Our FAQs

This is a list of questions we are frequently asked.


What is BS 25777?

To be truly resilient, an organisation must consider the continuity of its information and communications technology services.   BS 25777 is the British Standard for ICT Continuity Management published in 2008 as a code of practice (BS 25777-1:2008). It gave clear recommendations for ICT Continuity Management within the framework of business continuity management provided by BS 25999.  It has since been superseded by ISO/IEC 27031:2011 and withdrawn.

What is BS 25999?

BS 25999 is the British Standard for Business Continuity Management first published in 2006 as a code of practice (BS25999-1:2006) and followed in 2007 by the specification (BS25999-2:2007).  Steelhenge is one of the few consultancies that has been certified to BS25999-2:2007, with practical experience of implementing its own business continuity management system in line with the standard, and demonstrating our capability to achieve this for clients.  With the publication in May 2012 of ISO 22301 which supersedes BS 25999-2, Steelhenge will be transitioning to the new ISO.

What is ISO 27001?
ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organisation's overall business risks. It is designed to be suitable for all types of organisation.  Steelhenge is a member of the BSi's Associate Consultant Programme for ISO 27001.
What is ISO/IEC 27031?
Published in March 2011 and superseding BS 25777, the International Standard describes the concepts and principles of ICT readiness for business continuity and provides a framework of methods and processes to identify and specify all aspects for improving an organisation's ICT readiness to ensure business continuity.  
What are ISO 22301 and ISO 22313?

ISO 22301 is the newly published (May 2012) International Standard on Societal Security - Business Continuity Management Systems.  ISO 22301 is the specification document against which organisations will seek certification. ISO 22301 supersedes BS 25999-2, which will be withdrawn in November 2012.

ISO 22313 is the guidance document supporting the specification document, i.e. ISO 22301, and will be published later than ISO 22301; it is currently expected in early 2013.

What is the relationship between Business Continuity Management and Enterprise-wide Risk Management?
Business Continuity Management is complementary to a risk management framework that sets out to understand the risks to operations or business, and the consequences of those risks.  Risk management seeks to manage risk around the key products and services that an organisation delivers. Product and service delivery can be disrupted by a wide variety of incidents, many of which are difficult to predict or analyse by cause.  By focusing on the impact of disruption, BCM identifies those products and services on which the organisation depends for its survival, and can identify what is required for the organisation to continue to meet its obligations, whatever the cause of the disruption.
Who should own the BC planning process?
Individuals tasked with implementing and maintaining the business continuity programme may reside in many areas of an organisation depending on its size, scale and complexity. It is essential, however, that a person with appropriate authority (e.g. owner, board director or elected representative) has overall responsibility for BCM and is directly accountable for ensuring the continued success of this capability.
Why should I have Business Continuity and Crisis Management plans?
Business Continuity and Crisis Management should not be separate from normal business processes, but should be in support of them, providing planning and preparation to ensure key value-generating activities will continue in the event of a disruption.  It has been found repeatedly that those organisations that are prepared for a major crisis not only recover substantially faster, but with significantly less damage than organisations that are not prepared.  Whilst plans will not protect you from crisis events occurring, the planning process and the consideration of how your organisation will deal with the potential impacts make the recovery considerably smoother and faster.
How frequently should I review my crisis and continuity plans?
BS 25999 does not specify an interval for plan reviews, although it does recommend a desk check or walk-through of each plan at least annually. An annual review should be the minimum schedule and should be complemented by proactive reviews driven by organisational changes.
Are business continuity and crisis management relevant to SMEs?
SMEs are frequently more vulnerable to an unanticipated incident than larger organisations.  Resources, skills and knowledge tend to be concentrated, leading to potentially business-threatening 'single points of failure'.  SMEs may also be less able to sustain periods of business interruption.  BS 25999 is designed to be applicable to organisations of all sizes, and with the right skills and knowledge implementing a business continuity programme does not have to be onerous or expensive.  Demonstration of business continuity planning is increasingly a requirement of supply chain resilience and is a common prerequisite in the procurement process.
Why do I need to run an exercise for my organisation?
An exercise is an opportunity to practise or rehearse putting your Business Continuity Plan or Crisis Management Procedures into action.  The exercise offers the opportunity to simulate the pressure and stress of a crisis event in order to rehearse your staff and validate your plans and responses in a controlled environment.  The exercise can take many forms, from a simple walk-through of the plan to a full live "dress rehearsal" of your response to a simulated event.
What should I hope to achieve from an exercise?
When setting the scope of an exercise, the objectives should be realistic and achievable.  The complexity of the exercise and the ultimate objectives will depend on the levels of preparedness and experience within the Crisis Management or Business Continuity teams.  While exercises are used to validate plans and responses, the level of pressure and stress imposed can be graduated from simple walk-throughs of the plan to full-scale simulation exercises.  While exercises will highlight areas for improvement and further rehearsal, they should be seen as positive experiences and not negative "pass or fail tests" where every disaster imaginable occurs in a morning.  Well-conducted exercises will support the development of plans and procedures, support the embedding of business continuity within an organisation's culture and, most importantly, ensure a level of preparedness should the worst case occur.
What are the options for running an exercise?
The simplest exercise is a Plan Walk-Through, which allows a plan to be reviewed and staff to be familiarised with procedures, and is usually conducted with no external pressures.  Workshops use a more detailed scenario to define plans and outputs and focus on the response, but again with no external pressures.  Simulation exercises allow one or more teams to respond to a scenario as it unfolds, providing a more rigorous means of validating plans and procedures under the increased pressure of time and realistic decision-making cycles.  Exercises can also focus on very specific areas of an organisation's response capability, such as the crisis communications team or crisis operations room staff, allowing them to rehearse their plans and responses in isolation, usually ahead of a much larger event. Exercises can range in scale from multi-agency, multi-national exercises or a national crisis response involving hundreds of players at all levels, through to specific exercises for strategic management teams of two or three key people.  Steelhenge offers the full range of exercise options.
How often should I exercise my plan and my people?
An organisation should have a programme approved by top management to ensure exercises are carried out at planned intervals and when significant changes occur, such as the introduction of a new service line.
What is the difference between an exercise and a test?
An exercise is an opportunity to practise putting your Business Continuity Plan or Crisis Management Procedures into action and is regarded as a learning opportunity.  A test is also a learning opportunity, but success criteria are set and results are measured against these resulting in a pass/fail outcome.  Tests are usually associated with ICT recovery when a component or system can definably pass or fail.
What is awareness training?
Awareness training is designed to create a basic understanding of business continuity and crisis management such that staff recognise issues and know how to react and who to contact.  It is generally targeted at all staff in an organisation.

What are the PDs supporting BS 25999 (PD 25111, PD 25666 and PD 25888)?

These Published Documents (PDs) have been created by BSI to provide additional guidance and insight to parts of BS 25999, the British Standard in Business Continuity Management. They are not British Standards in themselves and it is not possible to seek certification to a PD.

PD 25111 provides guidance on the human aspects of business continuity in terms of the pre-planning and development of human resources requirements and policies for the stages following an incident.

PD 25666 provides guidance on exercising and testing for continuity and contingency programmes.

PD 25888 provides guidance on how best to develop and implement an organization's recovery in response to a disruptive incident.