This document discusses various business continuity and management systems standards, including BS25999, ISO standards, and other emerging standards. It addresses the benefits of standards, guidance on different standards levels, and challenges around complexity and ensuring consistency across standards. It also provides an overview of the development and positioning of key standards like BS25999 and emerging international standards.
1. BS25999 and Other
Management Systems Standards (MSS)
Chris Green, Chair BCM/1
This Presentation is an Adaptation of a Siemens Insight copyright Presentation
Insight Consulting
2. Agenda
BS25999 and other standards
Benefits of the Management Systems approach
Guidance
Accreditation
Other Developments
3. Why have standards?
Common understanding
Common approach
Common sets of evidence
Promote quality in a particular subject area
Reduced risk
Reduce management overhead
Greater assurance that the topic is managed effectively
4. Which standard should we have?
Broadly speaking there are four tiers of “standards” in the UK
PAS – guidance on best practice
BS – a standard for the UK in the form of a code of practice
BS – a specification allowing for the achievement of certification
ISO – an international standard superseding BS
5. Positioning BS25999-1
Supersedes PAS56
Not the specification standard which will be BS25999-2
Related guidance should be compatible with BS25999, for instance any future PAS relating to continuity planning
Could be superseded by an International Standard, so any ISO25999 would replace BS25999
6. Global Vision for ISO 2006 to 2010
Facilitation of global trade
Improvement in quality, safety, security, environmental and
consumer protection, as well as rational use of resources
Global dissemination of technologies and good practice
7. Issue of Complexity
Great potential for synergy between standards
The synergies are not recognised
Economies relating to synergies are not realised
8. Management Systems Standards
[Diagram: hierarchy of management systems standards]
ISO TMB
MSS-SAG; TC223 Societal Security
RM – ISO 25700
Quality – ISO 9001
Environment – ISO 14001
Food Safety – ISO 22000
Supply Chain – PAS 28003
BCM – BS 25999
IT DR – PAS 77
Crisis Mgt – SSM/1
9. Issue - More reporting and more management time
Constant stream of people reporting to the Board
Board room time taken up with reporting not strategy
No common themes nor messages
Management want confidence and assurance (this is exactly what the standards are aimed at providing)
Always ask for money
10. PAS99 – MS Integration
[Diagram: the subject-specific management systems E (Environment), OH&S, Q (Quality) and BC (Business Continuity) sitting on a shared set of common elements]
11. Management Systems
Generally the approach is:
Standard Plan-Do-Check-Act model
BS describes establishing a Management System, its continuing operation and a process of continuing improvement
Subject specific information then fits into this model
13. Implications for BS25999-2
This is the specification that will allow for certification
Must weigh the benefits of commonality with other standards and the current practices in business continuity
MSS approach will need adapting for our specialism whilst retaining the key characteristics of a certification standard and consistency with other related MSS
Scope statements allow application to largest and smallest of organisations
Scope must not be allowed to imply capability where none exists – for instance certification can only be achieved by addressing all steps and all controls in the standard
14. 25999 Part 2
BS25999-2 has finished DPC
250 pages of comments!
Under review at present and being finalised for the main committee to review in October 2007
Publication will be late October
Guidance Documents underway
15. The Standards Pyramid
[Diagram: pyramid of standards and guidance, top to bottom]
ISO
BS25999
BSI/CEN guidance: Context; Framework; Scope; Why do BCM (benefits/drivers)?; Options; Relation to Other Risk Areas
Implementation / Testing
Specialised Functions: HR – IT – OR – Legal – Security – Procurement – Ethics – Supply
Sector Guides
Sector/Industry specific guides*: Construction, mining, oil and gas; Utilities; Financial; Pharmaceutical; Aerospace & Engineering; Retail
Side axis (organisation types): FTSE 250 plc – Public Sector – Small – National/Local – Charities/Voluntary – SME
18. Accreditation Bodies
5 accreditation bodies interested
4 volunteers for pilot – however, concerns that they are “all the same”
Competence Criteria for Auditors being developed
19. Other emerging standards
PAS77 – IT Continuity guidance
Developed in isolation from BS25999
Does not follow precepts of PAS56 or BS25999
Does not follow the management systems approach
Not clear how this fits with other related standards – e.g. ISO 20000 (ITIL)
ISO/IEC 24762 – Recovery Site Provision
Didn’t ask any recovery site vendors!
20. Risk Management
Risk Management standard
BCM and Risk Management committees have swapped glossaries and are trying to agree common terms
Where BS25999 uses risk assessment it has tried to reflect developments of the risk management standard
21. ISO IPOCM
Commencement
Broadly similar to Programme Management
Define scope, management commitment, policy
Planning
Broadly similar to Understanding Your Business
Includes risk assessment and Impact Analysis
Also covers response, as it includes Response Management
Implementation and Operation
Includes resourcing, competence, education and awareness and operational control structure
Performance Assessment
Evaluation of effectiveness including testing, maintenance and audit
Broadly similar to BS25999
22. IPOCM
This is work in progress and a long way from a finalised document
Terminology slightly different from UK common usage and the business continuity industry as most of us have come to know it
For the most part UK practitioners can embrace the changes
Approach slightly different to BS25999/PAS56
But many common points
23. Room for more?
Should there be standards in specific areas of business continuity?
PAS77 could be developed into a standard
Could there be an Incident Management standard?
Overall Governance standard?
24. What happens next?
Committee continues in operation
Focus for other related committees (e.g. risk management)
Review of BS25999 so that subsequent revisions lead to improvements in the standard
Focus for expertise and contribution to ISO deliberations