BS 25999 Certification Essentials Andrew Pettitt Business Continuity Senior Consultant SunGard Availability Services Professional Services

Page 1: Andrew Pettitt Business Continuity Senior Consultant

BS 25999 Certification Essentials

Andrew Pettitt
Business Continuity Senior Consultant
SunGard Availability Services Professional Services

Page 2: Andrew Pettitt Business Continuity Senior Consultant

Essentials

Getting the fundamentals right
Strategies – covering all the bases
Implementation – birth pains?
Learning to walk then run
Weaving continuity into the fabric of your organisation

Page 3: Andrew Pettitt Business Continuity Senior Consultant

BCM Lifecycle (BS25999)

[Diagram: the BCM lifecycle, with the labels: understanding the organisation; determining BCM strategies; developing and implementing a BCM response; exercising, maintenance and review; BCM programme management]

Page 4: Andrew Pettitt Business Continuity Senior Consultant

Getting the fundamentals right?

What to plan for?
– Business-type functions?
– Statutory obligations?
– Emergency-type activities?

Silo approach evident in many organisations

Approach to BC disjointed
– Left hand doesn’t know what right hand is doing
– Wasteful
– Time-consuming

Page 5: Andrew Pettitt Business Continuity Senior Consultant

Jumping the gun

Pharmaceutical Company

IT Recovery Contracts in place

Workplace Recovery in place

BUT
– No BIA completed
– No strategy development

Page 6: Andrew Pettitt Business Continuity Senior Consultant

Jumping the gun

BIA showed

Inappropriate RTOs and RPOs for IT

Existing recovery “plans” beyond capabilities of staff

Fundamental misunderstandings of business processes at senior level

Unnecessary expenditure
– Paying for a Ferrari solution
– Needed a motorbike-sidecar and a Transit van instead

Page 7: Andrew Pettitt Business Continuity Senior Consultant

Jumping the gun

Understanding the organisation is fundamental to success of BC management

Shortcuts to implementation result in bad planning that won’t work and expensive mistakes

BS25999
– Restates what we know anyway and yet is often ignored
– Top management should sign this off
– External review can pick up mistakes BUT…

Page 8: Andrew Pettitt Business Continuity Senior Consultant

Strategies – covering all the bases

People
– Continuity of core skills & knowledge

Premises
– Where do you go?

Technology
– Appropriate RTOs and RPOs

Information
– Confidentiality, integrity, availability & currency

Stakeholders

Supplies

Top management signs these off!

Page 9: Andrew Pettitt Business Continuity Senior Consultant

Suppliers

Supplier dependencies
– Ignore them?
– Accept vague assurances?
– Eliminate by bringing everything in-house?
– Carry out audit of their BCM?

Mostly ignore or accept “it’ll be alright on the night”

Get them to use BS25999!

Page 10: Andrew Pettitt Business Continuity Senior Consultant

Implementation

The Disaster Timeline

Time Line, starting at Time Zero: Disaster Event!

Overall recovery objective: Back to normal as quickly as possible

Emergency Response (within minutes to hours):
– Staff & visitors accounted for
– Casualties dealt with
– Damage containment / limitation
– Damage assessment
– Invocation of BCP

Business Continuity (within hours to days):
– Contact staff, customers, suppliers, etc.
– Recovery of critical business processes
– Rebuild lost work-in-progress

Recovery - back to normal (within weeks to months):
– Damage repair / replacement
– Relocation to permanent place of work
– Recovery of costs from insurers

© SunGard Availability Services (UK) Ltd

Page 11: Andrew Pettitt Business Continuity Senior Consultant

Implementation

Incident Management Plans
– Must be flexible, easy to use and understandable

Continuity Plans
– Often over-complex
– “Never mind the quality, feel the width”

Implementing your response
– Not just about plans
– People, technology, communications etc.

Page 12: Andrew Pettitt Business Continuity Senior Consultant

Walking then running

Exercise
Test
Rehearse
Practice
Keep on doing it!!!

Page 13: Andrew Pettitt Business Continuity Senior Consultant

The BCM fitness cycle

[Diagram: the BCM fitness cycle, with the labels: Develop Continuity; Update; Implement; Live Test; Exercise; Train; Update; Update; Audit BCP]

Page 14: Andrew Pettitt Business Continuity Senior Consultant

If you don’t……..

BCM atrophies

It becomes “mummified”

It’s inaccurate, invalid, irrelevant

BS25999

Audit and self assessment

Suggested programme for exercising BCM strategies

[Image text: Dodgy Continuity presents: “I used to be a Business Continuity Manager…” coming to a business near you]

Page 15: Andrew Pettitt Business Continuity Senior Consultant

Weaving continuity into the fabric

Tell people about it!!!
– Awareness training
– Skills training
– Leadership!

Involve people!
– Build roles
– Give responsibilities
– Devolve
– Involve in testing

Page 16: Andrew Pettitt Business Continuity Senior Consultant

Going forward

BS25999 provides level playing field
– Applicable to public, private and voluntary sectors
– Size doesn’t matter
– Links with CCA 2004, Companies Act 2006 & FSA Guidelines
– Being adopted in many EU countries and further afield as a de facto standard

Part 1 provides roadmap to improved BCM
– Can be used to enhance current BCM
– Incentive for senior management to take it more seriously

Helps get buy-in within an organisation
– Window of opportunity prior to Part 2

Page 17: Andrew Pettitt Business Continuity Senior Consultant

Thank you