BS25999 AUDIT STANDARD 

Standard   Section   Details

4

The Business Continuity Management Policy

4.1

Overview

Whether BCM activities are conducted and implemented in an agreed and controlled manner to achieve a business continuity capability that meets changing business needs.

Whether ongoing maintenance, management and testing are included.

4.2

Context

Whether the BCM policy is appropriate to the nature, scale, complexity, geography and criticality of business activities and that it reflects the culture, dependencies and operating environment.

Whether BCM is integrated into the organisation's change management activity so that growth and development are taken into account.

4.3 Development of the business continuity policy

Whether the Business Continuity Policy states the objectives of BCM within the organisation, so that the organisation can measure its actual capability against its policy objectives.  The BCM policy should clearly define any limitations or exclusions that apply, e.g. specific products, services or systems.

Whether the BCM policy, strategy, plans and solutions are reviewed regularly.

4.4 Scope of the BCM Programme

Whether the scope of the BCM programme is identified within the BCM Policy

4.5 Outsourced Activities

Whether the risk accountability for products, services or activities that have been outsourced remains vested in the organisation.  Key suppliers and outsource partners should themselves have effective BCM arrangements in place.

5

BCM Programme Management

5.1

Overview

Whether there is a BCM programme in place supported by top management so that it is correctly introduced, adequately supported and established as part of the organisation's culture. 

5.2

Governance

5.2.1

Assigning Responsibilities

Whether a person has been appointed with the appropriate seniority and authority to be accountable for BCM policy and implementation. 

Whether one or more individuals have been nominated to implement and maintain the BCM programme.  Note that in some organisations a team of business continuity representatives with differing roles and responsibilities may be necessary.

5.2.2 Integration

Whether the roles, accountabilities, responsibilities and authorities are integrated into job descriptions and skill sets.   The organisation's audit process should review these responsibilities.

5.3

Implementing Business Continuity in the Organisation

5.3.1

Activities to Implement the Programme

The activities to implement a business continuity programme should include the design, build and implementation of the programme.  The organisation should:-

  • Communicate the programme to stakeholders

  • Arrange or provide appropriate training for staff

  • Exercise the business continuity capability

5.3.2 Project Management

Whether a recognized project management methodology is used to ensure that the implementation is effectively managed.

5.4

Ongoing Management

5.4.1

Overview

Whether the ongoing management activities supporting the BCM policy are embedded within the organisation and there is a process to review, test and update the plans.  Business continuity arrangements and plans should also be reviewed and updated whenever there is a significant change in the organisation's operating environment, personnel, processes or technology, and whenever an exercise or incident highlights deficiencies.

5.4.2 Ongoing Maintenance

Whether there are regular reviews of the activities including:-

  • The scope, roles and responsibilities of BCM

  • Ensuring that an appropriate person or team is appointed to manage the ongoing BCM capability

  • Keeping the business continuity programme current through good practice

  • Promoting business continuity across the organisation and wider where appropriate

  • Administering the exercise programme

  • Co-ordinating the regular review and update of the business continuity capability including reviewing or reworking risk assessments and business impact analysis

  • Maintaining documentation appropriate to the size and complexity of the organisation

  • Monitoring performance of the business continuity capability

  • Managing costs associated with the business continuity capability

  • Establishing and monitoring change management and succession management regimes

5.5

BCM Documentation

5.5.1

BCM Documentation

Whether the individuals tasked with maintaining business continuity have created and maintained the business continuity documentation including:-

  • BCM Policy

  • Business impact analysis

  • Risk and threat assessment

  • BCM strategy/strategies

  • Awareness programmes

  • Training programmes

  • Incident management plans

  • Business continuity plans

  • Business recovery plans

  • Exercise schedule and reports

  • Service level agreements and contracts

6

Understanding the Organisation

6.1

Introduction

6.1.1

The internal organisation

Whether due consideration has been given to the organisation's objectives, stakeholder obligations, statutory duties and the environment in which the organisation operates.

Whether the activities, assets and resources, including those outside the organisation, that support the delivery of products and services have been identified.

Whether the impact and consequences over time of the failure of these activities, assets and resources have been assessed.

Whether the perceived threats that could disrupt the organisation's key products and services, and the critical activities, assets and resources that support them, have been identified and evaluated.

6.1.2

Reliance and Inter-dependencies

Whether critical dependencies have been included in BCM strategies and policies including reliance on external organisations and any reliance placed upon it by others.

6.2

Business Impact Analysis (BIA)

6.2.1

Documentation

Whether the impact of a disruption to the activities that support key products and services has been documented.

6.2.2

Impact Assessment

Whether the impact assessment includes the following:-

  • Assessment over time if key activities were disrupted

  • Maximum tolerable period of disruption (MTPD) of each activity including:-
      -Maximum time within which the activity must resume
      -Minimum level of performance required on resumption
      -How soon normal operations must be restored

  • Identify any inter-dependent activities, assets, supporting infrastructure or resources that also have to be maintained continuously or recovered over time

6.2.3

Damage Control Considerations

Whether the impact analysis includes information relating to:-

  • Impact on staff or public wellbeing

  • Impact of damage to, or loss of, premises, technology or information

  • The impact of breaches of statutory duties or regulatory requirements

  • Damage to reputation

  • Damage to financial viability

  • Deterioration of product or service quality

  • Environmental damage

6.3

Identification of Critical Activities

6.3.1

Priority for Recovery

Activities should be categorised according to their priority for recovery.  Those activities having the greatest impact in the shortest time and which need to be recovered most rapidly may be termed critical activities.  Planning activities should be focused on critical activities, but other activities also need to be recovered within their maximum tolerable period of disruption.

6.4

Determining Continuity Requirements

6.4.1

Resources required for recovery

Whether the organisation has taken into consideration the resources that each activity will require upon resumption including:-

  • Staff resources including numbers, skills and knowledge

  • Premises - the work site and facilities required

  • Technology, plant and equipment

  • Provision of information - electronic or paper based including work in progress, financial ledger printouts etc

  • Supplies from external service providers and suppliers

6.5

Evaluating Threats to Critical Activities

6.5.1

Undertaking a Risk Assessment

Whether the levels of risk are understood in respect of the organisation's critical activities and the risk of a disruption to these.  The threats to critical resources should be understood including the impact that would arise if a threat became an incident and caused a business disruption.

6.5.2

Risk Assessment Approach

Whether the risk assessment approach chosen is suitable and appropriate to address all of the organisation's requirements

6.5.3

The adoption of a suitable framework for risk assessment

The framework for risk assessment should contain the following typical elements:-

  • Determination of the criteria for risk acceptance describing the circumstances under which the organisation is willing to accept risks

  • Identification of the acceptable levels of risk

  • Analysis of the risks

6.5.4

Specific threats

Whether the risk assessment framework includes specific threats to resources such as fire, flood, power failure, staff loss, staff absenteeism, computer viruses and hardware failure

6.5.5

Vulnerabilities and Weaknesses

Whether there are vulnerabilities and weaknesses that can be exploited by some threat - eg single point of failure, inadequate fire protection, power disruptions, staffing levels, IT security and IT resilience

6.5.6

Impacts

Whether the impacts that may result from the exploitation of vulnerabilities by threats have been assessed (see 6.2.3).

6.6

Determining Choices

6.6.1

Overview

Whether the organisation has considered measures to mitigate potential loss and:-

  • reduce the likelihood of a disruption

  • shorten the period of disruption

  • limit the impact of a disruption of key products and services

6.6.2

Business Continuity

Whether recovery time objectives (RTOs) have been established and tested, each falling within the maximum tolerable period of disruption identified for the activity in the BIA (6.2.2), so that the organisation meets the minimum levels and timeframes stipulated within the BIA and can continue to improve its resilience to disruption.
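The impact-over-time assessment and MTPD of 6.2.2, the priority for recovery of 6.3.1 and the 6.6.2 requirement that each RTO meets the BIA timeframe can be checked mechanically once the BIA is held as a structured register. The following Python is an added example and is not part of the Kaon audit standard or of BS 25999: it derives each activity's MTPD from a constructed impact-over-time curve measured against a hypothetical intolerable-impact threshold, ranks activities for recovery, and flags an RTO that exceeds its MTPD or a dependency planned to recover later than the activity that relies on it. The activity names, scores, threshold and dependencies are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Impact scale used by this example (constructed): 1 = negligible ... 5 = severe.
# The threshold at which impact becomes intolerable is a hypothetical risk
# acceptance criterion of the kind 6.5.3 asks the organisation to define.
INTOLERABLE = 4


@dataclass
class Activity:
    name: str
    impact_over_time: Dict[int, int]      # hours of disruption -> impact score (6.2.2)
    rto_hours: int                        # recovery time objective chosen under 6.6.2
    min_level_pct: int                    # minimum level of performance on resumption
    depends_on: List[str] = field(default_factory=list)   # inter-dependent activities


def mtpd(activity: Activity, threshold: int = INTOLERABLE) -> Optional[int]:
    """Maximum tolerable period of disruption: the earliest point on the impact
    curve at which the impact score reaches the intolerable threshold.
    Returns None if impact stays tolerable across the assessed horizon."""
    for hours in sorted(activity.impact_over_time):
        if activity.impact_over_time[hours] >= threshold:
            return hours
    return None


def check_bia(activities: List[Activity]) -> Tuple[List[str], List[str]]:
    """Rank activities for recovery and report the inconsistencies an auditor
    would raise against 6.2.2 / 6.6.2."""
    by_name = {a.name: a for a in activities}
    findings: List[str] = []
    for a in activities:
        limit = mtpd(a)
        # An RTO later than the MTPD means the plan accepts intolerable impact.
        if limit is not None and a.rto_hours > limit:
            findings.append(f"{a.name}: RTO {a.rto_hours}h exceeds MTPD {limit}h")
        # A dependency must be back no later than the activity that needs it.
        for dep in a.depends_on:
            d = by_name.get(dep)
            if d is None:
                findings.append(f"{a.name}: depends on '{dep}', which is not in the BIA")
            elif d.rto_hours > a.rto_hours:
                findings.append(
                    f"{a.name}: RTO {a.rto_hours}h but depends on {dep} with RTO {d.rto_hours}h"
                )

    # Priority for recovery (6.3.1): shortest MTPD first, then the highest
    # peak impact; activities that never become intolerable sort last.
    def priority_key(a: Activity):
        limit = mtpd(a)
        return (limit if limit is not None else float("inf"),
                -max(a.impact_over_time.values()))

    ranked = [a.name for a in sorted(activities, key=priority_key)]
    return ranked, findings


# Constructed sample register; names, scores and RTOs are illustrative only.
SAMPLE_BIA = [
    Activity("Customer order processing", {4: 2, 24: 4, 72: 5}, rto_hours=8,
             min_level_pct=50, depends_on=["Core network", "Order database"]),
    Activity("Order database", {4: 3, 24: 5}, rto_hours=36, min_level_pct=100),
    Activity("Core network", {1: 3, 4: 4}, rto_hours=2, min_level_pct=80),
    Activity("Payroll", {24: 1, 168: 2, 336: 4}, rto_hours=72, min_level_pct=100),
]

if __name__ == "__main__":
    order, issues = check_bia(SAMPLE_BIA)
    print("Recovery priority:", " > ".join(order))
    for issue in issues:
        print("FINDING:", issue)
```

Run against the sample register, the check places the core network first for recovery (it becomes intolerable after four hours) and raises two findings: the order database's RTO of 36 hours is outside its 24-hour MTPD, and customer order processing, with an 8-hour RTO, depends on that database. Either finding would send the strategy back to 7.2 for revision before sign-off under 6.7.1.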

6.6.3

Acceptance

Whether some risks are acceptable to the organisation because the ability to mitigate or prevent them is limited either by cost or by the level of benefit gained.  In some cases the likelihood of the risk occurring is so low that management will agree to self-insure.

6.6.4

Transfer of Risk

Whether some risks are transferred either by conventional insurance or contractual arrangement or by paying a third party to take the risk in another way.  

6.6.5

Change, Suspend or Terminate

Whether a threat can be mitigated by changing, suspending or terminating the service, product, activity, function or process.

6.7

Sign Off

6.7.1

Top Management endorsement

Whether senior management have endorsed and signed off the key products and services, the Business Impact Analysis and the Risk Assessment to ensure that the work has been appropriate and is a true reflection of the organisation.

7

Determining a Business Continuity Strategy

7.1

Introduction

Where business continuity is the chosen option the following should be considered when determining the BCM strategy:-

  • resilience and mitigation measures

  • Business continuity for critical activities during and following an incident

  • account for those activities that have not been classified as critical

7.2

Strategy Options

7.2.1

Strategic Options

Whether the organisation has considered strategic options for its critical activities and the resources that each activity will require on its resumption, taking into account:-

  • the maximum tolerable period of disruption of the critical activity

  • The cost of implementing a strategy

  • the consequences of inaction

7.2.2

Strategies for Resources

Whether the following resources have been considered in the strategy:-

  • People

  • Premises

  • Technology

  • Information

  • Supplies

  • Stakeholders

7.3

People

7.3.1

Strategies for maintaining core skills and knowledge

Whether the organisation has considered how it will ensure that the appropriate core skills and knowledge are maintained taking into account:-

  • Procedures supporting critical activities

  • Multi-skill training of staff and contractors

  • Separation of core skills to reduce the concentration of risk

  • Use of third parties

  • Succession planning

  • Knowledge retention and management

7.4

Premises

7.4.1

Strategies for coping with the unavailability of the work place

Whether the organisation has considered its options with regard to providing an alternative work site depending upon the incident or threat:-

  • Alternative premises within the organisation including the displacement of other less critical activities

  • Alternative premises provided by other organisations

  • Alternative premises provided by third party specialists

  • Working from home or from remote sites

  • Other agreed suitable premises

  • Use of an alternative workforce in an established site

7.5

Technology

7.5.1

Provision of technology support

Whether technology strategies for BCM include the following:-

  • Provision made within the organisation

  • Services delivered to the organisation

  • Services provided externally by a third party

7.5.2

Availability of technology

Whether the BCM strategy includes provision for acquiring technology if required at short notice:-

  • Geographical spread of technology so that equipment maintained at some locations will not be affected by the same disruption

  • Holding older equipment as emergency replacements or spares

  • Additional risk mitigation for unique or long lead time equipment

7.5.3

Strategies for servicing equipment

IT systems are usually complex, and the following should be considered when planning alternative provision of, or access to, those systems:-

  • RTOs for systems and applications which support key activities identified in the BIA

  • Location and distance between technology sites

  • Number of technology sites

  • Remote access

  • The use of un-staffed (dark) sites

  • Telecoms connectivity and redundant routing

  • Provision of failover and whether automatic or manual intervention is required to activate alternative IT provision

7.6

Information

7.6.1

Information Strategies

Whether vital information is known, protected and recoverable in line with specified timeframes.  Special consideration should be given to the information's confidentiality, integrity, availability and currency, and to information which has not yet been backed up.  The format of the information is also important, i.e. whether it is held in hard copy or electronically.

7.7

Supplies

7.7.1

Inventory

Whether the organisation maintains an inventory of the supplies that support its critical activities and has considered strategies such as:-

  • Storage of additional supplies at another location

  • Arrangements with other third parties for delivery of stock at short notice

  • Diversion of just-in-time deliveries to other locations

  • Holding materials at warehouses or shipping sites

  • Transfer of sub-assembly operations to an alternative location which has supplies

  • Identification of alternative substitute supplies

7.7.2

Specialist supplies

Whether the organisation requires any specialist supplies and has the ability to manage continuity of supply, especially for single-source products, through:-

  • Increasing the number of suppliers

  • Requirement for suppliers to have a validated business continuity capability

  • Contractual and/or service level agreements with key suppliers

  • Identification of alternative, capable suppliers

7.8

Stakeholders

7.8.1

Protecting the interests of stakeholders

Whether the organisation has taken into account protecting the interests of its key stakeholders including any relevant cultural and social considerations.

7.8.2

Relationship management

How the organisation intends to manage the relationships with its key stakeholders, business or service partners and contractors.

7.8.3

Welfare

Whether a person or persons have been identified to take care of welfare issues following an incident.

7.9

Civil Emergencies

7.9.1

Familiarity with Civil Defence Strategies

Whether there is any communication and/or interaction with Civil Defence personnel on a regular basis.  Local bodies may be legally required to provide business continuity advice and guidance to both commercial and voluntary organisations operating within their jurisdiction.

7.9.2

Key Responder

Whether the organisation has taken into consideration the provisions and requirements of local body Civil Defence Plans especially where the organisation may be expected to provide input in the event of a civil emergency. 

Whether the organisation has any interaction with key responders who are responsible for:-

  • Pre or post incident advice

  • Warning and information procedures

  • Community recovery arrangements following a civil emergency.

7.10

Sign Off

7.10.1

Sign off documented strategies

Confirmation that senior management have signed off the documented strategies to confirm that the determination of continuity strategies has been properly undertaken and caters for likely causes and effects of disruption and that the chosen strategies are appropriate to meet the organisation's objectives within the organisation's risk appetite.

8

Developing and Implementing a BCM Response

8.1

Introduction

The organisation should:-

  • Identify its critical activities

  • Evaluate threats to these critical activities

  • Choose appropriate strategies to reduce the likelihood and impacts of incidents

  • Choose appropriate strategies that provide for the continuity or recovery of its critical activities

8.2

Incident Response Structure

8.2.1

Define incident response structure

Whether an incident response structure is defined and documented to enable an effective response to, and recovery from, disruption.

8.2.2

Usability of the incident response structure

Confirmation that the incident response structure is simple to use and enables the organisation to:-

  • Confirm the nature and extent of the situation

  • Contain the incident

  • Communicate with stakeholders

8.2.3

Plans, processes and procedures

The team involved in the management of an incident should have plans, processes and procedures to enable them to manage the incident.  These plans should be supported by business continuity tools to enable continuity and recovery of critical activities.

8.2.4

Activation and operations

The team should have plans for the activation, operation, co-ordination and communication of the incident response.

8.2.5

Specific Plans

There may be specific plans to recover or resume operations back to a normal state.  However, in some situations it may not be possible to know what "normal" is until some time after the incident.  Business continuity plans must therefore be capable of extended operation, giving time for the development of recovery plans.

8.3

Content of Plans

8.3.1

Introduction

Content of plans should be concise and accessible to those requiring them.  Responsibilities should be documented in the plans.  Small organisations may only have one plan, but larger, more complex businesses may have multiple plans.

8.3.2

Purpose and Scope

The purpose and scope of each specific plan should be defined and agreed by top management.  It must be understood by those who will be putting the plans into effect.  Each plan should set out prioritized objectives in terms of:-

  • the critical activities to be recovered

  • The timescales in which they are to be recovered

  • The recovery levels needed for each critical activity

  • The situation in which each plan can be utilised

8.3.3

Roles and Responsibilities

The persons or groups covered by a plan should be clearly defined.  Those with the authority in terms of decision making and spending should be clearly documented.

8.3.4

Plan Invocation

The method by which an incident management, business continuity or business recovery plan is invoked must be documented in order to ensure that the shortest possible time elapses between the business disruption and the plan invocation.  The plan must include:-

  • How to mobilize the teams

  • Immediate rendezvous points

  • Subsequent team meeting locations and the details of any alternative meeting locations (command centres)

  • Process for standing down teams once the incident is over

8.3.5

Document Owner and Maintainer

Identification of the primary owner of the plan and who is responsible for review, amendment and updating of the plan at regular intervals.

8.3.6

Contact details

Ensure that each plan contains or provides a reference to the essential contact details for all key stakeholders.

8.4

The incident management plan (IMP)

8.4.1

Purpose

Ensuring that the IMP is:-

  • Flexible, feasible and relevant

  • Easy to read and understand

  • provides the basis for managing all possible issues including the stakeholder and external issues facing the organisation during an incident.

8.5

Contents of the IMP

8.5.1

General

Points covered in 8.3 and 8.5.2-8.5.8 are included.

8.5.2

Task and Action Lists

Whether the IMP includes task and action lists to manage the immediate consequences of a business disruption.  These tasks should:-

  • Ensure the safety of individuals is addressed first

  • Be based upon the results of the organisation's BIA

  • Be structured so that they deliver the strategic and tactical options chosen by the organisation (clause 7)

  • Help prevent the further loss or unavailability of critical activities and supporting resources (clause 7)

8.5.3

Emergency contacts

Content should include a description of how, and under what circumstances, the organisation will communicate with staff and with their relatives, friends and emergency contacts.

8.5.4

People Activities

The IMP should satisfy the interests of those whose welfare might be put at risk as a result of an incident, taking into account social and cultural considerations (7.8.1).  The IMP should identify the person(s) who will discharge responsibility for welfare issues following an incident (7.8.3), and should cover:-

  • Site evacuation

  • Mobilization of safety, first aid or evacuation assistance teams

  • Location and accounting for those who were on site or in the immediate vicinity

  • Ongoing employee/customer communications and safety briefings

Identify the means by which the organisation intends to provide services to debrief and counsel affected staff after an incident.  This service may be outsourced.

8.5.5

Media Response

Whether the media response is documented in the IMP including:-

  • The incident communications strategy

  • The organisation's preferred interface with the media

  • A guideline or template for the drafting of a statement to be provided to the media at the earliest practicable opportunity

  • Appropriate numbers of trained, competent, spokespeople authorised to release information to the media

  • Establishment of a suitable venue to support liaison with the media

  • Provision of separate documentation and supporting details

  • Dealing with telephone calls from the press

  • The preparation of background material about the organisation and its operations

  • The availability of information to the media

8.5.6

Stakeholder management

Whether there is a process for identifying and prioritizing communication with key stakeholders.  A separate plan may be required for this purpose.

8.5.7

Incident Management Location

The identification of a nominated robust and predetermined location, room or space from which an incident will be managed.  A secondary backup location should also be nominated in case the first location is unavailable.  The location must be fit for purpose and include:-

  • Effective primary and secondary means of communication

  • Facilities for accessing and sharing information, including the monitoring of the news media

8.5.8

Annexes

Whether supporting documentation is included within the IMP providing vital logs or forms to record items such as the incident timeline, casualties, decisions made, money spent, damage assessments, communications issued and all other information deemed essential to conduct a post incident review.  The IMP may also include:-

  • Maps, charts, plans, photographs and other information

  • Documented response strategies agreed with third parties

  • Details of equipment storage and staging areas

  • Site access plans

  • A claims management procedure that ensures all insurance and legal claims for or against the organisation meet regulatory and contractual requirements

8.6

The Business Continuity Plans

8.6.1

General

BCPs may vary from organisation to organisation.  Ensure that the BCP purpose is stated within the BCP.

8.7

Contents of the BCP

8.7.1

General

Points covered in 8.3 and 8.7.2-8.7.5 are included.

8.7.2

Task and Action Lists

Whether the BCP includes task and action lists in order of priority including:-

  • How the BCP is invoked

  • The person(s) responsible for invoking the plan

  • The procedure that person should adopt in taking that decision

  • The person(s) who should be consulted before the decision is taken

  • The person(s) who should be informed once the decision has been made

  • Who goes where, and when

  • What services are available, where and when including how the organisation mobilizes external and third parties

  • How and when this information is communicated

  • Any relevant detailed procedures for manual workarounds, system recovery etc

8.7.3

Resource requirements

Whether the plan indicates the resources required for business continuity and business recovery at different points of time including:-

  • People (security, transportation, logistics, welfare and emergency expenses)

  • Premises

  • Technology including communications

  • Information (financial, customer account records, supplier and stakeholder details, legal documents and other service documents such as SLAs)

  • Supplies

  • Management of stakeholders

8.7.4

Responsible Person(s)

Whether there is a nominated person(s) to manage the business continuity and business recovery phases of a disruption.

8.7.5

Forms and Annexes

Whether the plan includes up to date contact details for relevant internal and external agencies, organisations and providers needed for support.

Ensure that the plan includes any relevant incident log or forms for the recording of vital information especially in respect of decisions made.

9

Exercising, maintaining and reviewing BCM arrangements

9.1

Introduction

Exercising is essential to developing teamwork, competence, confidence and knowledge which is vital at the time of an incident. 

The plan should be verified through exercise, audit and self-assessment processes to ensure that it is fit for purpose.

9.2

Exercise Programme

9.2.1

Scope of the exercise programme

Whether the exercise programme can provide assurance to the organisation that the BCP will work as anticipated when required.  The programme should:-

  • Exercise the technical, logistical, administrative, procedural and other operational systems of the BCP

  • Exercise the BCM arrangements and infrastructure

  • Validate the technology and telecommunications recovery

Test objectives should also include:-

  • Practising the organisation's ability to recover from an incident

  • Verifying that the BCP incorporates all organisational critical activities and their dependencies and priorities

  • Highlighting assumptions which may need to be questioned

  • Instilling confidence amongst exercise participants

  • Raising awareness of business continuity throughout the organisation by publicising the exercise

  • Validating the effectiveness and timeliness of restoration of critical activities

  • Demonstrating competence of the primary response teams and alternatives

9.3

Exercising BCM Arrangements

9.3.1

Managing the risks of exercise arrangements

Whether the exercise programme is realistic, carefully planned and agreed with stakeholders so that there is minimum risk of disruption to business processes.

9.3.2

Aims and objectives of exercise

Identification of the aims and objectives.  A post exercise debriefing and analysis should be undertaken.

9.3.3

Scale

The scale of the exercises should be appropriate to the organisation's recovery objectives

9.3.4

Identification of deficiencies

Whether there is documented evidence that the plans can be executed correctly and contain the appropriate detail and instructions.

9.3.5

Roles and responsibilities

Whether the plan considers the roles of all parties including key third party providers, outsource partners and others who would be expected to participate in recovery activities.  These parties may also be included in exercises.

9.4

Maintaining BCM Arrangements

9.4.1

Maintenance Programme

Whether there is a clearly defined and documented BCM maintenance programme.

9.5

Reviewing BCM Arrangements

9.5.1

Review

Top Management should review the BCM at appropriate intervals.  These reviews should be documented.

9.5.2

Compliance

Whether the review verifies compliance with any applicable laws, standards, strategies, frameworks and good practice guidelines.

9.5.3

Changes

Whether the review process identifies the potential for change to the policy, strategy, objectives and other elements of the BCM programme.

9.5.4

Form of the Review

Confirmation that the review process is supported by internal or external audit and/or self assessments in order to verify that:-

  • Key products and services and their supporting critical activities and resources have been identified and included

  • The BCM policy, strategies, framework and plans accurately reflect priorities

  • Plans are fit for purpose

  • BCM solutions are effective, up to date and appropriate to the level of risk

  • Maintenance and exercise programmes have been effectively implemented

  • Strategies and plans incorporate improvements identified during incidents and exercises in the maintenance programme

  • An ongoing programme for training and awareness is in place

  • Procedures have been communicated to relevant staff

  • Change processes are in place and operate effectively

9.5.5

Audit

Provision for the independent audit of BCM competence and capability

9.5.6

Self-Assessment

Documented qualitative verification of the organisation's ability to recover from an incident.

10

Embedding BCM in the Organisation's Culture

10.1

General

Evidence that the organisation has adopted BCM into its culture, including leadership and support from senior management, assignment of responsibilities, awareness by staff, skills training and exercising of the plans.

10.2

Awareness

Whether there are processes for identifying and delivering the BCM awareness requirements and evaluating the effectiveness of the delivery including:-

  • Consultation with staff throughout the organisation

  • BCM mentioned in newsletters, briefings, induction programme etc

  • Inclusion of BCM on web pages or intranets

  • Learning from internal and external incidents

  • BCM discussed at team meetings

  • Exercising continuity plans at alternative locations

  • Visits to designated alternative locations

  • Inclusion of awareness programmes to stakeholders

10.3

Skills Training

Whether there is a process for identifying and delivering training requirements to relevant participants and evaluating the effectiveness of delivery including:-

  • BCM programme management

  • Conducting a business impact analysis

  • Developing and implementing BCPs

  • Running a BCP exercise programme

  • Risk and threat assessment

  • Media communications

  • Non-BCM staff requiring skills to undertake their nominated roles in incident response or business recovery


© 2004 Kaon Security Ltd