BS 25999 Business Continuity Management

MINIMIZING DISRUPTION
MAXIMIZING RECOVERY

raising standards worldwide

WHAT COULD PUT A STOP

TO YOUR BUSINESS?
A framework for resilience and success
Continued operations in the event of a
disruption, whether due to a major disaster
or a minor incident, are a fundamental
requirement for any organization. Business
Continuity Management (BCM) is an evolving
discipline which covers this critical subject.
BCM programmes, similar to other enterprise
processes, are most effective when grounded
in generally accepted standards and built
according to the business objectives. These
objectives and proven standards together
form a foundation that adds credibility and
viability to your BCM programme.

BS 25999 is a visionary standard for BCM which

provides you with a mature, repeatable and
actionable framework to reduce the likelihood of
an incident affecting your organization and to
help you recovery quickly from an interruption to
your operation. When combined with
certification through BSI Management Systems,
BS 25999 also provides you with global
consistency in managing business continuity, a
framework for continual improvement and the
opportunity to demonstrate to your stakeholders
that your BCM programmes meet best practice.

Who is it relevant to?

BS 25999 is suitable for any organization, large
or small, from any sector. Its scalability is one of
its key benefits. It is particularly relevant if your
organization operates in a high risk
environment such as finance,

telecommunications, transport, utilities and the

public sector, where the ability to continue
operating is paramount for the organization as
well as for your customers and stakeholders.

Managing business
continuity
The purpose of BS 25999 is to provide a
basis for understanding, developing and
implementing business continuity within
an organization and to provide confidence
in business-to-business and business-tocustomer dealings. This management
approach to business continuity is achieved
through the adoption of the tried and tested
management systems methodology.
A significant advantage of BS 25999 is
that it goes beyond simple formalized
Business Continuity planning to include
the establishment of a business continuity
management system (BCMS). This applies
the Plan-Do-Check-Act (PDCA) method
which includes planning, testing, training,
and the constant evaluation of the people,
processes, facilities, technologies related to
a BCMS. This approach ensures continual
improvement and allows for the alignment
and integration with other management
system standards such as
ISO 9001 and ISO/IEC 27001.

The Business Continuity Management System

A BCMS takes as input the business continuity needs and expectations of your
stakeholders, or interested parties, and, through the necessary actions and
processes, produces BC outcomes or managed business continuity - that meet
those needs and expectations.

The Business Continuity

Management Lifecycle
BS 25999 certification through
BSI Management Systems, an independent
third-party, reduces the cost of evaluating
suppliers, helps manage the supply chain
and allows you to differentiate yourself by
demonstrating a competitive edge.

BSI Management Systems Business Continuity Management

A widely accepted approach that

incorporates the PDCA model within each
activity is recommended in BS 25999 Part 2.
This iterative process ensures that business
continuity is established and continually
managed in an organization. The PDCA
process ensures continual management of
the BCMS is synonymous with the BCM
programme management shown in the
lifecycle. The following section of the guide
provides guidance on each element of the
lifecycle.

The BCM lifecycle

BSI Management Systems Business Continuity Management

Now you understand the principles of BS 25999 you are in a much better position
to implement a robust Business Continuity Management System. Once this has
been achieved you can prepare for BS 25999 certification - the ultimate assurance
to all your stakeholders that you are compliant with best practice.

MANAGING BUSINESS
CONTINUITY
Understanding, Implementing and Certifying to BS 25999
BCM programme management
Purpose - programme management is at
the heart of the BCM process. Effective
programme management establishes the
organizations approach to business
continuity and helps achieve the objectives
which are defined in the BCM policy.
Involves three steps:
assigning responsibilities (governance);
implementing business continuity in the
organization; and
ongoing management of business continuity.

Understanding the organization

Purpose - to assist the understanding of the
organization through the identification of its
key products and services, and the critical
activities and resources that support them.
Involves the following steps:
Business Impact Analysis (BIA) the process
of analysing business functions and the
effect that a business disruption might
have upon them;
Identification of critical activities;
Determination of continuity requirements;
Evaluation of threats to critical activities;
Undertaking of a risk assessment;
Determination of measures to treat or
mitigate these risks;
Approvals.

During this part of the cycle it is important

that the organization understands the
interdependencies of its activities, and any
reliance it has on external organizations.

