1

BSBS 2599925999Business ContinuityBusiness Continuity

ManagementManagement

By. Mr. Chomnaphas TangsookBusiness DirectorBSI Group ( Thailand) Co., Ltd

BSI British StandardsContents slide

2006BS 25999(Business Continuity)

1979BS 5750 -> ISO 9001

1992BS 7750 -> ISO 14001

1995BS 7799 -> ISO/IEC 27001

1996BS 8800 -> OHSAS 18001

2000BS 8600 -> ISO 10002

2002BS 15000 -> ISO/IEC 20000

3

Is your business ready to face thefollowing situations ?

It may not be from you butfrom your neighbors orsuppliers?

6

6

Not just about managing the high profile disasters but also the dayto day business disruptions

Not an IT standard and not about Disaster Recovery

A ‘business-owned, business-driven process that establishesa fit-for-purpose strategic and operational framework’.

BS 25999

7

Defining BusinessContinuity Management

Holistic management process that identifies potentialthreats to an organization and the impacts to business

operations that those threats, if realized, might cause andwhich provides a framework for building organizationalresilience with the capability for an effective response

that safeguards the interests of its key stakeholders,reputation, brand and value-creating activities

BS 25999-2:2007, 2.4

8

8

Publication dates

• BS25999-1 Code of Practice

– December 2006

• BS25999-2 Specification

– Mid November 2007

• Certification process

– BSI develops certification process

9

9

Why was BS 25999 developed?• Business Continuity identified as a critical issue

• Need for a best practice framework to guidebusiness.

• Need for a mechanism to demonstrate BusinessContinuity Management maturity

10

10

Who developed BS 25999?

• Committee Profile:–33 members

11

11

Institute of Directors

Who developed BS 25999?

Association of British Insurers

Association of Insurance & Risk Managers

12

12

Who developed BS 25999?

Association of Chief Police Officers

Chief Fire Officers’ Association (CFOA)

Society of Industrial Emergency Services

Metropolitan Police

13

13

Who developed BS 25999?

Business Continuity Institute

Institute of Emergency Management

Institute of Risk Management

Continuity Forum

14

14

Suppliers

Subcontractors

Vendors

Your

Organization

Clients /

Customers

Conduit

Organizations

Infrastructure Dependence (power, telecom, etc.)

System Up Time (computing, data,networks, etc.)

15

16

17

Within minutes to days:• Contact staff, customers,

suppliers, etc.• Recovery of critical business

processes• Rebuild lost work-in-progress

Within minutes to hours:• Staff and visitors

accounted for• Casualties dealt with• Damage containment/

limitation• Damage assessment• Invocation of BCP

Sequence of Events of an Incident

Within weeks to months:• Damage repair/replacement• Relocation to permanent

place of work• Recovery of costs from

insurers

Timeline

Incident!

Incident Response

Business continuity

Recovery/resumption – back to normal

Overall recovery objective:back-to-normal as quickly as possible

1818

Business continuity lifecycle andthe Plan-Do-Check-Act cycle

Businesscontinuity

requirementsand

expectations

Managedbusinesscontinuity

Maintainand

improve

Interestedparties

Interestedparties

Establish

Implementand

operate

Plan

Check

Act Do

Monitorand

review

Continual improvement of the businesscontinuity management system

BS 25999-2 :2007 Figure 2

1919

– Scoping of BCM

– Policy agreement & signoff

– Identification &engagement ofstakeholders

– Approach agreed

– Roles & responsibilities

BCM programme management

2020

Understanding the organisation

21

Understanding the organization

Identify key productsand services

Identify activitiesthat support keyproduct and services

Identify impacts fromdisruption to activities

Establish MTPD foreach activity

Scope, policy,stakeholders,regulatory

Identify criticalactivities according topriority for recovery

Identify impact ofthreat to criticalactivities

Estimate resourcesrequired to recovereach critical activity

Set recovery timeobjectives for criticalactivities

Determine choices forcritical activities

Define and documentmethod for riskassessment

2222

– Identify key products and services and criticalactivities which support them

– Identify organisations objectives, obligations,duties

– Identify supporting activities, assets andresources

– Assess impact of failure of activities, assets andresources

– Identify and evaluate threats

– Identify all interdependencies of activities

– Understand 3rd party reliance's

23

MTPD and RTOService Level

Time

MTPD

RTO

Normal level of service

Minimum level of service

Incident management plan

Business continuity plan

OK!

24

MTPD and RTOService Level

Time

MTPD

RTO

Normal level of service

Minimum level of service

Incident management plan

Business continuity plan

Disaster!

2525

– Definition of incident responsestructure enabling an effectiveresponse & recovery

– Identification of restarttimescales and service levelsfollowing a disruption

– Agreement of timescales torestore normal service levels

– Stakeholder relationshipmanagement

– Strategy may be modified as anoutput of management review inresponse to internal or externalevents

Determining BCM strategy

2626

– Aligned to the objectives of theorganisation’s BCM strategy

– Development of plans toeffectively manage a businessdisruption to the point it iscontained

– Creation of business continuityplans designed to facilitate theresumption of critical activities

– Detailed plans covering people,communication, roles &responsibilities, locations,resources etc

Developing and implementing a BCMresponse

27

Contents of an incident management plan include:

• Task and action lists

• Emergency contacts

• People activities

• Media response

• Stakeholder management

• Incident management location

• Contact information for emergency responders that supportresponse strategies

Incident Management Plan

28

Business Continuity Plan

Contents of a business continuity plan include:

• Action plans / task lists

• Resource requirements

• Responsible person(s)

• Incident log / decision record

• A plan to resume back to normal operations (business recoveryplan)

2929

– Validates effectiveness ofplans

– Ensures understanding ofplans, roles &responsibilities

– Identifies improvementopportunities

– Maintains relevance ofplans as result of businesschanges

Exercising, reviewing and maintaining

3030

Exercising plans

• Different types of exercise

• Desk check

• Walk through

• Simulation

• Component/activity

• Full test

• Exercising supports

– awareness programme

– competency development

BS 25999-2:2007, 4.4.2

3131

Structure of BS 25999-21 Scope2 Terms and definitions3 Planning the BCMS

• General requirements, establishing and managing, embeddingBCM in the organisation’s culture, documentation and records

4 Implementing and operating the BCMS• Understanding the organisation, determining strategy, developing

and implementing a response, exercising, maintaining andreviewing

5 Monitoring and reviewing the BCMS• Internal audit, management review

6 Maintaining and improving the BCMS• Continual Improvement, preventive and corrective actions

32

Implementing and operating theBCMS

4.1 Understanding the organisation

4.2 Determining business continuity strategy

4.3 Developing and implementing a BCMresponse

4.4 Exercising, maintaining and reviewing BCMarrangements

33

Monitoring and reviewing theBCMS

5.1 Internal audit

5.2 Management review of the BCMS

34

Maintaining and improving theBCMS

6.1 Preventive and corrective actions

6.2 Continual improvement

35

35

36

36

BS 25999 Clients