Home   |   Resources   |   BS25999 - What it’s all about

BS25999 - What it’s all about

If you’d like to know more about BS 25999, the first British Standard in business continuity management, and how to create a business continuity culture within your business, you’ll find this summary helpful.

BS 25999 is the British Standard for business continuity and is intended to provide guidance to organisations either in creating business continuity (BC) programmes or to check what they already have in place. It comes in two parts. Part 1 – the Code of Practice - provides broad guidance and the overall framework for good practice in business continuity management, while Part 2 – the Specification - details the control framework of the Standard and describes what you need to have in place for compliance purposes.

The Standard applies to all industry sectors and to organisations of all sizes so for the first time there is an objective benchmark against which organisations can compare the adequacy (or otherwise) of their business continuity management.

At the heart of the Standard is the business continuity lifecycle:

The business continuity management lifecycle is a methodical process that breaks the development of a business continuity management system into manageable bite-sized chunks. Understanding your business is key to beginning the process of putting in place a business continuity plan (BCP) that will enable you to respond effectively to any unexpected circumstances that threaten the well-being of your business. The Standard states that you should be able to obtain good understanding of your business through a Business Impact Analysis and a Risk Assessment. These will enable you to identify:

• The critical business activities you need recover to ensure your business’s survival
• The timescales these activities should be resumed within
• The basic business resources you require to maintain the minimum acceptable level of operation for your business
• The dependence of your business on IT systems and applications
• Key internal and external business dependencies
• Potential threats to your business and your options to deal with those threats.

 

The guidance Standard states that you should use this to decide which business continuity strategies you should put in place. Every business is different and while the Standard does not seek to prescribe what you should do it does say that you need to take account of:

• People
• Premises
• Technology
• Information
• Supplies
• Stakeholders

 

SunGard can help you choose the most appropriate and cost-effective strategies for your business.

Once you have decided on your chosen strategies you need to implement them and have measures in place that take care of incident management, as well as recovering your critical business activities.

The Standard gives a whole host of guidance on the sorts of things you should consider putting in place, from dealing with staff welfare, to ensuring the press and media interest is contained, incident control locations etc. It also suggests the sort of material that can go into plans and who should be responsible for a variety of activities.

While it’s all very well putting in the effort of getting plans and other measures in place, to adhere to the Standard you should exercise, maintain and review your business continuity arrangements. The Standard gives some excellent guidance on the sorts of activities you should be undertaking. It recognises that any plan is going to be long on theory and short on practice unless the latter is carried out and it is vital that you do so to identify gaps in plans and assumptions and to ensure people are familiar with roles and responsibilities when dealing with a major incident.

It is just as important to ensure that your plan’s contingency arrangements remain up-to-date and relevant to your business as it evolves and so the Standard states that there should be a regular review and maintenance regime, which goes hand-in-hand with the exercising and testing of your plans.

Finally, if you are carrying out all of the lifecycle activities and following the guidance contained within the Standard, you will be creating a business continuity management culture within your business.

If you are considering formal certification under the Standard, as one of the first two companies in the world to gain BS 25999 certification, SunGard is well-placed to guide you through the process.