BS 25999 Certification Essentials
Andrew Pettitt
Business Continuity Senior Consultant
SunGard Availability Services Professional Services
Essentials
– Getting the fundamentals right
– Strategies - covering all the bases
– Implementation – birth pains?
– Learning to walk then run
– Weaving continuity into the fabric of your organisation
BCM Lifecycle (BS25999)
– BCM programme management
– understanding the organisation
– determining BCM strategies
– developing and implementing a BCM response
– exercising, maintenance and review
Getting the fundamentals right?
What to plan for?
– Business-type functions?
– Statutory obligations?
– Emergency-type activities?
Silo approach evident in many organisations
Approach to BC disjointed
– Left hand doesn’t know what right hand is doing
– Wasteful
– Time-consuming
Jumping the gun
Pharmaceutical Company
IT Recovery Contracts in place
Workplace Recovery in place
BUT
– No BIA completed
– No strategy development
Jumping the gun
BIA showed
Inappropriate RTOs and RPOs for IT
Existing recovery “plans” beyond capabilities of staff
Fundamental misunderstandings of business processes at senior level
Unnecessary expenditure
– Paying for a Ferrari solution
– Needed a motorbike-sidecar and a Transit van instead
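The mismatch the BIA uncovered in this case can be checked mechanically once the business has stated its RTOs and RPOs and the IT recovery contract has stated what it delivers. The script below is an added illustration, not part of the slides or SunGard's material: it compares constructed BIA requirements for a hypothetical pharmaceutical firm against constructed contracted capabilities and flags a shortfall (the contract cannot meet the need), over-provision (the "Ferrari solution"), and systems with no recovery capability at all. Process names, system names, hour figures and the slack factor are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Requirement:
    """Business need captured by the BIA: how quickly a process must be
    running again (RTO) and how much data loss it can tolerate (RPO),
    both in hours, plus the IT systems it depends on."""
    process: str
    rto_hours: float
    rpo_hours: float
    systems: Tuple[str, ...]


@dataclass(frozen=True)
class Capability:
    """What the IT recovery contract actually delivers for one system."""
    system: str
    rto_hours: float
    rpo_hours: float


# Constructed sample data for a hypothetical pharmaceutical company.
SAMPLE_REQUIREMENTS = [
    Requirement("Batch manufacturing scheduling", 24.0, 4.0, ("ERP",)),
    Requirement("Pharmacovigilance case intake", 4.0, 1.0, ("SafetyDB", "Email")),
    Requirement("Internal newsletter", 168.0, 72.0, ("Intranet",)),
]
SAMPLE_CAPABILITIES = [
    Capability("ERP", 2.0, 0.25),        # hot standby: far faster than the business asked for
    Capability("SafetyDB", 24.0, 24.0),  # tape restore: cannot meet a 4h RTO / 1h RPO
    Capability("Email", 4.0, 1.0),       # matches the requirement exactly
    # "Intranet" deliberately absent: nothing contracted for it
]

Finding = Tuple[str, str, str, str]  # (process, system, verdict, detail)


def check_alignment(requirements: List[Requirement],
                    capabilities: List[Capability],
                    slack_factor: float = 4.0) -> List[Finding]:
    """Compare each process's BIA requirement with the contracted capability
    of every system it depends on. A system is 'over-provision' when both its
    RTO and RPO beat the requirement by more than slack_factor (an assumed
    threshold for 'paying for a Ferrari'), 'shortfall' when either figure is
    slower than the requirement, 'uncovered' when nothing is contracted."""
    cap_by_system: Dict[str, Capability] = {c.system: c for c in capabilities}
    findings: List[Finding] = []
    for req in requirements:
        for system in req.systems:
            cap = cap_by_system.get(system)
            if cap is None:
                findings.append((req.process, system, "uncovered",
                                 "no recovery capability contracted"))
            elif cap.rto_hours > req.rto_hours or cap.rpo_hours > req.rpo_hours:
                findings.append((req.process, system, "shortfall",
                                 f"need RTO {req.rto_hours}h/RPO {req.rpo_hours}h, "
                                 f"contract gives RTO {cap.rto_hours}h/RPO {cap.rpo_hours}h"))
            elif (cap.rto_hours * slack_factor <= req.rto_hours
                  and cap.rpo_hours * slack_factor <= req.rpo_hours):
                findings.append((req.process, system, "over-provision",
                                 f"contract is >{slack_factor:g}x faster than required"))
            else:
                findings.append((req.process, system, "ok", ""))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by verdict, e.g. for a one-line report to top management."""
    counts: Dict[str, int] = {}
    for _, _, verdict, _ in findings:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = check_alignment(SAMPLE_REQUIREMENTS, SAMPLE_CAPABILITIES)
    for process, system, verdict, detail in results:
        print(f"{verdict:15} {process} / {system}  {detail}")
    print(summarise(results))
```

Run with the sample data, the ERP line is the "Ferrari" (contracted recovery far beyond what the process needs), SafetyDB is the dangerous case (a plan that looks covered on paper but cannot meet the BIA figures), and Intranet is the gap the silo approach tends to leave behind. The slack factor is a judgement call; what counts as over-spend depends on the cost step between recovery tiers, which the script does not model.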
Jumping the gun
Understanding the organisation is fundamental to success of BC management
Shortcuts to implementation result in bad planning that won’t work and expensive mistakes
BS25999
– Restates what we know anyway and yet is often ignored
– Top management should sign this off
– External review can pick up mistakes BUT…
Strategies – covering all the bases
People
– Continuity of core skills & knowledge
Premises
– Where do you go?
Technology
– Appropriate RTOs and RPOs
Information
– Confidentiality, integrity, availability & currency
Stakeholders
Supplies
Top management signs these off!
Suppliers
Supplier dependencies
– Ignore them?
– Accept vague assurances?
– Eliminate by bringing everything in-house?
– Carry out audit of their BCM?
Mostly ignore or accept “it’ll be alright on the night”
Get them to use BS25999!
Implementation
The Disaster Timeline
Time Zero: Disaster Event!
Overall recovery objective: Back to normal as quickly as possible
Emergency Response – within minutes to hours:
– Staff & visitors accounted for
– Casualties dealt with
– Damage containment / limitation
– Damage assessment
– Invocation of BCP
Business Continuity – within hours to days:
– Contact staff, customers, suppliers, etc.
– Recovery of critical business processes
– Rebuild lost work-in-progress
Recovery - back to normal – within weeks to months:
– Damage repair / replacement
– Relocation to permanent place of work
– Recovery of costs from insurers
© SunGard Availability Services (UK) Ltd
Implementation
Incident Management Plans
– Must be flexible, easy to use and understandable
Continuity Plans
– Often over-complex
– “Never mind the quality, feel the width”
Implementing your response
– Not just about plans
– People, technology, communications etc.
Walking then running
– Exercise
– Test
– Rehearse
– Practice
– Keep on doing it!!!
The BCM fitness cycle (diagram): Develop Continuity, Implement, Train, Exercise, Live Test, Audit BCP, with an Update step between the stages
If you don’t…
BCM atrophies
It becomes “mummified”
It’s inaccurate, invalid, irrelevant
BS25999
Audit and self assessment
Suggested programme for exercising BCM strategies
Dodgy Continuity presents:
I used to be a Business Continuity Manager…
coming to a business near you
Weaving continuity into the fabric
Tell people about it!!!
– Awareness training
– Skills training
– Leadership!
Involve people!
– Build roles
– Give responsibilities
– Devolve
– Involve in testing
Going forward
BS25999 provides level playing field
– Applicable to public, private and voluntary sectors
– Size doesn’t matter
– Links with CCA 2004, Companies Act 2006 & FSA Guidelines
– Being adopted in many EU countries and further afield as a de facto standard
Part 1 provides roadmap to improved BCM
– Can be used to enhance current BCM
– Incentive for senior management to take it more seriously
– Helps get buy-in within an organisation
– Window of opportunity prior to Part 2
Thank you