Review Template

Apr 06, 2018

  • 8/3/2019 Review Template

    1/19

    (Your Business Name)

    Business Continuity Review Template


    CONTENTS

    1. Scope

    2. BS 25999

    3. Elements of the business continuity management lifecycle

    4. BS 25999 Part 2 Specification

    5. Business Continuity Planning and your business

    6. BCM Review

    7. Recommendations


    1. Scope

    1.1.1 The aim of this document is to assist in reviewing the business continuity planning (BCP) process.

    1.1.2 The review has been undertaken under the guidance outlined in British Standard 25999 Business Continuity Management. BS 25999 has been developed by practitioners throughout the business continuity community, drawing upon their academic, technical and practical experiences of business continuity management (BCM). It has been produced to define requirements for a management systems approach to business continuity management based on good practice for use in large, medium and small organisations operating in industrial, commercial, public and voluntary sectors.

    1.1.3 The British Standard provides a specification for use by internal and external parties, including certification bodies, to assess the organisation's ability to meet regulatory, customer, and the organisation's own requirements. Demonstration of successful implementation of this British Standard can therefore be used by an organisation to assure interested parties that an appropriate business continuity management system is in place.

    2. BS 25999

    2.1.1 The British Standard specifies requirements for setting up and managing an effective business continuity management system. This emphasises the importance of:

    a) understanding business continuity needs and the necessity for establishing policy and objectives for business continuity;

    b) implementing and operating controls and measures for managing an organisation's overall business continuity risks;

    c) monitoring and reviewing the performance and effectiveness of the process; and

    d) continual improvement based on objective measurement.

    2.1.2 A Business Continuity Management System (BCMS), like any other management system, has the following key components:

    a) a policy;

    b) people with defined responsibilities;


    c) management processes relating to:

    policy;

    planning;

    implementation and operation;

    performance assessment;

    management review; and

    improvement;

    d) a set of documentation providing auditable evidence; and

    e) topic specific processes relating to the subject, in this case business continuity, such as business impact analysis (BIA) and business continuity plan development.

    3. Elements of the business continuity management lifecycle

    3.1.1 The BCM lifecycle comprises six elements, as set out below. The scope and structure of a BCM programme can vary, and the effort expended will be tailored to the needs of the individual organisation, but these essential elements still have to be undertaken.

    3.1.2 BCM programme management - Programme management enables the business continuity capability to be both established (if necessary) and maintained in a manner appropriate to the size and complexity of the organisation.

    3.1.3 Understanding the organisation - The activities associated with understanding the organisation provide information that enables prioritization of an organisation's products and services and the urgency of the activities that are required to deliver them. This sets the requirements that will determine the selection of appropriate BCM strategies.


    3.1.4 Determining business continuity strategy - Determining business continuity strategy enables a range of strategies to be evaluated. This allows an appropriate response to be chosen for each product or service, such that the organisation can continue to deliver those products and services:

    at an acceptable level of operation; and

    within an acceptable timeframe

    during and following a disruption. The choice made will take account of the resilience and countermeasure options already present within the organisation.

    3.1.5 Developing and implementing a BCM response - Developing and implementing a BCM response results in the creation of a management framework and a structure of incident management, business continuity and business recovery plans that detail the steps to be taken during and after an incident to maintain or restore operations.

    3.1.6 BCM exercising, maintaining and reviewing BCM arrangements - BCM exercising, maintenance, review and audit lead to the organisation being able to:

    demonstrate the extent to which its strategies and plans are complete, current and accurate; and

    identify opportunities for improvement.

    3.1.7 Embedding BCM in the organisation's culture - Embedding BCM in the organisation's culture enables BCM to become part of the organisation's core values and instils confidence in all stakeholders in the ability of the organisation to cope with disruptions.

    4. BS 25999 Part 2 Specification

    4.1.1 The British Standard provides a specification for use by internal and external parties, including certification bodies, to assess the organisation's ability to meet regulatory, customer, and the organisation's own requirements. The British Standard contains only those requirements that can be objectively audited.

    4.1.2 Demonstration of successful implementation of the British Standard can therefore be used by an organisation to assure interested parties that an appropriate business continuity management system is in place.


    5. Business Continuity Planning and your business

    5.1.1 The aim of the review is to establish the status of your Business Continuity planning in relation to BS 25999. The objectives are to:

    Identify Business Continuity documentation.

