
BS 25999-2:2007

$79.47

Business continuity management – Specification

Published by: BSI
Publication date: 2007
Number of pages: 28

PDF Catalog

PDF Pages PDF Title
3 Contents
1 Scope 4
2 Terms and definitions 4
3 Planning the business continuity management system 9
3.1 General 9
3.2 Establishing and managing the BCMS 9
3.3 Embedding BCM in the organization’s culture 11
3.4 BCMS documentation and records 11
4 Implementing and operating the BCMS 12
4.1 Understanding the organization 12
4.2 Determining business continuity strategy 14
4.3 Developing and implementing a BCM response 14
4.4 Exercising, maintaining and reviewing BCM arrangements 16
5 Monitoring and reviewing the BCMS 17
5.1 Internal audit 17
5.2 Management review of the BCMS 18
6 Maintaining and improving the BCMS 19
6.1 Preventive and corrective actions 19
6.2 Continual improvement 20
Annexes
Annex A (informative) Correspondence with BS EN ISO 9001:2000, BS EN ISO 14001:2004, BS ISO/IEC 27001:2005 21
Bibliography 23
List of figures
Figure 1 – PDCA cycle applied to BCMS processes 2
Figure 2 – The business continuity management lifecycle 3
List of tables
Table A.1 – Correspondence of BS 25999-2 with other management systems standards 21
4 Foreword
5 Introduction
a) understanding business continuity needs and the necessity for establishing policy and objectives for business continuity;
b) implementing and operating controls and measures for managing an organization’s overall business continuity risks;
c) monitoring and reviewing the performance and effectiveness of the BCMS; and
d) continual improvement based on objective measurement.
a) a policy;
b) people with defined responsibilities;
c) management processes relating to:
1) policy;
2) planning;
3) implementation and operation;
4) performance assessment;
5) management review; and
6) improvement;
d) a set of documentation providing auditable evidence; and
e) topic specific processes relating to the subject, in this case business continuity, such as business impact analysis (BIA) and business continuity plan development.
6 Figure 1 PDCA cycle applied to BCMS processes
7 Figure 2 The business continuity management lifecycle
8 1 Scope
2 Terms and definitions
2.1 activity
2.2 audit
2.3 business continuity
9 2.4 business continuity management (BCM)
2.5 business continuity management lifecycle
2.6 business continuity management personnel
2.7 business continuity management programme
2.8 business continuity management response
2.9 business continuity management system (BCMS)
2.10 business continuity plan (BCP)
2.11 business continuity strategy
10 2.12 business impact analysis (BIA)
2.13 consequence
2.14 cost-benefit analysis
2.15 critical activities
2.16 disruption
2.17 exercise
2.18 gain
2.19 impact
2.20 incident
2.21 incident management plan (IMP)
11 2.22 internal audit
2.23 invocation
2.24 likelihood
2.25 loss
2.26 management system
2.27 maximum tolerable period of disruption
2.28 nonconformity
2.29 organization
12 2.30 process
2.31 products and services
2.32 recovery time objective
2.33 resilience
2.34 resources
2.35 risk
2.36 risk assessment
2.37 risk management
13 2.38 stakeholders
2.39 system
2.40 top management
3 Planning the business continuity management system
3.1 General
3.2 Establishing and managing the BCMS
3.2.1 Scope and objectives of the BCMS
3.2.1.1 The organization shall define the scope of the BCMS and set business continuity objectives, with due regard to the:
a) requirements for business continuity;
b) organizational objectives and obligations;
c) acceptable level of risk;
d) statutory, regulatory and contractual duties; and
e) interests of its key stakeholders.
3.2.1.2 The organization shall identify the key products and services within the scope of the BCMS.
14 3.2.2 BCM policy
3.2.2.1 Top management shall establish and demonstrate commitment to a business continuity management policy.
3.2.2.2 The policy shall include or make reference to:
a) the organization’s business continuity objectives; and
b) the scope of business continuity, including limitations and exclusions.
3.2.2.3 The policy shall be:
a) approved by top management; and
b) communicated to all persons working for or on behalf of the organization; and
c) reviewed at planned intervals and when significant changes occur.
3.2.3 Provision of resources
3.2.3.1 The organization shall determine and provide the resources needed to establish, implement, operate and maintain the BCMS.
3.2.3.2 BCM roles, responsibilities, competencies and authorities shall be defined and documented.
3.2.3.3 Top management shall:
a) appoint or nominate a person with appropriate seniority and authority to be accountable for BCM policy and implementation; and
b) appoint one or more persons, who, irrespective of other responsibilities, shall implement and maintain the BCMS.
3.2.4 Competency of BCM personnel
a) determining the necessary competencies for such personnel;
b) conducting training needs analysis on personnel being assigned BCM roles and responsibilities;
c) providing training;
d) ensuring that the necessary competence has been achieved; and
e) maintaining records of education, training, skills, experience and qualifications.
15 3.3 Embedding BCM in the organizationā€™s culture
a) raise, enhance and maintain awareness through an ongoing BCM education and information programme for all employees and establishing a process for evaluating the effectiveness of the BCM awareness delivery; and
b) communicate to all employees the importance of:
1) meeting business continuity management objectives;
2) conforming to the business continuity policy; and
