BS 25999 Business Continuity Review Template

This document provides a template for reviewing a business' compliance with the British Standard BS 25999 for business continuity management. It outlines the key elements that must be in place, including having a business continuity policy, providing adequate resources, ensuring staff are properly trained, documenting all relevant plans and processes, and embedding continuity practices into the organizational culture. The template then provides a checklist for auditing a business' documentation, plans, and practices against the various requirements in the BS 25999 standard.

(Your Business Name) Business Continuity Review Template

CONTENTS

1. Scope
2. BS 25999
3. Elements of the business continuity management lifecycle
4. BS 25999 Part 2 Specification
5. Business Continuity Planning and your business
6. BCM Review
7. Recommendations

1. Scope

1.1.1 The aim of this document is to assist in the review of the business continuity planning (BCP) process.

1.1.2 The review has been undertaken under the guidance outlined in British Standard 25999 Business Continuity Management. BS 25999 has been developed by practitioners throughout the business continuity community, drawing upon their academic, technical and practical experience of business continuity management (BCM). It has been produced to define requirements for a management systems approach to business continuity management based on good practice, for use in large, medium and small organisations operating in the industrial, commercial, public and voluntary sectors.

1.1.3 The British Standard provides a specification for use by internal and external parties, including certification bodies, to assess the organisation's ability to meet regulatory, customer and its own requirements. Demonstration of successful implementation of this British Standard can therefore be used by an organisation to assure interested parties that an appropriate business continuity management system is in place.

2. BS 25999

2.1.1 The British Standard specifies requirements for setting up and managing an effective business continuity management system. This emphasises the importance of:
a) understanding business continuity needs and the necessity for establishing policy and objectives for business continuity;
b) implementing and operating controls and measures for managing an organisation's overall business continuity risks;
c) monitoring and reviewing the performance and effectiveness of the process; and
d) continual improvement based on objective measurement.

2.1.2 A Business Continuity Management System (BCMS), like any other management system, has the following key components:
a) a policy;
b) people with defined responsibilities;
c) management processes relating to: policy; planning; implementation and operation; performance assessment; management review; and improvement;
d) a set of documentation providing auditable evidence; and
e) topic-specific processes relating to the subject, in this case business continuity, such as business impact analysis (BIA) and business continuity plan development.

3. Elements of the business continuity management lifecycle

3.1.1 The BCM lifecycle comprises six elements, as set out below. The scope and structure of a BCM programme can vary, and the effort expended will be tailored to the needs of the individual organisation, but these essential elements still have to be undertaken.

3.1.2 BCM programme management - Programme management enables the business continuity capability to be both established (if necessary) and maintained in a manner appropriate to the size and complexity of the organisation.

3.1.3 Understanding the organisation - The activities associated with understanding the organisation provide information that enables prioritisation of an organisation's products and services and the urgency of the activities that are required to deliver them. This sets the requirements that will determine the selection of appropriate BCM strategies.

3.1.4 Determining business continuity strategy - Determining business continuity strategy enables a range of strategies to be evaluated. This allows an appropriate response to be chosen for each product or service, such that the organisation can continue to deliver those products and services at an acceptable level of operation and within an acceptable timeframe, during and following a disruption. The choice made will take account of the resilience and countermeasure options already present within the organisation.

3.1.5 Developing and implementing a BCM response - Developing and implementing a BCM response results in the creation of a management framework and a structure of incident management, business continuity and business recovery plans that detail the steps to be taken during and after an incident to maintain or restore operations.

3.1.6 BCM exercising, maintaining and reviewing BCM arrangements - BCM exercising, maintenance, review and audit lead to the organisation being able to: demonstrate the extent to which its strategies and plans are complete, current and accurate; and identify opportunities for improvement.

3.1.7 Embedding BCM in the organisation's culture - Embedding BCM in the organisation's culture enables BCM to become part of the organisation's core values and instils confidence in all stakeholders in the ability of the organisation to cope with disruptions.

4. BS 25999 Part 2 Specification

4.1.1 The British Standard provides a specification for use by internal and external parties, including certification bodies, to assess the organisation's ability to meet regulatory, customer and its own requirements. The British Standard contains only those requirements that can be objectively audited.

