This is a short introduction to the world of Standards outlining how they are developed.
A standard is a document defining best practice, established by consensus and approved by a recognized body (such as BSI, ANSI or ISO). Each standard is kept current through a process of maintenance and review whereby it is updated, revised or withdrawn as necessary.
In November the member countries of the International Standards Organisation (ISO) have been meeting in Beijing to discuss the proposed ISO for Business Continuity ISO22301.
Earlier in the week doubts had been cast on its future following concerns expressed by a number of countries that the development of an Organizational Resilience Standard had the potential to adversely impact on the consistency and application of both Standards.
After two years the revision of the Civil Contingencies Act (CCA) through the Enhancement Programme (EP) is nearing completion with the final consultations closing on 27th September 2011.
The Enhancement Programme to the Civil Contingencies Act covers most areas of the legislation and has been split into phases. The phase has delivered updates centred primarily on Emergency Response and Recovery across the country and builds on the lessons learnt since the introduction of the Act. Clarification and updates have also been made on Good Practice Guidance, Mutual Aid and the fit with other legislation. (Summary of Phase One work)
The work continues with consultation on the changes proposed in the following areas:
Local Responder Risk Assessment Duty
Business Continuity Management
Communicating with the Public
Business Continuity Advice and Assistance to Business and the Voluntary Sector
Arrangements for London
If you have yet to review these changes to the Act, time is running out. You can use the links below to see and comment on the changes proposed.
The Continuity Forum welcomes the revision process, particularly the aligning of Business Continuity arrangements with the British Standard BS25999; we feel the revisions significantly clarify the expectations of the Act within all Category One and Two Responders. Another major plus for the revised Act is the expectations relating to communications, which we feel are a major step forward, providing greater clarity and removing much of the ambiguity that previously existed. It is clear to us that the CCA team has worked hard to deliver a balanced review that provides flexibility in delivering appropriate solutions and processes, whilst maintaining clear direction on the expectations of the Act.
The alignment with BS25999 is of particular importance to the sector and our communities as the Civil Contingencies Act preceded the launch of the Standard. Whilst many of those within the sector had aligned with BS25999 principles, the revisions now make this expectation far clearer. We would hope that those planning in Category One and Two organisations will quickly move to assess and adapt their planning to meet this expectation, in particular the aspects that address their supply chain. Many BCM professionals working within organisations covered by the CCA have found this to be a difficult area to address with management, and this has led to numerous avoidable problems.
One area that we feel may need to be strengthened is the verification and audit of the Business Continuity arrangements in place. Whilst we accept that some aspects of the BCM capabilities within Category One organisations may need a degree of adaption (and indeed BS25999 allows for this), this should not undermine the intent of either the Act or BS25999. Consequently, we would like to see a condition added to justify variance from the standard. This would not undermine the flexibility of either the Act or standard, but would result in evidence for the need to vary from accepted Good Practice being justified more clearly. We also feel that a little more focus should be given to the audit and assessment of the plans developed and deployed, as this could be argued to be fundamental to delivery of value from the investment being made.
With regards to Category Two responders, we feel that the regulators for these sectors need to pay far more attention to the Business Continuity arrangements developed by the companies they are responsible for regulating and should demand similar levels of detail and regular updates. The Continuity Forum is working in this area and we are hoping to meet with the primary regulators shortly to discuss this issue further.
Links to more information are shown below:
The British Standards Institute has awarded Vocal, best known for its iModus notification system, full BS25999 accreditation – the British standard of business continuity management. The accreditation incorporates the entire organisation, including the iModus system.
The American National Standards Institute (ANSI) has approved the ASIS/BSI BCM.01 2010 standard for Business Continuity Management.
The full name for the standard is ANSI/ASIS/BSI BCM.01:2010, Business Continuity Management Systems - Requirements with Guidance for Use (Joint ASIS International and British Standards Institute (BSI) Standard) and, whilst a mouthful, it reflects the very close collaboration throughout the whole development process between ASIS and the BSI. This approach led to a multi-national team being involved, with the committee responsible for the development being co-chaired by Dr Marc Siegel (US) and Kevin Brear (UK) and also including Russell Price from the Continuity Forum.
