BS-25999 and ISO 22301
British Standards Institution (BSI, https://www.bsigroup.com/) released BS-25999, which is in two parts:
- “Part 1, the Code of Practice, provides business continuity management best practice recommendations. Please note that this is a guidance document only.
- Part 2, the Specification, provides the requirements for a Business Continuity Management System (BCMS) based on BCM best practice. This is the part of the standard that you can use to demonstrate compliance via an auditing and certification process” [21].
BS-25999-2 has been replaced with ISO 22301:2012 Societal security—Business continuity management systems—Requirements. “ISO 22301 will supersede the original British standard, BS 25999-2 and builds on the success and fundamentals of this standard. BS ISO 22301 specifies the requirements for setting up and managing an effective business continuity management system (BCMS) for any organization, regardless of type or size. BSI recommends that every business has a system in place to avoid excessive downtime and reduced productivity in the event of an interruption” [22].
Compared with ISO 22301, ISO 27031 (discussed in the previous section) focuses on technical details: “ISO 22301 covers the continuity of business as a whole, considering any type of incident as a potential disruption source (e.g., pandemic disease, economic crisis, natural disaster, etc.), and using plans, policies, and procedures to prevent, react, and recover from disruptions caused by them. These plans, policies, and procedures can be classified as two main types: those to continue operations if the business is affected by a disruption event, and those to recover the information and communication infrastructure if the ICT is disrupted.
Therefore, you can think of ISO 27031 as a tool to implement the technical part of ISO 22301, providing detailed guidance on how to deal with the continuity of ICT elements to ensure that the organization’s processes will deliver the expected results to its clients” [23].
BCI
The Business Continuity Institute (BCI, https://www.thebci.org/) publishes the Good Practice Guidelines (GPG), most recently updated in 2013: “The Good Practice Guidelines (GPG) are the independent body of knowledge for good Business Continuity practice worldwide. They represent current global thinking in good Business Continuity (BC) practice and now include terminology from ISO 22301:2012, the International Standard for Business Continuity management systems” [24]. GPG 2013 describes six Professional Practices (PP), grouped into two categories:
- Management Practices
  - PP1 Policy & Program Management
  - PP2 Embedding Business Continuity
- Technical Practices
  - PP3 Analysis
  - PP4 Design
  - PP5 Implementation
  - PP6 Validation [25]