bs25999 2 advisory board
Post on 08-Jun-2015
BS25999 and Other Management Systems Standards (MSS)
Chris Green, Chair BCM/1
This Presentation is an Adaptation of a Siemens-Insight copyright Presentation
Insight Consulting
Agenda
BS25999 and other standards
Benefits of the Management Systems approach
Guidance
Accreditation
Other Developments
Why have standards?
Common understanding
Common approach
Common sets of evidence
Promote quality in a particular subject area
Reduced risk
Reduce management overhead
Greater assurance that the topic is managed effectively
Which standard should we have?
Broadly speaking there are four tiers of “standards” in the UK
PAS – guidance on best practice
BS – a standard for the UK in the form of a code of practice
BS – a specification allowing for the achievement of certification
ISO – an international standard superseding BS
Positioning BS25999-1
Supersedes PAS56
Not the specification standard which will be BS25999-2
Related guidance should be compatible with BS25999, for instance any future PAS relating to continuity planning
Could be superseded by an International Standard, so any ISO25999 would replace BS25999
Global Vision for ISO 2006 to 2010
Facilitation of global trade
Improvement in quality, safety, security, environmental and consumer protection, as well as rational use of resources
Global dissemination of technologies and good practice
Issue of Complexity
Great potential for synergy between standards
The synergies are not recognised
Economies relating to synergies are not realised
Management Systems Standards
BCM – BS 25999
RM – ISO 25700
Quality – ISO 9001
Environment – ISO 14001
Food Safety – ISO22000
IT DR – PAS 77
Supply Chain – PAS 28003
MSS-SAG
Crisis Mgt – SSM/1
TC223 Societal Security
ISO TMB
Issue – More reporting and more management time
Constant stream of people reporting to the Board
Board room time taken up with reporting not strategy
No common themes nor messages
Management want confidence and assurance (this is exactly what the standards are aimed at providing)
Always ask for money
PAS99 – MS Integration
[Diagram: the common management-system core shared by the E, OH&S, Q and BC systems]
Management Systems
Generally the approach is:
Standard Plan-Do-Check-Act model
BS describes establishing a Management System, its continuing operation and a process of continuing improvement
Subject specific information then fits into this model
PDCA Model
Implications for BS25999-2
This is the specification that will allow for certification
Must weigh the benefits of commonality with other standards and the current practices in business continuity
MSS approach will need adapting for our specialism whilst retaining the key characteristics of a certification standard and consistency with other related MSS
Scope statements allow application to largest and smallest of organisations
Scope must not be allowed to imply capability where none exists – for instance certification can only be achieved by addressing all steps and all controls in the standard
25999 Part 2
BS25999-2 has finished DPC
250 pages of comments!
Under review at present and being finalised for the main committee to review in October 2007
Publication will be late October
Guidance documents underway
The Standards Pyramid
Sector/Industry specific guides*
Specialised Functions
SME
Public – National/Local
Charities / Voluntary
FTSE 250 – Small plc
Relation to Other Risk Areas
Financial
Construction, mining, oil and gas
Pharmaceutical
Aerospace & Engineering
Retail
Utilities
ISO
Context; Framework; Scope
Why do BCM (benefits/drivers)?
Options; Implementation / Testing
HR – IT – OR – Legal – Security – Procurement – Ethics – Supply
BS25999
Sector Guides
BSI/CEN
Accreditation Bodies
5 accreditation bodies interested
4 volunteers for pilot – however, concerns that they are “all the same”
Competence Criteria for Auditors being developed
Other emerging standards
PAS77 – IT Continuity guidance
Developed in isolation from BS25999
Does not follow precepts of PAS56 or BS25999
Does not follow the management systems approach
Not clear how this fits with other related standards – e.g. ISO 20000 (ITIL)
ISO/IEC 24762 – Recovery Site Provision
Didn’t ask any recovery site vendors!
Risk Management
Risk Management standard
BCM and Risk Management committees have swapped glossaries and are trying to agree common terms
Where BS25999 uses risk assessment it has tried to reflect developments of risk management standard
ISO IPOCM
Commencement – Broadly similar to Programme Management – Define scope, management commitment, policy
Planning – Broadly similar to Understanding Your Business – Includes risk assessment and Impact Analysis; also response, as it includes Response Management
Implementation and Operation – Includes resourcing, competence, education and awareness and operational control structure
Performance Assessment – Broadly similar to BS25999 – Evaluation of effectiveness including testing, maintenance and audit
IPOCM
This is work in progress and a long way from a finalised document
Terminology slightly different from UK common usage and the business continuity industry as most of us have come to know it
For the most part UK practitioners can embrace the changes
Approach slightly different to BS25999/PAS56
But many common points
Room for more?
Should there be standards in specific areas of business continuity?
PAS77 could be developed into a standard
Could there be an Incident Management standard?
Overall Governance standard?
What happens next?
Committee continues in operation
Focus for other related committees (e.g. risk management)
Review of BS25999 so that subsequent revisions lead to improvements in the standard
Focus for expertise and contribution to ISO deliberations