The British Standards Institution (BSI), a non-profit organization that produces standards in the U.K., introduced BS 25999 in 2003 to replace the Publicly Available Specification (PAS) 56. Though both standards are used in Business Continuity Management, the main purpose of creating them is risk assessment.
Basically, BS 25999 was developed to help organizations counter the following problems, which reduce their efficiency:
With the help of the BS 25999, even natural disasters and terrorist attacks won’t be able to affect the business operations of the organization implementing this best practice.
BS 25999 is divided into two parts, each with its own contents. The first part is BS 25999-1, a Code of Practice for Business Continuity Management. It specifies the following sections:
Section 1: Scope and Applicability – This part describes the general framework of the standard. Organizations will need to tailor this based on their needs.
Section 2: Terms and Definitions – This section defines the terms used throughout the standard.
Section 3: Overview of Business Continuity Management – This section describes the processes of the standard and how it is related to risk management.
Section 4: The Business Continuity Management Policy – This part highlights the need to have and implement a clear policy.
Section 5: BCM Program Management – This part defines the approach to be used while handling the BCM process.
Section 6: Understanding the Organization – This section emphasizes the need to understand the organization’s processes, resources, threats and risks in order to apply the right business continuity strategy.
Section 7: Determining BCM Strategies – This section follows from understanding the organization, and defines the right business continuity strategies.
Section 8: Developing and implementing a BCM response – This section defines the tactics needed to deliver business continuity, such as incident management structures.
Section 9: Exercising, maintenance, audit, and self-assessment of the BCM culture – This section defines a way to test the effectiveness of BCM, and ensure that it continues to meet a company’s aims.
Section 10: Embedding BCM into the organization culture – This section explains how BCM should be implemented in every aspect of the company’s management.
BS 25999-2 is a Specification for a Management Scheme. It was launched in 2007 and includes the following sections:
Section 1: Scope – This part defines the scope of BS 25999, and the requirements of a business continuity management system (BCMS).
Section 2: Terms and definitions – This part defines the terms used in the standard.
Section 3: Planning the business continuity management system – From this point onwards, the standard Plan-Do-Check-Act model is followed. This section covers planning the BCMS, how to initiate it, and how to add it to the organization.
Section 4: Implementing and operating the BCMS – This section continues by providing ways of implementing the contents of the previous section.
Section 5: Monitoring and reviewing the BCMS – This section highlights the need to monitor the BCMS and perform audits and management reviews.
Section 6: Maintaining and improving the BCMS – This part draws attention to the need to make sure that the BCMS is maintained and improved regularly.