    Compare the existing documentation against your business standards.

    Record what has been achieved.

    Identify any improvements.

    Identify any outstanding issues.

    5.1.2 The remainder of the document takes the form of a checklist based on the requirements of BS 25999 Part 2 and identifies those aspects of the standard for which there is Evidence, Partial Evidence or No Evidence. To assist this process the scoring is highlighted by use of a key based on Green, Amber or Red.

    5.1.3 Specific aspects of the standard to be reviewed are:

    BCM Policy

    Provision of Resources

    Competency of BCM Personnel

    Embedding BCM in the Organisation's Culture

    BCM Documentation and Records

    Control of BCM Documentation and Records

    Business Impact Analysis

    Risk Assessment

    Determining Choices

    Determining BC Strategy

    Incident Response Structure

    BC Plans and Incident Management Plans

    BCM Exercising


    Maintaining and Reviewing

    Internal Audit

    6.1.1 BCM Policy

    Item No. | BS 25999 Requirement | Evidence | Partial Evidence | No Evidence | Corp

    1 Top management shall establish and demonstrate commitment to a business continuity management policy.

    2a The policy shall include or make reference to:

    a) the organisation's business continuity objectives; and

    2b b) the scope of business continuity, including limitations and exclusions.

    3a The policy shall be:

    a) approved by top management; and

    3b b) communicated to all persons working for or on behalf of the organisation; and

    3c c) reviewed at planned intervals and when significant changes occur.

    6.1.2 Provision of Resources

    Item No. | BS 25999 Requirement | Evidence | Partial Evidence | No Evidence | Corp

    4 The organisation shall determine and provide the resources needed to establish, implement, operate and maintain the BCMS.

    5 BCM roles, responsibilities, competencies and authorities shall be defined and documented.

    6a Top management shall:

    a) appoint or nominate a person with appropriate seniority and authority to be accountable for BCM policy and implementation;

    6b b) appoint one or more persons, who, irrespective of other responsibilities, shall implement and maintain the BCMS.

    6.1.3 Competency of BCM Personnel

    Item No. | BS 25999 Requirement | Evidence | Partial Evidence | No Evidence | Corp

    7a The organisation shall ensure that all personnel who are assigned business continuity responsibilities are competent to perform the required tasks by:

    a) determining the necessary competencies for such personnel;

    7b b) conducting training needs analysis on personnel being assigned BCM roles and responsibilities;

    7c c) providing training;

    7d d) ensuring that the necessary competence has been achieved; and

    7e e) maintaining records of education, training, skills, experience and qualifications.

    6.1.4 Embedding BCM in the Organisation's Culture

    Item No. | BS 25999 Requirement | Evidence | Partial Evidence | No Evidence | Corp


    8a To ensure that BCM becomes a part of its core values and effective management, the organisation shall:

    a) raise, enhance and maintain awareness through an ongoing BCM education and information programme for all employees and establishing a process for evaluating the effectiveness of the BCM awareness delivery;

    8b b) communicate to all employees the importance of:

    1) meeting business continuity management objectives;

    2) conforming to the business continuity policy; and

    3) continual improvement; and

    8c c) ensure that all employees are aware of how they contribute to the achievement of the organisation's business continuity objectives.

    6.1.5 BCM Documentation and Records

    Item No. | BS 25999 Requirement | Evidence | Partial Evidence | No Evidence | Corp

    9a The organisation shall have documentation covering the following aspects of the BCMS:

    a) the scope and objectives of the BCMS and procedures

    9b b) the BCM policy

    9c c) the provision of resources

    9d d) the competency of BCM personnel and associated training records

    9e e) the business impact analysis

    9f f) the risk assessment

    9g g) the business continuity strategy


    9h h) the incident response structure

    9i i) business continuity plans and incident management plans

    9j j) BCM exercising

    9k k) the maintenance and review of BCM arrangements

    9l l) internal audit

    9m m) management review of the BCMS

    9n n) preventive and corrective actions

    9o o) continual improvement

    6.1.6 Control of BCM Documentation and Records

    Item No. | BS 25999 Requirement | Evidence | Partial Evidence | No Evidence | Corp

    10a Controls shall be established over BCMS records in order to:

    a) ensure that they remain legible, readily identifiable and retrievable;

    10b b) provide for their identification, storage, protection and retrieval.

