BS25999 and Other
Management Systems Standards (MSS)

                     Chris Green, Chair BCM/1
                     This Presentation is an Adaptation of a Siemens-Insight copyright Presentation

                                               Insight Consulting
Agenda

 BS25999 and other standards
 Benefits of the Management Systems approach
 Guidance
 Accreditation
 Other Developments
Why have standards?

 Common understanding
 Common approach
 Common sets of evidence
 Promote quality in a particular subject area
 Reduced risk
 Reduce management overhead
 Greater assurance that the topic is managed effectively
Which standard should we have?

 Broadly speaking there are four tiers of “standards” in the
  UK
    PAS – guidance on best practice
    BS – a standard for the UK in the form of a code of
     practice
    BS – a specification allowing for the achievement of
     certification
    ISO – an international standard superseding BS
Positioning BS25999-1

 Supersedes PAS56
 Not the specification standard which will be BS25999-2
 Related guidance should be compatible with BS25999, for
  instance any future PAS relating to continuity planning
 Could be superseded by an International Standard, so any
  ISO25999 would replace BS25999
Global Vision for ISO 2006 to 2010

 Facilitation of global trade
 Improvement in quality, safety, security, environmental and
  consumer protection, as well as rational use of resources
 Global dissemination of technologies and good practice
Issue of Complexity

   Great potential for synergy between standards
   The synergies are not recognised
   Economies relating to synergies are not realised
Management Systems Standards

 [Diagram: ISO TMB at the top, with MSS-SAG and TC223 Societal Security beneath it, and the following standards below]
    RM            ISO 25700
    Quality       ISO 9001
    Environment   ISO 14001
    Food Safety   ISO 22000
    Supply Chain  PAS 28003
    BCM           BS 25999
    IT DR         PAS 77
    Crisis Mgt    SSM/1
Issue - More reporting and more management time

   Constant stream of people reporting to the Board
   Board room time taken up with reporting not strategy
   No common themes nor messages
   Management want confidence and assurance (this is
    exactly what the standards are aimed at providing)
   Always ask for money
PAS99 – MS Integration

 [Diagram: separate E, OH&S, Q and BC management systems, each with its own "Common" elements, brought together so that E, OH&S, Q and BC share a single "COMMON" set]
Management Systems

 Generally the approach is:
    Standard Plan-Do-Check-Act model
   BS describes establishing a Management System, its
    continuing operation and a process of continuing
    improvement
   Subject specific information then fits into this model
PDCA Model
Implications for BS25999-2

 This is the specification that will allow for certification
 Must weigh the benefits of commonality with other
  standards and the current practices in business continuity
 MSS approach will need adapting for our specialism whilst
  retaining the key characteristics of a certification standard
  and consistency with other related MSS
 Scope statements allow application to largest and smallest
  of organisations
 Scope must not be allowed to imply capability where none
  exists – for instance certification can only be achieved by
  addressing all steps and all controls in the standard
25999 Part 2

 BS25999-2 has finished DPC
 250 pages of comments!
 Under review at present and being finalised for the main
  committee to review in October 2007
 Publication will be late October
 Guidance Documents underway
The Standards Pyramid

 [Diagram: a pyramid with ISO at the top, then BS25999 (BSI/CEN), then Sector Guides at the base, alongside a range of organisation types: FTSE 250 – Small; Public – National/Local; Charities/Voluntary; SME]
    BS25999: Context; Framework; Scope; Why do BCM (benefits/drivers)?; Options;
             Relation to Other Risk Areas; Implementation / Testing; Specialised Functions
    Specialised functions: HR – IT – OR – Legal – Security – Procurement – Ethics – Supply
    Sector/Industry specific guides*: Financial; Construction, mining, oil and gas;
             Pharmaceutical; Aerospace & Engineering; Retail; Utilities
Accreditation Bodies

 5 accreditation bodies interested


 4 volunteers for pilot – however, concerns that they are “all
  the same”


 Competence Criteria for Auditors being developed
Other emerging standards

 PAS77 – IT Continuity guidance
    Developed in isolation from BS25999
    Does not follow precepts of PAS56 or BS25999
    Does not follow the management systems approach
    Not clear how this fits with other related standards – e.g.
     ISO 20000 (ITIL)
 ISO/IEC 24762 – Recovery Site Provision
    Didn’t ask any recovery site vendors!
Risk Management

 Risk Management standard
    BCM and Risk Management committees have swapped
     glossaries and are trying to agree common terms
    Where BS25999 uses risk assessment it has tried to
     reflect developments of risk management standard
ISO IPOCM

 Commencement
     Broadly similar to Programme Management
     Define scope, management commitment, policy
 Planning
     Broadly similar to Understanding Your Business
     Includes risk assessment and Impact Analysis
     Also covers response, as it includes Response Management
 Implementation and Operation
     Includes resourcing, competence, education and awareness and
      operational control structure
 Performance Assessment
     Evaluation of effectiveness including testing, maintenance and
      audit
     Broadly similar to BS25999
IPOCM

 This is work in progress and a long way from a finalised
  document
 Terminology slightly different from UK common usage and
  the business continuity industry as most of us have come
  to know it
     For the most part UK practitioners can embrace the
      changes
 Approach slightly different to BS25999/PAS56
    But many common points
Room for more?

 Should there be standards in specific areas of business
  continuity?
    PAS77 could be developed into a standard
    Could there be an Incident Management standard?
    Overall Governance standard?
What happens next?

 Committee continues in operation


 Focus for other related committees (e.g. risk management)


 Review of BS25999 so that subsequent revisions lead to
  improvements in the standard


 Focus for expertise and contribution to ISO deliberations