4.1.2 Demonstration of successful implementation of the British Standard can therefore be used by an organisation to assure interested parties that an appropriate business continuity management system is in place.

5. Business Continuity Planning and your business

5.1.1 The aim of the review is to establish the status of your business continuity planning in relation to BS 25999. The objectives are to:
- Identify business continuity documentation.
- Compare the existing documentation against your business standards.
- Record what has been achieved.
- Identify any improvements.
- Identify any outstanding issues.

5.1.2 The remainder of the document takes the form of a checklist based on the requirements of BS 25999 Part 2 and identifies those aspects of the standard for which there is Evidence, Partial Evidence or No Evidence. To assist this process the scoring is highlighted by use of a key based on Green, Amber or Red.

5.1.3 Specific aspects of the standard to be reviewed are:
- BCM Policy
- Provision of Resources
- Competency of BCM Personnel
- Embedding BCM in the Organisation's Culture
- BCM Documentation and Records
- Control of BCM Documentation and Records
- Business Impact Analysis
- Risk Assessment
- Determining Choices
- Determining BC Strategy
- Incident Response Structure
- BC Plans and Incident Management Plans
- BCM Exercising
- Maintaining and Reviewing
- Internal Audit

6. BCM Review

6.1.1 BCM Policy
Scoring (Corp): Evidence / Partial Evidence / No Evidence

Item No. | BS 25999 Requirement
Top management shall establish and demonstrate commitment to a business continuity management policy. The policy shall include or make reference to:
2a | the organisation's business continuity objectives; and
2b | the scope of business continuity, including limitations and exclusions.
The policy shall be:
3a | approved by top management; and
3b | communicated to all persons working for or on behalf of the organisation; and
3c | reviewed at planned intervals and when significant changes occur.

6.1.2 Provision of Resources
Scoring: Evidence / Partial Evidence / No Evidence

Item No. | BS 25999 Requirement
The organisation shall determine and provide the resources needed to establish, implement, operate and maintain the BCMS. BCM roles, responsibilities, competencies and authorities shall be defined and documented.
Top management shall:
6a | appoint or nominate a person with appropriate seniority and authority to be accountable for BCM policy and implementation;
6b | appoint one or more persons who, irrespective of other responsibilities, shall implement and maintain the BCMS.

6.1.3 Competency of BCM Personnel
Scoring (Corp): Evidence / Partial Evidence / No Evidence

Item No. | BS 25999 Requirement
The organisation shall ensure that all personnel who are assigned business continuity responsibilities are competent to perform the required tasks by:
7a | determining the necessary competencies for such personnel;
7b | conducting training needs analysis on personnel being assigned BCM roles and responsibilities;
7c | providing training;
7d | ensuring that the necessary competence has been achieved; and
7e | maintaining records of education, training, skills, experience and qualifications.

6.1.4 Embedding BCM in the Organisation's Culture
Scoring: Evidence / Partial Evidence / No Evidence

Item No. | BS 25999 Requirement
To ensure that BCM becomes a part of its core values and effective management, the organisation shall:
8a | raise, enhance and maintain awareness through an ongoing BCM education and information programme for all employees, and establish a process for evaluating the effectiveness of the BCM awareness delivery;
8b | communicate to all employees the importance of: 1) meeting business continuity management objectives; 2) conforming to the business continuity policy; and 3) continual improvement; and
8c | ensure that all employees are aware of how they contribute to the achievement of the organisation's business continuity objectives.

6.1.5 BCM Documentation and Records
Scoring (Corp): Evidence / Partial Evidence / No Evidence

Item No. | BS 25999 Requirement
The organisation shall have documentation covering the following aspects of the BCMS:
9a | the scope and objectives of the BCMS and procedures
9b | the BCM policy
9c | the provision of resources
9d | the competency of BCM personnel and associated training records
9e | the business impact analysis
9f | the risk assessment
9g | the business continuity strategy
9h | the incident response structure
9i | business continuity plans and incident management plans
9j | BCM exercising
9k | the maintenance and review of BCM arrangements
9l | internal audit
9m | management review of the BCMS
9n | preventive and corrective actions
9o | continual improvement