3) continual improvement; and
c) ensure that all employees are aware of how they contribute to the achievement of the organization’s business continuity objectives.
3.4 BCMS documentation and records
3.4.1 General
a) the scope and objectives of the BCMS and procedures (see 3.2.1);
b) the BCM policy (see 3.2.2);
c) the provision of resources (see 3.2.3);
d) the competency of BCM personnel and associated training records (see 3.2.4);
e) the business impact analysis (see 4.1.1);
f) the risk assessment (see 4.1.2);
g) the business continuity strategy (see 4.2);
h) the incident response structure (see 4.3.2);
i) business continuity plans and incident management plans (see 4.3.3);
j) BCM exercising (see 4.4.2);
k) the maintenance and review of BCM arrangements (see 4.4.3);
l) internal audit (see 5.1);
m) management review of the BCMS (see 5.2);
n) preventive and corrective actions (see 6.1); and
o) continual improvement (see 6.2).
16 3.4.2 Control of BCMS records
a) ensure that they remain legible, readily identifiable and retrievable; and
b) provide for their identification, storage, protection and retrieval.
3.4.3 Control of BCMS documentation
a) documents are approved for adequacy prior to issue;
b) documents are reviewed and updated as necessary and reapproved;
c) changes and the current revision status of documents are identified;
d) relevant versions of applicable documents are available at points of use;
e) documents of external origin are identified and their distribution controlled; and
f) the unintended use of obsolete documents is prevented and that such documents are suitably identified if they are retained for any purpose.
4 Implementing and operating the BCMS
4.1 Understanding the organization
4.1.1 Business impact analysis
a) identify activities that support its key products and services;
b) identify impacts resulting from the disruption to these activities, and determine how these vary over time;
17 c) establish the maximum tolerable period of disruption for each activity by identifying:
1) the maximum time period after the start of a disruption within which each activity needs to be resumed;
2) the minimum level at which each activity needs to be performed upon resumption; and
3) the length of time within which normal levels of operation need to be resumed;
d) categorize its activities according to their priority for recovery and identify its critical activities;
e) identify all dependencies relevant to the critical activities, including suppliers and outsource partners;
f) for suppliers and outsource partners on whom critical activities depend, determine what BCM arrangements are in place for the relevant products and services they provide;
g) set recovery time objectives for the resumption of critical activities within their maximum tolerable period of disruption; and
h) estimate the resources that each critical activity will require for resumption.
4.1.2 Risk assessment
4.1.3 Determining choices
a) reduce the likelihood of a disruption;
b) shorten the period of disruption; and
c) limit the impact of a disruption on the organization’s key products and services.
18 4.2 Determining business continuity strategy
a) define a fit-for-purpose, predefined and documented incident response structure that will enable an effective response and recovery from disruptions;
b) determine how it will recover each critical activity within its recovery time objective and the BCM arrangements, including the resources required for resumption and products and services provided by suppliers and outsource partners; and
c) determine how it will manage relationships with its key stakeholders and external parties involved in the recovery.
4.3 Developing and implementing a BCM response
4.3.1 General
4.3.2 Incident response structure
a) confirm the nature and extent of an incident;
b) trigger an appropriate business continuity response;
c) have plans, processes and procedures for the activation, operation, coordination and communication of the incident response;
d) have resources available to support the plans, processes and procedures to manage an incident; and
e) communicate with stakeholders.
4.3.3 Business continuity plans and incident management plans
19 a) have a defined purpose and scope;
b) be accessible to and understood by those who will use them;
c) be owned by a named person(s) who is responsible for their review, update and approval; and
d) be aligned with relevant contingency arrangements external to the organization.
a) identified lines of communications;
b) key tasks and reference information;
c) defined roles and responsibilities for people and teams having authority during and following an incident;
d) guidelines and criteria regarding which individuals have the authority to invoke each plan and under what circumstances;
e) a method by which each plan is invoked;
f) meeting locations with alternatives, and up-to-date contact and mobilization details for any relevant agencies, organizations and resources that might be required to support the response;
g) a process for standing down once the incident is over;
h) a reference to the essential contact details for all key stakeholders;
i) details to manage the immediate consequences of a business disruption giving due regard to:
1) the welfare of individuals;
2) strategic and operational options for responding to the disruption; and
3) prevention of further loss or unavailability of critical activities;
j) details for managing an incident including:
1) provision for managing issues during an incident; and
