
    Business Continuity Management Systems: Requirements with Guidance for Use

    ASIS International

    American National Standard

    1625 Prince Street, Alexandria, Virginia 22314-2818, USA
    +1.703.519.6200
    Fax: +1.703.519.6299
    www.asisonline.org

    ASIS/BSI BCM.01-2010

    12110 Sunset Hills Road, Suite 200, Reston, Virginia 20190-5902, USA
    1.800.862.4977
    Fax: +1.703.437.9001
    www.bsiamerica.com

    ASIS International (ASIS) is the preeminent organization for security professionals, with more than 37,000 members worldwide. Founded in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the media, governmental entities, and the general public. By providing members and the security community with access to a full range of programs and services, and by publishing the industry's number one magazine, Security Management, ASIS leads the way for advanced and improved security performance. For more information, visit www.asisonline.org.

    BSI Group is a global independent business services organization that develops standards-based solutions to improve management practices and promote innovation. BSI can help businesses, governments and other organizations around the world to raise quality and performance in a sustainable and socially responsible way. From its origins as the world's first National Standards Body, BSI Group draws upon over 100 years' experience, working with 66,000 organizations in 147 countries from its 50 offices. To learn more, please visit www.bsigroup.com.

    ASIS/BSI BCM.01-2010

    an American National Standard

    BUSINESS CONTINUITY MANAGEMENT SYSTEMS: REQUIREMENTS WITH GUIDANCE FOR USE

    A management systems approach for preparedness and business/operational continuity management

    Approved November 2, 2010

    American National Standards Institute, Inc.

    ASIS International and British Standards Institution (BSI)

    Abstract

    Based on the BS 25999 Business continuity management (Part 1 and Part 2), this Standard specifies requirements for a business continuity management system (BCMS) to enable an organization to identify, develop, and implement policies, objectives, capabilities, processes, and programs, taking into account legal and other requirements to which the organization subscribes, to address disruptive events that might impact the organization and its stakeholders. This Standard specifies requirements for planning, establishing, implementing, operating, monitoring, reviewing, exercising, maintaining, and improving a documented BCMS within the context of managing an organization's risks.


    NOTICE AND DISCLAIMER

    The information in this publication was considered technically sound by the consensus of those who engaged in the development and approval of the document at the time of its creation. Consensus does not necessarily mean that there is unanimous agreement among the participants in the development of this document.

    ASIS International and BSI standards and guideline publications, of which the document contained herein is one, are developed through a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of persons who have an interest and knowledge in the topic covered by this publication. While ASIS administers the process and establishes rules to promote fairness in the development of consensus, it does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments contained in its standards and guideline publications.

    ASIS is a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its members or anyone else. ASIS and BSI do not accept or undertake a duty to any third party because it does not have the authority to enforce compliance with its standards or guidelines. It assumes no duty of care to the general public, because its works are not obligatory and because it does not monitor the use of them.

    ASIS and BSI disclaim liability for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of, application, or reliance on this document. ASIS and BSI disclaim and make no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any information published herein, and disclaims and makes no warranty that the information in this document will fulfill any person's or entity's particular purposes or needs. ASIS and BSI do not undertake to guarantee the performance of any individual manufacturer or seller's products or services by virtue of this standard or guide.

    In publishing and making this document available, ASIS and BSI are not undertaking to render professional or other services for or on behalf of any person or entity, nor are ASIS and BSI undertaking to perform any duty owed by any person or entity to someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstances. Information and other standards on the topic covered by this publication may be available from other sources, which the user may wish to consult for additional views or information not covered by this publication.

    ASIS and BSI have no power, nor does it undertake to police or enforce compliance with the contents of this document. ASIS and British Standards have no control over which of its standards, if any, may be adopted by governmental regulatory agencies, or over any activity or conduct that purports to conform to its standards. ASIS and British Standards do not list, certify, test, inspect, or approve any practices, products, materials, designs, or installations for compliance with its standards. It merely publishes standards to be used as guidelines that third parties may or may not choose to adopt, modify or reject. Any certification or other statement of compliance with any information in this document shall not be attributable to ASIS and British Standards and is solely the responsibility of the certifier or maker of the statement. This publication does not purport to include all the necessary provisions of a contract. Compliance with a British Standard cannot confer immunity from legal obligations.

    All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written consent of the copyright owner.

    Copyright 2010 ASIS International and British Standards Institution

    ISBN: 978-1-934904-07-7


    FOREWORD

    The information contained in this Foreword is not part of this American National Standard (ANS) and has not been processed in accordance with ANSI's requirements for an ANS. As such, this Foreword may contain material that has not been subjected to public review or a consensus process. In addition, it does not contain requirements necessary for conformance to the Standard. ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory requirements are designated by the word "shall" and recommendations by the word "should". Where both a mandatory requirement and a recommendation are specified for the same criterion, the recommendation represents a goal currently identifiable as having distinct compatibility or performance advantages.

    ASIS International and BSI collaborated in the development of the Business Continuity Management Systems: Requirements with Guidance for Use Standard. This management systems standard provides generic auditable criteria and informative guidance on business continuity management.

    About ASIS

    ASIS International (ASIS) is the preeminent organization for security professionals, with more than 37,000 members worldwide. ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the media, government entities, and the public. By providing members and the security community with access to a full range of programs and services, and by publishing the industry's No. 1 magazine, Security Management, ASIS leads the way for advanced and improved security performance.

    The work of preparing standards and guidelines is carried out through the ASIS International Standards and Guidelines Committees, and governed by the ASIS Commission on Standards and Guidelines. The Mission of the ASIS Standards and Guidelines Commission is to advance the practice of security management through the development of standards and guidelines within a voluntary, nonproprietary, and consensus-based process, utilizing to the fullest extent possible the knowledge, experience, and expertise of ASIS membership, security professionals, and the global security industry.

    About BSI

    BSI is the UK's National Standards Body, recognized globally for its independence, integrity, and innovation in the production of standards and information products that promote and share best practices. BSI works with businesses, consumers, and government to represent UK interests and to make sure that British, European, and international standards are useful, relevant, and authoritative.

    BSI Group is a global independent business services organization that inspires confidence and delivers assurance to customers with standards-based solutions. Originating as the world's first national standards body, the Group has over 2,300 staff operating in over 120 countries through more than 50 global offices.

    Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince Street, Alexandria, VA 22314-2818, USA.


    Commission Members

    Jason L. Brown, Thales Australia
    Steven K. Bucklin, Glenbrook Security Services, Inc.
    John C. Cholewa III, CPP, Mentor Associates, LLC
    Cynthia P. Conlon, CPP, Conlon Consulting Corporation
    Michael A. Crane, CPP, IPC International Corporation
    William J. Daly, Control Risks Security Consulting
    Eugene F. Ferraro, CPP, PCI, CFE, Business Controls Inc.
    F. Mark Geraci, CPP, Purdue Pharma L.P., Chair
    Robert W. Jones, Socrates Ltd, Inc.
    Michael E. Knoke, CPP, Express Scripts, Inc., Vice Chair
    John F. Mallon, CPP, Mallon & Associates, LLC
    Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
    John E. Turey, CPP, ITT Corporation
    Roger D. Warwick, CPP, Pyramid International

    At the time it approved this document, the BCM Standards Committee, which is responsible for the development of this Standard, had the following members:

    Committee Members

    Committee Co-Chairman: Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative, ASIS International
    Committee Co-Chairman: Kevin S. Brear, J.P. Morgan Chase
    Committee Secretariat: Sue Carioti, ASIS International
    Committee Secretariat: David Adamson, British Standards Institution

