
ASIS INTERNATIONAL

Business Continuity Management Systems: Requirements with Guidance for Use

ASIS/BSI BCM.01-2010

AMERICAN NATIONAL STANDARD

ASIS/BSI BCM.01-2010

an American National Standard

BUSINESS CONTINUITY MANAGEMENT SYSTEMS: REQUIREMENTS WITH GUIDANCE FOR USE

A management systems approach for preparedness and business/operational continuity management

Approved November 2, 2010


American National Standards Institute, Inc.

ASIS International and British Standards Institution (BSI)

Abstract
Based on the BS 25999 Business continuity management (Part 1 and Part 2), this Standard specifies requirements for a
business continuity management system (BCMS) to enable an organization to identify, develop, and implement policies,
objectives, capabilities, processes, and programs—taking into account legal and other requirements to which the
organization subscribes—to address disruptive events that might impact the organization and its stakeholders. This
Standard specifies requirements for planning, establishing, implementing, operating, monitoring, reviewing,
exercising, maintaining, and improving a documented BCMS within the context of managing an organization’s risks.

NOTICE AND DISCLAIMER
The information in this publication was considered technically sound by the consensus of those who engaged in the
development and approval of the document at the time of its creation. Consensus does not necessarily mean that
there is unanimous agreement among the participants in the development of this document.
ASIS International and BSI standards and guideline publications, of which the document contained herein is one, are
developed through a voluntary consensus standards development process. This process brings together volunteers
and/or seeks out the views of persons who have an interest and knowledge in the topic covered by this publication.
While ASIS administers the process and establishes rules to promote fairness in the development of consensus, it
does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of
any information or the soundness of any judgments contained in its standards and guideline publications.
ASIS is a volunteer, nonprofit professional society with no regulatory, licensing, or enforcement power over its
members or anyone else. ASIS and BSI do not accept or undertake a duty to any third party because they do not have
the authority to enforce compliance with their standards or guidelines. They assume no duty of care to the general public,
because their works are not obligatory and because they do not monitor the use of them.
ASIS and BSI disclaim liability for any personal injury, property, or other damages of any nature whatsoever,
whether special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of,
application, or reliance on this document. ASIS and BSI disclaim and make no guaranty or warranty, expressed or
implied, as to the accuracy or completeness of any information published herein, and disclaim and make no
warranty that the information in this document will fulfill any person’s or entity’s particular purposes or needs.
ASIS and BSI do not undertake to guarantee the performance of any individual manufacturer or seller’s products or
services by virtue of this standard or guide.
In publishing and making this document available, ASIS and BSI are not undertaking to render professional or other
services for or on behalf of any person or entity, nor are ASIS and BSI undertaking to perform any duty owed by any
person or entity to someone else. Anyone using this document should rely on his or her own independent judgment
or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any
given circumstances. Information and other standards on the topic covered by this publication may be available from
other sources, which the user may wish to consult for additional views or information not covered by this
publication.
ASIS and BSI have no power, nor do they undertake, to police or enforce compliance with the contents of this
document. ASIS and British Standards have no control over which of their standards, if any, may be adopted by
governmental regulatory agencies, or over any activity or conduct that purports to conform to their standards. ASIS
and British Standards do not list, certify, test, inspect, or approve any practices, products, materials, designs, or
installations for compliance with their standards. They merely publish standards to be used as guidelines that third
parties may or may not choose to adopt, modify, or reject. Any certification or other statement of compliance with
any information in this document shall not be attributable to ASIS and British Standards and is solely the
responsibility of the certifier or maker of the statement. This publication does not purport to include all the necessary
provisions of a contract. Compliance with a British Standard cannot confer immunity from legal obligations.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any
form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written
consent of the copyright owner.

Copyright © 2010 ASIS International and British Standards Institution

ISBN: 978-1-934904-07-7


FOREWORD
The information contained in this Foreword is not part of this American National Standard (ANS) and has not been
processed in accordance with ANSI’s requirements for an ANS. As such, this Foreword may contain material that has
not been subjected to public review or a consensus process. In addition, it does not contain requirements necessary
for conformance to the Standard.
ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory
requirements are designated by the word shall and recommendations by the word should. Where both a mandatory
requirement and a recommendation are specified for the same criterion, the recommendation represents a goal
currently identifiable as having distinct compatibility or performance advantages.
ASIS International and BSI collaborated in the development of the Business Continuity Management Systems:
Requirements with Guidance for Use Standard. This management systems standard provides generic auditable criteria
and informative guidance on business continuity management.