    11a Controls shall be established over BCMS documentation to ensure that:

    a) documents are approved for adequacy prior to issue;

    11b b) documents are reviewed and updated as necessary and re-approved;

    11c c) changes and the current revision status of documents are identified;


    11d d) relevant versions of applicable documents are available at points of use;

    11e e) documents of external origin are identified and their distribution controlled; and

    11f f) the unintended use of obsolete documents is prevented and that such documents are suitably identified if they are retained for any purpose.

    6.1.7 Business Impact Analysis

    Item No. | BS 25999 Requirement | Evidence | Partial Evidence | No Evidence | Corp

    12a The organisation shall:

    a) identify activities that support its key products and services;

    12b b) identify impacts resulting from the disruption to these activities, and determine how these vary over time;

    12c c) establish the maximum tolerable period of disruption for each activity by identifying:

    1) the maximum time period after the start of a disruption within which each activity needs to be resumed;

    2) the minimum level at which each activity needs to be performed upon resumption; and

    3) the length of time within which normal levels of operation need to be resumed;

    12d d) categorize its activities according to their priority for recovery and identify its critical activities;

    12e e) identify all dependencies relevant to the critical activities, including suppliers and outsource partners;

    12f f) for suppliers and outsource partners on whom critical activities depend, determine what BCM arrangements are in place for the relevant products and services they provide;


    12g g) set recovery time objectives for the resumption of critical activities within their maximum tolerable period of disruption;

    12h h) estimate the resources that each critical activity will require for resumption.

    6.1.8 Risk Assessment

    Item No. | BS 25999 Requirement | Evidence | Partial Evidence | No Evidence | Corp

    13a There shall be a defined, documented and appropriate method for risk assessment that will enable the organisation to understand the threats to and vulnerabilities of its critical activities and supporting resources, including those provided by suppliers and outsource partners.

    13b The organisation shall understand the impact that would arise if an identified threat became an incident and caused a business disruption.

    6.1.9 Determining Choices

    Item No. | BS 25999 Requirement | Evidence | Partial Evidence | No Evidence | Corp

    14a For each of its critical activities, the organisation shall identify available risk treatments that:

    a) reduce the likelihood of a disruption;

    14b b) shorten the period of disruption; and


    14c c) limit the impact of a disruption on the organisation's key products and services.

    15 The organisation shall choose and implement appropriate risk treatments for each critical activity in accordance with its level of risk acceptance.

    6.1.10 Determining BC Strategy

    Item No. | BS 25999 Requirement | Evidence | Partial Evidence | No Evidence | Corp

    16a The organisation shall:

    a) define a fit-for-purpose, predefined and documented incident response structure that will enable an effective response and recovery from disruptions;

    16b b) determine how it will recover each critical activity within its recovery time objective and the BCM arrangements, including the resources required for resumption and products and services provided by suppliers and outsource partners;

    16c c) determine how it will manage relationships with its key stakeholders and external parties involved in the recovery.

    6.1.11 Incident Response Structure

    Item No. | BS 25999 Requirement | Evidence | Partial Evidence | No Evidence | Corp


    17 The organisation shall nominate incident response personnel with the necessary responsibility, authority and competence to manage an incident.

    18a The incident response structure shall provide for personnel to:

    a) confirm the nature and extent of an incident;

    18b b) trigger an appropriate business continuity response;

    18c c) have plans, processes and procedures for the activation, operation, coordination and communication of the incident response;

    18d d) have resources available to support the plans, processes and procedures to manage an incident;

    18e e) communicate with stakeholders.

    6.1.12 BC Plans and Incident Management Plans

    Item No. | BS 25999 Requirement | Evidence | Partial Evidence | No Evidence | Corp

    19 The organisation shall have documented plans that detail how the organisation will manage an incident and how it will recover or maintain its activities to a predetermined level in the event of a disruption.

    20a Each plan shall:

    a) have a defined purpose and scope;

    20b b) be accessible to and understood by those who will use them;

    20c c) be owned by a named person(s) who is responsible for their review, update and approval; and


    20d d) be aligned with relevant contingency arrangements external to the organisation.