6.1.6 Control of BCM Documentation and Records
Scoring (Corp): Evidence / Partial Evidence / No Evidence

Item No. | BS 25999 Requirement
Controls shall be established over BCMS records in order to:
10a | ensure that they remain legible, readily identifiable and retrievable;
10b | provide for their identification, storage, protection and retrieval.
Controls shall be established over BCMS documentation to ensure that:
11a | documents are approved for adequacy prior to issue;
11b | documents are reviewed and updated as necessary and re-approved;
11c | changes and the current revision status of documents are identified;
11d | relevant versions of applicable documents are available at points of use;
11e | documents of external origin are identified and their distribution controlled; and
11f | the unintended use of obsolete documents is prevented and such documents are suitably identified if they are retained for any purpose.

6.1.7 Business Impact Analysis
Scoring (Corp): Evidence / Partial Evidence / No Evidence

Item No. | BS 25999 Requirement
The organisation shall:
12a | identify activities that support its key products and services;
12b | identify impacts resulting from the disruption to these activities, and determine how these vary over time;
12c | establish the maximum tolerable period of disruption for each activity by identifying: 1) the maximum time period after the start of a disruption within which each activity needs to be resumed; 2) the minimum level at which each activity needs to be performed upon resumption; and 3) the length of time within which normal levels of operation need to be resumed;
12d | categorise its activities according to their priority for recovery and identify its critical activities;
12e | identify all dependencies relevant to the critical activities, including suppliers and outsource partners;
12f | for suppliers and outsource partners on whom critical activities depend, determine what BCM arrangements are in place for the relevant products and services they provide;
12g | set recovery time objectives for the resumption of critical activities within their maximum tolerable period of disruption;
12h | estimate the resources that each critical activity will require for resumption.

6.1.8 Risk Assessment
Scoring (Corp): Evidence / Partial Evidence / No Evidence

Item No. | BS 25999 Requirement
13a | There shall be a defined, documented and appropriate method for risk assessment that will enable the organisation to understand the threats to and vulnerabilities of its critical activities and supporting resources, including those provided by suppliers and outsource partners.
13b | The organisation shall understand the impact that would arise if an identified threat became an incident and caused a business disruption.

6.1.9 Determining Choices
Scoring: Evidence / Partial Evidence / No Evidence

Item No. | BS 25999 Requirement
For each of its critical activities, the organisation shall identify available risk treatments that:
14a | reduce the likelihood of a disruption;
14b | shorten the period of disruption; and
14c | limit the impact of a disruption on the organisation's key products and services.
15 | The organisation shall choose and implement appropriate risk treatments for each critical activity in accordance with its level of risk acceptance.

6.1.10 Determining BC Strategy
Scoring (Corp): Evidence / Partial Evidence / No Evidence

Item No. | BS 25999 Requirement
The organisation shall:
16a | define a fit-for-purpose, predefined and documented incident response structure that will enable an effective response to and recovery from disruptions;
16b | determine how it will recover each critical activity within its recovery time objective and the BCM arrangements, including the resources required for resumption and the products and services provided by suppliers and outsource partners;
16c | determine how it will manage relationships with its key stakeholders and external parties involved in the recovery.

6.1.11 Incident Response Structure
Scoring: Evidence / Partial Evidence / No Evidence

Item No. | BS 25999 Requirement
17 | The organisation shall nominate incident response personnel with the necessary responsibility, authority and competence to manage an incident.
The incident response structure shall provide for personnel to:
18a | confirm the nature and extent of an incident;
18b | trigger an appropriate business continuity response;
18c | have plans, processes and procedures for the activation, operation, coordination and communication of the incident response;
18d | have resources available to support the plans, processes and procedures to manage an incident;
18e | communicate with stakeholders.

