Implementing business continuity with the BS 25999 standard

Presenter: Dennis Kaburu

Upload: discover-jkuat

Posted: 16-May-2015

TRANSCRIPT

Page 1: Title slide

Implementing business continuity with the BS 25999 standard

Presenter: Dennis Kaburu

Page 2: What is BS 25999?

• BS 25999 is a two-part British Standard that illustrates what organisations should do to establish demonstrably robust business continuity processes, and how they can evaluate their own processes or those of others on whom they depend.

• Part 1: Code of Practice (BS 25999-1:2006) was published in November 2006. It takes the form of guidance and recommendations that illustrate how to develop and maintain a robust BCM system based on good practice.

• Part 2: Specification (BS 25999-2:2007) was published in November 2007. It defines requirements for a management-systems approach to BCM, against which organisations can be measured formally or informally.

Page 3: BS 25999-1: Code of Practice

• Provides guidance on the implementation of the standard.

• Establishes the process, principles and terminology of BCM.

• Provides a basis for understanding, developing and implementing business continuity within an organisation and in that organisation's dealings with suppliers, customers and other organisations.

• Applies to organisations of all sizes and sectors and is intended to be used by anyone who has responsibility for business operations or the provision of services.

Page 4: What does BS 25999-1 do?

• BS 25999-1 establishes the process, principles and terminology of BCM.

• It provides a basis for understanding, developing and implementing business continuity within an organisation and in that organisation's dealings with suppliers, customers and other organisations.

• It enables the organisation to measure its own and others' BCM capabilities in a consistent and recognised manner.

• It applies to organisations of all sizes and sectors and is intended to be used by anyone who has responsibility for business operations or the provision of services.

Page 5: What are the outcomes of BS 25999-1?

It establishes that the outcomes of an effective BCM programme will be:

• key products and services are identified and protected, ensuring their continuity;

• an incident management capability is enabled to provide an effective response;

• the organisation's understanding of itself and of its relationships with other organisations, relevant regulators or government departments, local authorities and the emergency services is properly developed, documented and understood;

• staff are trained to respond effectively to an incident or disruption through appropriate exercising;

• stakeholder requirements are understood and able to be delivered;

• staff receive adequate support and communications in the event of a disruption;

• the organisation's supply chain is secured;

• the organisation's reputation is protected; and

• the organisation remains compliant with its legal and regulatory obligations.

Page 6: BS 25999-2: Specification

• BS 25999-2 specifies requirements for "planning, establishing, implementing, operating, monitoring, reviewing and improving a documented Business Continuity Management System (BCMS) within the context of managing an organisation's overall business risks".

• It contains requirements that can be audited against, thus establishing an ability to evaluate the robustness of the BCMS in a consistent manner.

Page 7: How does BS 25999-2 do this?

In particular it emphasises the importance of:

a) understanding business continuity needs and the necessity of establishing policy and objectives for business continuity;

b) implementing and operating controls and measures for managing an organisation's overall business continuity risks;

c) monitoring and reviewing the performance and effectiveness of the BCMS; and

d) continual improvement based on objective measurement.

Page 8: The BCM lifecycle

[Figure: the BCM lifecycle as contained in BS 25999; the diagram is not reproduced in the transcript.]

Page 9: 1. BCM culture

Culture: the values and behaviours demonstrated by the business, transmitted and replicated throughout the organisation.

Development of a BCM culture is supported by:

• leadership from senior personnel in the organisation;

• assignment of responsibilities;

• awareness raising;

• skills training; and

• exercising of plans.

Page 10: BCM culture

An organisation with a positive BCM culture will:

• develop a BCM programme more efficiently;

• instil confidence in its stakeholders (especially staff and customers) in its ability to handle business disruptions;

• increase its resilience over time by ensuring BCM implications are considered in decisions at all levels; and

• minimise the likelihood and impact of disruptions.

Page 11: Embedding BCM in the organisation's culture

To be successful, business continuity has to become part of the way that an organisation is managed, regardless of size or sector.

Page 12: BCM documentation

• Scope and objectives of the BCM and its procedures

• BCM policy

• Provision of resources

• Competency of BCM personnel and associated training records

• Business impact analysis

• Risk assessment

• Business continuity strategy

• Incident response structure

• Business continuity plans and incident management plans

• BCM exercising

Page 13: BCM documentation (contd)

• Maintenance and review of BCM arrangements

• Preventive and corrective actions

• Continual improvement

BCM policy:

• states the organisation's BCM objectives;

• provides documented principles, guidelines and minimum standards for BCM; and

• defines the scope of BCM.

Page 14: Determining BC strategy

Strategies are determined for each of: people, locations, technology, information, supplies, stakeholders and civil emergencies.

Page 15: Determining BC strategy: people

• documentation of the way in which critical activities are performed;

• multi-skill training of staff and contractors;

• separation of core skills to reduce the concentration of risk;

• use of third parties;

• succession planning; and

• knowledge retention and management.

Page 16: Determining BC strategy: locations

• alternative premises (locations) within the organisation;

• alternative premises provided by other organisations;

• alternative premises provided by third-party specialists;

• working from home or at remote sites;

• other agreed suitable premises; and

• use of an alternative workforce in an established site.

Page 17: Determining BC strategy: technology

Technology strategies will depend on the nature of the technology employed and its relationship to critical activities, but will typically be one or a combination of the following:

• provision made within the organisation;

• services delivered to the organisation; and

• services provided externally by a third party.

Page 18: Determining BC strategy: technology (contd)

Technology strategies may include:

• geographical spread of technology, i.e. maintaining the same technology at different locations that will not be affected by the same business disruption;

• holding older equipment as emergency replacements or spares; and

• additional risk mitigation for unique or long-lead-time equipment.

Page 19: Determining BC strategy: IT services

Information technology (IT) services frequently need complex continuity strategies. Where such strategies are required, consideration should be given to:

• recovery time objectives (RTOs) for the systems and applications which support the key activities identified in the BIA;

• location of, and distance between, technology sites;

• number of technology sites;

• remote access;

• the use of un-staffed ("dark") sites as opposed to staffed sites;

• telecoms connectivity and redundant routing;

• the nature of "failover"; and

• third-party connectivity and external links.

Page 20: Determining BC strategy: information

Any information required to enable the delivery of the organisation's critical activities should have appropriate confidentiality, integrity, availability and currency.

Information strategies should be documented for the recovery of information, and should extend to include:

• physical (hardcopy) formats; and

• virtual (electronic) formats, etc.

Page 21: Determining BC strategy: supplies

The organisation should identify and maintain an inventory of its core supplies. Strategies may include:

• storage of supplies at another location;

• arrangements with third parties for delivery of stock at short notice;

• diversion of just-in-time deliveries;

• holding of materials at warehouses or shipping sites;

• transfer of sub-assembly operations to an alternative location which has supplies; and

• identification of alternative/substitute supplies.

Page 22: Determining BC strategy: supplies (contd)

Where critical activities depend upon specialist supplies, the organisation should identify the key suppliers and single sources of supply. Strategies to manage continuity of supply may include:

• increasing the number of suppliers;

• encouraging or requiring suppliers to have a validated business continuity capability;

• contractual and/or service level agreements with key suppliers; or

• the identification of alternative, capable suppliers.

Page 23: Determining BC strategy: stakeholders

When determining appropriate BCM strategies, the organisation should take into account relevant social and cultural considerations. It should identify appropriate strategies to manage relationships with key stakeholders, business or service partners and contractors, and should identify a person or persons who will discharge responsibility for welfare issues following an incident.

Page 24: Determining BC strategy: civil emergencies

Organisations seeking to determine, implement or validate strategies for incident management and business continuity management should become familiar with the official local responder bodies at an early stage. Key responders will be instrumental in officially declaring that a civil emergency has occurred and in providing:

• pre- or post-incident advice (e.g. risk assessments);

• warning and informing procedures; and

• community recovery arrangements following a civil emergency.

Page 25: Developing and implementing a BCM response

1. Introduction
2. Incident response structure
3. Content of plans
4. The incident management plan (IMP)
5. The business continuity plan(s) [BCP(s)]
7. Contents of the BCP

Page 26: 1. Introduction

The organisation should:

• identify its critical activities;

• evaluate threats to these critical activities;

• choose appropriate strategies to reduce the likelihood and impacts of incidents; and

• choose appropriate strategies that provide for the continuity or recovery of its critical activities.

Page 27: 2. Incident response structure

The organisation should define an incident response structure. In any incident situation there should be a simple and quickly-formed structure that will enable the organisation to:

• confirm the nature and extent of the incident;

• take control of the situation;

• contain the incident; and

• communicate with stakeholders.

This structure may be referred to as the incident management team (IMT) or crisis management team (CMT).

Page 28: 2. Incident response structure (contd)

The team should have plans, processes and procedures to manage the incident, and these should be supported by business continuity tools to enable continuity and recovery of critical activities.

The team should have plans for the activation, operation, coordination and communication of the incident response.

The next slide shows the three main phases of an incident over time and the relationship between incident management and business continuity.

Page 29: Incident timeline

[Figure: incident timeline; the diagram is not reproduced in the transcript.]

Page 30: Recovery plans

Organisations may develop specific plans to recover or resume operations back to a "normal" state (recovery plans). However, in some incidents it might not be possible to define what "normal" looks like until some time after the incident, so it might not be possible to implement recovery plans immediately.

Page 31: 4. The incident management plan (IMP)

The IMP should:

• be flexible, feasible and relevant;

• be easy to read and understand;

• provide the basis for managing all possible issues, including the stakeholder and external issues, facing the organisation during an incident;

• have top management support, including a board sponsor where applicable; and

• be supported by an appropriate budget for development, maintenance and training.

Page 32: 6. The business continuity plan(s) [BCP(s)]

Purpose: a business continuity plan (BCP) enables an organisation to recover or maintain its activities in the event of a disruption to normal business operations.

BCPs are activated (invoked) to support the critical activities required to deliver the organisation's objectives.

Page 33: 7. Contents of the BCP: action plans / task lists

The action plan should include a structured checklist of actions and tasks in order of priority, highlighting:

a. how the BCP is invoked;

b. the person(s) responsible for invoking the business continuity plan;

c. the procedure that person should adopt in taking that decision;

d. the person(s) who should be consulted before such a decision is taken;

Page 34: 7. Contents of the BCP: action plans / task lists (contd)

e. the person(s) who should be informed once a decision has been taken;

f. who goes where, and when;

g. what services are available where, and when, including how the organisation mobilises external and third-party resources;

h. how and when this information is communicated; and

i. if relevant, detailed procedures for manual workarounds, system recovery, etc.

Page 35: 7. Contents of the BCP: resource requirements

The resources required for business continuity and business recovery should be identified at different points in time:

a) people, which may include security, transportation logistics, welfare needs and emergency expenses;

b) premises;

c) technology, including communications;

Page 36: 7. Contents of the BCP: resource requirements (contd)

d) information, which may include financial (e.g. payroll) details, customer account records, supplier and stakeholder details, legal documents (e.g. contracts, insurance policies, title deeds, etc.) and other service documents (e.g. service level agreements);

e) supplies; and

f) management of, and communication with, stakeholders.

Page 37: 7. Contents of the BCP: responsible person(s) and forms

Responsible person(s): the organisation should identify a nominated person or persons to manage the business continuity and business recovery phases of a disruption.

Forms: the business continuity plan should include an incident log or forms for recording vital information, especially in respect of decisions made.

Page 38: Creating a BCP

• Creating a BCP is an on-going process, not a project with a beginning and an end: creating, testing, maintaining and updating.

• "Critical" business functions may evolve.

• The BCP team must include both business and IT personnel.

• Requires the support of senior management.

Page 39: The five BCP phases

1. Project management and initiation
2. Business impact analysis (BIA)
3. Recovery strategies
4. Plan design and development
5. Testing, maintenance, awareness, training

Page 40: I - Project management and initiation

• Establish need (risk analysis)

• Get management support

• Establish team (functional, technical, BCC: Business Continuity Coordinator)

• Create work plan (scope, goals, methods, timeline)

• Initial report to management

• Obtain management approval to proceed

Page 41: II - Business impact analysis (BIA)

Goal: obtain formal agreement with senior management on the MTD for each time-critical business resource.

MTD: maximum tolerable downtime, also known as MAO (maximum allowable outage).

Page 42: II - Business impact analysis (BIA) (contd)

• Quantifies the loss due to a business outage (financial loss, extra cost of recovery, embarrassment).

• Does not estimate the probability of the various kinds of incident; it only quantifies the consequences.

Page 43: II - BIA phases

• Choose information gathering methods (surveys, interviews, software tools)

• Select interviewees

• Customise questionnaire

• Analyse information

• Identify time-critical business functions

Page 44: II - BIA phases (continued)

• Assign MTDs

• Rank critical business functions by MTD

• Report recovery options

• Obtain management approval

Page 45: III - Recovery strategies

Recovery strategies are based on MTDs, predefined and management-approved.

Page 46: III - Recovery strategies (contd)

• Different technical strategies, with different costs and benefits

• How to choose? Careful cost-benefit analysis, driven by business requirements

Page 47: III - Recovery strategies (contd)

Strategies should address recovery of:

• business operations;

• facilities and supplies;

• users (workers and end-users);

• network and data centre (technical); and

• data (off-site backups of data and applications).

Page 48: III - Recovery strategies: technical recovery strategies for data

• Backups of data and applications

• Off-site vs. on-site storage of media

• How fast can data be recovered?

• How much data can you lose?

• Security of off-site backup media

• Types of backups (full, incremental, differential, etc.)
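The BIA steps on the earlier slides (assign MTDs, rank critical functions by MTD) and the two questions on this slide (how fast can data be recovered, how much data can you lose) can be checked mechanically once the figures are written down. The script below is an added example and is not material from the presentation or from BS 25999 itself: it ranks constructed sample business functions by MTD, then reports where the chosen data-recovery strategy cannot meet the BIA, because recovery takes longer than the MTD, because the backup schedule allows more data loss than the business accepted, or because the only backup copy is on-site. The function names, durations and schedules are made up for illustration.

```python
"""Added example (not from the slides): a BIA-to-recovery consistency check.

All business functions, MTDs, RTOs and backup schedules below are constructed
sample data, not figures from any real organisation.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    mtd: timedelta            # maximum tolerable downtime agreed with management
    max_data_loss: timedelta  # how much data the business says it can afford to lose


@dataclass(frozen=True)
class RecoveryStrategy:
    function: str
    rto: timedelta                          # how fast systems and data can be restored
    full_backup_every: timedelta            # cadence of full backups
    incremental_every: Optional[timedelta]  # cadence of incremental backups, if any
    offsite: bool                           # is a copy of the media held off-site?


def rank_by_mtd(functions: List[BusinessFunction]) -> List[BusinessFunction]:
    """BIA step: rank time-critical functions, shortest MTD (most urgent) first."""
    return sorted(functions, key=lambda f: f.mtd)


def worst_case_data_loss(strategy: RecoveryStrategy) -> timedelta:
    """Worst-case data loss is the longest gap between any two backups of any type:
    with incrementals that is the incremental cadence, otherwise the full cadence."""
    cadences = [strategy.full_backup_every]
    if strategy.incremental_every is not None:
        cadences.append(strategy.incremental_every)
    return min(cadences)


def check_strategy(function: BusinessFunction, strategy: RecoveryStrategy) -> List[str]:
    """Return the findings for one function; an empty list means the strategy meets the BIA."""
    findings = []
    if strategy.rto > function.mtd:
        findings.append(f"RTO {strategy.rto} exceeds MTD {function.mtd}")
    loss = worst_case_data_loss(strategy)
    if loss > function.max_data_loss:
        findings.append(f"backup cadence allows {loss} of data loss, "
                        f"business accepts at most {function.max_data_loss}")
    if not strategy.offsite:
        findings.append("backup media is on-site only; a site-wide incident "
                        "destroys primary and backup together")
    return findings


def review(functions: List[BusinessFunction],
           strategies: List[RecoveryStrategy]) -> Dict[str, List[str]]:
    """Findings per function, in MTD order, so the most urgent gaps come first."""
    by_name = {s.function: s for s in strategies}
    report: Dict[str, List[str]] = {}
    for f in rank_by_mtd(functions):
        s = by_name.get(f.name)
        report[f.name] = ["no recovery strategy defined"] if s is None else check_strategy(f, s)
    return report


# Constructed sample BIA output and proposed strategies (hypothetical figures).
FUNCTIONS = [
    BusinessFunction("payroll", timedelta(hours=72), timedelta(hours=24)),
    BusinessFunction("order processing", timedelta(hours=4), timedelta(minutes=15)),
    BusinessFunction("archive search", timedelta(days=30), timedelta(days=7)),
    BusinessFunction("customer portal", timedelta(hours=8), timedelta(hours=1)),
]
STRATEGIES = [
    RecoveryStrategy("order processing", timedelta(hours=2), timedelta(days=1), timedelta(hours=1), True),
    RecoveryStrategy("customer portal", timedelta(hours=12), timedelta(days=7), timedelta(hours=1), True),
    RecoveryStrategy("payroll", timedelta(hours=8), timedelta(days=1), None, False),
    # "archive search" deliberately has no strategy, to show the gap being reported.
]

if __name__ == "__main__":
    for name, findings in review(FUNCTIONS, STRATEGIES).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The script reports one finding per sample function: the order-processing backups run hourly but the business only accepts fifteen minutes of loss, the customer portal's twelve-hour recovery overshoots its eight-hour MTD, payroll's backups are on-site only, and the archive has no strategy at all. Differential backups would be handled the same way as incrementals here, since what matters for data loss is the time since the last backup of any kind; what differs between the types is the restore time, which feeds the RTO figure.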

Page 49: IV - BCP development / implementation

• Detailed plan for recovery

• Business and service recovery plans

• Maintenance

• Awareness and training

• Testing

Page 50: IV - BCP development / implementation (contd)

Sample plan phases:

• Initial disaster response

• Resume critical business operations

• Resume non-critical business operations

• Restoration (return to primary site)

• Interacting with external groups (customers, media, emergency responders)

Page 51: V - BCP final phase

Testing, maintenance, awareness, training.

Page 52: V - BCP final phase: testing

Until it's tested, you don't have a plan. Kinds of testing:

• Structured walk-through

• Checklist

• Simulation

• Parallel

• Full interruption

Page 53: V - BCP final phase: maintenance

• Fix problems found in testing

• Implement change management

• Audit, and address audit findings

• Annual review of the plan

• Build the plan into the organisation

Page 54: V - BCP final phase: self-assessment

A BCM self-assessment process plays a role in ensuring that an organisation has a robust, effective, fit-for-purpose BCM competence and capability.

Self-assessment should be conducted against the organisation's objectives. It should also take into account relevant industry standards and good practice.

Page 55: V - BCP final phase: audit

The organisation should provide for the independent audit of its BCM competence and capability to identify actual and potential shortcomings, and should establish, implement and maintain procedures for dealing with these.

Independent audits should be conducted by competent persons, whether internal or external.

Page 56: BCM awareness

The organisation should raise, enhance and maintain awareness by maintaining an ongoing BCM education and information programme for all staff. Such a programme may include:

• a consultation process with staff throughout the organisation concerning the implementation of the BCM programme;

• discussion of BCM in the organisation's newsletters, briefings, induction programme or journals;

Page 57: BCM awareness (contd)

• inclusion of BCM on relevant web pages or intranets;

• learning from internal and external incidents;

• BCM as an item at team meetings;

• exercising continuity plans at an alternative location (e.g. a recovery site); and

• visits to any designated alternative location (e.g. a recovery site).