EC Group has become the first promotional handling and fulfilment company to be awarded BS 25999 certification in Business Continuity Management from BSI. EC Group provides outsourced marketing services.
Kim and Charlie Maclean-Bristol, Directors of PlanB Consulting, were awarded their BS25999 (the British Standard for business continuity) Certificate by Gordon Stewart of the British Standards Institute at the Resilient Scotland Conference in Edinburgh on 22 November 2010.
ASIS International released ASIS SPC.1-2009 - Organisational Resilience: Security, Preparedness and Continuity Management Systems - Requirements with Guidance for Use a little over a year ago, and it is shortly going to come under the spotlight once again as the latest Business Continuity standard comes to market - ANSI/ASIS/BSI BCM.01:2010.
The summary report will be issued in the 1st Qtr of 2011. If you would like more information please contact us directly.
Survey on BS25999 Usage
Some working in the field of Business Continuity may not remember a time before standards, but for many of us in the field for longer, the work of the BCM Committee of the BSI to create the world's first BCM standard was instrumental in developing much-needed consistency and credibility across the sector. The outcome of this work, BS25999, has been at the heart of much of the subsequent development in the discipline, and the BSI has one of the most successful Management Standards ever issued.
As BS25999 approaches its fourth birthday, the BSI BCM/1 committee is looking to assess the experience and opinions of hundreds of practitioners and BCM managers all around the world on how they are applying BS25999 and its family of related standards and Published Documents in their organisations.
Consequently, the BCM/1 committee has developed the BS25999 2010 Survey, in conjunction with the Business Continuity Institute and the Continuity Forum, which they hope you will find the time to contribute to.
Interxion, a leading European provider of carrier-neutral colocation data centre services, today announced that it has achieved the highly regarded certification of BS 25999, the British Standards Institution (BSI) standard for Business Continuity Management. This has been integrated with Interxion’s existing Information Security Management System certification, ISO 27001.
The BSI, BCI and Continuity Forum are coming together to undertake an industry-wide survey on how the world's most successful Business Continuity Standard, BS25999, is being used by organisations around the world.
Chris Green, Chairman of the BSI BCM/1 Committee that is responsible for the standard, comments “This survey will really help guide our thoughts on how the profession has responded to BS25999, and what we should be considering in the future.”
Continuity Forum Chairman, Russell Price said "BS25999 has been remarkably successful and is well established in the field ... but as the BCM sector evolves and experience grows we should regularly review the fit between standards and organisational needs."
BS25999 survey can be accessed by clicking the link below:
All contributions are made in confidence and a report on the findings will be available on completion of the project.
PD 25666 gives appropriate guidance to all organizations on performing exercising, including testing activities, for continuity and contingency programmes. Arrangements for information technology (IT) systems also fall under this general guidance.
This Published Document provides a framework for, or signposts to, good practice for any organization that wishes to engage in exercising activities. Although there are operational differences between contingency and continuity programmes, it is suggested that there is synergy in exercising activities between these disciplines.
PD 25666 establishes the principles and terminology of exercising and gives guidance on the processes and methods for developing or improving continuity and contingency capabilities.
Vodafone UK has recently been undergoing a thorough audit by the BSI as part of the retention process for its BS25999 certification for Business Continuity Management. The successful outcome demonstrates the capability of the Vodafone approach and in achieving recertification demonstrates to customers the added resilience of the services provided by Vodafone.
This is a point not lost on Vodafone's management. In their press statement they make reference to the clear responsibility they have as a telecommunications company to other organisations and particularly their BCM plans. Peter Kelly, Enterprise Director Vodafone UK says “We know that mobile communications are an essential service for all businesses – retaining BS 25999 certification demonstrates that we continue to deliver the most reliable and highest quality network for our customers, no matter what.”