The new British Standard for Business Continuity - BS25999

Category Business Continuity Management - BCM - BS25999 - press release


Standards deliver framework for growth


Increasing numbers of organisations in the UK recognise the need for BCM. This may be driven by customers, regulators, statutory requirements or even a desire to improve organisational governance.

However what the senior managers of these organisations lack is guidance of how BCM should be implemented. 50% of managers responding to the annual Chartered Management Institutes BCM survey, carried out in association with Continuity Forum, made this their highest requirement.

Those of us who have been working in the BCM arena for many years appreciate that a uniform approach to BCM, particularly across the supply network is essential. When quality management was first introduced the major commercial companies imposed their own quality standards on their suppliers. Any supplier serving a group of major customers was obliged to introduce a range of quality management methodologies to meet customer demands. Although this added to their costs it could be accommodated. We realised that if the same approach was taken with business continuity there would be serious issues. Whilst customers can assess the quality of goods and services delivered at anytime, the effectiveness of BCM is, in reality, only fully tested if and when an organisation is disrupted for whatever reason. It is therefore essential that there should be a way of assessing a BC programme in a non-disruptive situation. For this to happen there needed to be a benchmark against which measurement can take place. A recognised BCM standard was the goal.

In the autumn of 2002 an opportunity arose to create a British Standards Public Available Specification for BCM. A representative group of practitioners, drawn from public and private sectors, came together under the chairmanship of John Sharp, Policy and Development Director of Continuity Forum, to develop PAS 56 which built upon existing BCM guidance documents.

This was subsequently published in March 2003. By 2006 BSI had sold over 6000 copies of PAS 56 worldwide and many organisations began to base their BCM practices upon this specification.

In 2005 the Civil Contingencies Act was introduced which was designed to improve the UK's resilience to disruptive events. For the first time BCM was included, placing an obligation on public bodies to put in place effective BCM to protect their capabilities at the time of an emergency. Local authorities are also required to promote BCM to the wider community. The Act is supported by guidelines designed to establish some uniformity in delivery across England & Wales. BCM experts, including the Continuity Forum, assisted in the creation of these guidelines and it was insisted by those involved, that the sections covering BCM should follow accepted practices and PAS 56 was used as a foundation. Whilst not being perfect, PAS 56 is seen by many as a defacto standard for BCM. Because of the level of interest in the PAS, BSI canvassed opinion as to the need for a full BSI standard for BCM. The outcome was the establishment in July 2005 of a Technical Committee to start work on a full standard.

The Technical Committee consisted of approx 36 members drawn from representative organisations and industry sectors. Key elements have been incorporated into the standard which are designed to develop effective BCM in organisations, these are:

Identification of critical services and products which, if disrupted, have the greatest impact on the organisation 
Identification of the critical activities and resources that are used to support the key products and services
Development of appropriate BC plans to minimise the disruption to the critical products and services  
Exercising of the plans
 
The lessons learnt from the exercises that are then incorporated into modified plans.
The initial draft of the new BCM standard, BS25999-1, a Code of Practice for BCM, was available for public consultation in July 2006.
 
5000 people downloaded the draft, the highest number of requests for download of a draft standard ever received by BSI, 4750 more than the previous highest. Over 1000 comments were received and considered by the Technical Committee. BS25999-1 was published at the end of November 2006 and within 8 weeks 3000 copies had been sold.
 
Work is now progressing on BS25999-2, a Specification for BCM, against which organisations will be able to be certified. The draft of Part 2 is expected to be available for consultation by April 2007 and the target is to publish June/July this year. Already organisations are making enquiries about certification and are keen to be involved in any pilot scheme.
 
The awareness of the new standard is high, the forthcoming 2007 CMI BCM research shows that 32% of those who already have BCM know of its existence. 38% plan to use it as guidance and a further 30% will seek some form of accreditation.
 
The United Kingdom Accreditation Service (UKAS) has been so impressed with the reaction to this new standard that they will be commencing development of a pilot accreditation scheme at the time that BS25999-2 is published. They hope to have auditing bodies accredited to certify organisations against the new standard by the end of the year. By the end of 2007 the UK will have in place a BCM standard together with an accredited auditing regime. The standard will have been built upon the best practices of UK
 
BCM practitioners and the methodologies used by private, public and voluntary sectors. Certification against the standard will give assurance to regulators, insurers, investors and customers that those on whom they rely are better able to minimise the effects of disruptive events and will in turn lead to a more resilient UK.