BS 25999

Business Continuity
Management
By. Mr. Chomnaphas Tangsook
Business Director
BSI Group ( Thailand) Co., Ltd

1
 Contents slide

BSI British Standards

2006
BS 25999(Business Continuity)
2002
BS 15000 -> ISO/IEC 20000
2000
BS 8600 -> ISO 10002
1979
BS 5750 -> ISO 9001
1996
BS 8800 -> OHSAS 18001
1995
BS 7799 -> ISO/IEC 27001
1992
BS 7750 -> ISO 14001
 Is your business ready to face the
following situations ?

It may not be from you but

from your neighbors or
suppliers?

3
 6

BS 25999

Not just about managing the high profile disasters but also the day
to day business disruptions

Not an IT standard and not about Disaster Recovery

A business-owned, business-driven process that establishes

a fit-for-purpose strategic and operational framework.

6
 Defining Business
Continuity Management

Holistic management process that identifies potential

threats to an organization and the impacts to business
operations that those threats, if realized, might cause and
which provides a framework for building organizational
resilience with the capability for an effective response
that safeguards the interests of its key stakeholders,
reputation, brand and value-creating activities

BS 25999-2:2007, 2.4

7
 8

Publication dates
BS25999-1 Code of Practice
December 2006

BS25999-2 Specification
Mid November 2007

Certification process
BSI develops certification process

8
 9

Why was BS 25999 developed?

Business Continuity identified as a critical issue

Need for a best practice framework to guide

business.

Need for a mechanism to demonstrate Business

Continuity Management maturity

9
 10

Who developed BS 25999?

Committee Profile:
33 members

10
 11

Who developed BS 25999?

Association of British Insurers

Association of Insurance & Risk Managers

Institute of Directors

11
 12

Who developed BS 25999?

Association of Chief Police Officers

Metropolitan Police

Chief Fire Officers Association (CFOA)

Society of Industrial Emergency Services

12
 13

Who developed BS 25999?

Business Continuity Institute

Continuity Forum

Institute of Emergency Management

Institute of Risk Management

13
 14

Infrastructure Dependence (power, telecom, etc.)

Suppliers
Clients /
Customers
Your
Subcontractors
Organization
Conduit
Organizations
Vendors

System Up Time (computing, data,networks, etc.)

14
15
16
 Sequence of Events of an Incident
17

Overall recovery objective:

Incident! back-to-normal as quickly as possible

Timeline

Within weeks to months:

Incident Response Damage repair/replacement
Relocation to permanent
place of work
Recovery of costs from
Business continuity insurers
Within minutes to hours:
Staff and visitors
accounted for Within minutes to days: Recovery/resumption back to normal
Casualties dealt with Contact staff, customers,
Damage containment/ suppliers, etc.
limitation Recovery of critical business
Damage assessment processes
Invocation of BCP Rebuild lost work-in-progress
Business continuity lifecycle and
18

the Plan-Do-Check-Act cycle

Continual improvement of the business
continuity management system

Interested Plan Interested

parties parties
Establish

Act Do
Maintain Implement
and and
improve operate
Business
continuity Check
requirements Managed
Monitor
and and business
expectations review continuity

BS 25999-2 :2007 Figure 2

 BCM programme management
19

Scoping of BCM
Policy agreement & sign
off
Identification &
engagement of
stakeholders
Approach agreed
Roles & responsibilities
Understanding the organisation
20
 Understanding the organization

Scope, policy, Identify activities

Identify key products
stakeholders, that support key
and services
regulatory product and services

Identify critical
Establish MTPD for Identify impacts from
activities according to
each activity disruption to activities
priority for recovery

Set recovery time Identify impact of Estimate resources

objectives for critical threat to critical required to recover
activities activities each critical activity

Define and document

Determine choices for
method for risk
critical activities
assessment
21
 22

Identify key products and services and critical

activities which support them
Identify organisations objectives, obligations,
duties
Identify supporting activities, assets and
resources
Assess impact of failure of activities, assets and
resources
Identify and evaluate threats
Identify all interdependencies of activities
Understand 3rd party reliance's
 23

Service Level
MTPD and RTO
Normal level of service

MTPD
OK!
RTO

Minimum level of service

Time
Incident management plan

Business continuity plan

 24

MTPD and RTO

Service Level
Normal level of service

MTPD Disaster!
RTO

Minimum level of service

Time
Incident management plan

Business continuity plan

 Determining BCM strategy
25

Definition of incident response

structure enabling an effective
response & recovery
Identification of restart
timescales and service levels
following a disruption
Agreement of timescales to
restore normal service levels
Stakeholder relationship
management
Strategy may be modified as an
output of management review in
response to internal or external
events
 Developing and implementing a BCM
26

response
Aligned to the objectives of the
organisations BCM strategy
Development of plans to
effectively manage a business
disruption to the point it is
contained
Creation of business continuity
plans designed to facilitate the
resumption of critical activities
Detailed plans covering people,
communication, roles &
responsibilities, locations,
resources etc
 Incident Management Plan
Contents of an incident management plan include:

Task and action lists

Emergency contacts
People activities
Media response
Stakeholder management
Incident management location
Contact information for emergency responders that support
response strategies

27
 Business Continuity Plan
Contents of a business continuity plan include:

Action plans / task lists

Resource requirements
Responsible person(s)
Incident log / decision record
A plan to resume back to normal operations (business recovery
plan)

28
Exercising, reviewing and maintaining
29

Validates effectiveness of
plans
Ensures understanding of
plans, roles &
responsibilities
Identifies improvement
opportunities
Maintains relevance of
plans as result of business
changes
 30

Exercising plans
Different types of exercise
Desk check
Walk through
Simulation
Component/activity
Full test
Exercising supports
awareness programme
competency development
BS 25999-2:2007, 4.4.2
 Structure of BS 25999-2
31

1 Scope
2 Terms and definitions
3 Planning the BCMS
General requirements, establishing and managing, embedding
BCM in the organisations culture, documentation and records
4 Implementing and operating the BCMS
Understanding the organisation, determining strategy, developing
and implementing a response, exercising, maintaining and
reviewing
5 Monitoring and reviewing the BCMS
Internal audit, management review
6 Maintaining and improving the BCMS
Continual Improvement, preventive and corrective actions
 Implementing and operating the
32

BCMS
4.1 Understanding the organisation
4.2 Determining business continuity strategy
4.3 Developing and implementing a BCM
response
4.4 Exercising, maintaining and reviewing BCM
arrangements
 Monitoring and reviewing the
33

BCMS
5.1 Internal audit
5.2 Management review of the BCMS
 Maintaining and improving the
34

BCMS
6.1 Preventive and corrective actions
6.2 Continual improvement
 35

35
 36

BS 25999 Clients

36