    David Adamson, British Standards Institution
    Marene Allison, Johnson & Johnson
    Edgard Ansola, Mutua Asepeyo
    Paul H. Aube, CPP, Institut Grasset
    Dave Austin, Operational Resilience Limited
    Don Aviv, CPP, PCI, PSP, Interfor Inc.
    William D. Badertscher, CPP, Georgetown University
    Pradeep Bajaj, PRISMA
    Thomas Bannister, Metropolitan Police Service
    David Benish, Strategic BCP
    Alan Berman, DRI International
    Lyndon Bird, The Business Continuity Institute
    Dennis R. Blass, CPP, PSP, Secumetrics LLC
    John Boal, CPP, PCI, University of Akron
    Mark Borchers, CPP, Germanna Community College
    Thomas Bozek, Bozek Consulting, LLC
    Kevin S. Brear, J.P. Morgan Chase
    Patrick Brennan, BCMexperts
    Larry Brown, First Citizens Bank
    Frederick A. Budde, Ph.D., PCI, U.S. Department of Homeland Security, Federal Air Marshal Service
    Doyle J. Burke, CPP, DAKO Group
    Donald Byrne, North River Solutions
    Thomas Carroll, Computer Sciences Corporation
    Doug Cassell, Mutual of Enumclaw Insurance


    Sharon Caudle, Ph.D., The Bush School of Government and Public Service
    Chee Seng Chan, Becton Dickinson Critical Care Systems Pte Ltd
    Ian Charters, Continuity Systems Ltd
    Telva Chase, Regence Group
    Ian Clark, East Neuk Consultants Ltd
    Justin Clarke, Gobanza, Inc.
    Mike Claver, State Farm Insurance Companies
    William Coffey, American Society of Safety Engineers
    Andrew Collins, Baylor Health Care System
    Malcolm Cornish, RMI (UK) Limited
    Robert J. Coullahan, CEM, CPP, CBCP, Readiness Resource Group
    Georges Cowan, Business Continu-IT Partners
    Kevin Cunningham, UBS
    Merlyn Demaine, Imperial College NHS Trust
    Indrajit Dimyati, Business Continuity Planning Asia Pte Ltd
    Brian Dixon, Moody International
    Lisa DuBrock, The Radian Group, LLC
    Robert Duncan, Consultant
    Edward Eaton, Warner Gudlaugsson LLC
    Henry Ee, Business Continuity Planning Asia Pte Ltd
    Jorge Escalera, Risk Mexico
    Greig Fennell, Sprint
    Patti Fitzgerald, Disaster Recovery Journal
    Windom Fitzgerald, Pendulum
    Walter Fountain, CPP, Schneider National, Inc.
    Christopher Frampton, SRCN Limited
    Barry Freedman, FCS Consulting Services
    Peter French, CPP, SSR Personnel
    Robin Gaddum, IBM
    Paul Genzburg, Soros Fund Management/Open Society Institute
    Robert Giffin, Avalution Consulting
    Stephen Giordano, HCA Inc.
    Matthew Gneuhs, Cincinnati Children's Hospital Medical Center
    Julia Graham, DLA Piper UK LLP
    Briane Grey, U.S. Drug Enforcement Administration
    Wayne Harrop, Centre for Disaster Management: Coventry University
    Ronald Hauri, Northwestern University
    John Hele, British Standards Institution
    Michael Hill, Nokia
    Andrea Hollman, United Space Alliance, LLC
    Simon Honey, Mitsubishi UFJ Securities International plc.
    Roger Housner, WPS Insurance Corporation
    C.J. Howard, Deere & Company
    Terri Howard, FEI Behavioral Health
    David Huynh, Ross Stores, Inc.
    Brian Kaye, Control Risks Group
    David Kaye, Risk Reality
    Michael Keating, Doulos Business Consulting
    James Kennedy, Recovery-Solutions
    Penelope Killow, HFC Bank (HSBC Group)
    Steven King, CPP, U.S. Department of Homeland Security, Office of Infrastructure Protection
    Paul Kirvan, Paul Kirvan Associates
    Donald E. Knox, CPP, Caterpillar Inc.


    Richard Kobylar, Capgemini
    John Kunert, First Restoration
    Michael Kuras, American Imaging Management, Inc.
    Bill Lang, VCPI
    Lince Lawrence, Allianz Cornhill Information Services
    Grant Lecky, Citizenship and Immigration Canada
    James J. Leflar Jr., CPP, CBCP, Johns Hopkins Bloomberg School of Public Health
    Hugh Leighton, Aon Global Risk Consulting
    Victoria Leighton, Avanade, Inc.
    Eric Levine, Wellpoint
    Wayne Lewis, Global Consulting
    Judy Little, TSYS
    William Lloyd, City National Bank
    David Lloyd, The Business Continuity Institute
    James Lukaszewski, The Lukaszewski Group Inc.
    Bruce Lundeen, AT&T
    Tracy Male, Bristol-Myers Squibb
    Bill Marotz, Schneider National, Inc.
    Andrew Mason, PricewaterhouseCoopers LLP
    Diana McClure, Institute for Business & Home Safety
    Richard McGlave, Continuity Ltd
    Jim McMahon, CPP, Align Technology
    Mohamed Fadhel Meddeb, Efla Consultants Engineers
    Cynthia Miller, Abbott
    Murray Mills, CPP, New Zealand Ministry of Health
    Susan Mitchell, Wilmer Cutler Pickering Hale and Dorr LLP
    Goh Moh Heng, BCM Institute
    Lawrence Mondschein, Consultant
    Ashley Moore, Federal Emergency Management Agency, U.S. Department of Homeland Security
    Dennis Morgan, CPP, International Consortium for Organizational Resilience
    Richard Moulton, AlliedBarton
    James Murphy, North Carolina Department of Health and Human Services
    James Murray, Blue Cross and Blue Shield of Florida
    Doug Nelson, Business Continuity Solutions
    James Nelson, International Consortium for Organizational Resilience
    Alan M. Nutes, CPP, Consultant
    Kevin O'Donnell, UBS
    Augustine O. Okereke, CPP, Statoil Nigeria Ltd
    Philip Oppenheim, International Continuity Oversight Board
    Mary Parrish, University of North Carolina at Chapel Hill
    John A. Petruzzi Jr., CPP, Andrews International
    Abigail Pollard, Blake Emergency Services
    Jeanne Powell, IBM
    Ren Powers, City National Bank
    Werner Preining, CPP, Interpool Security Ltd
    Russell Price, Continuity Forum
    Daniel Puente Pérez, Sociedad de Prevención Asepeyo
    Heidi Raffanello, KTM Strategies
    Joseph Rector, CPP, PCI, PSP, United States Air Force
    George Richards, CPP, Edinboro University of Pennsylvania
    Robert Roberts, Federal Home Loan Bank of Atlanta
    Jean Rowe, Verisign Inc.
    Craig Rydalch, American Imaging Management, Inc.


    Marilyn Saiewitz, Bristol-Myers Squibb
    Angie Santiago, Contingency Planning Association of the Carolinas
    Steve Schulze, WPS Insurance Corporation
    Robert Sena, CPP, Kings College
    Chris Servia, University Health Systems of Eastern Carolina
    John Sharp, Kiln House Associates Ltd
    Daniel Shellenberger, Kinder Morgan
    Robert Sherwood, North American Security Products Organization
    Jeffrey Slotnick, CPP, PSP, Setracon Inc.
    Lisa Smallwood, Comprehensive Emergency Management Professionals LLC
    Thomas Smith, Comcast
    Wolf Smith-Butz, Computer Sciences Corporation
    Kurt Sohn, Capgemini
    Ian Speirs, North Yorkshire County Council
    Sam Stahl, EMC
    Jim Stephens, The Royal Bank of Scotland
    Stuart Sterling, HM Government (UK) Civil Contingencies Secretariat, Cabinet Office
    Richard Taylor, Abu Dhabi Accountability Authority
    Darryl Thibault, CPP, Pexis Corporation
    Mike Thomson, Association of Contingency Planners
    Raymond Trombley, Bank of Hawaii
    Dave Tyson, CPP, Pacific Gas and Electric
    Eric Van Balen, McKesson Corp.
    Ray Van Hook, CPP, The School of The Art Institute
    Suzanne Warner Hart, Delaware Department of Transportation
    Lee Webster, Society for Human Resource Management
    Douglas Weldon, Thomson Reuters
    Renee Wentworth, Union First Market Bankshares
    Carl Wertman, Mantech SRS Technologies
    Robert Whitcher, BSI Management Systems America Inc.
    Dan Wilder, Danalie Partners
    Frederick Wilson, CBCP, Consulting
    Amanda Witt, Booz Allen Hamilton
    Zechariah Wei Ning Wong, Atkins
    Mark Wright, Brookfield Properties
    Tim Wright, Institute of Internal Auditors
    Richard Wright, Wright Security, Inc.
    Roberta Yang, The Yang Group
    Lisa Zammit, Bank of England
    Brian Zawada, Avalution Consulting

