1. Managing Business Continuity with
BS25999 – Beyond Technologies
Dr. Almerindo Graziano
CEO, Silensec
al@silensec.com
© 2011

2. About Silensec
• IT Governance
– Approved BSI
Associate
Consultants
• Penetration Testing
• Security Training
• E-fraud and
Cybercrime Services
• Computer Forensics
Services
© 2011

3. Offices
Sheffield (UK)
Bucharest (Romania)
Nairobi (Kenya)
© 2011

4. Business Continuity
Strategic and tactical capability of the
organization to plan for and respond to
incidents and business disruptions in order
to continue business operations at an
acceptable predefined level
© 2011

5. BCM and Incident Management
© 2011

6. BCM is NOT Disaster Recovery
• Disaster Recovery is an integral part of a Business
Continuity plan
– REACTIVE process focused on restoring the
organization to business as usual after a disaster occurs
• Business Continuity is PROACTIVE
– its focus is to avoid or mitigate the impact of a risk
© 2011

7. BCMS
• A Business Continuity Management System (BCMS) is
the set of processes, people and controls aimed at
guaranteeing the continuity of a business in case of a
disaster
© 2011

8. BS25999-2
• Business continuity management – Part 2: Specification
(Nov 2007)
• Specifies requirements for:
– planning, establishing, implementing, operating, monitoring,
reviewing, exercising, maintaining and improving a
documented BCMS within the context of managing an
organization’s overall business risks
It can be used for assessment and certification
© 2011

9. BS25999-1
• Business continuity management – Part 1: Code of
practice (Dec 2006)
• Provides guidance on the implementation of the standard
It cannot be used for assessment and certification
© 2011

10. BS25999-2 management clauses
3 Planning the business continuity management system
4 Implementing and operating the BCMS
5 Monitoring and reviewing the BCMS
6 Maintaining and improving the BCMS
© 2011

11. BS25999-2 Implementation
3 Planning the business
continuity management
system
4 Implementing and 3.1 General
3.2 Establishing and managing the BCMS
operating the BCMS 3.2.1 Scope and objectives of the BCMS
3.2.2 BCM Policy
5 Monitoring and 3.2.3 Provision of resources
3.2.4 Competency of BCM personnel
reviewing the BCMS 3.3. Embedding BCM in the organization’s culture
3.4 BCMS documentation and records
6 Maintaining and 3.4.1 General
3.4.2 Control of BCMS records
improving the BCMS 3.4.3 Control of BCMS documentation
© 2011

12. BS25999-2 Implementation
3 Planning the business
continuity management 4.1 Understanding the organization
system 4.1.1 Business impact analysis
4.1.2 Risk assessment
4.1.3 Determining choices
4 Implementing and 4.2 Determining business continuity strategy
4.3 Developing and implementing a BCM response
operating the BCMS 4.3.1 General
4.3.2 Incident response structure
5 Monitoring and reviewing 4.3.3 Business continuity plans and incident
management plans
the BCMS 4.4 Exercising, maintaining and reviewing BCM
arrangements
6 Maintaining and improving 4.4.1 General
4.4.2 BCM exercising
the BCMS 4.4.3 Maintaining and reviewing BCM
arrangements
© 2011

13. 4.1 Understanding the Organization
Output
Identify Whom do we want to satisfy?
Stakeholders What are they interested in?
Identify Key What are the required activities,
Products & Services assets and resources?
What is the impact of disruption to
Business Impact those activities?
4.1.1 Analysis (BIA) What are the critical activities?
What are the risks to those activities
4.1.2 Risk Assessment (especially to the critical ones)
What are the chosen risk
4.1.3 Determine Choices treatments?
© 2011

14. BS25999-2 Implementation
3 Planning the business continuity management system
4 Implementing and operating the BCMS
5 Monitoring and reviewing the BCMS
6 Maintaining and improving the BCMS 5.1 Internal audit
5.2 Management review
of the BCMS
5.2.1 General
5.2.2 Review input
5.2.2 Review output
© 2011

15. BS25999-2 Implementation
3 Planning the business continuity management system
4 Implementing and operating the BCMS
5 Monitoring and reviewing the BCMS
6 Maintaining and improving the BCMS
6.1 Preventive and corrective actions
6.1.1 General
6.1.2 Preventive action
6.1.3 Corrective action
6.2 Continual improvement
© 2011

16. BCM Documentation
Scope and objectives of the BCMS and procedures
BCM policy
Provision of resource
Competency of BCM personnel and associated training records
Business impact analysis
Risk assessment
Business continuity strategy
Incident response structure
Business continuity plans and incident management plans
BCM exercising
Maintenance and review of BCM arrangements
Internal audit
Management review of the BCMS
Preventive and corrective actions
Continual improvement BS25999-2 Clause 3.4.1
© 2011

17. ISO/IEC 27001:2005 controls for BCP
Annex A – Control Objective A.14
– Business Continuity Management Process
– Business Continuity and Risk Assessment
– Developing and Implementing Continuity Plans
– Business Continuity Planning Framework
– Testing, Maintaining and Reassessing Business Continuity
Plans
• ISO/IEC 27031 Information technology - Security techniques -
Guidelines for information and communications technology
readiness for business continuity (FDIS – Final Draft International
Standard)
© 2011

18. Benefits of BS25999 Certification
• Most highly recognized
BCM standard
– Competitive advantage,
image, improved client
confidence
• Ensure effective and
efficient use of business
continuity technologies
• Compliance with legal,
regulatory, contractual
requirements
© 2011

19. BS/ISO Guidelines
• BS 25777:2008, Information and communications
technology continuity management - Code of practice ($)
• BS ISO/IEC 24762:2008, Information technology - Security
techniques - Guidelines for information and
Communications technology disaster recovery services ($)
• ISO/PAS 22399:2007 – Guideline for incident
preparedness and operational continuity management ($)
© 2011

20. BCM Related Standards
and Guidelines (1)
• Australia Standards/New Zeland Standars
– AS/NZS 5050 : Business Continuity Managing
disruption-related risk (Jun 2010) ($)
– HB 221:2004 – Business Continuity Management
Handbook ($)
• Part One: What is Business Continuity Management
• Part Two: The BCM Manual
– HB 292-2006 – A practitioners guide to business
continuity management
– HB 293-2006 – Executive guide to business
continuity management
© 2011

21. BCM Related Standards
and Guidelines (2)
• North America
– National Fire Protection Association (NFPA)
1600:2007 Standard on Disaster/Emergency
Management and Business Continuity Programs
– American Society for Industrial Security ASIS
SPC.1-2009 Organizational Resilience: Security
Preparedness, and Continuity Management
Systems
• Singapore
– SS540:2008 – Singapore Standard for Business
continuity management (BCM) ($)
© 2011