8.3.4.2 Technology strategies will depend on the nature of the technology employed and its
relationship to critical products and services, but will typically be one or a combination of:
• provision made within the organization;
• services delivered to the organization; and
• services provided externally by a third party.
COMMENTARY ON 8.3.4.2
Supporting technologies will vary significantly between organizations according to the size, nature and
complexity of business. Strategies may be developed to safeguard specialized or custom built technologies (for
example, plant or machinery essential to manufacturing and production capabilities).
The organization may need to make provision for manual operations before full IT services are recovered.

8.3.5 Information
Information security strategies should ensure that information vital to the organization’s
operation is appropriately protected and recoverable.
NOTE Further information is given in BS ISO/IEC 17799.
Any remote copy of information required to reinstate lost records should have appropriate:
• confidentiality;
• integrity (between different data sources); and
• availability to be used for reinstatement.
Information strategies should be documented for the recovery of work-in-progress
information, i.e. data that are not present on the remote copy.
Information strategies should extend to include:
• physical (hardcopy) formats; and
• virtual (electronic) formats.

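As an added worked example (not code from this draft standard), the following Python exercises
two of the three properties listed in 8.3.5 for a constructed remote copy: integrity, by
re-hashing the copy against a manifest recorded when the copy was taken, and availability, by
restoring the copy to a staging directory and re-verifying what was actually written. It also
lists the work-in-progress records that post-date the copy, i.e. the data not present on the
remote copy that a separate strategy must cover. Confidentiality is not something a hash check
can demonstrate and is left to the encryption and access controls applied to the copy. File
names, contents and timestamps are constructed, and the manifest is computed from the good copy
for the purpose of the example.

```python
"""Added worked example (not part of BS 25999-1): checking a remote copy for
integrity and restorability (8.3.5) and listing the work-in-progress gap.
File names, contents and timestamps are constructed."""
import hashlib
import shutil
import tempfile
from datetime import datetime
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_manifest(copy: dict, manifest: dict) -> list:
    """Return the manifest paths that are missing from the copy or whose content
    no longer hashes to the recorded digest. An empty list means the copy is intact."""
    bad = []
    for path, digest in manifest.items():
        data = copy.get(path)
        if data is None or sha256(data) != digest:
            bad.append(path)
    return sorted(bad)


def restore(copy: dict, manifest: dict, staging_dir: str) -> bool:
    """Write the copy into a staging directory and re-verify what landed on disk.
    This is the availability check: a copy is only useful for reinstatement if
    it can be restored and still matches the manifest afterwards."""
    root = Path(staging_dir)
    for path, data in copy.items():
        target = root / path
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    restored = {}
    for path in manifest:
        f = root / path
        if f.is_file():
            restored[path] = f.read_bytes()
    return verify_manifest(restored, manifest) == []


def work_in_progress(records: list, copy_taken_at: datetime) -> list:
    """IDs of records changed after the copy was taken: exactly the data 'not
    present on the remote copy' that the information strategy must also cover."""
    return [rid for rid, modified in records if modified > copy_taken_at]


# Constructed remote copy, with a manifest recorded when it was taken.
COPY = {
    "ledger/2006-06.csv": b"invoice,amount\n1001,250.00\n",
    "contracts/acme.txt": b"Service level: restore within 4 hours\n",
}
MANIFEST = {path: sha256(data) for path, data in COPY.items()}
COPY_TAKEN_AT = datetime(2006, 6, 22, 23, 0)

# A copy altered in transit or at rest, and one with a file lost.
TAMPERED_COPY = {**COPY, "ledger/2006-06.csv": b"invoice,amount\n1001,25.00\n"}
INCOMPLETE_COPY = {k: v for k, v in COPY.items() if k != "contracts/acme.txt"}

# Constructed work-in-progress log: (record id, last modified).
RECORDS = [
    ("1001", datetime(2006, 6, 22, 15, 0)),
    ("1002", datetime(2006, 6, 23, 9, 30)),
]


def run_checks(copy: dict) -> dict:
    """Run all three checks on a copy, cleaning up the staging area afterwards."""
    staging = tempfile.mkdtemp(prefix="bcm-restore-")
    try:
        return {
            "integrity_failures": verify_manifest(copy, MANIFEST),
            "restorable": restore(copy, MANIFEST, staging),
            "work_in_progress": work_in_progress(RECORDS, COPY_TAKEN_AT),
        }
    finally:
        shutil.rmtree(staging, ignore_errors=True)


if __name__ == "__main__":
    for label, copy in [("good", COPY), ("tampered", TAMPERED_COPY), ("incomplete", INCOMPLETE_COPY)]:
        print(label, run_checks(copy))
```

The point of the restore step is that a digest check on the stored copy alone says nothing
about whether the copy can be reinstated; the manifest must be held separately from the copy
itself, otherwise whoever alters the copy can alter the digests with it.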

8.3.6 Equipment and supplies

COMMENTARY ON 8.3.6
In office-based environments, equipment and supplies might constitute forms, headed paper, stationery, etc.
Other industries might identify retail stock or just-in-time supplies. The provision of bulk storage, such as
vehicle fuels, might also be considered in light of the potential for disruption to fuel supplies.

8.3.6.1 The organization should identify, and maintain an inventory of, the equipment and
supplies that support its critical products and services. Strategies to provide these may include
one or all of the following:
• storage of additional supplies at another location;
• arrangements with third parties for delivery of stock at short notice;
• diversion of just-in-time deliveries to other locations;
• holding of materials at warehouses or shipping sites;
• transfer of sub-assembly operations to an alternate location;
• holding of older equipment as emergency replacement or spares;
• additional risk mitigation for unique or long lead time equipment; and
• geographic diversity of critical processes.

8.3.6.2 Where activities are dependent upon key suppliers, these should be identified.
Strategies to manage these may include:
• multiple suppliers;
• encouraging or requiring suppliers to have a business continuity capability;
• contractual agreements with key suppliers; and
• identified alternate suppliers.

8.3.7 Human welfare activities

When determining appropriate BCM options, the organization should satisfy the interests of
those whose welfare might be put at risk as a result of an incident.
The organization should:
• assess the requirements of the business continuity programmes in respect of welfare
issues;
• develop plans and programmes based on that assessment; and
• provide support for the implementation and maintenance of the human welfare plans,
taking into account relevant social and cultural considerations.
COMMENTARY ON 8.3.7
Organizations have a direct responsibility to safeguard the welfare of employees, contractors, visitors and
customers where an incident poses a direct risk to life, livelihood and welfare. Special attention will need to be
paid to any groups with disabilities or other specific needs (e.g. pregnancy, temporary disability due to injury,
etc). Planning in advance to meet these requirements can reduce risk and reassure those affected.
The organization should identify the person or persons who will assume responsibility for
welfare issues following an incident, including:
a) site evacuation (inclusive of internal evacuations) and accounting for staff;

b) ongoing employee/customer communications and safety briefings;
c) contact with a chosen emergency contact or next-of-kin;
d) locating displaced workforce or contractors;
e) rehabilitation services (physical and emotional);
f) family support;
g) translation services;
h) transport assistance;
i) telephone helpline for informing employees and relatives;
j) assisting displaced staff or visitors to obtain temporary accommodation, e.g. hotel rooms.
The organization should deploy staff with appropriate levels of authority to liaise with the
emergency services.
NOTE 1 Emergency services play a significant part in protecting life and relieving suffering during
emergencies. Therefore, early liaison, pre-planning and real-time incident coordination between the
organization and its first responders and the emergency services can improve the efficiency of an incident
response. Instructions from the emergency services will take precedence over the actions described in the IMP
and BCP.
The organization may retain a means to provide services to debrief and counsel affected staff
after an incident. Services may be sourced externally or may be provided as a pre-planned
extension to existing occupational health and employee assistance programmes.
NOTE 2 The long-term impacts of incidents and the value of human welfare should not be underestimated.
Developing appropriate strategies in support of human welfare can directly support and speed financial,
physical and emotional recovery within the organization.

8.4 Sign-off
Senior management should sign off the documented solutions to confirm that these activities
have properly mitigated or catered for the likely causes and effects of a business interruption.
COMMENTARY ON 8.4
Implementation of a particular alternative has to support the overall organizational objectives and thus needs to
have acceptance and support at the highest level.

9 Developing and implementing a BCM response

9.1 Introduction
A major incident can result in serious disruptions in the organization’s ability to meet its
obligations.
It is vital that the organization is able to respond to such incidents and the resulting
disruptions at a speed that meets the expectations of its stakeholders as identified in the
business impact analysis.
Clause 8 described the various means by which business activities can be protected from
intolerable disruption. This Clause gives recommendations for harnessing and coordinating
these resources to create an effective response.
The successful management of an incident has two main components:

• a coordinated organization-wide response to the incident, including communication with
the stakeholders, such as staff, customers, shareholders and the media (incident
management plan – see 9.3);
• restoration of the organization’s activities [the business continuity plan(s) – see 9.4].

9.2 Content of plans

All plans, whether incident management plans, business continuity plans, or detailed recovery
plans, should contain the following.
COMMENTARY ON 9.2
Small organizations may have only a single plan that encompasses all requirements for the business, whereas
larger organizations may have a number of scenario specific plans with separate documentation for incident
management, continuity and recovery.
a) Purpose and scope
The purpose and scope of each specific plan should be defined, agreed and understood.
Each incident and continuity plan should set out its objectives in terms of the products and
services to be recovered over a particular timescale, the situation in which each plan can be
utilized, and the activities to be undertaken.
Each plan should also state what it does not intend to achieve and why.
b) Roles and responsibilities
The roles and responsibilities of the people and teams having authority (both in terms of
decision-making and authority to spend), during and following an incident should be clearly
documented. Deputies should be nominated for persons in key roles.
The following may also be included where appropriate:
• the interface with external organizations or agencies, and between any internal business
continuity, response teams or support teams;
• responsibilities and procedures to be used in the event of an escalation or second incident;
• the process for ensuring a smooth transition from the acute phase of the incident to the
more controlled project phase, including the retention of records;
• procedures/ checklists for the post-incident review process.
The persons or groups covered by a BCP should be clearly defined.
c) Invocation/ mobilization procedures
The method by which an incident management or business continuity plan is invoked should
be clearly documented.
The organization should have a clearly defined process for invoking the relevant plan in the
shortest possible time following the occurrence of a disruptive incident.
There should be guidelines as to who is responsible for activating the plan and under what
circumstances.
The invocation process may require the immediate mobilization of organizational resources.
The plan should include a description of exactly how to mobilize the team(s), where they are
to meet and details of an alternate meeting location (in larger organizations, these meeting
places may be referred to as command centres).

The organization should document a clear process for standing down the team(s) once the
incident is over, and returning to business as usual.
COMMENTARY ON 9.2c)
Time lost during a response can never be regained. It is almost always better to mobilize the response team and
subsequently stand it down than to miss an opportunity to contain an incident early and prevent escalation.
d) Document owner and maintainer
The organization should nominate the primary owner of the plan, and identify and document
who is responsible for reviewing, amending and updating the plan at regular intervals.
A system of version control should be employed, and changes formally notified to all
interested parties.

9.3 Incident management plans

9.3.1 Introduction
The purpose of an incident management plan (IMP) is to allow the organization to manage
the acute phase of an incident. The IMP addresses the stakeholder and external issues facing
an organization during an incident. The IMP should be flexible, feasible, relevant and easy to
read and understand, and provide the basis for managing all possible issues arising from any
threat to the business. The primary aims of the IMP should be:
• to ensure the safety of all affected individuals; and
• to contain the incident to minimize further loss.
The IMP should:
• have senior management support, including a board sponsor where applicable; and
• be supported by an appropriate budget for development, maintenance and training.

9.3.2 Contents of the IMP

In addition to the content recommended in 9.2, an IMP should include the following:
a) Action plans
The IMP should include initial response strategies, in the form of prompts for actions, to be
followed for each of the consequences of disruptions identified during the business impact
analysis.
b) Personnel response
A description of how the organization will communicate with staff and their relatives, friends
and “emergency contacts” should be included. In some cases, it may be appropriate to include
detail in a separate document.
COMMENTARY ON 9.3.2b)
Depending upon the scale of the organization and the size of the incident, a number of competent, trained
people may be required to respond to telephone enquiries about the incident.
Next-of-kin and emergency contact information for all personnel should be kept up to date
and available for prompt use.
c) Media response
The organization should document in the IMP its media response, including:

• the incident communications strategy and description of the organization’s preferred interface with the media;
• a guideline or template for the drafting of a statement to be provided to the media at the earliest practicable opportunity following the incident;
NOTE Consideration may be given to pre-preparing media statements for reasonably foreseeable events.
• appropriate numbers of trained, competent spokespeople nominated and authorized to release information to the media.
In some cases, it may be appropriate to:
• provide supporting detail in a separate document;
• establish a number of competent, trained people to answer enquiries from the press;
• prepare background material about the organization and its operations (this information should be pre-agreed for release);
• ensure that all media information is made available via the organization’s website without undue delay.
<MARGIN>COMMENTARY ON 9.3.2c)
Pre-prepared information can be especially useful in the early stages of an incident. It enables an organization to provide details about the organization and its business while details of the incident are still being established.
d) Stakeholder management
A process for identifying and prioritizing communications with other key stakeholders should be included. It may be necessary to develop a separate stakeholder management plan to provide criteria for setting priorities and allocating a manager to each stakeholder or group of stakeholders.
e) Meeting location (command centre)
The organization should define a predetermined location, room or space from which an incident will be managed. Once established, this location should be the focal point for the organization’s response. An alternate meeting point should also be nominated in case access to the primary location is denied.
NOTE Initially, it may be necessary to hold a virtual meeting, for example by telephone, teleconference or videoconference, so that key decisions can be made promptly.
Command centre facilities should be fit for purpose and include:
• effective primary and secondary means of communication;
• a process for accessing and sharing information, including the monitoring of electronic and broadcast media.
<MARGIN>COMMENTARY ON 9.3.2e)
A command centre provides a known focal point from which the incident can be managed. Use of displays and other tools assists in capturing and sharing key information, setting objectives and tasks, managing resources, identifying issues, tracking actions and making informed decisions. Good communications are essential. The use of a meeting point overcomes situations where telephone networks are overloaded.
f) Annexes
Where appropriate, the IMP should also include up-to-date contact and mobilization details for relevant agencies, organizations and resources that might be required to support the selected response strategies.
The IMP should include an incident log or forms for the recording of vital information in respect of event details, decisions made, details of casualties, damage assessments, communications issued, etc.
The IMP may also include:
• maps/charts/plans/photographs and other information that might be relevant in the event of an incident;
• documented response strategies agreed with third parties as appropriate (joint venture partners, contractors, suppliers, etc.);
• details of equipment staging areas;
• site access plans; and
• a claims management procedure that ensures all insurance and legal claims for or against the organization meet regulatory and contractual requirements.

9.4 Business continuity plans

9.4.1 Introduction
The purpose of a business continuity plan (BCP) is to enable an organization to recover or maintain its activities in the event of a major interruption affecting normal business operations.
Business continuity plans are activated based on the strategy selected to manage the incident. They may be invoked in whole or part and at any stage of the response to an incident.
<MARGIN>COMMENTARY ON 9.4.1
The components and contents of BCPs vary from organization to organization and differ in level of detail based on the scale, environment, culture and technical complexity of the industries and associated solutions, risk profile and environment in which they operate.
Large organizations might require separate documents for each of their critical business areas/functions, whereas smaller organizations might be able to cover what is critical to them within a single document.

9.4.2 Contents of the BCP


In addition to the items recommended in 9.2, a BCP should contain the following.
a) Action plans/task lists
The action plan should include a structured checklist of actions and tasks in a chronological order, highlighting:
• how the action plan is invoked;
• the person who should determine the requirement for invocation of the business continuity plan;
• the procedure that person should adopt in taking that decision;
• the persons who should be consulted before such a decision is taken;
• the persons who should be informed once a decision has been taken;
• who goes where, and when;
• what services are available where, and when, including how external and third-party resources are mobilized;
• how this information is communicated, and when; and
• if relevant, detailed procedures for manual workarounds, system recovery, etc.
<MARGIN>COMMENTARY ON 9.4.2a)
These points are consistent with the requirements of the UK Civil Contingencies Act Guidelines, Emergency Preparedness, Section 6.20.
Plans will reference the resources, facilities, tools and procedures identified in the strategies phase. Clear assumptions and details of any resources required to implement plans ought to be included. In the event that the lack of a service or resource makes the plan’s goals unachievable, a clear procedure for escalating the issue has to be defined.
b) Resource requirements
The resources required for business recovery should be identified at different points in time. These may include:
• personnel;
• facilities and supplies;
• technology, communications and data;
• security;
• transportation logistics;
• welfare needs; and
• emergency expenses.
c) Vital information
The BCP should define vital information sources and how they should be accessed. Examples of vital information might include:
• financial (e.g. payroll) details;
• customer account records;
• supplier and stakeholder details;
• legal documents (e.g. contracts, insurance policies, title deeds, etc.);
• other service documents (e.g. service level agreements).
d) Responsible person(s)
The organization should identify a nominated person(s) who will assume responsibility for human welfare issues following an incident, such as:
• site evacuation (inclusive of internal evacuations);
• ongoing employee/customer communications and safety briefings;
• emergency contact with a chosen next of kin contact;
• locating displaced workforce or contractors;
• rehabilitation services (physical and emotional);
• family support;
• translation services;
• transport assistance.

The organization should deploy staff to liaise with the emergency services.
<MARGIN>COMMENTARY ON 9.4.2d)
Emergency services play a significant part in protecting life and relieving suffering during emergencies. Therefore, early liaison, pre-planning and real-time incident coordination between the organization and its first responders can improve the efficiency of an incident response.
e) Forms and annexes
Where appropriate, the business continuity plan should list up-to-date contact details for relevant internal and external agencies, organizations and providers that might be required to support the organization.
The business continuity plan should include an incident log or forms for the recording of vital information, especially in respect of decisions made.
The plan may also include:
• forms for recording administrative data, e.g. resources used, expenses etc.;
• maps, drawings, and site and office plans, especially those relating to any alternate facilities such as work site recovery areas and storage locations.

10 Exercising, maintenance, auditing and self-assessment of BCM arrangements

10.1 Introduction
An organization’s business continuity arrangements are preserved as fit-for-purpose and continually challenged through exercising and assurance processes.
An organization’s business continuity management arrangements cannot be considered reliable until exercised. Exercising is essential to developing teamwork, competence, confidence and knowledge, which are vital at the time of an incident.
Arrangements should be verified through exercising, audit and self-assurance processes to ensure that they are fit-for-purpose.

10.2 Exercise programme


An exercise programme should be consistent with the scope of the business continuity plan(s), giving due regard to any relevant regulation. Exercises may include tests which anticipate a predetermined outcome.
<MARGIN>COMMENTARY ON 10.2
Exercises provide demonstrable evidence of business continuity and incident management competence and capability. Time and resources spent proving BCM strategies by exercising BC plans will lead to a fit-for-purpose capability. No matter how well designed and thought-out a BCM strategy or BCP appears, a series of robust and realistic exercises that test their implementation will identify areas that could require amendment.
An exercise programme should be devised that, over a period of time, leads to objective assurance that the BCP will work as anticipated when required. In addition, it might lead to the improvement of BCM capability by:
• practising the organization’s ability to recover from an incident;
• verifying that the BCP incorporates all organizational critical activities and their dependencies and priorities;
• exercising the technical, logistical, administrative, procedural and other operational systems of the BCP;
• exercising the BCM organization and infrastructure (including roles, responsibilities, and any command centres and work areas, etc.);
• validating the technology and telecommunications resource recovery, availability and relocation of staff;
• highlighting assumptions which need to be questioned;
• providing information and instilling confidence in exercise participants;
• raising awareness of business continuity throughout the organization by publicizing the exercise; and
• validating the effectiveness and timeliness of restoration of business as usual at the end of the exercise.

10.3 Exercises
If exercises use scenarios, these should be realistic and carefully planned and agreed with stakeholders, so that there is minimum risk of disruption to business processes. An exercise should never be allowed to become an incident.
Every exercise should have clearly defined aims and objectives and a post-exercise report that contains recommendations. This report should be used to improve business continuity arrangements in a timely manner.
The scale and complexity of exercises should reflect the organization’s recovery objectives. Exercises should prove, through their success, that the organization’s business continuity and incident management plans can be executed, and contain the appropriate detail and instructions.
<MARGIN>NOTE A range of approaches to exercising BCM strategies is shown in Table 1.

Table 1 — Types and methods of exercising BCM strategies

| Complexity | Exercise | Process | Variants | Good practice frequency A) |
|---|---|---|---|---|
| Simple | Desk check | Review/amendment of content | Update/validation | At least annually |
| Simple | | Challenge content of BC plan | Audit/verification | Annually |
| Simple | Walk-through of plan | Challenge content of BC plan and validate participants’ roles | Include interaction | Annually |
| More complex | Simulation | Use “artificial” situation to validate that the BC plan(s) contain both necessary and sufficient information to facilitate successful recovery | Incorporate associated plans | Annually or biannually |
| More complex | Exercise critical activities | Invocation in a controlled situation that does not jeopardize business as usual operation | Single-day defined operations from recovery site for a fixed time | Annually or less |
| Most complex | Exercise full BC plan, including incident management | Building-/campus-/exclusion zone-wide exercise | | Annually or less |

A) The frequency of exercises should depend upon both the organization’s need and the environment in which it operates. However, the exercising programme should be flexible, taking into account the rate of change within the organization and the outcome of previous exercises.
The exercise programme should consider the roles of all parties, including key third party providers, outsource and other partners who would be expected to participate in recovery activities. A debriefing that captures learning points should be held following each exercise.

10.4 Outsourced activities


If a product, service or activity has been outsourced, the risk accountability for that product, service or activity remains vested within the organization. Consequently, an organization should assure itself that its material suppliers or outsource partners demonstrate readiness to cope with disruption by exercising their own BC plans.
An organization should obtain evidence of the viability of its material suppliers’ contingency plans and their exercising and maintenance programmes.

10.5 BCM maintenance


<MARGIN>COMMENTARY ON 10.5
The purpose of the BCM maintenance process is to ensure that the organization’s BCM competence and capability remain effective, fit-for-purpose and up-to-date.
Maintenance activities ought to modify existing exercise schedules when they indicate that there has been a significant change in the strategy, solution or business process.
A clearly defined and documented BCM maintenance programme should be established. This programme should ensure that any changes (internal or external) that impact the organization are reviewed in relation to BCM. It should also identify any new critical activities that need to be included in the BCM maintenance programme.
As a result of the BCM maintenance programme, the organization should:
• review and challenge any assumptions made in any components of BCM throughout the organization; and
• distribute updated, amended or changed BCM policy, strategies, solutions, processes and plans to key personnel under a formal change (version) control process.
NOTE If there are major business changes then a revision of the BIA might be indicated. The other components of the BCM programme may be amended to take account of these changes.
The outcomes from the BCM maintenance process should include:
• documented evidence of the proactive management and governance of the organization’s business continuity programme;
• verification that key people who are to implement the BCM strategy and plans are trained and competent;
• verification of the monitoring and control of the BCM risks faced by the organization; and
• documented evidence that material changes to the organization’s structure, activities, purpose, staff and objectives have been incorporated into the BCM and incident management plans.

10.6 Audit
<MARGIN>COMMENTARY ON 10.6
The purpose of a BCM audit is to review an organization’s existing BCM competence and capability, and verify these against predefined standards and criteria. It has two key functions:
— to verify that compliance with the organization’s BCM policy ensures compliance with applicable laws, standards, strategies, framework and good practice guidelines; and
— to highlight key material deficiencies and issues and ensure their resolution.
The frequency and timing of audit activity can be influenced by laws and regulations, depending on the size, nature and legal status of the organization. They might also be influenced by the requirements of stakeholders.
The organization should provide for the independent audit of its BCM to identify actual and potential shortcomings. It should establish, implement and maintain procedures for dealing with these.

10.7 Self-assessment
<MARGIN>COMMENTARY ON 10.7
The BCM self-assessment process plays a role in ensuring that an organization has a robust, effective and fit-for-purpose BCM competence and capability. It provides the qualitative verification of an organization’s ability to recover from an incident. Self-assessment is regarded as good practice.
Actions taken should be appropriate to the magnitude of the problems and the organizational impacts encountered.
The audit or self-assessment of the organization’s BCM programme should verify that:
• all critical products and services, their dependent activities and their supporting resources have been identified and included in the organization’s BCM strategy;
• the organization’s BCM policy, strategies, framework and plans continue to accurately reflect its priorities and requirements;
• the organization’s BCM competence and its BCM capability are effective and fit-for-purpose and will permit management, command, control and coordination of a BCM incident;
• the organization’s BCM solutions are effective, up-to-date and fit-for-purpose, and appropriate to the level of risk faced by the organization;
• the organization’s BCM maintenance and exercising programmes have been effectively implemented;
• BCM strategies and plans incorporate lessons learned from exercises, as contained in a post-exercise report, and amendments arising from the maintenance programme;
• the organization has an ongoing programme for BCM training and awareness; and
• change control processes are in place and operate effectively.
Self-assessment should be conducted against the organization’s objectives. It should also take into account relevant industry standards and good practice.

11 Embedding BCM in the organization’s culture

11.1 General
Building, promoting and embedding a BCM culture within an organization ensures that it becomes part of the organization’s core values and effective management.
A BCM culture will ensure that an organization can:
• develop a BCM programme more efficiently;
• instil confidence in its stakeholders (especially staff and customers) in its ability to handle disruptions;
• increase its resilience over time by ensuring BCM implications are considered in decisions at all levels; and
• minimize the impact and likelihood of disruptions.
<MARGIN>COMMENTARY ON 11.1
Creating and embedding a BCM culture within an organization can be a lengthy and difficult process which might encounter a level of resistance that was not anticipated. An understanding of the existing culture within the organization will assist in the development of an appropriate BCM culture programme.
All staff have to understand that business continuity management is a serious issue for the organization and that they have an important role to play in maintaining the delivery of products and services to their clients and customers.
Development of a BCM culture is achieved by:
• assignment of responsibilities (see 6.2);
• skills training; and
• awareness training.

11.2 Training
The organization should have a process for identifying and delivering the BCM training requirements of relevant participants and evaluating the effectiveness of its delivery.
The organization should undertake training of:
a) BCM staff for such tasks as:
• programme management,
• conducting a business impact analysis,
• developing and implementing BC plans,
• running an exercise programme;
b) non-BCM staff requiring skills to undertake their nominated roles in incident response or business recovery.
Response skills throughout the organization should be developed by practical training, including active participation in exercises.

11.3 Awareness
The organization should have a process for identifying and delivering the BCM awareness requirements of the organization and evaluating the effectiveness of its delivery.
<MARGIN>NOTE Raising and maintaining awareness of BCM with all the organization’s staff is important to ensure that they are aware of why BCM is important to the organization. They will need to be convinced that this is a lasting initiative that has the ongoing support of the executive.
The organization should raise, enhance and maintain awareness by maintaining an ongoing BCM education and information programme for existing and new staff.
Such a programme may include:
• a consultation process with staff throughout the organization, concerning the implementation of the BCM programme;
• discussion of BCM in the organization’s newsletters, briefings or journals;
• inclusion of BCM on relevant web pages or intranets;
• learning from internal and external incidents;
• BCM as an item at team meetings;
• exercising continuity plans at an alternate location (e.g. a recovery site);
• visits to any designated alternate location (e.g. a recovery site).
The organization may extend its BCM awareness programme to its suppliers and other stakeholders.
