BS 25999 – Perspectives & Pitfalls: Lorna’s Continuity Nightmares.
Introducing…
• Lorna Anderson
• BSI MS's BC Technical Expert.
• 11 Years "Blue Collar" Experience in BC.
• Financial Services, Insurance & Banking Environments.
• Many Hats In BSI including Assessment, Training, Promotion & Relationship Management.
• Not The Oracle!
Brief Agenda
• Introduction To BSI
• What is a formal British Standard?
• Why was BS 25999 developed?
• What is BS 25999?
• Who Developed It?
• Why It's Important to UK PLC.
• Lorna's Continuity Nightmares!
• BS 25999 – Help or Hindrance?
• Summary & Questions.
British Standards
• "The National Standards Body".
• A 'Not for Profit', Royal Charter organisation.
• Serve public policy interest as part of UK economic infrastructure.
• Facilitate formal standards development.
What is a standard?
• A documented, agreed, repeatable way of doing things.
• A full consensus of all interested parties, so not imposed.
• Voluntary.
• Best practice, not general practice, and thus aspirational to many organisations.
• Consistent assessment via audit and certification.
• Updated on a regular cycle.
46,000 BSI audits every year.
BSI pioneered the development of assessable management system standards for:

Year  Discipline                       British Standard → Successor Standard
1979  Quality Management               BS 5750  → ISO 9001
1992  Environmental Management         BS 7750  → ISO 14001
1995  Information Security             BS 7799  → ISO 27001
1996  Occupational Health & Safety     BS 8800  → BS OHSAS 18001
2000  Customer Satisfaction            BS 8600  → ISO 10002
2002  IT Service Management            BS 15000 → ISO 20000
2006  Integrated Management            PAS 99
2007  Business Continuity Management   PAS 56   → BS 25999
What Is BS 25999?
• BS 25999-1 Code of Practice (November 2006)
• BS 25999-2 Specification (20 November 2007)
Who developed BS 25999?
Why was BS 25999 developed?
• Business Continuity identified as a critical issue!
• Need for a best practice framework to guide business.
• Need for a mechanism to demonstrate Business Continuity Management maturity.
Why Bother?
Source: Business Continuity Management 2008
Why Develop BS 25999?
• Competitive advantage
• Supply chain requirement
• Respond to shareholders, investors, analysts
• Financial benefits and savings (insurance, audits…)
• Reduce costs of tendering
• Certified businesses outperform
• Recruitment and retention
• Rigour and independence of the audits
• Consistency across sites
• Ensure staff are complying with procedures
• Protect brand and reputation
• Drive continuous improvement
Philosophically…
[Diagram: nested layers of resilience, from the inside out: Organisational Resilience → Supply Chain Resilience → Market / Sector Resilience → Collective UK PLC Resilience]
Move Over Gordon…
Lorna's Continuity Nightmares…
• Client hasn't read the BS 25999-2 standard (yes, really!)
• Lack of a Management System – at all!
• "Interesting" scoping requirements.
• Risk assessments based only on universal threats, e.g. fire and flood, and not specific to their organisation or their critical activities.
• Poor (if any) determination of competency requirements for BCM personnel.
• Lack of understanding of the difference between self-assessment of BCM arrangements and BCMS audits.
Lorna's Continuity Nightmares…
• Management Review meetings do not follow the requirements of the standard (inputs and outputs).
• BCM culture is not adequately embedded within the organisation, i.e. it is treated as "a project".
• Clients assume that by having BC Plans in place they are ready for assessment!
But last, and by no means least, the pièce de résistance…
"Surely you can audit us without seeing any of our documentation… don't you trust us?"!!!!!
Why The Nightmares?
• Difference between BCM & BCMS.
• Organisations have had to change the way they "do" BC.
• BS 25999 asks for a BCMS, not just BC!
• Many businesses do not use Plan, Do, Check, Act!
• Change in mindset – a more strategic view: risk management via a management system.

BS 25999 – Help or Hinder?
• Reputation Protection
• Competitive advantage: New Markets & Tenders
• Confidence in supply chain resilience
• Business improvement & understanding
• Continuous improvement
• Compliance
• Demonstration of Stewardship
• Independent stakeholder protection
My Conclusion?
Lorna Anderson Business Continuity Technical Expert
[email protected]