• Auditing your own work – If you work on a particular aspect of the business continuity management system on a regular basis, it stands to reason that you shouldn’t be auditing your own work. Make sure that there is a clear line of independence throughout the audit process. You could call upon colleagues who audit another management system within the organisation, or, if not applicable, utilise others who are involved with business continuity but not the area which is to be audited. Just remember that you need to be able to demonstrate how you have selected this resource.

• Avoiding confusion over what is BCM and what is BCMS – BS25999-2 attempts to make a clear distinction between implementing business continuity arrangements (BCM) and a business continuity management system (BCMS). The one time that it is often confused is with the requirement to review the BCM arrangements through self assessment or audit (clause 4.4.3.3). This is not the same as the internal audit of the management system (clause 5.1) and an organisation must be able to demonstrate that it is reviewing both elements of the standard.

• The need for action plans – There are a number of different events that will require an action plan. Perhaps the most notable events are: a management review meeting; after an exercise or a real life incident; or an internal audit. Remember, preparing an action plan is only the start of the process. You need to monitor activities to ensure that actions are completed, chase if necessary and then review the actions taken and determine whether they have been effective or not. This takes you into the corrective and preventive action requirements of the standard as well as being very credible evidence of continual improvement.

• Applying for certification too soon – Understandably, organisations are keen to invite the auditors in as soon as the ink is dry on the BIA and the BCPs. However, it is important to remember that to qualify for BS25999-2 certification you have to be able to demonstrate that your business continuity management system is fit for purpose. This means not only ensuring that all of the requirements have been met, but also that the management system has been sufficiently embedded into the organisation to give the certification body confidence in it. Typical evidence of embedding would include: internal audit results; management review meeting minutes; exercises and experiences learnt from any real life incidents.

• Scoping your BCMS – It is surprising how many organisations enter into their BS25999-2 preparations without having clearly identified the scope of their business continuity management system. Should they include all of their products and services? Are only some of them considered ‘key’ and is there any benefit from phasing implementation based on some form of business prioritisation? Experience shows that for larger organisations which may have multiple sites, possibly over different continents, a phased implementation is the best way to proceed, possibly by identifying a particular product line or service. For smaller companies with only one or two sites located in the same region, the decision may be taken to adopt a ‘big bang’ approach to certification. There is no right or wrong approach, but it is important to be mindful of the resources at your disposal and what the business drivers are for certification.

And finally, consider the benefits of undergoing a gap analysis before formal certification to BS25999-2. It’s an ideal way of identifying any shortfalls in your system and by addressing them at this stage it should make the certification process significantly smoother.

Hilary Estall AMBCI
Hilary Estall is managing director of Perpetual Solutions Limited.
hilary.estall@pslinfo.co.uk
www.pslinfo.co.uk

There has been a tendency to focus more on the technical areas of business continuity rather than ensuring that all the elements of the management system have been fully implemented

Top 10 tips for implementing BS25999-2

1. Obtain a copy of BS25999 Parts 1 and 2 and read them (yes, really!)
2. Implement your management system alongside your business continuity arrangements and select the best way of communicating it to staff
3. Appoint a BC sponsor at the outset and gain top management commitment to implementing BS25999 within the organisation (and the resources to do so)
4. Consider the scope of your BCMS carefully and clearly define the boundaries
5. Determine BCM competencies adequately
6. Make sure that the extent of the BIA is appropriate to the size and complexity of the organisation
7. Ensure that risk assessments are based on threats specific to the organisation and its critical activities as well as universal threats such as fire and flood
8. Follow the management review inputs and outputs in the standard rather than making up your own agenda
9. Ensure that the BCM culture is sufficiently embedded into the organisation before inviting the auditors in
10. Remember, BS25999-2 is about continual improvement. Rome wasn’t built in a day
30 Continuity January/February 2010