    Working Group Members

    Working Group Co-Chairman: Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative, ASIS International
    Working Group Co-Chairman: Kevin S. Brear, J.P. Morgan Chase

    David Adamson, British Standards Institution
    Pradeep Bajaj, PRISMA
    Dennis R. Blass, CPP, PSP, Secumetrics LLC
    Mark Borchers, CPP, Germanna Community College
    Thomas Bozek, Bozek Consulting, LLC


    Kevin S. Brear, J.P. Morgan Chase
    Patrick Brennan, BCMexperts
    Donald Byrne, North River Solutions
    Chee Seng Chan, Becton Dickinson Critical Care Systems Pte Ltd
    Ian Charters, Continuity Systems Ltd
    Lisa DuBrock, The Radian Group, LLC
    Edward Eaton, Warner Gudlaugsson LLC
    John Hele, British Standards Institution
    Brian Kaye, Control Risks Group
    Michael Keating, Doulos Business Consulting
    Penelope Killow, HFC Bank (HSBC Group)
    Paul Kirvan, Paul Kirvan Associates
    Donald E. Knox, CPP, Caterpillar Inc.
    Richard Kobylar, Capgemini
    Bill Lang, VCPI
    Lince Lawrence, Allianz Cornhill Information Services
    Mohamed Fadhel Meddeb, Efla Consultants Engineers
    James Murphy, North Carolina Department of Health and Human Services
    Doug Nelson, Business Continuity Solutions
    James Nelson, International Consortium for Organizational Resilience
    Alan M. Nutes, Consultant
    Philip Oppenheim, International Continuity Oversight Board
    Russell Price, Continuity Forum
    Robert Roberts, Federal Home Loan Bank of Atlanta
    Jean Rowe, Verisign Inc.
    Angie Santiago, Contingency Planning Association of the Carolinas
    Lisa Smallwood, Comprehensive Emergency Management Professionals LLC
    Thomas Smith, Comcast
    Kurt Sohn, Capgemini
    Ian Speirs, North Yorkshire County Council
    Stuart Sterling, HM Government (UK) Civil Contingencies Secretariat, Cabinet Office
    Mike Thomson, Association of Contingency Planners
    Suzanne Warner Hart, Delaware Department of Transportation
    Renee Wentworth, Union First Market Bankshares
    Dan Wilder, Danalie Partners
    Zechariah Wei Ning Wong, Atkins
    Brian Zawada, Avalution Consulting


    TABLE OF CONTENTS

    TABLE OF CONTENTS ... ix
    TABLE OF FIGURES ... x
    TABLE OF TABLES ... xi
    0 INTRODUCTION ... xiii
    0.1 GENERAL ... xiii
    0.2 PLAN-DO-CHECK-ACT (PDCA) CYCLE ... xv
    1 SCOPE OF STANDARD ... 1
    2 NORMATIVE REFERENCES ... 2
    2.1 GENERAL REFERENCE ... 2
    3 TERMS AND DEFINITIONS ... 2
    4 BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) REQUIREMENTS ... 2
    4.1 GENERAL REQUIREMENTS ... 2
    4.2 ESTABLISHING THE CONTEXT ... 4
    4.2.1 Scope of the BCMS ... 4
    4.2.2 Legal and Other Requirements ... 4
    4.3 POLICY AND MANAGEMENT COMMITMENT ... 4
    4.3.1 Policy ... 5
    4.3.2 Management Commitment ... 5
    4.4 PLANNING ... 6
    4.4.1 Business Impact Analysis and Risk Assessment ... 6
    4.4.1.1 Business Impact Analysis (BIA) ... 6
    4.4.1.2 Risk Assessment ... 7
    4.4.2 Business Continuity Objectives and Targets ... 7
    4.4.3 Business Continuity Strategies ... 7
    4.5 IMPLEMENTATION AND OPERATION ... 8
    4.5.1 Resources ... 8
    4.5.2 Roles, Responsibility, and Authority ... 8
    4.5.3 Competence, Training, and Awareness ... 9
    4.5.4 Documentation ... 10
    4.5.5 Control of Documents ... 10
    4.5.6 Developing and Implementing a Business Continuity Response ... 10
    4.5.6.1 Response Structure ... 11
    4.5.6.2 Business Continuity Plans ... 11
    4.5.7 Communication and Consultation ... 12
    4.6 CHECKING AND CORRECTIVE ACTION ... 12
    4.6.1 Monitoring and Measurement ... 13
    4.6.2 Evaluation of Conformance and System Performance ... 13
    4.6.2.1 Evaluation of Conformance ... 13
    4.6.2.2 Exercises and Testing ... 13
    4.6.3 Non-conformity, Corrective Action, and Preventive Action ... 14
    4.6.4 Control of Records ... 14
    4.6.5 Internal Audits ... 15
    4.7 MANAGEMENT REVIEW ... 15


    4.7.1 General ... 15
    4.7.2 Review Input ... 15
    4.7.3 Review Output ... 16
    4.7.4 Opportunities for Improvement ... 16
    A GUIDANCE ON THE USE OF THE STANDARD ... 17
    A.0 INTRODUCTION ... 17
    A.4.1 GENERAL REQUIREMENTS ... 17
    A.4.2 ESTABLISHING THE CONTEXT ... 18
    A.4.2.1 Scope of the BCMS ... 19
    A.4.2.2 Legal and Other Requirements ... 19
    A.4.3 POLICY AND MANAGEMENT COMMITMENT ... 20
    A.4.4 PLANNING ... 21
    A.4.4.1 Business Impact Analysis and Risk Assessment ... 21
    A.4.4.2 Business Continuity Objectives and Targets ... 27
    A.4.4.3 Business Continuity Strategies ... 27
    A.4.5 IMPLEMENTATION AND OPERATION ... 30
    A.4.5.1 Resources ... 30
    A.4.5.2 Roles, Responsibility, and Authority ... 31
    A.4.5.3 Competence, Training, and Awareness ... 33
    A.4.5.4 Documentation ... 34
    A.4.5.5 Control of Documents ... 35
    A.4.5.6 Developing and Implementing a Business Continuity Response ... 35
    A.4.5.7 Communication and Consultation ... 37
    A.4.6 CHECKING AND CORRECTIVE ACTION ... 39
    A.4.6.1 Monitoring and Measurement ... 39
    A.4.6.2 Evaluation of Compliance and System Performance ... 40
    A.4.6.3 Non-conformity, Corrective Action and Preventive Action ... 41
    A.4.6.3.1 General ... 41
    A.4.6.3.2 Corrective Action ... 42
    A.4.6.3.3 Preventive Action ... 42
    A.4.6.4 Control of Records ... 43
    A.4.6.5 Internal Audits ... 44
    A.4.7 MANAGEMENT REVIEW ... 44
    B COMPATIBILITY WITH OTHER MANAGEMENT SYSTEMS AND THE DHS PS-PREP STANDARDS ... 47
    C TERMINOLOGY CONVENTIONS ... 51
    D GLOSSARY ... 52
    E BIBLIOGRAPHY ... 60
    E.1 ASIS INTERNATIONAL PUBLICATIONS ... 60
    E.2 BRITISH STANDARDS INSTITUTE PUBLICATIONS ... 60
    E.3 ISO STANDARDS PUBLICATIONS ... 60
    E.4 NATIONAL STANDARDS PUBLICATIONS ... 60
    E.5 OTHER REFERENCED PUBLICATIONS ... 61