6.1.12 BC Plans and Incident Management Plans
Scoring (Corp): Evidence / Partial Evidence / No Evidence

Item No. | BS 25999 Requirement
19 | The organisation shall have documented plans that detail how the organisation will manage an incident and how it will recover or maintain its activities to a predetermined level in the event of a disruption.
Each plan shall:
20a | have a defined purpose and scope;
20b | be accessible to and understood by those who will use it;
20c | be owned by a named person(s) who is responsible for its review, update and approval; and
20d | be aligned with relevant contingency arrangements external to the organisation.
The plans shall collectively contain:
21a | identified lines of communication;
21b | key tasks and reference information;
21c | defined roles and responsibilities for people and teams having authority during and following an incident;
21d | guidelines and criteria regarding which individuals have the authority to invoke each plan and under what circumstances;
21e | a method by which each plan is invoked;
21f | meeting locations with alternatives, and up-to-date contact and mobilisation details for any relevant agencies, organisations and resources that might be required to support the response;
21g | a process for standing down once the incident is over;
21h | a reference to the essential contact details for all key stakeholders;
21i | details to manage the immediate consequences of a business disruption, giving due regard to: 1) the welfare of individuals; 2) strategic and operational options for responding to the disruption; and 3) prevention of further loss or unavailability of critical activities;
21j | details for managing an incident, including: 1) provision for managing issues during an incident; and 2) processes to enable continuity and recovery of critical activities;
21k | details on how and under what circumstances the organisation will communicate with employees and their relatives, key stakeholders and emergency contacts;
21l | details on the organisation's media response following an incident, including: 1) the incident communications strategy; 2) preferred interface with the media; 3) a guideline or template for drafting a statement for the media; and 4) appropriate spokespeople;
21m | a method for recording key information about the incident, actions taken and decisions made;
21n | details of actions and tasks that need to be performed;
21o | details of the resources required for business continuity and business recovery at different points in time; and
21p | prioritised objectives in terms of the critical activities to be recovered, the timescales in which they are to be recovered and the recovery levels needed for each critical activity.

6.1.13 BCM Exercising
Scoring (Corp): Evidence / Partial Evidence / No Evidence

Item No. | BS 25999 Requirement
The organisation shall:
22a | develop exercises that are consistent with the scope of the BCMS;
22b | have a programme approved by top management to ensure exercises are carried out at planned intervals and when significant changes occur;
22c | carry out a range of different exercises that, taken together, validate the whole of its business continuity arrangements;
22d | plan exercises so that the risk of an incident occurring as a direct result of the exercise is minimised;
22e | define the aims and objectives of every exercise;
22f | carry out a post-exercise review of each exercise that will assess the achievement of the aims and objectives of the exercise; and
22g | produce a written report of the exercise, outcome and feedback, including required actions.

6.1.14 Maintaining and Reviewing
Scoring (Corp): Evidence / Partial Evidence / No Evidence

Item No. | BS 25999 Requirement
23 | The organisation shall, at defined intervals, review its BCM arrangements to ensure their continuing suitability, adequacy and effectiveness.
24 | The organisation shall ensure its business continuity capability and appropriateness is reviewed at planned intervals and when significant changes occur, to ensure its continuing suitability, adequacy and effectiveness.
25 | The review of BCM arrangements shall be regular and conducted either through self-assessment or audit.
In the event of an incident that results in the invocation of the BCP or the IMP, a post-incident review shall be undertaken to:
26a | identify the nature and cause of the incident;
26b | assess the adequacy of management's response;
26c | assess the organisation's effectiveness in meeting its recovery time objectives;
26d | assess the adequacy of the BCM arrangements in preparing employees for the incident; and
26e | identify improvements to be made to the BCM arrangements.

6.1.15 Internal Audit
Scoring (Corp): Evidence / Partial Evidence / No Evidence

Item No. | BS 25999 Requirement
The organisation shall ensure that internal audits of the BCMS are conducted at planned intervals to:
27a | determine whether the BCMS: 1) conforms to planned arrangements for BCM, including the requirements of this BCM standard; 2) has been properly implemented and is maintained; and 3) is effective in meeting the organisation's BCM policy and objectives; and
27b | provide information on the results of audits to management.
28 | Any audit programme(s) shall be planned, established, implemented and maintained by the organisation, taking into account the BIA, risk assessment, control and mitigation measures and the results of previous audits.
Audit procedure(s) shall be established, implemented and maintained that address:
29a | the responsibilities, competencies and requirements for planning and conducting audits, reporting results and retaining associated records; and
29b | the determination of audit criteria, scope, frequency and methods.
30 | Selection of auditors and conduct of audits shall ensure objectivity and the impartiality of the audit process.
