Radian Compliance Management Services

The recent release of part two of the British Standard for Business Continuity Management (BS25999) has given planners another avenue to explore when designing their business continuity program.

The British Standards Institution (BSI) released the second part of BS25999 in late October 2007 and it has been well received by global organizations.

BS25999 actually includes two standards, BS25999-1 and BS25999-2. The first was released in 2006 and addresses practices and policies; the second specifies procedures for business continuity management. The standard’s intent is to provide guidelines for implementing business continuity management within an organization.

According to BSI, BS25999 is the world’s first internationally recognized standard for Business Continuity Management (BCM). It includes requirements covering the whole BCM lifecycle, based on BCM best practices.

The standard has garnered much attention from businesses around the world. It has become the most downloaded standard from the BSI website. In fact, thousands of companies in the United Kingdom are implementing BS25999.

The basic intent of the standard is to provide best practices for an organization’s personnel, infrastructure and information technology in order to get back in business with minimal disruption if disaster strikes.

While it may seem this is similar to other standards in the market, there are some notable differences.

“BS25999 is unlike other directives, policies or standards that are prescriptive in nature,” said Bob Reilly, senior associate at Booz Allen Hamilton. “It is a management standard that audits processes and procedures to establish and maintain a continuity program.”

Those who complete the BS25999 procedures can apply for certification through BSI. External auditors will evaluate an organization’s business continuity management process. If certification is achieved, it can provide suppliers, investors and clients assurance that rigorous methods will be used to protect the organization in the event of a disruption.

“The standard audits continuous process improvement and compliance to corporate policies, unlike other certifications or audits that just represent a snap-shot in time,” said Reilly.

According to the BSI website, the auditors will be looking for documented evidence that processes are in place and will bring technical experts with them to ask why particular decisions were made.  

Whether the BS25999 standard becomes a hit in North America remains to be seen. Organizations who are interested should discern the differences between this standard and others that are available on the market and make decisions on what, if any, works best in their organization.  

For further input and comparison on the BS25999 standard, visit the ongoing discussion at www.drj.com.