BS 25999 Certification: Business Continuity Management System

An increase in global threats, large-scale natural disasters, a growing volume of pandemic-related concerns, and more instances of companies affected by local and regional power or internet outages have elevated the importance of business continuity. Many organizations develop a business continuity plan as a one-time exercise and then file the plan on a shelf to collect dust, or store it away on an unknown hard drive. With the increasing frequency of disruptions in an increasingly technology-dependent business environment, companies must focus efforts on their ability to provide services to customers no matter the situation. British Standard 25999 (BS 25999) is a process-based standard, similar to ISO 9001, that focuses on business continuity management. When implemented, it will help an organization:

  1. Prepare a common method to manage unplanned disruptions;
  2. Install a business-focused approach to keep services running or recover from an outage rapidly;
  3. Reduce the financial impact of an unplanned disruption; and
  4. Provide employees with defined roles and responsibilities in the event of a disaster.

BS 25999 benefits companies that would like not only to create a business continuity plan, but also to be prepared to execute the plan if an unforeseen event occurs. With an approach that emphasizes the business impact and the associated risks to services, BS 25999 provides an organization with a planning framework that focuses on the priorities of restoring business services to minimize financial, brand and business impact.

BS 25999 comprises four major sections of guidance that must be implemented by an organization. Each section number below is followed by its expectations:

Section 3: Planning the Business Continuity Management System (BCMS)
  • Scope and Objectives
  • Define the Included Products and Services
  • Define a Business Continuity Management Policy
  • Provide Resources
  • Develop Competency of Resources
  • Develop Business Impact Analysis Methodology
  • Develop Risk Assessment Methodology
  • System for Document Control
  • System for Record Control

Section 4: Implementing and Operating the BCMS
  • Perform Business Impact Analysis
  • Perform Risk Assessment
  • Determine Business Continuity Strategy
  • Develop Business Continuity Response
  • Create Incident Response Structure
  • Perform Business Continuity Exercises

Section 5: Monitoring and Reviewing the BCMS
  • System for Internal Audits
  • Perform Management Reviews

Section 6: Maintaining and Improving the BCMS
  • System for Corrective and Preventive Actions
  • Continual Review of Policies, Plans, Procedures and Results

Each of the areas above requires specific activities to be performed. In many cases, organizations have already invested time and resources to resolve specific issues. For example, a company may have invested in cloud solutions with redundant systems to minimize the likelihood of a disruption, identified key suppliers of goods and services as well as alternate supplier options, or created a business continuity plan that describes the activities that should occur during a disruption. By combining such existing investments with the principles and practices of BS 25999, an organization will be better prepared to respond to unforeseen events. One additional advantage of implementing BS 25999 is that the standard has been adopted by FEMA as one of the optional certification standards included in the voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep). The PS-Prep program was created on the recommendations of the 9/11 Commission. By certifying to BS 25999, an organization will gain increased recognition of its commitment to business continuity preparedness.

Since many organizations have already started the implementation process to meet customers' demands, the most pragmatic way to approach BS 25999 is to evaluate the current system against each of the required processes and controls. Many early adopters of BS 25999 are already certified to one or more standards such as ISO 9001 or ISO 20000. This makes the transition to BS 25999 easier, as some of the basic requirements of a management system, such as document and record control, are already in place, allowing the company to focus on incorporating the new requirements into an existing method.

After implementing the guidance of BS 25999, registration is the method by which a company can prove that it has successfully implemented the requirements. After documenting its processes and performing reviews, the company can then engage an independent auditing company to review those processes and confirm that the company is adhering to them. At the end of the audit, the company is presented with a certificate that it can provide to existing and potential customers as proof of its commitment to information security.

The challenge that many organizations face with BS 25999 is that the guidance is general in nature, rather than specific to a particular industry or company. BS 25999 is a risk-based, situation-specific standard. Many companies review the requirements and work to fulfill every one, rather than evaluating the needs of the organization to determine which services should be included in the business continuity management system and which will improve the success of the organization. When an organization begins to apply the standard to its operations, unnecessary or complicated solutions can be created for simple challenges. By over-applying the standard to their operations, organizations expend precious resources and time, and form a less favorable opinion of the benefits of implementing BS 25999.

BS 25999 is a relatively new standard that is currently under review for adoption by ISO as ISO 22301, which is expected to occur in 2012. This should not discourage organizations from looking at BS 25999, as many of the requirements will be similar in ISO 22301, and developing the framework now will prepare you for future changes. Given the flexibility of the standard, many companies are looking to consultants to:

  1. Reduce the timeframe for implementation to meet customer requirements;
  2. Understand how to implement practical business impact analysis and risk assessment methods;
  3. Understand the best approach to integrate BS 25999 with existing standards;
  4. Implement guidance to ensure that business continuity is a business critical activity, not a static plan; and
  5. Ensure successful initial achievement of certification.

ITG is here to help. We offer a catalog of services that are tailored to fit your budget, the experience of your team, availability of resources, and time constraints of your project. ITG believes in a work-share approach that allows you to determine how much or how little support you need to achieve your objectives.

ITG provides flexible solutions—from complete system development to company specific augmentation—providing valuable insight, advice, and troubleshooting along the way.  Our goal is to ensure that you understand your system, support you in any way possible, and leave you with the tools to manage your system after implementation. Our job is to understand your needs and provide you with the services that will meet your organizational goals, budget and timeframe.

Core to our success is the concept of “the ITG Advantage,” which means we:

  • Believe in what we do, comply with the standards we promote, and improve every day;
  • Are a small business that understands the cost of the commitment and works to keep investment and retention costs reasonable;
  • Invest in training and tools to keep our techniques current;
  • Strive to understand your needs and create solutions that are functional and effective;
  • Adapt to what you need to ensure success;
  • Create relationships of mutual benefit that are based on customer satisfaction; and
  • Focus on making your system user-friendly rather than compliance-driven.

Please contact us today to discover how we can help you achieve success.