The standard aims to achieve the following

• Provides a basis for understanding business continuity management
• Provides a means of measurement that is consistent and recognised
• Provides a system based on established good practice

It does not deal in general with emergency planning and management except in the context of an organisations role within a larger civil emergency.

• Is the standard for me?
• If I have a business continuity management plan already in place, why should I use this standard?
• Is it just for large organisations?
• Is it complicated and going to tie me up in red tape?
• Is it just a British Standard, not relevant if I live in the USA?

The standard was prepared by BSI Technical Committee BCM/1 whose membership included representatives from the financial services industry, government, academia, the emergency services, business organisations and a number of specialist practitioners from around the world.

It has been designed to be applicable to all sizes and types of organisations as the broad principles and practices described can be adapted to suite each individual organisation, considerable flexibility exists in implementation of the standard Although many industry sectors have a mature business continuity capability, many do not, particularly small to medium business.

Having a non prescriptive, moderately easy to understand and consistent set of principles will enable business continuity to mature in a greater number of businesses.

BSi have delivered a standard for the needs of the British market but it is just as applicable in New York or Munich as it is in London.

Of course, complying with the standard does not infer any immunity from problems, this must be understood clearly by any organisations looking to use it but lays down a common framework that will ultimately enable measurement, benchmarking and certification.

Measurement, benchmarking and certification will provide market assurance that the organisation is well prepared to meet a range of events that may threaten its sustainability and existence.

PS-Prep sets out to enhance nationwide resilience by improving private sector preparedness to establish a common set of criteria for private sector preparedness, including disaster management, emergency management and business continuity programs. Certification to BS 25999 US Edition will be used to confirm compliance with the voluntary preparedness scheme.

Todd VanderVen, President of BSI Americas,said:

“We are delighted to support the PS-Prep with the provision of BS 25999 US Edition. The standard has been used successfully by private businesses around the world assisting organizations of all types and size determine and invest in critical areas of the organization, protect reputation and enhance stakeholder confidence. It will now play a key role for private sector organizations in the USA wishing to demonstrate compliance with the voluntary preparedness scheme.”

Every year thousands of businesses face the risk of a disruption to their business operations, ranging from the effects of everyday disruption such as power failure, to adverse weather conditions to full scale terrorist attacks. Business interruptions can create a chain of ‘knock-on’ effects stretching as far as damaging national and international infrastructure. The need for good guidance in this field has never been stronger.

BS 25999 US Edition sets out the requirements for establishing and maintaining an effective BCM system, effectively enabling an organization to anticipate and prepare for disruption. This might mean being able to rapidly recruit temporary staff or moving premises at very short notice: risks are different for every organization but BS 25999 US Edition helps the organization to determine what they are and make the necessary arrangements. Independent certification to this standard enables an organization to demonstrate to customers, stakeholders and legislators its proactive approach to achieving best practice in the area of BCM.

BS 25999 US Edition is initially available to private businesses in the US for a one month period. At the end of this, all public comments on the standard will be examined and the DHS will evaluate the standard for permanent use in the program.

Selection of the BSI Standard does not imply DHS endorsement of BSI or any of its products or services other than the particular standard to be used for limited purposes.

For more information on BS 25999 US Edition,visit the BSI website.

www.bsiamerica.com

Titled BS 25999–2:2007 Specification for business continuity management and includes…

* Documentation Requirements
* Management responsibility
* Internal BCMS Audit
* Management review of BCMS
* BCMS Improvement

The standard was published on November 20th 2007

How does an organisation seek compliance with the standard?

As with most management standards the process will be relatively standardised using the guidelines in ISO 17021

STEP 1 — Application

Apply to a certification body, certification bodies are organisations that are accredited to certify organisations, for example BSI or LRQA (although these two examples are not the only ones). An understanding of the scope of the BCMS will need to be made. The certification body will then create a proposal detailing the number of assessment days required and costs etc. If the organisation chooses to proceed the assessment should take place.

STEP 2 — Pre Assessment

A pre assessment may be used to provide a snap shot of readiness for the full assessment. Sampling and other techniques may be used in this pre assessment. Any areas of omission will be raised and an assessment of remedial work, should any be needed, would be made. The formal assessment may be delayed if it is thought that it would be unlikely that the organisation would pass.

STEP 3 — Assessment

The formal assessment is then made during which all areas of the Part 2 Specification will be covered. In line with ISO17021 and in a similar way to other management standards the formal assessment is done in two parts.

Stage 1: This stage will cover the Business Continuity Management System and will examine BCMS documentation, the management review/audit system and evaluation of readiness for stage 2. Planning for Stage 2 will also take place.

Stage 2: This stage examines the implementation of the BCMS i.e. objective evidence. It may involve inspection of records, interviews of personnel and physical inspections.

Any observations or non conformities will be formally recorded and a recommendation for certification or not made.

STEP 4 - Recommendation and Award

If client achieves recommendation for certification body this recommendation will be forwarded to the BS25999 Certification Manager for final review and issuing of certificates. If the client fails the audit a corrective action plan is usually agreed and a second audit arranged.

STEP 5 — Continued Assessment

When the certificate has been awarded surveillance audits will be planned, typically at yearly intervals. These surveillance visits will examine the effectiveness of the BCMS, management reviews/audit, progress of continual improvement actions, change review and possibly the use of the registration marks in publicity materials etc. A full reassessment will also be carried out at longer intervals, usually 3 years although this will depend on both the organisation and the certification body.

What are the benefits of certification?

As I have mentioned the standard comes in two parts. Splitting them is designed to make it easier to understand and deploy. Part 2 or the Specification sets out the minimum that an organisation should do in order that its business continuity systems are effective.

Implementing BS25999 Part 1 or the Code Practice will undoubtedly provide many benefits to an organisation but there is no doubt that achieving certification will require significant extra work, so what are the benefits?

In a word, demonstrability.

Having certification to a known and accepted management standard such as BS25999 Part 2 avoid saying to stakeholders ‘Trust Me’