About ASIS
ASIS International (ASIS) is the preeminent organization for security professionals, with more than 37,000 members
worldwide. ASIS is dedicated to increasing the effectiveness and productivity of security professionals by
developing educational programs and materials that address broad security interests, such as the ASIS Annual
Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security
management profession to business, the media, government entities, and the public. By providing members and the
security community with access to a full range of programs and services, and by publishing the industry’s No. 1
magazine – Security Management – ASIS leads the way for advanced and improved security performance.
The work of preparing standards and guidelines is carried out through the ASIS International Standards and
Guidelines Committees, and governed by the ASIS Commission on Standards and Guidelines. The Mission of the
ASIS Standards and Guidelines Commission is to advance the practice of security management through the development of
standards and guidelines within a voluntary, nonproprietary, and consensus-based process, utilizing to the fullest extent possible
the knowledge, experience, and expertise of ASIS membership, security professionals, and the global security industry.

About BSI
BSI is the UK’s National Standards Body, recognized globally for its independence, integrity, and innovation in the
production of standards and information products that promote and share best practices. BSI works with businesses,
consumers, and government to represent UK interests and to make sure that British, European, and international
standards are useful, relevant, and authoritative.
BSI Group is a global independent business services organization that inspires confidence and delivers assurance to
customers with standards-based solutions. Originating as the world’s first national standards body, the Group has
over 2,300 staff operating in over 120 countries through more than 50 global offices.

Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince
Street, Alexandria, VA 22314-2818, USA.


Commission Members
Jason L. Brown, Thales Australia
Steven K. Bucklin, Glenbrook Security Services, Inc.
John C. Cholewa III, CPP, Mentor Associates, LLC
Cynthia P. Conlon, CPP, Conlon Consulting Corporation
Michael A. Crane, CPP, IPC International Corporation
William J. Daly, Control Risks Security Consulting
Eugene F. Ferraro, CPP, PCI, CFE, Business Controls Inc.
F. Mark Geraci, CPP, Purdue Pharma L.P., Chair
Robert W. Jones, Socrates Ltd, Inc.
Michael E. Knoke, CPP, Express Scripts, Inc., Vice Chair
John F. Mallon, CPP, Mallon & Associates, LLC
Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
John E. Turey, CPP, ITT Corporation
Roger D. Warwick, CPP, Pyramid International

At the time it approved this document, the BCM Standards Committee, which is responsible for the development of this
Standard, had the following members:

Committee Members
Committee Co-Chairman: Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative, ASIS International
Committee Co-Chairman: Kevin S. Brear, J.P. Morgan Chase
Committee Secretariat: Sue Carioti, ASIS International
Committee Secretariat: David Adamson, British Standards Institution

