BS 25999 - Summary of Requirements
This page briefly summarises the key requirements of BS 25999 in order to prepare for certification.
In essence, the standard requires its adherents to describe how they consider, implement and maintain business continuity plans relevant to the scope of operation. In common with other standards, BS 25999 requires evidential records to demonstrate compliance with the Standard as well as with the organisation’s own requirements.
Some of the general requirements are in common with ISO 9001 (e.g. management review, internal auditing, training and competence etc.) and as such can be easily integrated into an existing management system. The BCM specific elements are outlined below:
Business Continuity Policy, Scope and Objectives
It is necessary at the outset to define the Policy, Scope and Objectives of the BCM and this then will help provide direction to the business continuity planning work. A key element of this exercise would be to identify all products and services within the scope.
Business Impact Analysis
It is necessary to understand the potential impact(s) of disruptions to the critical activities (processes) and resources that support normal business operations and the organisation’s products and services, in order to determine appropriate risk treatments.
Risk Assessment
A risk assessment of the entire operation should be used to enable the organisation to understand the threats and vulnerabilities relating to its critical activities as well as its supporting resources and suppliers. The organisation would also need to understand the impact on it should an identified threat actually materialise.
Business Continuity Strategy
Based upon the outcomes of the above, the organisation would define an overall strategy that describes how it will respond to and recover from any disruptions affecting its critical activities, and how it will manage its own resources, as well as its relationships with suppliers and other relevant third parties.
Business Continuity Plans
It would then be necessary for the organisation to develop, document and implement specific Business Continuity Plans in order to provide a response to each envisaged threat (risk) and to enable it to continue its critical business operations in line with its BC strategy. This requires documenting an overall Incident Response Structure, which will include any requirements on third parties, as well as communication planning.
Exercising and Reviewing the BCPs
Once the Plans are in place, it is then necessary to test and validate them through realistic exercises of the arrangements so as to ensure that they meet the organisation’s requirements. The scale and frequency of such exercises will depend on the level of threat posed, as well as on the risks inherent in the exercises themselves. Each exercise would be followed by a review to analyse the results, ensure that the plans are kept up to date and make improvements wherever necessary.
If you want to ask a question or two, or wish to discuss further how we can help with Business Continuity Planning, then do call or email.