    21a The plans shall collectively contain:

    a) identified lines of communications;

    21b b) key tasks and reference information;

    21c c) defined roles and responsibilities for people and teams having authority during and following an incident;

    21d d) guidelines and criteria regarding which individuals have the authority to invoke each plan and under what circumstances;

    21e e) a method by which each plan is invoked;

    21f f) meeting locations with alternatives, and up-to-date contact and mobilisation details for any relevant agencies, organisations and resources that might be required to support the response;

    21g g) a process for standing down once the incident is over;

    21h h) a reference to the essential contact details for all key stakeholders;

    21i i) details to manage the immediate consequences of a business disruption giving due regard to:

    1) the welfare of individuals;

    2) strategic and operational options for responding to the disruption; and

    3) prevention of further loss or unavailability of critical activities;

    21j j) details for managing an incident including:

    1) provision for managing issues during an incident; and

    2) processes to enable continuity and recovery of critical activities;

    21k k) details on how and under what circumstances the organisation will communicate with employees and their relatives, key stakeholders and emergency contacts;


    21l l) details on the organisation's media response following an incident, including:

    1) the incident communications strategy;

    2) preferred interface with the media;

    3) guideline or template for drafting a statement for the media; and

    4) appropriate spokespeople;

    21m m) a method for recording key information about the incident, actions taken and decisions made;

    21n n) details of actions and tasks that need to be performed;

    21o o) details of the resources required for business continuity and business recovery at different points in time; and

    21p p) prioritized objectives in terms of the critical activities to be recovered, the timescales in which they are to be recovered and the recovery levels needed for each critical activity.

    6.1.13 BCM Exercising

    Item No. | BS 25999 Requirement | Evidence | Partial Evidence | No Evidence | Corp

    22a The organisation shall:

    a) develop exercises that are consistent with the scope of the BCMS;

    22b b) have a programme approved by top management to ensure exercises are carried out at planned intervals and when significant changes occur;

    22c c) carry out a range of different exercises that taken together validate the whole of its business continuity arrangements;

    22d d) plan exercises so that the risk of an incident occurring as a direct result of the exercise is minimized;

    22e e) define the aims and objectives of every exercise;

    22f f) carry out a post-exercise review of each exercise that will assess the achievement of the aims and objectives of the exercise; and

    22g g) produce a written report of the exercise, outcome and feedback, including required actions.

    6.1.14 Maintaining and Reviewing

    Item No. | BS 25999 Requirement | Evidence | Partial Evidence | No Evidence | Corp

    23 The organisation shall, at defined intervals, review its BCM arrangements to ensure their continuing suitability, adequacy and effectiveness.

    24 The organisation shall ensure its business continuity capability and appropriateness is reviewed at planned intervals and when significant changes occur to ensure its continuing suitability, adequacy and effectiveness.

    25 The review of BCM arrangements shall be regular and conducted either through self-assessment or audit.

    26a In the event of an incident that results in the invocation of the BCP or the IMP, a post-incident review shall be undertaken to:


    a) identify the nature and cause of the incident;

    26b b) assess the adequacy of management's response;

    26c c) assess the organisation's effectiveness in meeting its recovery time objectives;

    26d d) assess the adequacy of the BCM arrangements in preparing employees for the incident; and

    26e e) identify improvements to be made to the BCM arrangements.

    6.1.15 Internal Audit

    Item No. | BS 25999 Requirement | Evidence | Partial Evidence | No Evidence | Corp

    27a The organisation shall ensure that internal audits of the BCMS are conducted at planned intervals to:

    a) determine whether the BCMS:

    1) conforms to planned arrangements for BCM, including the requirements of this BCM standard; and

    2) has been properly implemented and is maintained; and

    3) is effective in meeting the organisation's BCM policy and objectives; and

    27b b) provide information on the results of audits to management.


    28 Any audit programme(s) shall be planned, established, implemented and maintained by the organisation, taking into account the BIA, risk assessment, control and mitigation measures and the results of previous audits.

    29a Audit procedure(s) shall be established, implemented and maintained that address:

    a) the responsibilities, competencies and requirements for planning and conducting audits, reporting results and retaining associated records; and

    29b b) the determination of audit criteria, scope, frequency and methods.

    30 Selection of auditors and conduct of audits shall ensure objectivity and the impartiality of the audit process.