[bsi] bs 25999-1 code of practice for business continuity management

Date: 23 June 2006

Origin: National

Latest date for receipt of comments: 31 August 2006

Project no.: 2005/02478

Responsible committee: BCM/1

Interested committees:

Title: DPC BS 25999-1 Code of practice for business continuity management

Supersession information: If this document is published as a standard, the UK implementation of it will supersede NONE and partially supersede NONE. If you are aware of a current national standard which may be affected, please notify the content developer (contact details below).

WARNING: THIS IS A DRAFT AND MUST NOT BE REGARDED OR USED AS A BRITISH STANDARD. THIS DRAFT IS NOT CURRENT BEYOND 31 AUGUST 2006.

This draft is issued to allow comments from interested parties; all comments will be given consideration prior to publication. No acknowledgement will normally be sent. See overleaf for information on commenting.

No copying is allowed, in any form, without prior written permission from BSI except as permitted under the Copyright, Designs and Patent Act 1988 or for circulation within a nominating organization for briefing purposes. Electronic circulation is limited to dissemination by e-mail within such an organization by committee members.

Further copies of this draft may be purchased from BSI Customer Services, Tel: +44(0) 20 8996 9001 or email [email protected]. British, International and foreign standards are also available from BSI Customer Services.

British Standards on CD or Online are available from British Standards Publishing Sales Limited. Tel: 01344 404409 or email [email protected].

Information on the co-operating organizations represented on the committees referenced above may be obtained from the responsible committee secretary.

Cross-references

The British Standards which implement International or European publications referred to in this draft may be found via the British Standards Online Service on the BSI web site http://www.bsi-global.com.

Direct tel: 020 8996 7492

Responsible Committee Secretary: Mr Kevin Laverty

E-mail: [email protected]

Draft for Public Comment

Head Office 389 Chiswick High Road London W4 4AL

Telephone: +44(0)20 8996 9000

Fax: +44(0)20 8996 7001

www.bsi-global.com

Form 36 Version 6.1

DPC: 06/30139869 DC


Page 1: [BSI] BS 25999-1 Code of Practice for Business Continuity Management



Introduction

Your comments on this draft are welcome and will assist in the preparation of the consequent

British Standard. If no comments are received to the contrary, this draft may be implemented

unchanged as a British Standard.

Submission

The guidance given below is intended to ensure that all comments receive efficient and

appropriate attention by the responsible BSI committee. Annotated drafts are not

acceptable and will be rejected.

All comments must be submitted, preferably electronically, to:

Kevin Laverty

10 E National Content

British Standards Institution

389 Chiswick High Road

London W4 4AL

Email: [email protected]

Tel: 020 8996 7492

Fax: 020 8996 7187.

Comments should be submitted using the comments form installed at www.bsi-global.com/bs25999. Any comments not submitted electronically should still adhere to these format requirements.

All comments submitted should be presented as given in the example below.

Template for comments and secretariat observations    Date: xx/xx/200x    Document: ISO/DIS xxxxx

| 1 Clause No./Subclause No./Annex (e.g. 3.1) | 2 Paragraph/Figure/Table/Note (e.g. Table 1) | (3) MB | 4 Type of comment | 5 Comment (justification for change) by the MB | (6) Proposed change by the MB | (7) Secretariat observations on each comment submitted |

| 3.1 | Definition 1 | | ed | Definition is ambiguous and needs clarifying. | Amend to read ‘... so that the mains connector to which no connection ...’ | |

| 6.4 | Paragraph 2 | | te | The use of the UV photometer as an alternative cannot be supported as serious problems have been encountered in its use in the UK. | Delete reference to UV photometer. | |

Microsoft and MS-DOS are registered trademarks, and Windows is a trademark of Microsoft Corporation.


BS 25999-1

0630139869 3

Code of practice for business continuity management


Contents

Foreword 5

1 Scope and applicability 6

2 Terms and definitions 6

3 What is business continuity management? 10

4 Overview of BCM 11

5 The business continuity management system (BCMS) 15

6 Programme management 16

7 Understanding the organization 18

8 Determining BCM options 21

9 Developing and implementing a BCM response 27

10 Exercising, maintenance, auditing and self-assessment of BCM arrangements 33

11 Embedding BCM in the organization’s culture 37

Bibliography 39

List of figures

Figure 1 — The BCM lifecycle 11

Figure 2 — Process of review and update of BCMS documentation 18

Figure 2 — BCM options 22

List of tables

Table 1 — Types and methods of exercising BCM strategies 35


Foreword

Publishing information

This British Standard was prepared by Subcommittee BCM/1/-/2, under the authority of

Technical Committee BCM/1, Business continuity management. A list of organizations

represented on this committee can be obtained on request to its secretary.

This British Standard has been developed by practitioners throughout the global community,

drawing upon their considerable academic, technical and practical experiences of business

continuity management (BCM). It has been produced to provide a system based on good

practice for business continuity management. It is intended to serve as a single reference

point for identifying the range of controls needed for most situations where business

continuity management is practised in industry and commerce, and to be used by large,

medium and small organizations in industrial, commercial, public and voluntary sectors.

BS 25999 is published in, or will eventually comprise, two parts:

— Part 1: Code of practice for business continuity management;

— Part 2: Specification for business continuity management.

Part 2 specifies the process for achieving certification that business continuity capability is

appropriate to the size and complexity of an organization.

Use of this document

As a code of practice, this British Standard takes the form of guidance and recommendations.

It should not be quoted as if it were a specification and particular care should be taken to

ensure that claims of compliance are not misleading.

Any user claiming compliance with this British Standard is expected to be able to justify any

course of action that deviates from its recommendations.

Presentational conventions

The provisions of this standard are presented in roman (i.e. upright) type. Its

recommendations are expressed in sentences in which the principal auxiliary verb is

“should”.

Commentary, explanation and general informative material are presented in smaller italic

type, and do not constitute a normative element.

The word “should” is used to express recommendations of this standard. The word “may” is

used in the text to express permissibility, e.g. as an alternative to the primary

recommendation of the clause. The word “can” is used to express possibility, e.g. a

consequence of an action or an event.

Notes and commentaries are provided throughout the text of this standard. Notes give

references and additional information that are important but do not form part of the

recommendations. Commentaries give background information.

Contractual and legal considerations

This publication does not purport to include all the necessary provisions of a contract. Users

are responsible for its correct application.

Compliance with a British Standard cannot confer immunity from legal obligations.


1 Scope and applicability

This British Standard establishes the process, principles and terminology of business

continuity management (BCM). The purpose of this Standard is to provide a basis for

understanding, developing and implementing business continuity within an organization and

to provide confidence in business-to-business and business-to-customer dealings. It also

enables the organization to measure its BCM capability in a consistent and recognized

manner.

This Standard provides a system based on BCM good practice.

This standard is intended for use by anyone with responsibility for business operations, from

board directors and chief executives through all levels of the organization; from those with a

single site to those with a global presence; from sole traders and small-to-medium enterprises

(SMEs) to organizations employing thousands of people. It is therefore applicable to anybody

who holds responsibility for any operation, and thus the continuity of that operation.

This standard is not intended as a beginner’s guide to business continuity management.

This standard does not cover the activities of emergency planning (also known as emergency

preparedness).

NOTE In the United Kingdom, emergency planning is a management system which prepares for, protects

against, and recovers from natural or man-made incidents that affect sections of society as a whole. That is,

emergency planning pertains to activity that is conducted for the benefit of the public or society; business

continuity management pertains to activity that is conducted for the benefit of a single organization.

2 Terms and definitions

For the purposes of this part of BS 25999, the following definitions apply.

2.1 activity

process or set of processes undertaken by an organization (or on its behalf) that produces or

supports one or more products or services, for example, accounts, call centre, IT,

manufacture, distribution

2.2 benchmarking

TBS

2.3 business continuity

strategic and tactical capability, pre-approved by management, of an organization to plan for

and respond to incidents and business interruptions in order to continue business operations at

an acceptable pre-defined level

2.4 business continuity management (BCM)

holistic management process that identifies potential threats to an organization and the

impacts to business operations those threats, if realized, might cause, and which provides a

framework for building organizational resilience with the capability for an effective response


that safeguards the interests of its key stakeholders, reputation, brand and value-creating

activities

NOTE Business continuity management also involves the management of recovery or continuity in the event of

an incident and management of the overall programme through training, rehearsals, and reviews, to ensure the

business continuity plan stays current and up-to-date.

2.5 business continuity management lifecycle

series of business continuity activities which collectively cover all aspects and phases of the

business continuity management programme

NOTE The business continuity management lifecycle is illustrated in Figure 1.

2.6 business continuity management programme

ongoing management and governance process supported by senior management and

resourced to ensure that the necessary steps are taken to identify the impact of potential

losses, maintain viable recovery strategies and plans, and ensure continuity of

products/services through training, exercising, maintenance and assurance

2.7 business continuity plan (BCP)

documented collection of procedures and information that is developed, compiled and

maintained in readiness for use in an incident to enable an organization to continue to deliver

its critical products and services

2.8 business continuity strategy

approach by an organization that will ensure its recovery and continuity in the face of a

disaster or other major incident or business interruption

2.9 business impact analysis

process of analysing business functions and the effect that a business interruption might have

upon them

2.10 business interruption

event, whether anticipated (e.g. a public service strike or hurricane) or unanticipated (e.g. a

blackout or earthquake), which disrupts the normal course of business operations

2.11 cost-benefit analysis

financial technique that measures the cost of implementing a particular solution and compares

this with the benefit delivered by that solution

NOTE The benefit may be defined in financial, reputational, service delivery, regulatory or other terms

appropriate to the organization.


2.12 disruption

TBS

2.13 exercising

activity in which the business continuity plan(s) is rehearsed in part or in whole to ensure

that the plan(s) contains the appropriate information and produces the desired result when put

into effect

NOTE An exercise can involve invoking business continuity procedures, but is more likely to involve the

simulation of a business continuity incident, announced or unannounced, in which participants role-play in

order to assess what issues might arise, prior to a real invocation.

2.14 impact

evaluated consequence of a particular outcome

2.15 incident

situation that might be, or could lead to, a business interruption, disruption, loss, emergency,

incident or crisis

2.16 incident management plan

clearly defined and documented plan of action for use at the time of an incident, typically

covering the key personnel, resources, services and actions needed to implement the incident

management process

2.17 invocation

act of declaring that an organization’s business continuity plan needs to be put into effect in

order to continue delivery of critical products or services

2.18 material

of a scale or significance that would threaten an organization’s key objectives should it not

occur

2.19 maximum tolerable period of disruption

duration after which an organization’s viability will be irrevocably threatened if product and

service delivery cannot be resumed

2.20 organization

business or administration concern united and constructed for a particular end


NOTE An organization can be a company, corporation, firm, enterprise, institution, charity, sole trader or

association, or parts or combinations thereof.

2.21 products and services

beneficial outcomes provided to customers or recipients, for example manufactured items, car

insurance, regulatory compliance and community nursing

2.22 project management

TBS

2.23 recovery time objective

target time set for resumption of product, service or activity delivery after an incident

NOTE The recovery time objective has to be less than the maximum tolerable period of disruption.

2.24 resilience

ability of an organization to resist being affected by an incident

2.25 risk

combination of the probability of a perceived threat or opportunity and the magnitude of its

impact on objectives

NOTE In some situations, risk arises from the possibility of deviation from the expected outcome or event.

2.26 risk appetite

total amount of risk that an organization is prepared to accept, tolerate, or be exposed to at

any point in time

2.27 risk assessment

overall process of risk identification, analysis and evaluation

2.28 risk management

structured application of management culture, policy, procedures, and practices to the tasks

of analysing, evaluating, and controlling risk

2.29 senior management

person or group of people who directs and controls an organization at the highest level

NOTE Senior management, especially in a large multinational organization, might not be directly

involved; however senior management accountability through the chain of command is manifest. In a small

organization, senior management might be the owner or sole proprietor.


2.30 stakeholders

those with an interest in an organization’s achievements, e.g. customers, partners, employees,

suppliers, shareholders, owners, government and regulators

2.31 threat

TBS

3 What is business continuity management?

Business continuity management (BCM) is an holistic management process that identifies,

in advance, the potential impacts of a wide variety of disruptions to the organization’s

ability to function, allowing that organization to tolerate the loss of part or all of its

operational capability.

BCM is a business-owned, business-driven process that establishes a fit-for-purpose strategic

and operational framework that:

• proactively improves an organization’s resilience against the disruption or interruption of

its ability to supply its products or services;

• provides a tried and proven method of restoring an organization’s ability to supply its

critical products and services to an agreed level;

• delivers a proven capability to manage a business interruption (incident) and protect the

organization’s reputation and brand.

The term BCM denotes the whole management system of providing and proving resilience

and recovery. BCM will result in the creation of one or more business continuity plans. A

small organization may have one business continuity plan that covers its entire operations. A

very large organization may have dozens of business continuity plans, each of which

specifies in detail the recovery of a particular part of its business. The degree to which BCM

is implemented in an organization will be proportionate to its size and scale, and may be

subject to such cost-benefit analysis as the organization deems appropriate.

The key elements of BCM include:

• understanding the overall context within which the organization operates;

• understanding the critical products and services that the organization has to deliver (its

objectives);

• understanding what barriers or interruptions can be encountered in trying to deliver these

critical products and services;

• understanding how the organization can continue to achieve these objectives should

interruptions occur;

• understanding the likely range of outcomes when controls and other mitigation strategies

are implemented;

• understanding the criteria or triggers for implementing incident and emergency response,

and business recovery procedures;


• ensuring that all staff understand their roles and responsibilities when a major disruption

occurs;

• building consensus and commitment to the implementation, deployment and exercising of

business continuity;

• integrating business continuity as part of routine “business as usual”.

4 Overview of BCM

4.1 Elements of the business continuity management lifecycle

The BCM system comprises six elements, as illustrated by the lifecycle diagram in Figure 1.

With little modification, these can be implemented by organizations of all sizes, in all sectors:

public, private, non-profit, educational, manufacturing, etc. The scope and structure of a

BCM programme can vary, and the effort expended will be tailored to the needs of the

individual organization, but the essential steps still have to be undertaken.

Figure 1 — The BCM lifecycle

a) BCM Programme management (see Clause 6)

Programme management enables the business continuity capability to be both established

(where this is currently not the case) and maintained in a manner appropriate to the size and

complexity of the organization.

[Figure 1: BCM Programme Management sits at the centre of the lifecycle, surrounded by: Understanding the organization; Determining BCM options; Developing and implementing a BCM response; Exercising, maintenance, auditing and self-assessment.]


b) Understanding the organization (see Clause 7)

The activities associated with “Understanding the organization” provide information that

describes an organization’s critical products and services, and the activities and resources that

are required to deliver those products and services.

c) Determining BCM options (see Clause 8)

Determining BCM options enables a range of strategies and tactical options to be evaluated.

This allows an appropriate response to be chosen for each critical product or service, such

that the organization can continue to deliver those products and services at an acceptable

level of operation during and following a disruption. The choice made will take cognisance of

the resilience and countermeasure options already present within the organization.

d) Developing and implementing a BCM response (see Clause 9)

Developing and implementing a BCM response results in the creation of business continuity

plans and incident management plans that detail the steps to be taken during and after an

incident to restore operations. A proactive component of BCM is to mitigate threats, which

includes eliminating or reducing the impact and likelihood of the threats.

e) Embedding BCM in the organization’s culture (see Clause 10)

Embedding BCM in the organization’s culture enables BCM to become part of the

organization’s core values and instil confidence in all stakeholders in the ability of the

organization to cope with major disruptions.

f) BCM exercising, maintenance, auditing and self-assessment (see Clause 11)

BCM exercising, maintenance and audit lead to the organization being able to demonstrate

that its strategies and plans are effective, credible, and fit-for-purpose.

COMMENTARY ON 4.1f)

An incident might exceed the preparedness of an organization, even if it has carefully examined response

measures against an anticipated level of damage. It is therefore imperative that management and its supporting

structures do not adhere stubbornly to an existing plan, but use it as a basis for discussion, and make judgments

according to the circumstances. A business continuity plan is never a substitute for informed and competent

management decision-making.

4.2 BCM in a risk context

BCM is complementary to a wider risk management framework that sets out to understand

the risks to operations or business, and the consequences of those risks.

Risk management embraces the need to manage risk around the critical activities that enable

an organization to survive. BCM encompasses the identification and risk management of

those products and services on which the organization depends for its survival, and which

need to be accessible in time to enable the organization to retain credibility and continue to

meet its responsibilities. Through BCM, an organization can recognize what needs to be done

before an incident occurs to ensure its people, reputation, assets, systems and information are

secure.

With that recognition, the organization can then take a realistic view on the responses that are

likely to be needed as and when an interruption occurs, so that it can be confident that it will

manage through any consequences without unacceptable delay in delivering its products or

services.


4.3 BCM in the context of organizational strategy

All organizations, whether large or small, have aims and objectives, such as to grow, to

diversify, to acquire other businesses and so on. These aims and objectives are generally met

via strategic plans to achieve the organization’s short, medium and long term goals.

As business practices and their sensitivities change, BCM is increasingly a central and crucial

strategic issue for organizations. BCM awareness and integration at the organization’s highest

level will help to ensure that any continuity risks associated with new business opportunities

are identified, and assessed for their acceptability.

The consequences of an incident vary and can be far-reaching. These consequences might

involve loss of life, loss of assets or income, or the failure of a critical activity on which the

organization’s reputation or survival might depend.

The consequences might not be to the organization. Examples of consequences include, but

are not restricted to:

• damage to the physical environment;

• interruptions to the technological infrastructure;

• interruptions to supply of a public utility, such as electricity, water, transport or phone

services;

• a requirement to undertake a fundamental change to the legal, regulatory and political

environment in which the organization operates; or

• a supply chain failure, where an urgently needed “just-in-time” supplier or distributor

might be directly affected by an incident, and whose failure to deliver could have an

equally serious impact on the organization’s own ability to continue to deliver products

and services.

BCM also needs to recognize the strategic importance of stakeholders. Examples of

stakeholders include, but are not restricted to, internal and “outsourced” employees,

customers, suppliers, distributors, investors and shareholders. Furthermore, as the

consequences of a damaging incident unfold, new stakeholders emerge and have a direct

impact on the eventual extent of the damage. Examples of these include competitors,

environmentalists, regulators, and the media. In some cases, issue groups may attempt to

apply negative pressure on the organization facing an interruption.

All these issues are of strategic concern to the organization, and are thus necessarily key

drivers for any effective management of risk exposures. Whilst the individual processes of

business continuity can change with an organization’s size, structures and responsibilities, the

basic principles remain exactly the same for voluntary, private or public sector organizations,

regardless of their size, scope or complexity.

4.4 Why should an organization undertake BCM?

BCM forms an important element of good business management, service provision and

entrepreneurial prudence.

Managers and owners have the responsibility to maintain the ability of the organization to

function continuously. Organizations constantly make promises or have a duty to deliver

products and services, i.e. they enter into contracts and otherwise raise expectations. All

organizations have moral and social responsibilities, particularly where they provide an

emergency response or a public or voluntary service. In some cases, organizations have a


statutory duty to undertake BCM, e.g. those subject to the relevant provisions of the Civil

Contingencies Act.

Prudent management therefore recognizes the need for adequate risk recognition and risk

management. BCM delivers the ability to conduct core business and provides the capability

to adequately react to incidents or operational interruption, whilst protecting staff welfare and

safety. In any organization, all business activity inevitably leads to risks and to the possibility

of adverse circumstances arising from those risks. In addition to business risks, there are

internal operational risks, such as process breakdown and technology failure, and external

risks, such as flooding, utility disruption and terrorism.

Progressive organizations now regard BCM not as a costly planning process, but as a key

value added improvement process firmly integrated with risk management.

4.5 The benefits of an effective BCM programme

The benefits of a BCM programme are that the organization:

• is able to proactively identify risks to its operation, and have in place a capability to

mitigate and manage those risks;

• maintains an ability to manage uninsurable risks, such as risk to reputation;

• has in place an effective response to major disruptions;

• is able to demonstrate that the programme is credible through a process of exercising and

auditing;

• may have a competitive advantage, conferred by the demonstrated ability to maintain

customer service, profitability and employment of its staff; and

• is able to demonstrate that the programme is iterative and is embedded as good business

practice.

4.6 The outcomes of an effective BCM programme

The outcomes of an effective BCM programme are that:

• critical activities are identified and protected, ensuring their continuity;
• an incident management capability is enabled to avoid incidents becoming a crisis;
• the organization’s understanding of itself, and its relationships with other organizations, relevant regulators or government departments, local authorities and the emergency services, is properly developed, documented and understood;
• staff are trained to respond effectively to an incident or business interruption through appropriate exercising;
• staff are properly supported and communicated with in the event of business interruption;
• stakeholder requirements are understood and satisfied through effective delivery of these outcomes;
• the organization’s reputation is protected; and
• the organization remains legal and compliant.


5 The business continuity management system (BCMS)

5.1 Overview

COMMENTARY ON 5.1

The purpose of establishing a business continuity programme is:

— to ensure that all BCM activities are conducted and implemented in an agreed and controlled manner;
— to achieve a business continuity capability that meets the changing business needs and is appropriate to the size, complexity and nature of the organization; and
— to put in place a clearly defined framework for the ongoing management of the BCM capability.

The BCM system incorporates the following processes:

• the set-up activities to implement a business continuity capability; and
• ongoing management and maintenance of the business continuity capability.

The set-up activities, which may take the form of a project, incorporate the end-to-end design, build, implementation and initial exercising of the business continuity capability. The ongoing maintenance and management activities include embedding business continuity within the organization, exercising it regularly, and updating it, particularly when there is a significant change in personnel, process, technology or organizational structure.

In summary, the BCM system represents the set-up, organization and ongoing management of the business continuity capability.

5.2 Context

The organization should ensure that its BCMS is appropriate to the nature, scale, complexity, geography and criticality of its business activities and that it reflects its culture, dependencies and operating environment. The BCMS is an ongoing process designed to ensure that business continuity arrangements continue to meet the needs of the business in the event of a major incident or operationally disruptive event. This system should ensure that a business continuity capability is embedded in the organization’s business culture.

5.3 Development of a business continuity policy

The organization should develop a business continuity policy stating the objectives of the BCM programme. Initially, this may be at a high level with further refinement and enhancement as the capability is developed. The policy should be regularly reviewed and updated in line with business needs.

The business continuity policy should provide the organization with documented principles to which it will aspire and against which its business continuity capability should be measured. The BCM policy should be owned at a high level, e.g. a board director or elected representative.

The organization may consider the following when developing its BCM policy.

• Defining the scope of BCM within the organization.
• Defining the BCM principles, guidelines and minimum standards for the organization.
• Referencing any relevant standards, regulations or policies that should be included or can be benchmarked.


Business continuity should be incorporated in the development of new products and services that are critical to the organization’s continued success and into the change management process for existing products and services.

The organization should maintain and review its BCM policy, strategies, plans and solutions on a regular basis.

An organization may choose to limit the application of this British Standard to specific products, services or one or more geographic locations. Any such limitation in scope should be documented in the policy.

6 Programme management

6.1 Overview

BCM programme management involves three steps:

• assign responsibilities (see 6.2);
• project management (see 6.3); and
• ongoing management (see 6.4).

6.2 Assign responsibilities (governance)

The organization’s management should:

• appoint or nominate a competent person to be accountable for BCM policy and implementation; and
• appoint or nominate an individual to implement the BCM programme (this person may be known as the BC manager).

If the organization’s structure so indicates, the BC manager may nominate representatives within business units to assist in the implementation of the BCM programme.

The roles, accountabilities, responsibilities and authorities should be integrated into job descriptions and skill sets. The organization’s audit process should review these responsibilities.

These responsibilities may be reinforced by including them in the organization’s appraisal, reward and recognition policy.

6.3 Project management

The project management activities should include the design, build, implementation and initial exercising of the business continuity capability. The organization may adopt a recognized project management methodology to ensure that the project is effectively managed.

6.4 Ongoing management

6.4.1 Overview

The ongoing management activities should include ensuring that business continuity is embedded within the organization, and is regularly exercised and updated. Business continuity arrangements and plans should be reviewed and updated whenever there is a significant change in personnel, process or technology, and when an exercise or incident highlights deficiencies.

6.4.2 Ongoing maintenance

Individuals tasked with maintaining the business continuity management system may reside in many areas of an organization depending on its size, scale and complexity. It is essential, however, that a person with appropriate responsibility, e.g. board director or elected representative, has overall responsibility for BCM and is directly accountable for ensuring the continued success of this capability.

COMMENTARY ON 6.4.2

In large organizations there might be a need for a team of business continuity representatives with differing roles and responsibilities. In smaller organizations, responsibility for business continuity may reside with one or more individuals.

However BCM is resourced, there are activities that should be carried out both initially and on an ongoing basis. These should include:

• defining the scope, roles and responsibilities for BCM;
• appointing a person or team to manage the BCM capability;
• monitoring performance of the business continuity capability;
• promoting business continuity across the organization and wider, where appropriate;
• managing costs associated with the business continuity capability;
• administering the exercise programme;
• coordinating the regular review and update of the business continuity capability;
• maintaining documentation appropriate to the size and complexity of the organization (see 6.5); and
• establishing and monitoring a change and succession management regime.

6.5 BCMS documentation

Individuals tasked with maintaining the business continuity management system should be responsible for coordinating the business continuity documentation. This may include the following:

• BCMS scope statement;
• BCMS terms of reference;
• BCM policy;
• business impact analysis;
• risk assessment;
• BCM strategy/strategies;
• statement of applicability;
• training programme;
• incident management plans;
• business continuity plans;
• SLAs, contracts and other evidence.

Figure 2 shows the process by which BCMS documentation might be reviewed and updated.

Figure 2 – Process of review and update of BCMS documentation

[Figure 2 is a diagram; recovered from its extracted labels: the BCMS documentation listed above (scope statement, terms of reference, BCM policy, business impact analysis, risk assessment, BCM strategy/strategies, statement of applicability, training programme, incident management plans, business continuity plans, SLAs, contracts and other evidence) is subject to review and update in response to catalysts for change: incidents, malfunctions, failures, risk management reports, test results, self audit observations, external audit observations, and change or asset management.]

7 Understanding the organization

7.1 Introduction

7.1.1 The aim of this element of the BCM lifecycle is to set the requirements that will determine BCM options (see Clause 8) and develop a BCM response (see Clause 9). It establishes a BCM understanding of the organization and ensures that the BCM programme is aligned to its objectives, obligations and statutory duties.

7.1.2 A BCM understanding of the organization comes from:

• identifying the organization’s objectives and stakeholder obligations;
• requiring senior management to identify critical products and services that support these objectives and obligations (which determine the BCM scope);
• identifying the activities, assets and resources that support the delivery of these products and services;
• assessing the impact and consequences over time of the failure of these activities (see 7.2); and
• identifying and evaluating the perceived threats that could disrupt its activities (see 7.5).

7.1.3 It is important that the organization understands the interdependencies of its activities and any reliance on external organizations.

7.2 Analysing the impact of disruption

7.2.1 The organization should determine and document the impact of a disruption to the activities that support its critical products and services. This process is commonly referred to as a business impact analysis (BIA).

7.2.2 For each activity supporting the delivery of products and services within the BCM scope, the organization should:

a) assess the impacts over time that its loss or disruption would have;
b) establish the maximum tolerable period of disruption of each activity by identifying:
   • the maximum time period after an interruption within which it needs to be resumed,
   • the minimum level at which the activity needs to be performed on its resumption,
   • the length of time before normal levels of operation need to be resumed; and
c) identify any inter-dependent activities, assets or resources that have also to be recovered.

7.2.3 When assessing impacts, the organization should consider those that relate to its business aims and objectives, its values and its stakeholders. These may include:

• threats to staff or public safety and welfare;
• breaches of statutory and regulatory requirements;
• damage to reputation;
• damage to financial viability;
• deterioration to product or service quality;
• environmental damage.

The organization should document its approach to assessing the impact of disruption and its findings and conclusions.

COMMENTARY ON 7.2.3

During a disruption, impacts generally increase over time and affect each activity differently. Impacts might also vary depending on the day, month or point in the business lifecycle.

7.3 Identification of critical activities

The organization may categorize its activities according to their priority for recovery. Those activities whose loss, as identified during the impact assessment, would have the greatest impact in the shortest time and which need to be recovered most rapidly, may be termed “critical activities”. Other activities that require advance arrangements to be in place in order to ensure that they can be recovered within their maximum tolerable period of disruption, may also be termed critical. The organization may wish to focus its planning activities on critical activities, but should recognize that other (“non-critical”) activities will also need to be recovered within their maximum tolerable period of disruption.


COMMENTARY ON 7.3

Time periods

The maximum time period for resuming activities can vary between seconds and several months depending on the nature of the activity. Activities that are time-sensitive might need to be specified with a great degree of accuracy, for example, to the minute or the hour. Less time-sensitive activities might require less accuracy.

Maximum tolerable period of disruption

The maximum tolerable period of disruption will influence each activity’s recovery time objective when determining BCM options (see Clause 8).
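The steps in 7.2.2 (impact over time, maximum tolerable period of disruption, inter-dependent activities) and the critical-activity test in 7.3 can be carried through as a small calculation. The following is an added illustration, not text or code from BS 25999-1; the activities, impact values, recovery times and the tolerable-impact threshold are constructed assumptions, and treating the threshold crossing as the MTPD is one way of making 7.2.2 b) computable.

```python
"""Worked business impact analysis (BIA) following 7.2.2 and the critical-activity
test in 7.3. Added illustration only; not part of BS 25999-1. All activities,
impact values and recovery times below are constructed. The tolerable-impact
threshold is an assumption that makes the maximum tolerable period of
disruption (MTPD) computable from an impact-over-time assessment.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed impact scale for the 7.2.3 categories: 0 = none ... 5 = severe.
# The threshold is the highest impact senior management will tolerate (assumption).
TOLERABLE_IMPACT = 3


@dataclass
class Activity:
    name: str
    # 7.2.2 a): assessed impact at each elapsed time, as (hours, impact) points.
    impact_over_time: list[tuple[int, int]]
    # 7.2.2 b): minimum operating level on resumption and hours from resumption
    # until normal levels must be restored (recorded for the plan, not computed on).
    minimum_level: float
    hours_to_normal: int
    # Hours needed to recover this activity with no advance arrangements in place.
    ad_hoc_recovery_hours: int
    # 7.2.2 c): activities this one cannot run without.
    depends_on: list[str] = field(default_factory=list)


def mtpd_hours(activity: Activity) -> int:
    """MTPD of one activity in isolation: the first assessed time at which the
    impact of its loss would exceed the tolerable threshold. If the impact never
    exceeds the threshold within the assessed window, the window end is used."""
    points = sorted(activity.impact_over_time)
    for hours, impact in points:
        if impact > TOLERABLE_IMPACT:
            return hours
    return points[-1][0]


def effective_mtpd(activities: list[Activity]) -> dict[str, int]:
    """MTPD after propagating dependencies (7.2.2 c): an activity that another
    depends on must be back no later than that dependent needs it, so its
    effective MTPD is the minimum over itself and everything relying on it."""
    eff = {a.name: mtpd_hours(a) for a in activities}
    changed = True
    while changed:  # values only ever decrease, so this terminates
        changed = False
        for a in activities:
            for dep in a.depends_on:
                if eff[a.name] < eff[dep]:
                    eff[dep] = eff[a.name]
                    changed = True
    return eff


def is_critical(activity: Activity, eff: dict[str, int]) -> bool:
    """7.3: critical if it cannot be recovered within its (effective) MTPD
    without advance arrangements being in place."""
    return activity.ad_hoc_recovery_hours > eff[activity.name]


def recovery_order(activities: list[Activity]) -> list[str]:
    """Recovery sequence: shortest effective MTPD first, with every activity
    placed after the activities it depends on. Raises on a dependency cycle."""
    by_name = {a.name: a for a in activities}
    eff = effective_mtpd(activities)
    ordered: list[str] = []
    visiting: set[str] = set()

    def visit(name: str) -> None:
        if name in ordered:
            return
        if name in visiting:
            raise ValueError(f"dependency cycle involving {name}")
        visiting.add(name)
        for dep in sorted(by_name[name].depends_on, key=lambda d: (eff[d], d)):
            visit(dep)
        visiting.discard(name)
        ordered.append(name)

    for a in sorted(activities, key=lambda a: (eff[a.name], a.name)):
        visit(a.name)
    return ordered


# Constructed sample: a payments activity that depends on a customer database.
PAYMENTS = Activity("payments", [(0, 1), (4, 2), (8, 4), (24, 5)], 0.5, 48, 48, ["customer_db"])
CUSTOMER_DB = Activity("customer_db", [(0, 0), (24, 1), (72, 2), (168, 4)], 1.0, 0, 24)
PAYROLL = Activity("payroll", [(0, 0), (24, 1), (168, 2), (336, 4)], 1.0, 0, 72)
SAMPLE = [PAYMENTS, CUSTOMER_DB, PAYROLL]

if __name__ == "__main__":
    eff = effective_mtpd(SAMPLE)
    for a in SAMPLE:
        print(f"{a.name:12s} MTPD alone {mtpd_hours(a):4d}h  effective {eff[a.name]:4d}h  "
              f"ad hoc recovery {a.ad_hoc_recovery_hours:3d}h  critical={is_critical(a, eff)}")
    print("recovery order:", recovery_order(SAMPLE))
```

In the sample the customer database is not critical on its own impact curve (168 h) but becomes critical because payments, which depends on it, tolerates only 8 h and the database cannot be rebuilt ad hoc in that time.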

7.4 Estimating recovery requirements

The organization should estimate the resources, facilities and services that each activity will require at resumption. These may include:

a) staff resources, including numbers, skills and knowledge;
b) supporting equipment and supplies;
c) the works site and facilities required;
d) external services and suppliers; and
e) provision of electronic or paper records, or information about work-in-progress, all of which are sufficiently up-to-date and accurate to allow the activity to continue unimpaired.

COMMENTARY ON 7.4

If records or work-in-progress information are unavailable, inaccurate, or not sufficiently up-to-date, this could prevent or critically delay the resumption of activities. This information is used to formulate appropriate back-up and records management strategies when determining BCM options (see Clause 8).

7.5 Review of the business impact analysis

The business impact analysis should be reviewed and updated as the organization or the environment in which it operates changes.

COMMENTARY ON 7.5

A business impact analysis can also be used to understand future recovery strategy requirements by incorporating planned changes to products, services, processes or organizations (e.g. mergers).

7.6 Evaluating threats to organizational activities (risk assessment)

7.6.1 The organization should understand how specific threats could disrupt its activities. This information should be used to identify ways of preventing the loss of or disruption to the organization’s critical products and services. This process is commonly referred to as risk assessment. The organization should, in particular, identify threats and vulnerabilities specific to its critical activities.

7.6.2 The organization should consider:

• internal threats, such as fire and staff loss; and
• external threats, such as flooding and nearby hazard sites.

7.6.3 The purpose of the risk assessment is to identify measures that would:

• reduce the likelihood of a disruptive event;
• shorten the period of disruption; and
• limit the impact on the organization’s critical products and services.

COMMENTARY ON 7.6.3

It might be beneficial to consult risk registers that have already been established elsewhere in the organization or by external bodies.

7.7 Sign-off

Senior management should sign off the documented business impact analysis and risk assessment to ensure that these activities have been properly undertaken and subsequent solutions and plans provide the correct level of continuity response.

8 Determining BCM options

8.1 Introduction

8.1.1 This element of the business continuity management system logically follows the “understanding the organization” element. Selected options should remain applicable to the organization, regardless of its size and sector, and have regard for associated stakeholders who would suffer the consequences of an unplanned interruption to products or services.

8.1.2 The organization’s approach to determining BCM options should:

a) provide continuity for the products or services of the organization following an incident;
b) implement appropriate measures to prevent incidents occurring, and/or reduce the potential effects of those incidents; and
c) take due cognisance of the resilience and countermeasure options already present within the organization, in order to avoid the development of duplicate controls.

NOTE Figure 2 identifies the context and relationship between strategic and tactical planning for all organizations.

COMMENTARY ON 8.1.2

The business impact analysis and risk assessment form the primary basis by which the organization will determine appropriate, scalable and cost effective strategic and tactical BCM options.


Figure 2 ― BCM options

[Figure 2 is a diagram; recovered from its extracted labels: "Understand the organization" leads to the product/service options. Strategic options: do nothing; loss mitigation/risk treatment (linked to the risk management programme); change, suspend or terminate; business continuity. Tactical options are activity options based on acceptable operating levels: workforce, skills and knowledge; workspace facilities; supporting technologies; data and information; equipment and supplies; human welfare. The selected options are then documented and signed off.]


8.2 Product and service strategy options

There are a number of strategic options that should be considered for each product and service. Both time and acceptable operating levels will determine the most appropriate strategy or strategies.

Strategic options may include:

a) Do nothing

COMMENTARY ON 8.2a)

To do nothing might be acceptable if senior management deems the risk to be acceptable and within the organization’s risk appetite. However, this has to be done explicitly and documented. In some circumstances the impact of a risk might be outside the organization’s normal risk appetite, but, due to the low likelihood of the risk occurring and/or the uneconomic cost of control, senior management may accept the risk.

b) Loss mitigation/risk treatment

If this option is to be pursued, reference should be made to the British Standard on Risk Management, BS-2xxxx.

COMMENTARY ON 8.2b)

Loss mitigation/risk treatment can prevent or reduce the likelihood of an incident and/or minimize or reduce the potential impact. Loss mitigation strategies can be used in conjunction with other options, as not all risks can be prevented or reduced to an acceptable level.

The purchase of insurance may form part of a risk treatment strategy and will provide some financial recompense for some losses, but will not meet all costs (e.g. uninsured events, brand, reputation, stakeholder value, market share and human consequences). A financial settlement alone is unlikely to fully protect the organization and satisfy stakeholder expectations. Insurance cover is more likely to be used in conjunction with one or more other strategies.

c) Change, suspension or termination

COMMENTARY ON 8.2c)

In some circumstances it might be appropriate to change, suspend or end the service, product, function or process. This option can only be considered where there is no conflict with the organization’s objectives, statutory compliance and stakeholder expectation. This approach is most likely to be considered where a product or service has a limited lifespan.

d) Business continuity

If business continuity is the chosen strategy for a product or service, a recovery time objective should be agreed and the continuity options given in 8.3 should be evaluated against this objective.

COMMENTARY ON 8.2d)

Continuity strategies seek to improve the organization’s resilience to an interruption by ensuring critical activities continue at an acceptable minimum level and to timeframes stipulated within the BIA.

8.3 Continuity options

8.3.1 General

8.3.1.1 Each critical product and service within an organization is supported by one or more activities. These activities may each have different tactical solutions which recognize the relative urgency of continuing that activity.


8.3.1.2 The organization should determine and select appropriate, scalable and cost effective BCM solutions to maintain continuity for the activities that support products and services. The essential resources required for these activities are identified through impact analysis.

8.3.1.3 The organization should identify tactical solutions that will support the restoration of the required activities within the recovery time objective. In each case, the organization should evaluate alternatives in order to minimize the likelihood of the business continuity solution being affected by the same incident. These may include:

• workforce, skills and knowledge (see 8.3.2);
• work site facilities (see 8.3.3);
• supporting technologies (see 8.3.4);
• data (see 8.3.5);
• equipment and supplies (see 8.3.6);
• human welfare (see 8.3.7);
• stakeholders, partners and contractors.

It is likely that a combination of solutions will provide the most robust and economic solution to deliver these products and services according to the timeframes identified in the impact analysis.

8.3.2 Workforce, skills and knowledge

The organization should identify appropriate strategies for maintaining essential skills and knowledge. This analysis should extend beyond employees to contractors and other stakeholders who possess extensive specialist skills and knowledge. Strategies to protect or provide those skills might include:

a) process mapping of activities;
b) multi-skill training of staff and contractors;
c) separation of key skills to reduce concentrated risk;
d) use of third parties to provide key skills;
e) succession planning; and
f) knowledge retention and management.

The organization should also consider the interests of those whose welfare might be put at risk as a result of an incident [see 9.3.2c)].

8.3.3 Work site facilities

COMMENTARY ON 8.3.3

Worksite strategies can vary significantly and a range of options might be available. Different types of incident or threat might require the implementation of different or multiple worksite options. The correct strategies will in part be determined by the organization’s size, sector and spread of activities, stakeholders and geographical base. For example, public authorities will need to maintain a frontline service delivery in their communities.

In all circumstances, it is important for the organization to apply health and safety and adequate provision of facilities deemed essential, such as transport, ergonomic arrangements and security.

The organization should devise a strategy for reducing the impact of the unavailability of its normal work site(s). This may include one or all of the following:


a) alternative locations within the organization;
b) alternative locations provided by related organizations;
c) alternative locations provided by third party specialists; and
d) working from home or at remote sites.

NOTE If staff are to be moved to an alternative location, the alternative location ought to be close enough that staff are willing and able to travel to it, taking into account any possible difficulties caused by the incident. However, the alternative location ought not to be so close that it is likely to be affected by the same incident.

8.3.4 Supporting technologies

8.3.4.1 The organization should identify all relevant technology assets that directly enable and support the activities undertaken by the organization.

NOTE Technology implies the use of assets in the broadest sense and as relative to the organization. Technology might include IT hardware, telecommunications equipment, lathes, food preparation machines or vacuum sealing machinery.

8.3.4.2 Technology strategies will depend on the nature of the technology employed and its relationship to critical products and services, but will typically be one or a combination of:

• provision made within the organization;
• services delivered to the organization; and
• services provided externally by a third party.

COMMENTARY ON 8.3.4.2

Supporting technologies will vary significantly between organizations according to the size, nature and complexity of business. Strategies may be developed to safeguard specialized or custom built technologies (for example, plant or machinery essential to manufacturing and production capabilities).

The organization may need to make provision for manual operations before full IT services are recovered.

8.3.5 Information

Information security strategies should be such as to ensure that information vital to the organization’s operation is appropriately protected and recoverable.

NOTE Further information is given in BS ISO/IEC 17799.

Any remote copy of information required to reinstate lost records should have appropriate:

• confidentiality;
• integrity (between different data sources); and
• availability to be used for reinstatement.

Information strategies should be documented for the recovery of work-in-progress information, i.e. data that are not present on the remote copy.

Information strategies should extend to include:

• physical (hardcopy) formats,
• virtual (electronic) formats, etc.
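The three properties 8.3.5 asks of a remote copy, and the work-in-progress gap it defines (data not present on the remote copy), can be checked mechanically before the copy is relied on for reinstatement. The following is an added illustration, not part of the standard or of any backup product; the manifest layout, record contents and timestamps are constructed, and the checks stand in for whatever the organization's own copy mechanism records.

```python
"""Checks a remote copy of records against the three properties 8.3.5 asks of
it (confidentiality, integrity, availability) and lists the work-in-progress
gap: live records that are newer than, or absent from, the remote copy.
Added illustration only; not part of BS 25999-1 or of any product. The
manifest layout, record contents and timestamps are constructed. Integrity is
judged by recomputing a SHA-256 digest recorded when the copy was taken;
confidentiality only by whether the manifest says the copy is stored encrypted.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ManifestEntry:
    record_id: str
    sha256: str          # digest of the record content at copy time
    encrypted: bool      # True if the remote copy is stored encrypted
    copied_at: datetime


@dataclass(frozen=True)
class LiveRecord:
    record_id: str
    data: bytes
    modified_at: datetime


@dataclass
class CopyCheck:
    confidentiality_failures: list[str]
    integrity_failures: list[str]
    availability_failures: list[str]
    work_in_progress: list[str]   # records the copy would not reinstate

    @property
    def fit_for_reinstatement(self) -> bool:
        return not (self.confidentiality_failures
                    or self.integrity_failures
                    or self.availability_failures)


def check_remote_copy(manifest: list[ManifestEntry],
                      retrieved: dict[str, bytes],
                      live: list[LiveRecord]) -> CopyCheck:
    """retrieved maps record_id to the decrypted bytes actually read back from
    the remote site; a record missing from it could not be retrieved."""
    result = CopyCheck([], [], [], [])
    by_id = {m.record_id: m for m in manifest}
    for m in manifest:
        if not m.encrypted:
            result.confidentiality_failures.append(m.record_id)
        data = retrieved.get(m.record_id)
        if data is None:
            result.availability_failures.append(m.record_id)
        elif sha256_hex(data) != m.sha256:
            result.integrity_failures.append(m.record_id)
    # Work in progress (8.3.5): data not present on the remote copy, either
    # because the record changed after it was copied or was never copied.
    for rec in live:
        entry = by_id.get(rec.record_id)
        if entry is None or rec.modified_at > entry.copied_at:
            result.work_in_progress.append(rec.record_id)
    return result


# Constructed sample data: copy taken at 02:00 UTC, checked later the same day.
UTC = timezone.utc
COPY_TIME = datetime(2006, 6, 23, 2, 0, tzinfo=UTC)
LIVE = [
    LiveRecord("INV-001", b"invoice 001 paid", datetime(2006, 6, 22, 17, 0, tzinfo=UTC)),
    LiveRecord("INV-002", b"invoice 002 amended", datetime(2006, 6, 23, 9, 30, tzinfo=UTC)),
    LiveRecord("INV-003", b"invoice 003 new", datetime(2006, 6, 23, 10, 0, tzinfo=UTC)),
]
MANIFEST = [
    ManifestEntry("INV-001", sha256_hex(b"invoice 001 paid"), True, COPY_TIME),
    ManifestEntry("INV-002", sha256_hex(b"invoice 002 original"), False, COPY_TIME),
    ManifestEntry("INV-004", sha256_hex(b"invoice 004 closed"), True, COPY_TIME),
]
RETRIEVED = {
    "INV-001": b"invoice 001 paid",
    "INV-002": b"invoice 002 originaX",   # one corrupted byte on the remote copy
    # INV-004 could not be read back from the remote site
}

if __name__ == "__main__":
    check = check_remote_copy(MANIFEST, RETRIEVED, LIVE)
    print("fit for reinstatement:", check.fit_for_reinstatement)
    print(check)
```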


8.3.6 Equipment and supplies

COMMENTARY ON 8.3.6

In office-based environments, equipment and supplies might constitute forms, headed paper, stationery, etc. Other industries might identify retail stock or just-in-time supplies. The provision of bulk storage, such as vehicle fuels, might also be considered in light of the potential for disruption to fuel supplies.

8.3.6.1 The organization should identify, and maintain an inventory of, the equipment and supplies that support its critical products and services. Strategies to provide these may include one or all of the following:

• storage of additional supplies at another location;
• arrangements with third parties for delivery of stock at short notice;
• diversion of just-in-time deliveries to other locations;
• holding of materials at warehouses or shipping sites;
• transfer of sub-assembly operations to an alternate location;
• holding of older equipment as emergency replacement or spares;
• additional risk mitigation for unique or long lead time equipment; and
• geographic diversity of critical processes.

8.3.6.2 Where activities are dependent upon key suppliers, these should be identified. Strategies to manage these may include:

• multiple suppliers;
• encouraging or requiring suppliers to have a business continuity capability;
• contractual agreements with key suppliers; and
• identified alternate suppliers.

8.3.7 Human welfare activities

When determining appropriate BCM options, the organization should satisfy the interests of those whose welfare might be put at risk as a result of an incident.

The organization should:

• assess the requirements of the business continuity programmes in respect of welfare issues,
• develop plans and programmes based on that assessment, and
• provide support for the implementation and maintenance of the human welfare plans, taking into account relevant social and cultural considerations.

COMMENTARY ON 8.3.7

Organizations have a direct responsibility to safeguard the welfare of employees, contractors, visitors and customers where an incident poses a direct risk to life, livelihood and welfare. Special attention will need to be paid to any groups with disabilities or other specific needs (e.g. pregnancy, temporary disability due to injury, etc). Planning in advance to meet these requirements can reduce risk and reassure those affected.

The organization should identify the person or persons who will assume responsibility for welfare issues following an incident, including:

a) site evacuation (inclusive of internal evacuations) and accounting for staff;


b) ongoing employee/customer communications and safety briefings;
c) contact with a chosen emergency contact or next-of-kin;
d) locating displaced workforce or contractors;
e) rehabilitation services (physical and emotional);
f) family support;
g) translation services;
h) transport assistance;
i) telephone helpline for informing employees and relatives;
j) assisting displaced staff or visitors to obtain temporary accommodation, e.g. hotel rooms.

The organization should deploy staff with appropriate levels of authority to liaise with the emergency services.

NOTE 1 Emergency services play a significant part in protecting life and relieving suffering during emergencies. Therefore, early liaison, pre-planning and real-time incident coordination between the organization and its first responders and the emergency services can improve the efficiency of an incident response. Instructions from the emergency services will take precedence over the actions described in the IMP and BCP.

The organization may retain a means to provide services to debrief and counsel affected staff after an incident. Services may be sourced externally or may be provided as a pre-planned extension to existing occupational health and employee assistance programmes.

NOTE 2 The long-term impacts of incidents and the value of human welfare cannot be underestimated. Developing appropriate strategies in support of human welfare can directly support and speed financial, physical and emotional recovery within the organization.

8.4 Sign-off

Senior management should sign off the documented solutions to confirm that these activities have properly mitigated or catered for the likely causes and effects of a business interruption.

COMMENTARY ON 8.4

Implementation of a particular alternative has to support the overall organizational objectives and thus needs to have acceptance and support at the highest level.

9 Developing and implementing a BCM response

9.1 Introduction

A major incident can result in serious disruptions in the organization’s ability to meet its obligations.

It is vital that the organization is able to respond to such incidents and the resulting disruptions at a speed that meets the expectations of its stakeholders as identified in the business impact analysis.

Clause 8 described the various means by which business activities can be protected from intolerable disruption. This Clause gives recommendations for harnessing and coordinating these resources to create an effective response.

The successful management of an incident has two main components:


• a coordinated organization-wide response to the incident, including communication with the stakeholders, such as staff, customers, shareholders and the media (incident management plan – see 9.3);
• restoration of the organization’s activities [the business continuity plan(s) – see 9.4].

9.2 Content of plans

All plans, whether incident management plans, business continuity plans, or detailed recovery plans, should contain the following.

COMMENTARY ON 9.2

Small organizations may have only a single plan that encompasses all requirements for the business, whereas larger organizations may have a number of scenario-specific plans with separate documentation for incident management, continuity and recovery.

a) Purpose and scope

The purpose and scope of each specific plan should be defined, agreed and understood.

Each incident and continuity plan should set out its objectives in terms of the products and services to be recovered over a particular timescale, the situation in which each plan can be utilized, and the activities to be undertaken.

Each plan should also state what it does not intend to achieve and why.

b) Roles and responsibilities

The roles and responsibilities of the people and teams having authority (both in terms of decision-making and authority to spend) during and following an incident should be clearly documented. Deputies should be nominated for persons in key roles.

The following may also be included where appropriate:

• the interface with external organizations or agencies, and between any internal business continuity, response teams or support teams;
• responsibilities and procedures to be used in the event of an escalation or second incident;
• the process for ensuring a smooth transition from the acute phase of the incident to the more controlled project phase, including the retention of records;
• procedures/checklists for the post-incident review process.

The persons or groups covered by a BCP should be clearly defined.

c) Invocation/mobilization procedures

The method by which an incident management or business continuity plan is invoked should be clearly documented.

The organization should have a clearly defined process for invoking the relevant plan in the shortest possible time following the occurrence of a disruptive incident.

There should be guidelines as to who is responsible for activating the plan and under what circumstances.

The invocation process may require the immediate mobilization of organizational resources. The plan should include a description of exactly how to mobilize the team(s), where they are to meet and details of an alternate meeting location (in larger organizations, these meeting places may be referred to as command centres).


The organization should document a clear process for standing down the team(s) once the incident is over, and returning to business as usual.

COMMENTARY ON 9.2c)

Time lost during a response can never be regained. It is almost always better to mobilize the response team and subsequently stand it down than to miss an opportunity to contain an incident early and prevent escalation.

d) Document owner and maintainer

The organization should nominate the primary owner of the plan, and identify and document who is responsible for reviewing, amending and updating the plan at regular intervals.

A system of version control should be employed, and changes formally notified to all interested parties.

9.3 Incident management plans

9.3.1 Introduction

The purpose of an incident management plan (IMP) is to allow the organization to manage the acute phase of an incident. The IMP addresses the stakeholder and external issues facing an organization during an incident. The IMP should be flexible, feasible, relevant and easy to read and understand, and provide the basis for managing all possible issues arising from any threat to the business. The primary aims of the IMP should be:

• to ensure the safety of all affected individuals; and
• to contain the incident to minimize further loss.

The IMP should:

• have senior management support, including a board sponsor where applicable; and
• be supported by an appropriate budget for development, maintenance and training.

9.3.2 Contents of the IMP

In addition to the content recommended in 9.2, an IMP should include the following:

a) Action plans

The IMP should include initial response strategies, in the form of prompts for actions, to be followed for each of the consequences of disruptions identified during the business impact analysis.

b) Personnel response

A description of how the organization will communicate with staff and their relatives, friends and “emergency contacts” should be included. In some cases, it may be appropriate to include detail in a separate document.

COMMENTARY ON 9.3.2b)

Depending upon the scale of the organization and the size of the incident, a number of competent, trained people may be required to respond to telephone enquiries about the incident.

Next-of-kin and emergency contact information for all personnel should be kept up to date and available for prompt use.

c) Media response

The organization should document in the IMP its media response, including:


• the incident communications strategy and description of the organization’s preferred interface with the media;
• a guideline or template for the drafting of a statement to be provided to the media at the earliest practicable opportunity following the incident;

NOTE Consideration may be given to preparing media statements in advance for reasonably foreseeable events.

• appropriate numbers of trained, competent spokespeople nominated and authorized to release information to the media.

In some cases, it may be appropriate to:

• provide supporting detail in a separate document;
• establish a number of competent, trained people to answer enquiries from the press;
• prepare background material about the organization and its operations (this information should be pre-agreed for release);
• ensure that all media information is made available via the organization’s web-site without undue delay.

COMMENTARY ON 9.3.2c)

Pre-prepared information can be especially useful in the early stages of an incident. It enables an organization to provide details about the organization and its business while details of the incident are still being established.

d) Stakeholder management

A process for identifying and prioritizing communications with other key stakeholders should be included. It may be necessary to develop a separate stakeholder management plan to provide criteria for setting priorities and allocating a manager to each stakeholder or group of stakeholders.

e) Meeting location (command centre)

The organization should define a predetermined location, room or space from which an incident will be managed. Once established, this location should be the focal point for the organization’s response. An alternate meeting point should also be nominated in case access to the primary location is denied.

NOTE Initially, it may be necessary to hold a virtual meeting, for example by telephone, teleconference or videoconference, so that key decisions can be made promptly.

Command centre facilities should be fit for purpose and include:

• effective primary and secondary means of communication;
• a process for accessing and sharing information, including the monitoring of electronic and broadcast media.

COMMENTARY ON 9.3.2e)

A command centre provides a known focal point from which the incident can be managed. Use of displays and other tools assists in capturing and sharing key information, setting objectives and tasks, managing resources, identifying issues, tracking actions and making informed decisions. Good communications are essential. The use of a physical meeting point overcomes situations where telephone networks are overloaded.

f) Annexes

Where appropriate, the IMP should also include up-to-date contact and mobilization details for relevant agencies, organizations and resources that might be required to support the selected response strategies.


The IMP should include an incident log or forms for the recording of vital information in respect of event details, decisions made, details of casualties, damage assessments, communications issued, etc.

The IMP may also include:

• maps/charts/plans/photographs and other information that might be relevant in the event of an incident;
• documented response strategies agreed with third parties as appropriate (joint venture partners, contractors, suppliers, etc.);
• details of equipment staging areas;
• site access plans; and
• a claims management procedure that ensures all insurance and legal claims for or against the organization meet regulatory and contractual requirements.

9.4 Business continuity plans

9.4.1 Introduction

The purpose of a business continuity plan (BCP) is to enable an organization to recover or maintain its activities in the event of a major interruption affecting normal business operations.

Business continuity plans are activated based on the strategy selected to manage the incident. They may be invoked in whole or in part and at any stage of the response to an incident.

COMMENTARY ON 9.4.1

The components and contents of BCPs vary from organization to organization, and their level of detail depends on the scale, environment, culture and technical complexity of the industries and associated solutions, the risk profile and the environment in which they operate.

Large organizations might require separate documents for each of their critical business areas/functions, whereas smaller organizations might be able to cover what is critical to them within a single document.

9.4.2 Contents of the BCP

In addition to the items recommended in 9.2, a BCP should contain the following.

a) Action plans/task lists

The action plan should include a structured checklist of actions and tasks in chronological order, highlighting:

• how the action plan is invoked;
• the person who should determine the requirement for invocation of the business continuity plan;
• the procedure that person should adopt in taking that decision;
• the persons who should be consulted before such a decision is taken;
• the persons who should be informed once a decision has been taken;
• who goes where, and when;
• what services are available where, and when, including how external and third-party resources are mobilized;

• how this information is communicated, and when; and
• if relevant, detailed procedures for manual workarounds, system recovery, etc.

COMMENTARY ON 9.4.2a)

These points are consistent with the requirements of the UK Civil Contingencies Act Guidelines, Emergency Preparedness, Section 6.20.

Plans will reference the resources, facilities, tools and procedures identified in the strategies phase. Clear assumptions and details of any resources required to implement plans ought to be included. In the event that the lack of a service or resource makes the plan’s goals unachievable, a clear procedure for escalating the issue has to be defined.

b) Resource requirements

The resources required for business recovery should be identified at different points in time. These may include:

• personnel;
• facilities and supplies;
• technology, communications and data;
• security;
• transportation logistics;
• welfare needs; and
• emergency expenses.

c) Vital information

The BCP should define vital information sources and how they should be accessed. Examples of vital information might include:

• financial (e.g. payroll) details;
• customer account records;
• supplier and stakeholder details;
• legal documents (e.g. contracts, insurance policies, title deeds, etc.);
• other service documents (e.g. service level agreements).

d) Responsible person(s)

The organization should identify a nominated person(s) who will assume responsibility for human welfare issues following an incident, such as:

• site evacuation (inclusive of internal evacuations);
• ongoing employee/customer communications and safety briefings;
• emergency contact with the chosen next-of-kin contact;
• locating displaced workforce or contractors;
• rehabilitation services (physical and emotional);
• family support;
• translation services;
• transport assistance.


The organization should deploy staff to liaise with the emergency services.

COMMENTARY ON 9.4.2d)

Emergency services play a significant part in protecting life and relieving suffering during emergencies. Therefore, early liaison, pre-planning and real-time incident coordination between the organization and its first responders can improve the efficiency of an incident response.

e) Forms and annexes

Where appropriate, the business continuity plan should list up-to-date contact details for relevant internal and external agencies, organizations and providers that might be required to support the organization.

The business continuity plan should include an incident log or forms for the recording of vital information, especially in respect of decisions made.

The plan may also include:

• forms for recording administrative data, e.g. resources used, expenses, etc.;
• maps, drawings, and site and office plans, especially those relating to any alternate facilities such as work site recovery areas and storage locations.

10 Exercising, maintenance, auditing and self-assessment of BCM arrangements

10.1 Introduction

An organization’s business continuity arrangements are kept fit-for-purpose and continually challenged through exercising and assurance processes.

An organization’s business continuity management arrangements cannot be considered reliable until exercised. Exercising is essential to developing the teamwork, competence, confidence and knowledge that are vital at the time of an incident.

Arrangements should be verified through exercising, audit and self-assurance processes to ensure that they are fit-for-purpose.

10.2 Exercise programme

An exercise programme should be consistent with the scope of the business continuity plan(s), giving due regard to any relevant regulation. Exercises may include tests which anticipate a predetermined outcome.

COMMENTARY ON 10.2

Exercises provide demonstrable evidence of business continuity and incident management competence and capability. Time and resources spent proving BCM strategies by exercising BC plans will lead to a fit-for-purpose capability. No matter how well designed and thought-out a BCM strategy or BCP appears, a series of robust and realistic exercises that test their implementation will identify areas that could require amendment.

An exercise programme should be devised that, over a period of time, leads to objective assurance that the BCP will work as anticipated when required. In addition, it might lead to the improvement of BCM capability by:

• practising the organization’s ability to recover from an incident;
• verifying that the BCP incorporates all organizational critical activities and their dependencies and priorities;
• exercising the technical, logistical, administrative, procedural and other operational systems of the BCP;
• exercising the BCM organization and infrastructure (including roles, responsibilities, and any command centres and work areas, etc.);
• validating the technology and telecommunications resource recovery, availability and relocation of staff;
• highlighting assumptions which need to be questioned;
• providing information and instilling confidence in exercise participants;
• raising awareness of business continuity throughout the organization by publicizing the exercise; and
• validating the effectiveness and timeliness of restoration of business as usual at the end of the exercise.

10.3 Exercises

If exercises use scenarios, these should be realistic and carefully planned and agreed with stakeholders, so that there is minimum risk of disruption to business processes. An exercise should never be allowed to become an incident.

Every exercise should have clearly defined aims and objectives and a post-exercise report that contains recommendations. This report should be used to improve business continuity arrangements in a timely manner.

The scale and complexity of exercises should reflect the organization’s recovery objectives. Exercises should prove, through their success, that the organization’s business continuity and incident management plans are able to be executed, and contain the appropriate detail and instructions.

NOTE A range of approaches to exercising BCM strategies is shown in Table 1.


Table 1 — Types and methods of exercising BCM strategies

Complexity | Exercise | Process | Variants | Good practice frequency A)
Simple | Desk check | Review/amendment of content | Update/validation | At least annually
Simple | Walk-through of plan | Challenge content of BC plan | Audit/verification | Annually
Simple | Walk-through of plan | Challenge content of BC plan | Include interaction and validate participants’ roles | Annually
More complex | Simulation | Use “artificial” situation to validate that the BC plan(s) contain both necessary and sufficient information to facilitate successful recovery | Incorporate associated plans | Annually or biannually
More complex | Exercise critical activities | Invocation in a controlled situation that does not jeopardize business as usual operation | Single-day defined operations from recovery site for a fixed time | Annually or less
Most complex | Exercise full BC plan, including incident management | Building-/campus-/exclusion zone-wide exercise | (no variant listed) | Annually or less

A) The frequency of exercises should depend upon both the organization’s need and the environment in which it operates. However, the exercising programme should be flexible, taking into account the rate of change within the organization and the outcome of previous exercises.


The exercise programme should consider the roles of all parties, including key third-party providers, outsource and other partners who would be expected to participate in recovery activities. A debriefing that captures learning points should be held following each exercise.

10.4 Outsourced activities

If a product, service or activity has been outsourced, the risk accountability for that product, service or activity remains vested within the organization. Consequently, an organization should assure itself that its material suppliers or outsource partners demonstrate readiness to cope with disruption by exercising their own BC plans.

An organization should obtain evidence of the viability of its material suppliers’ contingency plans and their exercising and maintenance programmes.

10.5 BCM maintenance

COMMENTARY ON 10.5

The purpose of the BCM maintenance process is to ensure that the organization’s BCM competence and capability remain effective, fit-for-purpose and up-to-date.

Maintenance activities ought to modify existing exercise schedules when they indicate that there has been a significant change in the strategy, solution or business process.

A clearly defined and documented BCM maintenance programme should be established. This programme should ensure that any changes (internal or external) that impact the organization are reviewed in relation to BCM. It should also identify any new critical activities that need to be included in the BCM maintenance programme.

As a result of the BCM maintenance programme, the organization should:

• review and challenge any assumptions made in any components of BCM throughout the organization; and

• distribute updated, amended or changed BCM policy, strategies, solutions, processes and plans to key personnel under a formal change (version) control process.

NOTE If there are major business changes then a revision of the BIA might be indicated. The other components of the BCM programme may be amended to take account of these changes.

The outcomes from the BCM maintenance process should include:

• documented evidence of the proactive management and governance of the organization’s business continuity programme;
• verification that key people who are to implement the BCM strategy and plans are trained and competent;
• verification of the monitoring and control of the BCM risks faced by the organization; and
• documented evidence that material changes to the organization’s structure, activities, purpose, staff and objectives have been incorporated into the BCM and incident management plans.

10.6 Audit

COMMENTARY ON 10.6

The purpose of a BCM audit is to review an organization’s existing BCM competence and capability, and verify these against predefined standards and criteria. It has two key functions:

— to verify that compliance with the organization’s BCM policy ensures compliance with applicable laws, standards, strategies, framework and good practice guidelines; and
— to highlight key material deficiencies and issues and ensure their resolution.

The frequency and timing of audit activity can be influenced by laws and regulations, depending on the size, nature and legal status of the organization. They might also be influenced by the requirements of stakeholders.

The organization should provide for the independent audit of its BCM to identify actual and potential shortcomings. It should establish, implement and maintain procedures for dealing with these.

10.7 Self-assessment

COMMENTARY ON 10.7

The BCM self-assessment process plays a role in ensuring that an organization has a robust, effective and fit-for-purpose BCM competence and capability. It provides qualitative verification of an organization’s ability to recover from an incident. Self-assessment is regarded as good practice.

Actions taken should be appropriate to the magnitude of the problems and the organizational impacts encountered.

The audit or self-assessment of the organization’s BCM programme should verify that:

• all critical products and services, their dependent activities and their supporting resources have been identified and included in the organization’s BCM strategy;
• the organization’s BCM policy, strategies, framework and plans continue to accurately reflect its priorities and requirements;
• the organization’s BCM competence and its BCM capability are effective and fit-for-purpose and will permit management, command, control and coordination of a BCM incident;

• the organization’s BCM solutions are effective, up-to-date and fit-for-purpose, and appropriate to the level of risk faced by the organization;
• the organization’s BCM maintenance and exercising programmes have been effectively implemented;
• BCM strategies and plans incorporate lessons learned from exercises, as contained in a post-exercise report, and amendments arising from the maintenance programme;
• the organization has an ongoing programme for BCM training and awareness; and
• change control processes are in place and operate effectively.

Self-assessment should be conducted against the organization’s objectives. It should also take into account relevant industry standards and good practice.

11 Embedding BCM in the organization’s culture

11.1 General

Building, promoting and embedding a BCM culture within an organization ensures that it becomes part of the organization’s core values and effective management.

A BCM culture will ensure that an organization can:

• develop a BCM programme more efficiently;
• instil confidence in its stakeholders (especially staff and customers) in its ability to handle disruptions;
• increase its resilience over time by ensuring BCM implications are considered in decisions at all levels; and
• minimize the impact and likelihood of disruptions.

COMMENTARY ON 11.1

Creating and embedding a BCM culture within an organization can be a lengthy and difficult process which might encounter a level of resistance that was not anticipated. An understanding of the existing culture within the organization will assist in the development of an appropriate BCM culture programme.

All staff have to understand that business continuity management is a serious issue for the organization and that they have an important role to play in maintaining the delivery of products and services to their clients and customers.

Development of a BCM culture is achieved by:

• assignment of responsibilities (see 6.2);
• skills training; and
• awareness training.

11.2 Training

The organization should have a process for identifying and delivering the BCM training requirements of relevant participants and evaluating the effectiveness of its delivery.

The organization should undertake training of:

a) BCM staff for such tasks as:

• programme management,

• conducting a business impact analysis,
• developing and implementing BC plans,
• running an exercise programme;

b) non-BCM staff requiring skills to undertake their nominated roles in incident response or business recovery.

Response skills throughout the organization should be developed by practical training, including active participation in exercises.

11.3 Awareness

The organization should have a process for identifying and delivering the BCM awareness requirements of the organization and evaluating the effectiveness of its delivery.

NOTE Raising and maintaining awareness of BCM with all the organization’s staff is important to ensure that they are aware of why BCM is important to the organization. They will need to be convinced that this is a lasting initiative that has the ongoing support of the executive.

The organization should raise, enhance and maintain awareness by maintaining an ongoing BCM education and information programme for existing and new staff.

Such a programme may include:

• a consultation process with staff throughout the organization, concerning the implementation of the BCM programme;
• discussion of BCM in the organization’s newsletters, briefings or journals;
• inclusion of BCM on relevant web pages or intranets;
• learning from internal and external incidents;
• BCM as an item at team meetings;
• exercising continuity plans at an alternate location (e.g. a recovery site);
• visits to any designated alternate location (e.g. a recovery site).

The organization may extend its BCM awareness programme to its suppliers and other stakeholders.


Bibliography

BS ISO/IEC 17799, Information technology — Security techniques — Code of practice for information security management.