    TABLE OF FIGURES

    FIGURE 1: PDCA CYCLE APPLIED TO BCMS PROCESSES ... xv
    FIGURE 2: BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) FRAMEWORK ... 3

  • ASIS/BSI BCM.01-2010

    xi

    TABLE OF TABLES

    TABLE 1: CORRESPONDENCE BETWEEN THIS STANDARD OF BEST PRACTICES, BS 25999-1:2006, ISO 9001:2000, ISO 14001:2004, AND ISO 27001:2005 ... 47
    TABLE 2: VERBAL FORMS FOR THE EXPRESSION OF PROVISIONS ... 51


    0 INTRODUCTION

    0.1 General

    A business continuity management system (BCMS) is an organization-wide process that establishes a fit-for-purpose, strategic, and operational framework that upon implementation by the organization's leadership:

    Improves an organization's ability to withstand disruptive events that may jeopardize the achievement of its purpose, mission, and strategic objectives.

    Delivers a demonstrable capability to manage a disruption and protect stakeholder interests.

    Provides a structured and rehearsed method of restoring an organization's productive ability within a planned timeframe after a disruption.

    Enables an organization to return to its normal state more quickly and safely than would otherwise be possible.

    Supports maintenance and continuous improvement of the organization's BCMS.

    Promotes the safety and security of internal and external stakeholders.

    An actively engaged top management team that directs and embraces a BCMS enables an organization to create and maintain an effective and efficient business continuity program (processes, strategies, and solutions). The BCMS enables the organization to systematically address its stakeholder business continuity needs.

    This Standard may be used by private, public, not-for-profit, and voluntary organizations, regardless of their size, scope, or complexity. The Standard accommodates diverse jurisdictional, geographical, cultural, operational, and social environments.

    The success of a BCMS depends on the active engagement, endorsement, and commitment of organizational leadership to the BCMS. A BCMS enables an organization to develop a business continuity management policy, establish objectives and processes to achieve the policy commitments, and take action as needed for continual improvement of business continuity performance. A management system is a dynamic and iterative process; therefore, many of the requirements in this Standard may be addressed concurrently or revisited at any time.

    A BCMS has the following base components:

    a) A policy providing a framework for management's business continuity objectives and expectations;

    b) A definition of roles, responsibilities, and resources;

    c) A description of the required management processes relating to:

    i. Policy;
    ii. Strategic planning;
    iii. Business continuity planning and procedural implementation and operation;
    iv. Performance assessment;
    v. Management review; and
    vi. Continual improvement.

    d) A set of documentation providing auditable evidence demonstrating process implementation and repeatability.

    The adoption and implementation of a range of business continuity management techniques in a systematic manner can contribute to optimal outcomes for all stakeholders and affected parties. However, adoption of this Standard will not by itself guarantee optimal preparedness, continuity, and response outcomes. In order to achieve its objectives, the BCMS should incorporate the best available practices, techniques, and technologies, where appropriate and where economically viable. The cost-effectiveness of such practices, techniques, and technologies should be taken fully into account.

    This Standard does not establish absolute requirements for preparedness, response, continuity, or recovery performance beyond commitments in the organization's policy to:

    a) Comply with applicable legal requirements and with other requirements to which the organization subscribes;

    b) Support risk minimization and mitigation; and

    c) Promote continual improvement.

    The main body of this Standard contains only those generic criteria that may be objectively audited. Guidance on supporting BCM techniques is contained in the annexes of this document.

    This Standard, like other management standards, is not intended to be used to create non-tariff trade barriers or to increase or change an organization's legal obligations. Indeed, conformance with a standard does not in itself confer immunity from legal obligations. Verification of an organization's conformance to this Standard may be performed through an external or internal auditing process. Verification may be by a first-, second-, or third-party mechanism. Verification does not require third-party certification.

    This Standard does not include requirements specific to other management systems such as those for quality, occupational health and safety, or financial risk management, though its elements can be aligned or integrated with those of other management systems. It is possible for an organization to adapt its existing management system(s) in order to establish a BCMS that conforms to the criteria of this Standard. It should be understood, however, that the application of various elements of the management system might differ depending on the intended purpose and the stakeholder involved.

    The level of detail and complexity of the BCMS, the extent of documentation, and the resources devoted to it will be dependent on a number of factors, such as the scope of the system; the size of an organization; and the nature of its activities, products, and services. This may be the case in particular for small and medium-sized enterprises.

    0.2 Plan-Do-Check-Act (PDCA) cycle

    The management systems approach encourages organizations to analyze organizational and stakeholder requirements and define processes that contribute to success. This Standard applies the Plan-Do-Check-Act (PDCA) cycle to establishing, implementing, operating, monitoring, exercising, maintaining, and improving the effectiveness of an organization's BCMS.

    Use of the PDCA model ensures a degree of consistency with other management systems standards, such as ISO 9001:2008 (Quality Management Systems), ISO 14001:2004 (Environmental Management Systems), ISO/IEC 27001:2005 (Information Security Management Systems), ISO 28000 (Security in the Supply Chain) and ISO/IEC 20000:2005 (IT Service Management), thereby supporting consistent and integrated implementation and operation with related management systems. A suitably designed management system can thus satisfy the requirements of all these standards (see Annex B). Organizations that have adopted an ISO approach to management systems may be able to use their existing management system as a foundation for the business continuity management system.

    Figure 1 illustrates how a BCMS takes as inputs the business continuity requirements and expectations of the interested parties and, through the necessary actions and processes, produces business continuity outcomes (i.e., managed business continuity) that meet those requirements and expectations.

    NOTE: In practice, a PDCA cycle is applied to each stage of the BCMS process in an iterative approach.

    Figure 1: PDCA cycle applied to BCMS processes

    [Figure: interested parties supply business continuity requirements and expectations as input; the BCMS cycle runs through Establish, Implement and operate, Monitor and review, and Maintain and improve, with continual improvement of the business continuity management system; the output to interested parties is managed business continuity.]


    Plan (establish the management system)

    Establish management system policy, objectives, processes, and procedures relevant to managing business continuity risks and improving response and recovery processes that deliver results in accordance with the organization's strategic needs.

    Do (implement and operate the management system)

    Implement and operate the management system policy, controls, processes, and procedures.

    Check (monitor and review the management system)

    Monitor, assess, measure, and review performance against management system policy, objectives, and practical experience; report the results to management for review; and determine and authorize actions for remediation and improvement.

    Act (maintain and improve the management system)

    Take corrective and preventive actions, based on the results of the internal management system audit and management review, re-appraising the scope of the BCMS and business continuity policy and objectives to achieve continual improvement of the management system.

    Conformance with this Standard can be verified by the auditing process described in ISO 19011:2002 that is compatible and consistent with the methodology used for ISO 9001:2008, ISO 14001:2004, ISO 28000:2007, and/or ISO/IEC 27001:2005, and the PDCA Model.

  • AMERICAN NATIONAL STANDARD ASIS/BSI BCM.01-2010

    an American National Standard

    Business Continuity Management Systems: Requirements with Guidance for Use

    1

    1 SCOPE OF STANDARD

    This Standard specifies requirements for a business continuity management system (BCMS) to enable an organization to identify, develop, and implement policies, objectives, capabilities, processes, and programs, taking into account legal and other requirements to which the organization subscribes or is governed by, to address disruptive events that might impact the organization and its stakeholders. This Standard specifies requirements for planning, establishing, implementing, operating, monitoring, reviewing, exercising, maintaining, and improving a documented BCMS within the context of managing an organization's risks.

