Business Continuity Management
It is critical that businesses plan for the potential disruptions to operations that can be caused by everything from minor accidents to major disasters. Maintaining business continuity has become a vital requirement of all organizations. The BS 25999-2:2007 standard for Business Continuity Management (BCM) was developed to establish the minimum standards for an effective BCM system (BCMS).
By identifying and outlining the elements of an effective BCMS, the standard is designed around keeping a business operating at required levels during any emergency. An effective BCMS will help you safeguard critical resources and staff, protect your reputation and brand value, and keep your critical business functions operating. The outcome is protection of shareholder value and the bottom line.
Business continuity, risk management, and disaster recovery have existed for a long time. BS 25999-2 provides a more comprehensive approach to BCM, supported by enterprise-wide planning and procedures, and it introduces a full lifecycle and PDCA approach. It is an auditable standard, so organizations have a framework for continual improvement and for demonstrating to stakeholders that they meet best practice.
Who needs BS 25999-2?
BS 25999-2 was developed by experts from a cross-section of industry and government bodies. It can be applied to small or large organizations, and it is particularly valuable for high-risk industries such as information service providers, banking, telecom, and utilities where high availability is crucial. For organizations with less risk, BS 25999-2 can meet the BCM needs of critical groups, divisions, and support functions. Since risk assessment is a fundamental piece of your BCM strategy, any organization can utilize BS 25999-2 to develop a proportionate and effective implementation (of the standard and best practice) and ensure operations are sustainable given an unexpected event.
What are the benefits?
An effective and certified BCMS:
- Outlines a proven framework on which an organization can base its BCM system
- Improves an organization’s resilience when encountering unexpected events
- Provides a measured and planned response organization-wide when an event occurs
- Creates competitive advantage, reputation, and brand value in the marketplace through reliability and high availability
- Identifies opportunities for improvement by developing a clearer understanding of the organization and risk levels
- Demonstrates compliance and commitment to contracts, applicable laws, and government regulations
- Reduces costs by eliminating or minimizing the lost productivity that results from interrupted operations
How does BS 25999-2 help?
The standard specifies how an organization develops a BCMS. It specifies the requirements for designing, implementing, and managing a BCMS. It reinforces:
- Understanding the business and risks that underlie an effective BCMS
- Operational controls and measurements that help an organization manage business continuity
- Management, monitoring, and review of performance and effectiveness of an organization’s BCMS
- Continual improvement based on an effective strategy and objective measurement of the system
How is a BCMS like other management systems?
Like other management systems, such as ISO 9001, ISO 27001, and ISO 14001, a BCMS has the following elements:
- A BCM policy
- Identification of resources, competency, and responsibilities
- Management processes that address BCM policy, system planning, implementation and operation of the BCMS, performance assessment and measurement, management review, continual improvement, and documentation and auditable evidence of effectiveness
- Business- and organization-specific processes and outcomes such as risk assessment, business impact, contingency planning, response, and overall BCM plan development
- The Plan-Do-Check-Act (PDCA) cycle for establishing, implementing, operating, monitoring, maintaining, and improving the effectiveness of an organization’s BCMS
The Certification Process
Certification can happen once your management system is ready. The typical certification process involves an on-site pre-assessment (gap analysis) if you desire, readiness review of your BCMS documentation, the certification audit itself, closure of any open issues, a review by the registrar, and issuance of your certificate. Certification costs are typically small compared to the cost of implementing the system. Fees are typically driven by the size of your company, complexity, and audit days required. With some basic information about your company, SRI can easily provide a no-obligation, detailed cost proposal.