BS25999 2 Advisory Board

BS25999 and Other Management Systems Standards (MSS)
Chris Green, Chair BCM/1
This presentation is an adaptation of a Siemens-Insight copyright presentation (Insight Consulting)

Uploaded by chrisggreen, posted 08-Jun-2015

DESCRIPTION

An old presentation about BS25999 parts 1 and 2, but it explains some of the context about business continuity standards.

TRANSCRIPT

Page 1: Bs25999 2 advisory board

BS25999 and Other Management Systems Standards (MSS)

Chris Green, Chair BCM/1

This Presentation is an Adaptation of a Siemens-Insight copyright Presentation

Insight Consulting

Page 2

Agenda

BS25999 and other standards

Benefits of the Management Systems approach

Guidance

Accreditation

Other Developments

Page 3

Why have standards?

Common understanding

Common approach

Common sets of evidence

Promote quality in a particular subject area

Reduced risk

Reduced management overhead

Greater assurance that the topic is managed effectively

Page 4

Which standard should we have?

Broadly speaking there are four tiers of “standards” in the UK

PAS – guidance on best practice

BS – a standard for the UK in the form of a code of practice

BS – a specification allowing for the achievement of certification

ISO – an international standard superseding BS

Page 5

Positioning BS25999-1

Supersedes PAS56

Not the specification standard which will be BS25999-2

Related guidance should be compatible with BS25999, for instance any future PAS relating to continuity planning

Could be superseded by an International Standard, so any ISO25999 would replace BS25999

Page 6

Global Vision for ISO 2006 to 2010

Facilitation of global trade

Improvement in quality, safety, security, environmental and consumer protection, as well as rational use of resources

Global dissemination of technologies and good practice

Page 7

Issue of Complexity

Great potential for synergy between standards

The synergies are not recognised

Economies relating to synergies are not realised

Page 8

Management Systems Standards

Diagram of the management systems standards landscape (flattened in extraction). Subject area and the standard shown for it:

BCM – BS 25999

RM – ISO 25700

Quality – ISO 9001

Environment – ISO 14001

Food Safety – ISO 22000

IT DR – PAS 77

Supply Chain – PAS 28003

Crisis Mgt – SSM/1

Also shown: MSS-SAG, TC223 Societal Security, ISO TMB

Page 9

Issue – more reporting and more management time

Constant stream of people reporting to the Board

Board room time taken up with reporting not strategy

No common themes nor messages

Management want confidence and assurance (this is exactly what the standards are aimed at providing)

Always ask for money

Page 10

PAS99 – MS Integration

Diagram (flattened in extraction): separate Environment (E), Occupational Health & Safety (OH&S), Quality (Q) and Business Continuity (BC) management systems, each with its own "Common" elements, shown converging on a single shared COMMON core.

Page 11

Management Systems

Generally the approach is:

Standard Plan-Do-Check-Act model

BS describes establishing a Management System, its continuing operation and a process of continuing improvement

Subject specific information then fits into this model

Page 12

PDCA Model

Page 13

Implications for BS25999-2

This is the specification that will allow for certification

Must weigh the benefits of commonality with other standards and the current practices in business continuity

MSS approach will need adapting for our specialism whilst retaining the key characteristics of a certification standard and consistency with other related MSS

Scope statements allow application to largest and smallest of organisations

Scope must not be allowed to imply capability where none exists – for instance certification can only be achieved by addressing all steps and all controls in the standard

Page 14

25999 Part 2

BS25999-2 has finished DPC (Draft for Public Comment)

250 pages of comments!

Under review at present and being finalised for the main committee to review in October 2007

Publication will be late October

Guidance Documents underway

Page 15

The Standards Pyramid

Diagram (flattened in extraction). Labels shown on the pyramid:

Sector/Industry specific guides*: Financial; Construction, mining, oil and gas; Pharmaceutical; Aerospace & Engineering; Retail; Utilities

Specialised Functions: HR – IT – OR – Legal – Security – Procurement – Ethics – Supply

Relation to Other Risk Areas

Also shown: SME; Public – National/Local; Charities / Voluntary; FTSE 250 – Small plc

Sector Guides: Context; Framework; Scope; Why do BCM (benefits/drivers)?; Options; Implementation / Testing

Standards layers: BS25999; ISO; BSI/CEN

Page 16

(The Standards Pyramid slide repeated; see Page 15.)

Page 17

(The Standards Pyramid slide repeated; see Page 15.)

Page 18

Accreditation Bodies

5 accreditation bodies interested

4 volunteers for pilot – however, concerns that they are “all the same”

Competence Criteria for Auditors being developed

Page 19

Other emerging standards

PAS77 – IT Continuity guidance

Developed in isolation from BS25999

Does not follow precepts of PAS56 or BS25999

Does not follow the management systems approach

Not clear how this fits with other related standards – e.g. ISO 20000 (ITIL)

ISO/IEC 24762 – Recovery Site Provision

Didn’t ask any recovery site vendors!

Page 20

Risk Management

Risk Management standard

BCM and Risk Management committees have swapped glossaries and are trying to agree common terms

Where BS25999 uses risk assessment it has tried to reflect developments of risk management standard

Page 21

ISO IPOCM (Incident Preparedness and Operational Continuity Management), compared with BS25999

Commencement – broadly similar to Programme Management: define scope, management commitment, policy

Planning – broadly similar to Understanding Your Business: includes risk assessment and impact analysis; also covers response, as it includes Response Management

Implementation and Operation – includes resourcing, competence, education and awareness, and operational control structure

Performance Assessment – evaluation of effectiveness including testing, maintenance and audit; broadly similar to BS25999

Page 22

IPOCM

This is work in progress and a long way from a finalised document

Terminology slightly different from UK common usage and the business continuity industry as most of us have come to know it

For the most part UK practitioners can embrace the changes

Approach slightly different to BS25999/PAS56

But many common points

Page 23

Room for more?

Should there be standards in specific areas of business continuity?

PAS77 could be developed into a standard

Could there be an Incident Management standard?

Overall Governance standard?

Page 24

What happens next?

Committee continues in operation

Focus for other related committees (e.g. risk management)

Review of BS25999 so that subsequent revisions lead to improvements in the standard

Focus for expertise and contribution to ISO deliberations

Page 25