BS25999-2:2007 requires that a Business Continuity Management System (BCMS) be implemented, maintained and improved.
An organisation's business continuity programme is defined in a management system, termed the Business Continuity Management System or shortened to BCMS (sorry, another acronym to learn).
The general requirement of the standard is that the organisation, fairly obviously, develops, implements, maintains and improves a business continuity management system in line with the familiar PLAN-DO-CHECK-ACT model.
PLAN: Establish business continuity policy, objectives, targets, controls, processes and procedures.
DO: Actually get on and implement one's plans
CHECK: Monitor and review performance against objectives and policy
ACT: Take preventative and corrective actions to ensure continuous improvement
Establish and Manage the BCMS [PLAN]
This section requires that the organisation defines its business continuity requirements in terms of its overall objectives and that the scope of the BCMS is clearly defined, for example whether it covers just the London office or the whole organisation.
In what is a potentially large task it also requires that the organisation assures itself, by whatever demonstrable method, that its key suppliers and outsourced agencies also have effective BCM in place. Probably the easiest way to demonstrate that suppliers have effective business continuity is to require them to hold BS25999 themselves, admittedly a somewhat difficult thing to achieve. Other means might include inspections, questionnaires, etc.
The BCMS must as a minimum contain:
* A business continuity policy
* Responsibilities
* Management Processes
* Topic Specific Processes
* Documentation
A BCM policy is required that demonstrates commitment and details the scope and objectives of the BCMS. This policy also has to be regularly reviewed and made available to all relevant parties. Very similar to a quality policy or security policy this forms the foundation of the BCMS because it demonstrates clear management commitment and sets out responsibilities.
The organisation has to demonstrate that an appropriate level of resources is allocated, that a person is nominated to be accountable for the BCMS and that a person is nominated to be responsible for its implementation and maintenance. These do not have to be the same person; in larger organisations this typically means that a senior manager, perhaps a Board member, is accountable while a Business Continuity Manager is responsible for implementation and maintenance.
Any person who is assigned responsibilities in the BCMS also has to have appropriate competency, and there has to be documented evidence to support this. How organisations choose to demonstrate competence is up to them and might include interview notes, professional qualifications, references, training records, tests, copies of published work or a mix of various items. Of course, with a nod to the various professional organisations out there, one of the quickest ways to demonstrate competence would be to have copies of staff members' professional qualifications on file.
Training and competency management is required for those involved in the BCMS, either by virtue of their day-to-day role or through involvement in a recovery or incident.
Embedding Business Continuity Management in the Organisation's Culture
BCM has to become a central part of the organisation's management outlook, and an ongoing BCM education and information programme must be in place.
Business Continuity Management Systems Documentation and Records
The documentation that forms part of the BCMS has to be fully controlled and protected by document release and authorisation processes.
As a minimum the BCMS must contain the following documentation:
* Scope
* Policy
* Resource provision
* Staff competency and records
* BIA, risk assessment and BC strategy
* Incident response structure, incident response plan and business continuity plan
* Exercise arrangements
* Maintenance, review and audit procedures
* Preventative and corrective actions
* Management reviews and evidence of continual improvement
Record management, in order to support the Plan-Do-Check-Act model, forms a key part of the standard, covering for example retention, location, authorisation and issue status.
The BCMS documentation may be maintained in hard copy or soft copy formats.
Implement and Operate BCMS [DO]
Get out there and put those plans into action.
Understand the Organisation
This section essentially formalises what is in Part 1; that is, carry out a BIA in a structured and documented manner, recording the results. Using a documented risk assessment process the organisation shall analyse the threats it faces and its vulnerabilities to those threats, measured against its critical activities and resources. Then, decide how the organisation is going to address those risks. One of the key elements of this section is that the risk assessment process must be documented, so again organisations can simply document how they do it, or just use a recognised method and refer to that in their BCMS. Once the organisation is understood in terms of impacts, risks and likelihoods, a reasonable strategy can be decided upon.
Develop and Implement a BCM Response
Once a strategy has been decided upon, implement it. This also includes the incident response structure.
Exercising and Maintaining BCM Arrangements
When the BCM response has been implemented it has to be tested with an exercise programme that is appropriate for the organisation.
Monitor and Review the BCMS [CHECK]
To ensure that the BCMS is effective a monitoring and review process shall be implemented.
This is broadly split into two elements:
Internal Audit
If the organisation already has an internal audit function it may make sense to utilise the processes and procedures already being used. Even personnel not specifically trained in business continuity may be used, since internal audit should be an objective process.
Management Review
Management review would ordinarily be an annual exercise involving review of internal and external audit activity, resources and other inputs and outputs. The overall objective of the management review is to determine whether the BCMS continues to meet the organisation's needs. A management review may also take place in light of significant organisational change.
Maintain and Improve the BCMS [ACT]
One of the goals of any management standard is that of continual improvement.
The standard requires that organisations continually improve the general effectiveness of the BCMS with a mixture of both preventative and corrective actions. Preventative and corrective actions are identified by a range of activities such as audits, event analysis or management reviews. They have to be formally recorded and acted upon, and these records held for inspection.
The management review will determine a range of actions that need to be taken.