BS 25999 and other business

continuity standards

Avoiding disaster before it happens is something every business would like to achieve. Andy Tomkinson gives an outline of standards around the world that can help achieve this aim and Lyndon Bird breaks down the new standard that's taken the world by storm

Standards around the world

There are few business continuity standards around the world, mainly as it is still considered to be a relatively new concept. Due to this gap in the market, the newly published BS 25999 is selling like hot cakes.

However, within the standards/legislation/regulatory guidance that do exist around the world, many make reference to business continuity management (BCM), although they do not necessarily use the same terminology. Some standards that exist are:

• NFPA 1600 – the National Fire Protection Association in the US. It has been developed from dealing with fire and looks at business continuity from a denial of access perspective, with some prescriptive conditions unlike BS 25999
• ISO 17799 – a standard for information security management systems that manages and minimises threats to information
• ISO 22399– guidelines for incident awareness and operational continuity management
• HB 221 and HB 292/293 – Australia’s BCM standard and guide to BCM
• AS/NZS  4360:2004 – shared by Australia and New Zealand, it works with HB 436 to provide risk-management guidelines
• SPRING TR 19– the Singapore technical reference to BCM, which mainly deals with the technical aspects of systems
• The King II report of Corporate Governance – these South African guidelines for risk management look at BCM from a governance perspective
• The Civil Contingencies Act 2004 – the act received Royal Assent in 2004 in the UK, providing guidance on BCM

BS 25999

The Business Continuity Institute is the world’s premier BC institute offering professional accreditation in the discipline of business continuity with over 4,000 members in more than 85 countries. In 2002, the institute issued its first Good Practice Guidelines written in conjunction with many industry experts.

This formed the basic framework for the original BSI activities in the BCM field, leading to a publicly available specification for BCM called PAS 56. BS 25999 replaced PAS 56, but the link between the standard and the BCI Guidelines has been maintained.

BS 25999 contains two parts. Part one is the ‘code of practice,’ giving guidance and the objectives of the standard as well as explaining what exactly BCM covers. Part two is the specification, which is what companies can be certified against. It details the requirements for implementing, documenting and improving a BCM system. In simple terms, part one is ‘should’ and part two is ‘shall’.

The launch of BS 25999-1, the code of practice, certainly changed the commonly-held belief that BCM has no advantages over other management disciplines. A new standard rarely generates excessive enthusiasm in the business community, often being perceived as worthy rather than exciting, more ‘red-tape’ than entrepreneurial. However, not since the emergence of ISO 9001 has a formal standards-based approach to a management discipline made such an impact.

To put it in perspective, when the initial draft of the code of practice was released for public consultation there were 5,000 downloads from all around the world. Previously the BSI in its 100-plus year history had never had more than a few hundred. There were enormous volumes of comment to absorb and incorporate before it could be released. Much of the feedback was positive but some of it was violently opposed to any form of standard in this field.

Similarly BS 25999-2, which is the specification standard against which firms can be audited and certified, also created massive interest, so much so that BSI had to organize a world tour of major cities, eager to hear about the new standard.

Apart from the work of the BCI and the BSI, much work is currently being undertaken around the world to get a clearer and more standardized acceptance for BCM. This is difficult because what is applicable in one sector or country might not be acceptable in another. In the US, the National Fire Protection Association (NFPA) has a standard for emergency management and disaster response. It is not, however, a specification standard and so organizations cannot get the coveted certification.

About the authors

Andy Tomkinson is a partner of Adtapt delivering business continuity, incident management and disaster recovery across all sectors. He was elected board director of the Business Continuity Institute until 2006 and has chaired the Survive Personnel SIG. www.adtapt.com  

Lyndon Bird is technical and international director at the Business Continuity Institute. www.thebci.org

Have an issue to raise? A question to ask? Give us your opinions now in the Online Forums.