    The requirements specified in this Standard are generic and intended to be applicable to all organizations (or parts thereof), regardless of type, size, and nature of the organizational mission. The scope of these requirements depends on the organization's operating environment and complexity.

    This Standard seeks to offer a flexible management systems approach to address and minimize the consequences associated with disruptive events.

    This Standard addresses all aspects of the organization deemed essential to meeting commitments (as agreed to by top management), consistent with the scope of the BCMS. The Standard does not itself state specific performance criteria.

    The intent of this Standard is to position an organization to design a BCMS that is appropriate to its needs. These needs are shaped by customer and other stakeholder, regulatory, and operational requirements; the products and services; the processes employed; the size and structure of the organization; and jurisdictional and geographic areas of operation.

    This Standard is applicable to any organization that chooses to:

    a) Establish, implement, maintain, and improve a BCMS.

    b) Assure itself of its conformity with its stated business continuity management policy.

    c) Demonstrate conformity with this Standard by:

    i. Making a self-determination and self-declaration.
    ii. Seeking confirmation of its conformance by parties having an interest in the organization (such as customers and supply chain partners).
    iii. Seeking confirmation of its self-declaration by a party external to the organization.
    iv. Seeking certification/registration of its BCMS by an external organization.


    Annex A provides informative guidance on management system planning, implementation, testing, maintenance, and improvement of a business continuity program.

    2 NORMATIVE REFERENCES

    The following standards contain provisions which, through reference in this text, constitute provisions of this American National Standard. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on this American National Standard are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below.

    2.1 General Reference

    ISO Guide 73:2002, Risk management - Vocabulary - Guidelines for use in standards.¹

    3 TERMS AND DEFINITIONS

    An extensive Glossary of terms appears in Annex D.

    NOTE: The reader is encouraged to read through the terms and definitions prior to reading the body of the document.

    4 BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) REQUIREMENTS

    4.1 General Requirements

    The organization shall establish, implement, operate, monitor, review, maintain, and improve a documented BCMS within the context of the organization's overall operational activities and the risks it faces. Figure 2 outlines the process specified by this Standard.

    ¹ This document is available from the International Organization for Standardization: <http://www.iso.ch/iso/en/prods-services/ISOstore/store.html>


    Figure 2: Business Continuity Management System (BCMS) Framework

    The BCMS shall ensure that:

    a) Processes and strategies appropriately provide for the safety and security of all stakeholders.

    b) Business continuity management objectives are clearly stated, understood, and communicated to stakeholders.

    c) Top management defines and communicates the organization's strategic goals and objectives for inclusion in the BCMS.

    d) Resources are allocated to meet the goals and objectives of the program.

    e) Those with BCMS management roles and responsibilities are competent to perform their tasks.

    f) There is a continual assessment of the BCMS elements.

    [Figure 2 elements, by clause: 4.2 Establishing the Context (Define Scope of the BCMS; Legal and Other Requirements); 4.3 Policy & Management Commitment (Policy; Management Commitment); 4.4 Planning (BIA & Risk Assessment; Business Continuity Objectives & Targets; Business Continuity Strategies); 4.5 Implementation & Operation (Resources; Roles, Responsibility and Authorities; Competence, Training, Awareness; Documentation; Control of Documents; Developing and Implementing a BCM Response; Response Structure; Business Continuity Plans and Procedures; Communication and Consultation); 4.6 Checking & Corrective Action (Monitoring & Measurement; Evaluation of Conformance & System Performance; Exercises & Testing; Nonconformity, Corrective, & Preventive Action; Control of Records; Internal Audits); 4.7 Management Review (Review Input; Review Output; Opportunities for Improvement); Continual Improvement linking the cycle.]


    4.2 Establishing the Context

    4.2.1 Scope of the BCMS

    The organization shall define and document the scope of the BCMS considering its internal and external context. The organization shall:

    a) Establish the organizational boundaries to be included in the BCMS, being the whole organization or one or more of its internal entities.

    b) Establish BCMS requirements, considering the organization's mission, goals, internal and external obligations (including those related to stakeholders), and legal responsibilities.

    c) Identify products and services and all related activities within the scope of the BCMS.

    d) Take into account internal and external stakeholders' needs and interests.

    e) Define the scope of the BCMS in terms of and appropriate to the size, nature, and complexity of the organization.

    When defining the scope, the organization shall document any exclusions, where such exclusions do not affect the organization's ability and/or responsibility to provide continuity of business and operations that meet the BCMS requirements (determined by impact analysis or risk assessment and applicable legal, regulatory, and contractual requirements).

    4.2.2 Legal and Other Requirements

    The organization shall establish, document, and maintain a procedure(s) to:

    a) Identify and assess legal, regulatory, contractual, and any other relevant requirements to which the organization subscribes or is governed by related to the continuity of its operations, products and services, and stakeholder interests.

    b) Assess the impacts of non-conformance.

    c) Determine how these requirements apply to the organization's risks and their potential impacts.

    The organization shall ensure that these applicable legal and other requirements to which the organization subscribes or is governed by are taken into account in establishing, implementing, and maintaining its BCMS.

    The organization shall keep the information required herein up to date.

    4.3 Policy and Management Commitment

    Top management shall establish, document, provide resources, and demonstrate commitment to a business continuity management policy within the defined scope of the BCMS.


    4.3.1 Policy

    Top management shall define the business continuity management policy in terms of the characteristics of the organization, its location(s) and operating environment, its stakeholders, obligations, and assets.

    The policy shall include or make reference to:

    a) Alignment with the organization's mission, strategic objectives, and risk management approach as it pertains to the BCMS and BCM program;

    b) Commitment to proactively manage the impact of disruptive events;

    c) A framework for setting objectives, direction, and principles for action;

    d) Legal, regulatory, and contractual requirements;

    e) The scope of the business continuity management system, including limitations and exclusions;

    f) A commitment to leadership oversight; and

    g) Continual improvement.

    The policy shall be:

    a) Approved by top management;

    b) Communicated to all persons working for or on behalf of the organization deemed within the scope of the BCMS;

    c) Available to stakeholders as approved by management; and

    d) Reviewed at defined intervals and when significant changes occur.

    4.3.2 Management Commitment

    Top management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the BCMS by:

    a) Establishing a BCM policy;

    b) Ensuring that BCMS objectives and plans are established;

    c) Establishing roles, responsibilities, and competencies for BCM;

    d) Appointing one or more persons to be responsible for the BCMS with the appropriate authority and competencies to be accountable for the implementation and maintenance of the management system;

    e) Communicating and promoting awareness within the organization of the importance of meeting BCMS objectives and conforming to BCM policy, its responsibilities under the law, and the need for continual improvement;


    f) Providing sufficient resources to establish, implement, operate, monitor, review, maintain, and continually improve the BCMS;

    g) Defining the criteria for accepting risks and the acceptable levels of risk;

    h) Actively engaging in exercises and testing;

    i) Ensuring that internal BCMS audits are conducted;

    j) Conducting management reviews of the BCMS; and

    k) Demonstrating its commitment to continual improvement.

    4.4 Planning

    4.4.1 Business Impact Analysis and Risk Assessment

    The organization shall establish, implement, and maintain a formal and documented evaluation process to systematically analyze risk and impacts, and establish business continuity objectives consistent with the scope and policy of the BCMS.

    The organization shall:

    a) Evaluate the impact of disruptive events within its internal and external context;

    b) Define and establish business continuity and recovery objectives and priorities;

    c) Evaluate the direct and indirect benefits and costs of options to reduce risk;

    d) Identify programs required to ensure achievement of its objectives prior to, during, and following a disruption;

    e) Assess risks and impacts following the changes within the organization's environment caused by internal or external factors; and

    f) Document and keep this information updated, secured (as appropriate), and readily available for authorized use.

