BS25999
BS25999 Part 2 - Specification
Establish the BCMS [PLAN]
An organisation's business continuity programme is defined in a management system, termed the Business Continuity Management System or shortened to BCMS (sorry, another acronym to learn).
The general requirement of the standard is that the organisation, fairly obviously, develops, implements, maintains and improves a business continuity management system in line with the familiar PLAN-DO-CHECK-ACT model:
PLAN: Establish business continuity policy, objectives, targets, controls, processes and procedures.
DO: Actually get on and implement one's plans.
CHECK: Monitor and review performance against objectives and policy.
ACT: Take preventative and corrective actions to ensure continuous improvement.
Establish and Manage the BCMS
This section requires that the organisation defines its business continuity requirements in terms of its overall objectives and that the scope of the BCMS is clearly defined; for example, is it just for the London office or the whole organisation? In what is a potentially large task, it also requires that the organisation assures itself, by whatever demonstrable method, that its key suppliers and outsourced agencies also have effective BCM in place. Probably the easiest way to demonstrate that suppliers have effective business continuity is to require them to have BS25999, a somewhat difficult task to complete admittedly. Other means might include inspections, questionnaires etc.
The BCMS must as a minimum contain;
A BCM policy is required that demonstrates commitment and details the scope and objectives of the BCMS. This policy also has to be regularly reviewed and made available to all relevant parties. Very similar to a quality policy or security policy, this forms the foundation of the BCMS because it demonstrates clear management commitment and sets out responsibilities.
The organisation has to demonstrate that an appropriate level of resources is allocated and that someone is nominated to be accountable for the BCMS and someone for its implementation/maintenance. This does not have to be the same person, and in larger organisations means that a senior manager, perhaps a Board member, is accountable but a Business Continuity Manager is responsible for implementation and maintenance. Any person who is assigned responsibilities in the BCMS also has to have appropriate competency. There also has to be documented evidence to support this. How organisations choose to demonstrate competence is up to them and might include interview notes, professional qualifications, references, training records, tests, copies of published work or a mix of various items. Of course, with a nod to the various professional organisations out there, one of the quickest ways to demonstrate competence would be to have copies of their professional qualifications on file. Training and competency management is required for those involved in the BCMS, either by virtue of their day-to-day role or through involvement in a recovery or incident.
Embedding Business Continuity Management in the Organisation's Culture
BCM has to become a central part of the organisation's management outlook, and an ongoing BCM education and information programme must be in place.
Business Continuity Management Systems Documentation and Records
The documentation that forms part of the BCMS has to be fully controlled and protected by document release and authorisation processes. As a minimum the BCMS must contain the following documentation
Record management, in order to support the Plan Do Check Act model, forms a key part of the standard, for example, retention, location, authorisation, issue status etc. The BCMS documentation may be maintained in hardcopy or soft copy formats.
Document Author: Harvey Fawcett