Readiness Consulting - BCMS - BS 25999
What is BS 25999?

BS 25999 is the British Standards Institution's (BSI) standard for Business Continuity Management (BCM). It replaces PAS 56, a Publicly Available Specification on the same subject published in 2003.

BS 25999 is a Business Continuity Management (BCM) standard in two parts.

The first, "BS 25999-1:2006 Business Continuity Management. Code of Practice", takes the form of general guidance and seeks to establish processes, principles and terminology for Business Continuity Management.

The second, "BS 25999-2:2007 Specification for Business Continuity Management", specifies requirements for implementing, operating and improving a documented Business Continuity Management System (BCMS), describing only requirements that can be objectively and independently audited.

A useful way to understand the difference between the two parts: Part 1 is a guidance document and uses the term "should"; Part 2 is an independently verifiable specification and uses the word "shall". Only "shall" requirements can be audited, so a certification assessor works from Part 2, not Part 1.

Certification (independent verification) against this standard is available from certification bodies accredited by the United Kingdom Accreditation Service (UKAS). It is a multi-stage process, usually involving a number of assessment visits, after which the assessor recommends whether or not the organization should receive certification. After initial certification, a number of surveillance visits are made according to a plan to confirm that the organization remains in compliance.

BS 25999-1
The contents of the code of practice (BS 25999-1) are as follows:

Section 1 - Scope and Applicability. This section defines the scope of the standard, making clear that it describes generic best practice that should be tailored to the organization implementing it.

Section 2 - Terms and Definitions. This section describes the terminology and definitions used within the body of the standard.

Section 3 - Overview of Business Continuity Management. A short overview of the subject of the standard. It is not meant to be a beginner's guide, but describes the overall process, its relationship with risk management, and the reasons for an organization to implement BCM along with the benefits of doing so.

Section 4 - The Business Continuity Management Policy. Central to the implementation of business continuity is having a clear, unambiguous and appropriately resourced policy.

Section 5 - BCM Programme Management. Programme management is at the heart of the whole BCM process, and the standard defines an approach to it.

Section 6 - Understanding the Organization. In order to apply appropriate business continuity strategies and tactics, the organization has to be fully understood: its critical activities, resources, duties, obligations, threats, risks and overall risk appetite.

Section 7 - Determining BCM Strategies. Once the organization is thoroughly understood, appropriate overall business continuity strategies can be defined.

Section 8 - Developing and Implementing a BCM Response. The tactical means by which business continuity is delivered, including incident management structures, incident management plans and business continuity plans.

Section 9 - Exercising, Maintenance, Audit and Self-Assessment of the BCM Culture. Without exercising the BCM response, an organization cannot be certain that it will meet its requirements. Exercise, maintenance and review processes enable the business continuity capability to continue to meet the organization's goals.

Section 10 - Embedding BCM into the Organization's Culture. Business continuity should not exist in a vacuum but should become part of the way the organization is managed.

BS 25999-2
The contents of the specification (BS 25999-2) are as follows:

Section 1 - Scope. Defines the scope of the standard: the requirements for implementing and operating a documented business continuity management system (BCMS).

Section 2 - Terms and Definitions. This section describes the terminology and definitions used within the body of the standard.

Section 3 - Planning the Business Continuity Management System (PLAN). Part 2 of the standard is built on the well-established Plan-Do-Check-Act model of continual improvement. The first step is to plan the BCMS, establishing it and embedding it within the organization.

Section 4 - Implementing and Operating the BCMS (DO). The organization puts its plans into practice. This section covers a number of topics that also appear in Part 1, but Part 1 should be used only for general guidance and information: only what is in Part 2 can be assessed.

Section 5 - Monitoring and Reviewing the BCMS (CHECK). To ensure that the BCMS is continually monitored, the Check stage covers internal audit and management review of the BCMS.

Section 6 - Maintaining and Improving the BCMS (ACT). To ensure that the BCMS is both maintained and improved on an ongoing basis, this section covers preventative and corrective action.

The first part of BS 25999 (BS 25999-1:2006) was published by the British Standards Institution in December 2006. The second part of BS 25999 (BS 25999-2:2007) was published in November 2007.

Both parts of the standard are likely to be revised and may ultimately be incorporated into other national or international standards. (Since this page was written, that has happened: BS 25999-2 was withdrawn in 2012 in favour of ISO 22301, and new certification is now sought against the ISO standard.)

Business continuity programs, like other enterprise processes, are effective when grounded in generally accepted standards and built according to the business's objectives. Business objectives and proven standards together form a foundation that adds credibility and viability to a continuity program.

Some of the benefits of adopting BS 25999 for your business continuity program include:

Provides a common framework, based on international best practice, to manage business continuity.
Proactively improves your resilience when faced with disruptions to your ability to achieve key objectives.
Provides a rehearsed method of restoring your ability to supply critical products and services to an agreed level and timeframe following a disruption.
Delivers a proven response for managing a disruption.
Helps protect and enhance your reputation and brand.
Opens new markets and helps you win new business.
Enables a clearer understanding of how your entire organization works which can identify opportunities for improvement.
Demonstrates that applicable laws and regulations are being observed.
Creates an opportunity to reduce the burden of internal and external BCM audits and may reduce business interruption insurance premiums.

Source: Wikipedia

How can eFortresses assist?

BS 25999 Compliance

eFortresses assists organizations desiring BS 25999 compliance by providing value added services, including:

Gap Analysis / Compliance Roadmap
Business Continuity Framework Development
Business Continuity Program Development
Risk Assessments and Business Impact Assessment (BIA)
Incident Management Program Development

BS 25999 Certification

eFortresses offers a cost-effective consulting service for organizations seeking BS 25999 certification, including:

Business Continuity Management Framework development using BS 25999
Risk Assessment & Treatment process development
Compliance/Readiness Assessment / Remediation Plan / Certification Roadmap
Early Selection of Accredited Certification Body
Scoping Exercise including Scope Document, Statement of Applicability development
Regulatory Compliance Controls Mapping
Integration of the BCMS with ISO/IEC 27000, ITIL/ISO 20000, COBIT, COSO, etc.
Mock BCMS Audit to simulate Internal and/or External audit process
Internal BCMS Audit: desktop review of documentation, control objectives and control evidence
Business Continuity Forum/Committee development
Preventative and Corrective Action Plan development
Facilitation of BCMS Pre-Assessment, Stage I and Stage II Audit
BCMS Maintenance including Corrective Actions, Continuous Improvement, Metrics, Surveillance Audit

For more information, please contact us.