    4.4.1.1 Business Impact Analysis (BIA)

    The organization shall establish, implement, and maintain a formal documented process and methodology for conducting a business impact analysis (BIA). The organization's BIA shall assess and prioritize organizational activities, and resources required to deliver its products and services (including interdependencies and time and/or event-driven variations) by:

    a) Identifying the potential impacts over time of disruptions resulting from uncontrolled, non-specific events on the organization's activities and resources;

    b) Identifying legal, regulatory, and contractual requirements for the organization's activities and resources;

    c) Based on the impacts, estimating maximum allowable downtime for each product, service, and activity; and

    d) Setting recovery time objectives for resuming, at a specified acceptable level, the organization's activities and resources, taking into consideration the time within which the impacts of not resuming them would become unacceptable.


    4.4.1.2 Risk Assessment

    The organization shall establish, implement, and maintain a formal documented risk assessment process to systematically identify, analyze, and evaluate the risk of disruptive events to the organization. The organization shall:

    a) Identify risks (and their sources) that may lead to unacceptable levels of disruption to the activities needed to achieve the organization's objectives associated with activities, processes, facilities, people, systems, information, resources, assets (tangible and intangible), and partner and supplier relationships;

    b) Systematically analyze risk;

    c) Evaluate which risks require treatment; and

    d) Identify treatments commensurate with business continuity and recovery objectives, resource availability, related costs, and stakeholder expectations.

    4.4.2 Business Continuity Objectives and Targets

    The organization shall establish and maintain documented business continuity objectives consistent with the business continuity expectations for organizational activities, dependency relationships outside the organization (such as suppliers), and stakeholder requirements. Business continuity objectives and targets shall be measurable qualitatively and/or quantitatively, and consistent with the BCM policy. When establishing and reviewing its objectives and targets, an organization shall consider the legal, regulatory, and contractual requirements; the significant risks and impacts; risk tolerance; resource options; financial, operational, contractual, and organizational requirements; and the views of stakeholders.

    4.4.3 Business Continuity Strategies

    The organization shall establish and maintain strategies for achieving its business continuity objectives and targets to prevent, prepare for, mitigate, respond to, and recover from disruptive incidents. Such strategies shall include:

    a) A designation of responsibility and resources for achieving objectives and targets at relevant activities and levels of the organization; and

    b) A means and timeframe by which the strategies are to be achieved.

    The organization shall:

    a) Define a fit-for-purpose, predefined, and documented response structure that will promote a safe and secure workplace, and an effective response and recovery effort following a disruptive event. The response structure shall address appropriate relationships and liaise with local authorities and assure the availability of necessary communications with internal and external stakeholders regardless of the operating environment.

    b) Determine how it will recover each activity and resource based on its business continuity and recovery objectives.

    c) Determine arrangements needed with suppliers and outsource partners to ensure the timely delivery of their products and services.

    d) Determine how it will manage relationships with its stakeholders and external parties involved in the recovery effort, including coordination with public authorities.

    4.5 Implementation and Operation

    4.5.1 Resources

    Management shall ensure the availability of resources essential for the implementation and maintenance of the business continuity management system and the business continuity strategies (see 4.4.3). Resources include facilities, human resources, equipment, infrastructure and other services, technology, information, intelligence, and financial resources. The organization shall determine and provide the resources needed to:

    a) Establish, implement, operate, monitor, review, maintain, and continually improve the BCMS and its business continuity strategies;

    b) Assess and participate in agreements related to interdependencies and mutual aid, if applicable; and

    c) Maintain adequate proactive and reactive capacity.

    The organization shall develop and document financial, logistical, and administrative procedures to support the business continuity strategies before, during, and after an incident. Procedures shall be:

    a) Established to ensure that fiscal decisions can be expedited; and

    b) In accordance with established authority levels, governance, and accounting principles.

    4.5.2 Roles, Responsibility, and Authority

    Roles, responsibilities, and authorities shall be defined, documented, and communicated to facilitate effective business continuity management. The organization's top management shall assume the following responsibilities or shall:

    a) Designate a management representative(s) with appropriate authority and accountability for the BCMS, irrespective of other responsibilities, who will ensure that the business continuity management system is established, communicated, implemented, and maintained in accordance with the policy requirements, and report on the performance of the business continuity management system to top management for review and as the basis for improvement;

    b) Ensure all management, staff, and other stakeholders (internal and external) are aware and accountable to support the BCMS;

    c) Identify personnel with the authority to invoke business continuity plans and procedures based on triggers and escalation criteria, as well as terminate response and recovery operations following the conclusion of the event; and

    d) Identify appropriate business continuity management teams with appropriate authority and responsibility to oversee and execute response and recovery efforts as documented in the BCMS plan(s).

    4.5.3 Competence, Training, and Awareness

    The organization shall ensure that any person(s) assigned business continuity responsibilities under the BCMS framework is (are) competent to perform the required tasks by:

    a) Determining the necessary competencies for such persons;

    b) Conducting a training needs analysis on personnel being assigned business continuity management roles and responsibilities;

    c) Providing training based on the competency requirements;

    d) Ensuring that the necessary competence has been achieved and maintained; and

    e) Maintaining associated records of education, training, skills, experience, and qualifications.

    The organization shall establish, implement, and maintain awareness, competence, and training procedures to ensure persons working for it or on its behalf are aware of:

    a) Applicable strategies and procedures specific to business continuity, including mitigation, response, communication, recovery, and resumption;

    b) The importance of conformity with the business continuity management policy and with the requirements of the BCMS;

    c) Their roles and responsibilities in achieving conformity with the requirements of the business continuity management system;

    d) The significant risks, and actual or potential impacts, associated with their work; and

    e) The benefits of improved personal performance.

    The organization shall promote awareness to build a culture that ensures business continuity becomes part of its core values and governance, and makes its stakeholders aware of its BCM policy and their roles in any plans.

    The organization shall evaluate the efficacy of business continuity awareness, competence, and training procedures and retain associated records.


    4.5.4 Documentation

    BCMS documentation shall include:

    a) A description of the purpose and scope of the BCMS;

    b) The BCM policy, objectives, targets, and measures;

    c) A description of the main elements of the BCMS and their interaction; and

    d) Documents, including records, required by this Standard; or determined by the organization to be necessary to ensure the effective planning, operation, and maintenance of processes that relate to its identified risks and their impacts and the business continuity plans.

    BCMS documentation shall be reviewed and updated on a regular basis; however, significant organizational or process changes should be addressed promptly.

    4.5.5 Control of Documents

    Records are a special type of document and shall be maintained in accordance with the requirements given in 4.6.4.

    The organization shall establish, implement, and maintain a procedure(s) to ensure:

    a) Documents are approved for adequacy prior to being marked as a final, approved copy;

    b) Documents are reviewed and updated with each significant change impacting the validity of the document and re-approved;

    c) Summaries of document change and the current revision status of each document are identified;

    d) Relevant versions of applicable documents are available at points of use;

    e) Documents of external origin are identified and their distribution controlled;

    f) Unintended use of obsolete documents is prevented and that such documents are marked as such, if they are to be retained for any purpose;

    g) Documents remain legible, readily identifiable, and retrievable;

    h) Provisions are made for document identification, storage, protection, and retrieval;

    i) Only authorized personnel have access to documents, in order to protect individuals' personal sensitive data and to ensure adherence to legal and jurisdictional requirements; and

    j) Documents are tamper-resistant; securely backed up; and protected from damage, deterioration, or loss.

    4.5.6 Developing and Implementing a Business Continuity Response

    The organization shall establish, implement, and maintain business continuity plans and procedures to manage a disruptive event and continue its activities based on recovery objectives identified in the business impact analysis. The organization shall document plans and procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive event. The plans and procedures shall be:

    a) Establishing the appropriate internal and external communications protocol;

    b) Specific regarding the immediate steps that should be taken during a disruption;

    c) Flexible to respond to unanticipated threat scenarios and changing internal and external conditions;

    d) Focused on the impact of events that could potentially disrupt operations;

    e) Developed based on stated assumptions and an analysis of interdependencies; and

    f) Effective in minimizing consequences through implementation of appropriate mitigation strategies.