Determining your business

continuity strategy
Purpose - now that you have a better
understanding of your organizations critical
activities, you will be in a position to choose
the appropriate continuity strategy to enable
your organization to meet its objectives.
Strategy options will depend on a range of
factors:
Maximum tolerable period of disruption
of the critical activity;
Specific set of actions to be taken to
support a strategy
Costs of implementing a strategy
or strategies;
Consequences of inaction.
Strategies may be required that involve the
following:
People
Premises
Technology
Information
Supplies
Stakeholders
Civil emergencies

Developing and implementing a BCM

response
Purpose the development and
implementation of appropriate plans and
arrangements to ensure continuity of critical
activities, and the management of an incident.
Involves the following steps:
Development of an incident response
structure to respond and recover from
disruptions. This structure could be known
as, for example, an Incident Management
Team (IMT).
Development of plans with each one,
whether its an incident management
(IMP), business continuity (BCP) and
business recovery plan (BRP), setting
out prioritized objectives in terms of:
the critical activities to be recovered;
the timescales in which they are to
be recovered;
the recovery levels needed for each
critical activity; and
the situation in which each plan can
be utilized.
A small organization may have a single plan
that encompasses all requirements for the
business and which covers its entire operation
while a very large organization may have many
plans, each of which specifies in detail the
recovery of: a particular part of its business;
particular premises; or a particular scenario.
May include separate documentation for the
incident, continuity and recovery phases.

Exercising, maintaining and reviewing

your BCM arrangements
Purpose - to ensure that an organizations
BCM arrangements are validated by exercise
and review and that they are kept up-todate. Links to the Check and Act elements
of the management system.
Exercises provide demonstrable evidence of
a BCM competence and capability. Time and
resources spent proving BCM strategies by
exercising BCPs will lead to a fit-for-purpose
capability. No matter how well designed and
thought-out a BCM strategy or BCP appears
to be, a series of robust and realistic
exercises will identify areas that require
amendment and improvement.
Specific benefits include:
Practices your organizations ability to
recover from an incident
Verifies that your BCP incorporates all critical
activities, their dependencies and priorities
Highlights any assumptions which need
to be questioned
Instills confidence among those
participating in the exercise
Raises awareness of business continuity in
the organization by publicizing the exercise
Validates the effectiveness and timeliness
of the restoration of critical activities
Demonstrates competence of the primary
response teams and their alternatives

Embedding BCM in the

organizations culture
Purpose to establish a BCM culture
at the heart of an organization. To be
successful, business continuity has to
become part of the way that an
organization is managed. At each stage
of the BCM process, opportunities exist
to introduce and enhance an
organizations BCM culture.
Building, promoting and embedding a
BCM culture within an organization
ensures that it becomes part of the
organizations core values and steps taken
to achieve these goals typically include
awareness programmes and skills training.
Raising and maintaining awareness of
BCM with all the organizations staff is
important to ensure that they are aware
of why BCM is important to the
organization. They will need to be shown
that this is a lasting initiative that has the
ongoing support of top management.

The Incident Management

Plan (IMP)
Purpose - to allow an organization to
manage the initial or acute phase of
an incident.

The Business Continuity Plan

Purpose - to enable an organization to
recover, or maintain, its activities in the
event of a disruption to normal business
operations. BCPs are activated (invoked)
to support the critical activities required
to deliver the organization's objectives.

BS 25999 is written in two parts. Part 1 is the Code of

Practice which outlines the standards overall objectives,
guidance and recommendations. Part 2, the Specification,
details the requirements and the activities that must be
completed in order to meet business continuity objectives
within the context of an organizations overall business risks.

BSI Management Systems Business Continuity Management

BSI Management Systems Business Continuity Management

"Becoming certified to BS 25999 is the ultimate

assurance you can give your stakeholders"

Becoming certified
Make contact
Tell us what you need and well outline a
solution detailing the best services for you,
along with a proposal for costs and timings.
Your assessment team
Well assign you a Client Manager, who will
be your main point of contact throughout
the process and beyond. Over that time,
they will develop an in-depth knowledge
of your business and support you through
each stage of assessment.
Consider relevant training and gap analyses
These are optional steps, but can really
enhance the whole process. Whether youre
looking to implement a management system
or simply increase your general awareness
of the standard, we have a range of
workshops, seminars and training courses
some of which are available as open or
e-learning courses, either off-site or on your
premises. See www.bsi-global.com/training
for the latest details. Additionally, a gap
analysis can help you with the

Independent certification against BS 25999 will project a favourable

corporate image as a "well-prepared" and proactive organization and
assures your partners of continuity of supply of products and services.