2) processes to enable continuity and recovery of critical activities;
k) details on how and under what circumstances the organization will communicate with employees and their relatives, key stakeholders and emergency contacts;
l) details on the organization’s media response following an incident, including:
1) the incident communications strategy;
2) preferred interface with the media;
3) guideline or template for drafting a statement for the media; and
4) appropriate spokespeople;
m) a method for recording key information about the incident, actions taken and decisions made;
20 n) details of actions and tasks that need to be performed;
o) details of the resources required for business continuity and business recovery at different points in time; and
p) prioritized objectives in terms of the critical activities to be recovered, the timescales in which they are to be recovered and the recovery levels needed for each critical activity.
4.4 Exercising, maintaining and reviewing BCM arrangements
4.4.1 General
4.4.2 BCM exercising
a) develop exercises that are consistent with the scope of the BCMS;
b) have a programme approved by top management to ensure exercises are carried out at planned intervals and when significant changes occur;
c) carry out a range of different exercises that taken together validate the whole of its business continuity arrangements;
d) plan exercises so that the risk of an incident occurring as a direct result of the exercise is minimized;
e) define the aims and objectives of every exercise;
f) carry out a post-exercise review of each exercise that will assess the achievement of the aims and objectives of the exercise; and
g) produce a written report of the exercise, outcome and feedback, including required actions.
4.4.3 Maintaining and reviewing BCM arrangements
21 a) identify the nature and cause of the incident;
b) assess the adequacy of management’s response;
c) assess the organization’s effectiveness in meeting its recovery time objectives;
d) assess the adequacy of the BCM arrangements in preparing employees for the incident; and
e) identify improvements to be made to the BCM arrangements.
5 Monitoring and reviewing the BCMS
5.1 Internal audit
a) determine whether the BCMS:
1) conforms to planned arrangements for BCM, including the requirements of this BCM standard; and
2) has been properly implemented and is maintained; and
3) is effective in meeting the organization’s BCM policy and objectives; and
b) provide information on the results of audits to management.
a) the responsibilities, competencies and requirements for planning and conducting audits, reporting results and retaining associated records; and
b) the determination of audit criteria, scope, frequency and methods.
22 5.2 Management review of the BCMS
5.2.1 General
5.2.2 Review input
a) results of BCMS audits and reviews, including where appropriate those of key suppliers and outsource partners;
b) feedback from interested parties, including independent observations;
c) techniques, products or procedures, which could be used in the organization to improve the BCMS performance and effectiveness;
d) status of preventive and corrective actions;
e) level of residual risk and acceptable risk;
f) vulnerabilities or threats not adequately addressed in the previous risk assessment;
g) follow-up actions from previous management reviews;
h) any internal or external changes that could affect the BCMS;
i) recommendations for improvement;
j) exercise results;
k) emerging good practice and guidance;
l) lessons from incidents; and
m) results of the education and awareness training programme.
5.2.3 Review output
a) varying the scope of the BCMS;
b) improving the effectiveness of the BCMS;
23 c) modification of BCM strategy and procedures, as necessary, to respond to internal or external events that could impact on the BCMS, including changes to:
1) business requirements;
2) resilience requirements;
3) business processes affecting the existing business requirements;
4) statutory, regulatory and contractual requirements; and
5) levels of risk and/or levels of risk acceptance;
d) resource needs; and
e) funding and budget requirements.
6 Maintaining and improving the BCMS
6.1 Preventive and corrective actions
6.1.1 General
6.1.2 Preventive action
a) identifying potential nonconformities and their causes;
b) determining and implementing preventive action needed;
c) recording results of action taken;
d) reviewing preventive action taken;
e) identifying changed risks and ensuring that attention is focused on significantly changed risks;
f) ensuring that all those who need to know are informed of the nonconformity and preventive action put in place; and
g) the priority of preventive actions based on the results of the risk assessment and the BIA.
24 6.1.3 Corrective action
a) identifying any nonconformities;
b) determining the causes of nonconformities;
c) evaluating the need for actions to ensure that nonconformities do not recur;
d) determining and implementing the corrective action needed;
e) recording the results of action taken; and
f) reviewing the corrective action taken.
6.2 Continual improvement
25 Annex A (informative) Correspondence with BS EN ISO 9001:2000, BS EN ISO 14001:2004, BS ISO/IEC 27001:2005
Table A.1 Correspondence of BS 25999-2 with other management systems standards
26 Table A.1 Correspondence of BS 25999-2 with other management systems standards (continued)
27 Bibliography
[1] OECD. OECD Guidelines for the Security of Information Systems and Networks – Towards a Culture of Security. Paris: OECD, July 2002. www.oecd.org