    4.5.6.1 Response Structure

    The organization shall establish, document, and implement procedures and a management structure to prepare for, mitigate, and respond to a disruptive event using personnel with the necessary authority, experience, and competence.

    The response structure shall:

    a) Identify impact thresholds that justify initiation of formal response;

    b) Assess the nature and extent of a disruptive event or the potential impact;

    c) Initiate an appropriate business continuity response;

    d) Have plans, processes, and procedures for the activation, operation, coordination, and communication of the response;

    e) Have resources available to support the plans, processes, and procedures to manage a disruptive event or work to minimize impact before realized; and

    f) Communicate with stakeholders and authorities, as well as the media.

    4.5.6.2 Business Continuity Plans

    The organization shall establish documented plans that detail how the organization will manage a disruptive event and how it will recover or maintain its activities to a predetermined level, based on management-approved recovery objectives.

    Each plan shall define:

    a) Purpose and scope;

    b) Objectives, targets and metrics;

    c) Activation criteria and procedures;

    d) Implementation procedures;


    e) Roles, responsibilities, and authorities;

    f) Communication requirements and procedures;

    g) Internal and external interdependencies and interactions;

    h) Resource requirements; and

    i) Information flow and documentation processes.

    The organization shall periodically test, review, and (where necessary) revise its business continuity plans, in particular after the occurrence of a disruptive event and its associated post-event review.

    4.5.7 Communication and Consultation

    The organization shall establish, implement, and maintain procedure(s) for:

    a) Internal communication amongst stakeholders and employees within the organization;

    b) External communication with customers, partner entities, local community, and other stakeholders including the media;

    c) Receiving, documenting, and responding to communication from internal and external stakeholders;

    d) Taking into advisement external and/or internal threat advisory system in planning and operational use;

    e) Alerting stakeholders potentially impacted by an actual or impending disruptive event;

    f) Ensuring availability of the means of communication during a disruptive event;

    g) Facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate; and

    h) Operating and testing of communications capabilities intended for use during disruption of normal communications.

    4.6 Checking and Corrective Action

    The organization shall evaluate the BCMS, including the efficacy of business continuity strategies, capabilities, and plans, through periodic assessments, testing/exercises, post-event analyses, other lessons learned, and performance evaluations. Significant findings should be reflected in strategies and plans as soon as practical. The organization shall keep records of the results of the periodic evaluations.


    4.6.1 Monitoring and Measurement

    The organization shall establish and maintain procedures to monitor and measure the management system performance on a periodic basis. The procedure(s) shall document the information associated with BCMS performance monitoring, including applicable operational controls and other means of ensuring conformity with the organization's BCMS objectives.

    The organization shall establish and maintain procedure(s) for maintaining and reviewing business continuity strategies and plans. It shall:

    a) At defined intervals, review BCMS documentation to ensure continuing suitability, adequacy, and effectiveness; and

    b) Ensure its business continuity capability and appropriateness is reviewed at planned intervals and when significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

    4.6.2 Evaluation of Conformance and System Performance

    The organization shall ensure that the business continuity policy, objectives, strategies, and plans meet the organization's strategic requirements. This evaluation of business continuity conformance and performance will ensure the BCMS remains aligned to and provides the organization with the means to be prepared for a process or service disruption, thus allowing the organization to meet its legal, regulatory, and contractual requirements and minimizing the impact to stakeholders.

    4.6.2.1 Evaluation of Conformance

    The organization shall establish and maintain procedure(s) for periodically evaluating conformance with applicable legal, regulatory, and contractual requirements to which the organization subscribes in order to meet the organization's commitment to conformance. The organization shall keep records of the results of the periodic evaluations.

    4.6.2.2 Exercises and Testing

    The organization shall ensure that its BCMS (specifically its business continuity plans, teams, and resources) is validated by exercise and review and is kept current.

    The organization shall:

    a) Establish a program, approved by top management, to ensure exercises are carried out at planned intervals and as significant changes occur due to internal and external factors;

    b) Develop exercises that are consistent with the scope of the BCMS;

    c) Define the objectives and targets of every exercise;

    d) Plan exercises to prevent a disruptive event occurring as a direct result of the exercise;


    e) Exercise its business continuity plans, teams, and facilities to ensure that they meet organizational requirements;

    f) Carry out a range of different exercises that taken together validate the whole of its business continuity arrangements;

    g) Carry out a post-exercise review that will assess the achievement of the objectives and targets of the exercise, lessons learned, and opportunities for improvement; and

    h) Submit to top management a written report of the exercise, outcomes, and feedback, including recommended corrective and preventative actions.

    4.6.3 Non-conformity, Corrective Action, and Preventive Action

    The organization shall improve its BCMS through the identification of non-conformities and application of preventive and corrective actions. Changes arising from preventive and corrective actions shall be reflected in appropriate BCMS documentation.

    The organization shall take action to eliminate the cause of non-conformities associated with the implementation and operation of the BCMS to prevent their occurrence as well as take action to prevent potential non-conformities from occurring.

    These actions include:

    a) Identification and correction of each actual non-conformity, together with the mitigation of their business impact;

    b) Investigation and elimination of the cause of each actual non-conformity, in order to prevent recurrence;

    c) Determination of actions to eliminate the causes of potential non-conformities to prevent their occurrence;

    d) Any action taken to identify, correct, mitigate, prevent, or eliminate the causes or effects of each actual and potential non-conformity appropriate to the magnitude of problems and the business impact encountered;

    e) The organization shall document non-conformities identified, as well as corrective and preventative actions taken; and

    f) A review of corrective and preventative actions taken and implemented within the context of the BCM policy and risk and impact assessment.

    4.6.4 Control of Records

    The organization shall establish and maintain records to demonstrate conformity to the requirements of its BCMS and the results achieved.


    The organization shall establish, implement, and maintain a procedure(s) to protect the integrity of records including access to, identification, storage, protection, retrieval, retention, and disposal of records.

    Records shall be and remain legible, identifiable, and traceable.

    4.6.5 Internal Audits

    The organization shall plan and conduct internal audits of the BCMS periodically such that the:

    a) Audit programs shall be planned, established, implemented, and maintained by the organization, taking into account the business impact analysis, risk assessment, control and mitigation measures, plan documentation, exercises, management involvement, and the results of previous audits;

    b) Audits shall determine whether the BCMS:

    i. Conforms to planned arrangements, including the requirements of this Standard;

    ii. Has been properly implemented and is maintained; and

    iii. Is effective in meeting the organization's business continuity policy and objectives;

    c) Information on the results of audits shall be provided to top management in order to drive BCMS improvement; and

    d) Audit procedure(s) shall be established, implemented, and maintained that address:

    i. Responsibilities, competencies, and requirements for planning and conducting audits, reporting results, and retaining associated records;

    ii. Determination of audit criteria, scope, frequency, and methods; and

    iii. Selection of auditors and conduct of audits so as to ensure objectivity and the impartiality of the audit process.

    4.7 Management Review

    4.7.1 General

    Top management shall review the organization's BCMS at planned intervals and when significant changes occur to ensure its continuing suitability, adequacy, and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the BCMS, including policy, objectives, and targets. Results of management reviews shall be documented.

    4.7.2 Review Input

    The input to a management review shall include:

    a) Follow-up actions from previous management reviews;

    b) Results of BCMS audits and reviews;

    c) Results of education and awareness training programs;

    d) Any internal or external changes that could affect the BCMS;

    e) Communication with stakeholders;

    f) Techniques, products, or procedures that could be used in the organization to improve BCMS performance and effectiveness;

    g) Emerging good practice and guidance;

    h) Status of preventive and corrective actions;

    i) Level of residual risk and acceptable risk;

    j) Vulnerabilities and threats not adequately addressed in previous risk assessments;

    k) Results and lessons learned from exercises, tests, and incidents;

    l) Current resource allocation to treat risks as needed to meet the organization's BCM policy and objectives; and

    m) Recommendations for improvement.

