Over the course of 2011 we have witnessed global events that have affected millions of people including natural disasters, civil unrest, terrorism and war. Such events not only cost lives but can also destroy businesses which provide security and employment. One of the certification standards that has been created to help businesses plan for such events is BS25999 and it is at the heart of Business Continuity Planning.
Business Continuity Planning (BCP) has a number of definitions but can best be summarised as the discipline that “identifies an organisation’s exposure to internal and external threats and synthesises hard and soft assets to provide effective prevention and recovery for the organisation, whilst maintaining competitive advantage and system integrity.” Although the definition is a bit long-winded, what it means essentially is having a strategy in place to deal with a crisis, whether natural or man-made. The concept is also sometimes referred to as “Business Continuity and Resiliency Planning” (BCRP) or, in the US, “Continuity of Operations Planning” (COOP). Whichever terminology is chosen, however, it broadly means the same thing.
A business continuity plan is therefore a roadmap for continuing operations under adverse conditions, as well as an ongoing state, or methodology, governing how business is conducted through a difficult or challenging period. BCP is all about working out how to continue operations under adverse conditions, from local incidents such as fire, theft and vandalism, to regional incidents like earthquakes and floods, and on to wider national incidents such as pandemic illnesses. Any event that could impact operations should be considered when putting together a BCP. In the corporate world, issues like supply chain interruption and the loss of or damage to critical infrastructure, including IT systems, networks or major machinery, can also cause widespread problems and should have some kind of backup or contingency plan. A good Risk Management Plan is therefore an essential and integral part of any BCP.
In 2004, the UK Government implemented the “Civil Contingencies Act 2004”, a statute that instructs all emergency services and local authorities to actively prepare and plan for emergencies. Local authorities also have a legal obligation under this act to actively lead promotion of business continuity practices in their respective geographical areas.
In December 2006, the British Standards Institution (BSI) released a new independent standard for BCP (BS 25999-1). Prior to the introduction of BS 25999, BCP professionals relied on its predecessor, the BSI information security standard BS 7799, which was lacking some important elements like information security compliance. The newly improved BS 25999, though, now extends to organisations of all types, sizes and missions, whether governmental or private, profit or non-profit, large or small, and is applicable across all business sectors.
The second part of the standard, BS 25999-2 “Specification for Business Continuity Management”, introduced in 2007, specifies requirements for implementing, operating and improving a documented business continuity management system (BCMS).
Among other things, the standard includes all the key elements that a business needs to carefully consider when planning for ‘worst-case scenarios’. These would be things like ‘Business Impact Analysis’ (BIA), ‘Threat Analysis’, ‘Definition of Impact’, ‘Recovery Requirements’, ‘Solution Planning’, ‘Solution Design Testing’ and ‘Organisational Acceptance’.