Why BSI?
implementation of your BCMS by identifying
any gaps in your management system.
Assessment and review
The assessment will have two stages. First, well
do a desktop review of your management
system against the requirements of BS 25999,
and identify any omissions or weaknesses that
need resolving before formal assessment. Once
these have been addressed, we can move on to
a full on-site assessment (Stage 2), after which
well make our detailed recommendations.
Certification and beyond
Once the assessment has been successfully
completed, well issue a certificate of
registration which is valid for three years
and explains the full scope of your
management system. But the relationship
doesnt end there. As long as youre
certified with BSI, you can contact your
assessor any time for advice and support
and they will visit regularly to ensure your
systems keep on improving. In this way, you
will be able to demonstrate a continual
commitment to meeting BCM best practice.

There is no more authoritative and

experienced partner than BSI. For more
than a century, we have pioneered the
whole concept of standards. Today, we
provide assessment, certification, training
and software to organizations across the
world, with over 60,000 certified locations
in over 100 countries.
With more full-time assessors than any other
certification body, each carefully matched to
your sector and needs. We can ensure
consistency of experience, expertise and
engagement. We also invest heavily in internal
training, ensuring that our assessors can go far
beyond the technical scope of the audit itself,
and are proactive in helping you improve your
organizations performance.
As you would expect, were an accredited
body ourselves which means were
completely independent, with no vested
interests other than to help you build a better
business. Like you, were always looking for
ways to improve and innovate. Here are just
a few of the latest developments:

Next steps
We now offer electronic certificates and
reports through our secure client extranets.
These allow us to continue a close
relationship online, complementing our
regular member events and newsletter. We
have also introduced a range of software
solutions to help you implement and manage
your business continuity management
system. Entropy is a market-leading, webbased product that allows you to manage
data more efficiently to improve performance
management, corporate reporting,
information and document management

Contact us about your needs and we can

arrange the services that suit you best.
There are a number of ways to move
towards securing a more resilient future
for your organization.
If you want to know how close you are to the
requirements of BS 25999 and certification we
can conduct a pre-assessment to establish any
issues with your management system prior to
a future certification audit.
For further information on our BS 25999
services, please visit:

www.bsi-global.com/bs25999ms

BSI SERVICES SUMMARY

Information, guidance and advice
Standards and publications
Tailored customer events
Training
Business improvement tools

Management systems gap analysis,

second party audits, assessment,
certification, continual assessment
Entropy Software for enterpriselevel risk and business continuity
management compliance.

THE BENEFITS OF BS 25999

AND CERTIFICATION
The benefits of BS 25999 and certification are widespread and cover many areas:
RESILIENCE
Proactively improves your organizations
resilience when faced with disruptions to
the ability to achieve key objectives.

DELIVERY
Provides a rehearsed method of restoring
your ability to supply critical products and
services to an agreed level and timeframe
following a disruption.

MANAGEMENT
Delivers a proven and proactive response
for managing a disruption.
The above three benefits form the key
pillars of BS 25999 and are directly related
to enhancing your organizations BCM
capability. There are numerous additional
commercial benefits:

BSI Management Systems Business Continuity Management

CONTINUAL BUSINESS
IMPROVEMENT
Meeting the requirements of BS 25999
results in a clearer understanding of how your
entire organization works thereby potentially
identifying areas for improvement.

REPUTATION
Helps protect and enhance an organizations
reputation and brand while building
confidence with all stakeholders.

COMPETITIVE ADVANTAGE

COMPLIANCE

INSURANCE

Enables you to promote the resilience of your

organization which can open new markets,
both local and international, and help win
new customers. Additionally, certification can
be used as a differentiator when you apply for
new business through a tender process.

Can help you demonstrate that applicable

laws and regulations are being observed
which can lead to an enhanced corporate
governance regime.

May reduce business interruption insurance

premiums as you will be able to prove to
your insurance company that you have
adopted BCM best practices.

COST SAVINGS

SUPPLY CHAIN

Creates an opportunity to reduce internal

and external BCM audits while reducing the
wider overhead of managing risk as well as
streamlining business activities.

Helps to provide you with confidence in your

supply chain, including outsourced services,
since you can use the standard and particularly
certification against it. Insisting on BS 25999
will help you to reduce the likelihood of your
suppliers causing a disruption to your business.

FRAMEWORK
Provides a common fit-for-purpose
framework to manage business continuity.

BSI Management Systems Business Continuity Management

BSI/UK/56/MS/1207/CW

BSI Management Systems

389 Chiswick High Road
London W4 4AL
United Kingdom
T: +44 (0)20 8996 6325
F: +44 (0)20 8996 7852
E: international@bsi-global.com
www.bsi-emea.com

The BSI certification mark can be used on your stationery, literature

and vehicles when you have successfully achieved certification.

BSI Group:

Standards

Information

Training

Inspection

Testing

Assessment

Certification