    4.7.3 Review Output

    The output from a management review shall include any decisions and actions related to:

    a) Varying the scope of the BCMS;

    b) Improving the effectiveness of the BCMS;

    c) Modifying business continuity strategies and plans, as necessary, to respond to internal or external events that could impact the BCMS, including changes to:

    i. Business requirements;

    ii. Statutory, regulatory, and contractual requirements;

    iii. Levels of risk and/or levels of risk acceptance;

    iv. Resource needs; and

    v. Funding and budget requirements.

    4.7.4 Opportunities for Improvement

    The organization shall continually improve the effectiveness of the BCMS through the review of the business continuity policy and objectives, audit results, analysis of monitored exercises and events, preventive and corrective actions, and management review.


    Annex A

    (informative)

    A GUIDANCE ON THE USE OF THE STANDARD

    A.0 Introduction

    Natural disasters, environmental accidents, technology mishaps, and man-made crises have historically demonstrated that disruptive incidents will happen, impacting the public and private sectors alike. The challenge to organizations goes beyond most emergency response plans or disaster management activities previously deployed. Organizations should engage in a comprehensive and systematic process to manage the continuity of operations. It is no longer enough to draft a response plan that anticipates disasters or emergency scenarios. Today's threats require the creation of an on-going, dynamic, and interactive management process that serves to assure the continuation of an organization's core activities before, during, and after a major disruptive incident.

    This Standard provides:

    a) Organizations of all sizes and types (private, not-for-profit, and public sectors) with the elements needed to achieve and demonstrate proactive risk reduction and business continuity;

    b) A framework to aid organizations in successfully managing a disruptive incident by developing a strategy and action plan to safeguard its interests and those of its stakeholders; and

    c) A holistic management process to help avoid and minimize the suspension of service and operations and having procedures to allow a return to normal services and operations as rapidly as possible.

    It is good practice for an organization to protect its physical, virtual, and human assets. The success of the management system depends on the commitment at all levels and activities in the organization, especially the organization's top management. Decision makers should be prepared to budget and secure the necessary resources to support the BCMS. It is necessary that an appropriate structure be implemented to effectively deal with prevention, mitigation, and management. Regardless of the organization (for profit, not for profit, faith-based, non-governmental), its leadership has a duty to stakeholders to plan for its continued operation.

    A.4.1 General Requirements

    The additional text given in this annex is strictly informative and is provided to assist the understanding of requirements contained in Section 4 of this Standard. While this information addresses and is consistent with the requirements of Section 4, it is not intended to add to, subtract from, or in any way modify those requirements.


    The implementation of a BCMS specified by this Standard is intended to result in improved business continuity integrated with the organization's other policies and plans such as privacy, security, and safety. Therefore, this Standard is based on the premise that the organization should periodically review and evaluate its BCMS to identify opportunities for improvement and their implementation. The organization should determine the rate, extent, and timescale of this continual improvement process in the context of economic and other circumstances. Improvements in its business continuity management system are intended to result in further improvements in business performance.

    This Standard requires an organization and its management to:

    a) Define and document the scope of the BCMS considering its internal and external context;

    b) Take into account applicable legal and other requirements when establishing the BCMS;

    c) Demonstrate continuing commitment to business continuity management policy;

    d) Maintain a formal process to analyze priorities, impacts, and risks, and establish business continuity objectives consistent with the scope and policy of the BCMS;

    e) Ensure the availability of resources (including financial and empowered, competent human resources) to implement and maintain the business continuity management system, and a system of BCMS records including a management structure, plans, and procedures to maintain business continuity during and after disruptive incidents; and

    f) Evaluate the efficacy of the BCMS, business continuity strategies, capabilities, and plans.

    A.4.2 Establishing the Context

    The organization establishes the context of its BCMS by identifying and understanding the internal and external influences and environment in which it operates. By establishing the context, an organization can define the scope of its BCMS and design a fit-for-purpose framework for business continuity management. This should assure that the organization meets the objectives, needs and concerns of internal and external stakeholders.

    When initiating a BCMS, the organization should conduct an analysis or review to help establish the context of its operations and determine the boundaries of its scope. For example, when conducting the analysis or review, the organization should consider:

    • Assets, activities, products, and services;

    • Risks associated with normal, abnormal, and emergency situations (actual and potential);

    • Applicable legal and other requirements;

    • Supply chain, contractual, community, and mutual aid agreements;

    • Interdependencies and supporting infrastructure;

    • Previous disruptions, accidents, incident reports, and exercise reports;

    • Audit reports;

    • Government advisories; and

    • Political and social operating environment.

    A.4.2.1 Scope of the BCMS

    An organization has the freedom to define the boundaries for implementing its BCMS. It may choose to implement the BCMS across the entire organization, specific operating units, discrete geographic locations, or clearly defined supply chain flows. These scoping boundaries reflect top management objectives for the BCMS, and the size, nature, and complexity of the organization and its activities. Once top management defines the BCMS scope, all assets, activities, products, and services within that scope become elements of concern within the BCMS.

    Outsourced activities and supply chain remain the organization's responsibility and should be within the BCMS. If an outsourced product, service, activity, or part of the organization's supply chain remains under the organization's risk accountability and management control, then top management should place it within the scope of the BCMS. The organization should make appropriate agreements and take appropriate measures to assure effective BCM agreements are in place with its suppliers and outsource partners.

    The organization should justify all exclusions from the scope of the BCMS using risk assessment and impact analysis in the justification. Exclusions may include the inability of an organization to provide the continuity of its business and operations, or meet its legal and other requirements and obligations. The scope should ensure the integrity and continuity of operations. The credibility of the BCMS depends on the choice of organizational boundaries defined in the scope.

    The level of detail and complexity of the BCMS, the extent of documentation required, and resources committed to the BCMS should guide the BCMS scope statement. When the organization implements the Standard for a specific operating unit, then the organization may use applicable policies, plans, and procedures developed by other parts of the organization to satisfy the requirements of this Standard.

    A.4.2.2 Legal and Other Requirements

    The organization should identify and understand legal, regulatory, and contractual requirements that affect its business continuity intentions. These may include national, international, state, local, legal, and regulatory requirements. Identifying and understanding these requirements should help to ensure legal compliance, prevent litigation, minimize liability, improve the organization's image, and meet its obligations to society.

    Examples of other requirements to which the organization may subscribe include, if applicable:

    • Business and other contractual obligations;

    • Agreements with public authorities, community groups, or non-governmental organizations;

    • Agreements with customers;

    • Non-regulatory guidelines;

    • Voluntary principles or codes of practice;

    • Product or service stewardship commitments (e.g., warranties);

    • Requirements of trade associations;

    • Public commitments of the organization or its parent organization;

    • Non-binding protocols;

    • Healthcare requirements;

    • Financial obligations;

    • Social responsibility and environmental commitments; and

    • Identity information and privacy requirements.

    Legal obligations vary by jurisdiction, as well as geographic location, and the type and nature of operations, as well as the location, type, and nature of the organization's customers. Therefore, it is important that the organization be aware of its obligations within the context of its operating environment.

    The organization should identify all relevant statutory, regulatory, contractual, and other requirements and communicate this information to appropriate stakeholders. The organization should evaluate which requirements apply and where they apply, and identify who should receive this information. The organization should explicitly define, document, and keep current its approach to accessing and addressing these requirements. Similarly, the organization should define and document specific business continuity methods and controls as well as individual responsibilities to meet these requirements.

    A.4.3 Policy and Management Commitment

    The BCMS management