Driven by recent industry demands for a common, generally accepted framework, British Standard 25999 originated as an attempt to provide an industry-wide process that was consistent in regards to business continuity analysis and response techniques. The British Standard Institute met this demand by convening a committee of professionals with experience in several different fields of business from around the world. It was this diverse group of professionals that developed a widely reaching yet actionable set of guidelines and processes.
BS 25999 is built upon a six element life-cycle:
- Business Continuity Program Management
- Understanding the Organization
- Determining Strategy
- Developing a Business Continuity Management Response
- Exercising, Maintaining and Reviewing
- Embedding into Culture
These six elements define not only a planning structure, but an entire program structure, incorporating all of the elements needed to maintain a viable recovery solution. BS 25999 refers to a business continuity management system or BCMS, reinforcing the importance of solidifying business continuity efforts within a consistent and overarching program or system. In the past, business continuity standards have tended to focus on one aspect of a program or system, such as impact analysis or recovery planning. BS 25999 provides a framework for all of the areas as a whole so that an organization can ensure the longevity of their program. This holistic approach attacks the risks and impacts of an interruption from all angles, as opposed to just from the response or recovery side.
The six elements of the BS 25999 structure are defined using common BC terminology and a format that is consistent and easy to understand. Making it even easier to follow, the framework is written for the business continuity planner, focusing on system objectives. This approach allows the standard to provide objectives for all aspects of a system such as the activities within it, the reporting that results, and the personnel involved. Until now, most standards have focused on one of these areas, such as the knowledge that personnel should have or the structure that reports should have. This framework provides value for both the most experienced and the most inexperienced business continuity professionals. Inexperienced professionals are able to understand the terminology and follow the structure to begin building a program while experienced professionals can find value by benchmarking their system against the standard to find areas of weakness to build upon.
Adding to this easy to follow format, BS 25999 provides not only the standards or objectives to achieve but also the activities or tasks to meet them. BS 25999 offers a Part One and Part Two. Part One offers the code of practice, a set of ‘good practices’ that can be used to provide overall guidance for the development of a program. Part Two is the specifications, which defines the minimum requirements for a effective business continuity management system. The content of both Part One and Part Two, is structured in an outline format, that is consistent between both parts. Also provided are graphical displays and additional commentary on important points.
The British Standard Institute states that BS 25999 is for: “anyone with the responsibility for business operations and the continuity of such operations from board directors and chief executives through all levels of the organization.” This statement reinforces that the standard is written for any professional tasked with mitigating the risk and impact of an interruption to their business. The British Standard Institute has succeeded in developing a standard that is straight forward and versatile, providing a framework to manage interruption risk from all sides.