David Adamson, British Standards Institution
Marene Allison, Johnson & Johnson
Edgard Ansola, Mutua Asepeyo
Paul H. Aube, CPP, Institut Grasset
Dave Austin, Operational Resilience Limited
Don Aviv, CPP, PCI, PSP, Interfor Inc.
William D. Badertscher, CPP, Georgetown University
Pradeep Bajaj, PRISMA
Thomas Bannister, Metropolitan Police Service
David Benish, Strategic BCP
Alan Berman, DRI International
Lyndon Bird, The Business Continuity Institute
Dennis R. Blass, CPP, PSP, Secumetrics LLC
John Boal, CPP, PCI, University of Akron
Mark Borchers, CPP, Germanna Community College
Thomas Bozek, Bozek Consulting, LLC
Kevin S. Brear, J.P. Morgan Chase
Patrick Brennan, BCMexperts
Larry Brown, First Citizens Bank
Frederick A. Budde, Ph.D., PCI, U.S. Department of Homeland Security, Federal Air Marshal Service
Doyle J. Burke, CPP, DAKO Group
Donald Byrne, North River Solutions
Thomas Carroll, Computer Sciences Corporation
Doug Cassell, Mutual of Enumclaw Insurance
Sharon Caudle, Ph.D., The Bush School of Government and Public Service
Chee Seng Chan, Becton Dickinson Critical Care Systems Pte Ltd
Ian Charters, Continuity Systems Ltd
Telva Chase, Regence Group
Ian Clark, East Neuk Consultants Ltd
Justin Clarke, Gobanza, Inc.
Mike Claver, State Farm Insurance Companies
William Coffey, American Society of Safety Engineers
Andrew Collins, Baylor Health Care System
Malcolm Cornish, RMI (UK) Limited
Robert J. Coullahan, CEM, CPP, CBCP, Readiness Resource Group
Georges Cowan, Business Continu-IT Partners
Kevin Cunningham, UBS
Merlyn Demaine, Imperial College NHS Trust
Indrajit Dimyati, Business Continuity Planning Asia Pte Ltd
Brian Dixon, Moody International
Lisa DuBrock, The Radian Group, LLC
Robert Duncan, Consultant
Edward Eaton, Warner Gudlaugsson LLC
Henry Ee, Business Continuity Planning Asia Pte Ltd
Jorge Escalera, Risk Mexico
Greig Fennell, Sprint
Patti Fitzgerald, Disaster Recovery Journal
Windom Fitzgerald, Pendulum
Walter Fountain, CPP, Schneider National, Inc.
Christopher Frampton, SRCN Limited
Barry Freedman, FCS Consulting Services
Peter French, CPP, SSR Personnel
Robin Gaddum, IBM
Paul Genzburg, Soros Fund Management/Open Society Institute
Robert Giffin, Avalution Consulting
Stephen Giordano, HCA Inc.
Matthew Gneuhs, Cincinnati Children's Hospital Medical Center
Julia Graham, DLA Piper UK LLP
Briane Grey, U.S. Drug Enforcement Administration
Wayne Harrop, Centre for Disaster Management: Coventry University
Ronald Hauri, Northwestern University
John Hele, British Standards Institution
Michael Hill, Nokia
Andrea Hollman, United Space Alliance, LLC
Simon Honey, Mitsubishi UFJ Securities International plc.
Roger Housner, WPS Insurance Corporation
C.J. Howard, Deere & Company
Terri Howard, FEI Behavioral Health
David Huynh, Ross Stores, Inc.
Brian Kaye, Control Risks Group
David Kaye, Risk Reality
Michael Keating, Doulos Business Consulting
James Kennedy, Recovery-Solutions
Penelope Killow, HFC Bank (HSBC Group)
Steven King, CPP, U.S. Department of Homeland Security, Office of Infrastructure Protection
Paul Kirvan, Paul Kirvan Associates
Donald E. Knox, CPP, Caterpillar Inc.
Richard Kobylar, Capgemini
John Kunert, First Restoration
Michael Kuras, American Imaging Management, Inc.
Bill Lang, VCPI
Lince Lawrence, Allianz Cornhill Information Services
Grant Lecky, Citizenship and Immigration Canada
James J. Leflar Jr., CPP, CBCP, Johns Hopkins Bloomberg School of Public Health
Hugh Leighton, Aon Global Risk Consulting
Victoria Leighton, Avanade, Inc.
Eric Levine, Wellpoint
Wayne Lewis, Global Consulting
Judy Little, TSYS
William Lloyd, City National Bank
David Lloyd, The Business Continuity Institute
James Lukaszewski, The Lukaszewski Group Inc.
Bruce Lundeen, AT&T
Tracy Male, Bristol-Myers Squibb
Bill Marotz, Schneider National, Inc.
Andrew Mason, PricewaterhouseCoopers LLP
Diana McClure, Institute for Business & Home Safety
Richard McGlave, Continuity² Ltd
Jim McMahon, CPP, Align Technology
Mohamed Fadhel Meddeb, Efla Consultants Engineers
Cynthia Miller, Abbott
Murray Mills, CPP, New Zealand Ministry of Health
Susan Mitchell, Wilmer Cutler Pickering Hale and Dorr LLP
Goh Moh Heng, BCM Institute
Lawrence Mondschein, Consultant
Ashley Moore, Federal Emergency Management Agency, U.S. Department of Homeland Security
Dennis Morgan, CPP, International Consortium for Organizational Resilience
Richard Moulton, AlliedBarton
James Murphy, North Carolina Department of Health and Human Services
James Murray, Blue Cross and Blue Shield of Florida
Doug Nelson, Business Continuity Solutions
James Nelson, International Consortium for Organizational Resilience
Alan M. Nutes, CPP, Consultant
Kevin O'Donnell, UBS
Augustine O. Okereke, CPP, Statoil Nigeria Ltd
Philip Oppenheim, International Continuity Oversight Board
Mary Parrish, University of North Carolina at Chapel Hill
John A. Petruzzi Jr., CPP, Andrews International
Abigail Pollard, Blake Emergency Services
Jeanne Powell, IBM
Ren Powers, City National Bank
Werner Preining, CPP, Interpool Security Ltd
Russell Price, Continuity Forum
Daniel Puente Pérez, Sociedad de Prevención Asepeyo
Heidi Raffanello, KTM Strategies
Joseph Rector, CPP, PCI, PSP, United States Air Force
George Richards, CPP, Edinboro University of Pennsylvania
Robert Roberts, Federal Home Loan Bank of Atlanta
Jean Rowe, Verisign Inc.
Craig Rydalch, American Imaging Management, Inc.
Marilyn Saiewitz, Bristol-Myers Squibb
Angie Santiago, Contingency Planning Association of the Carolinas
Steve Schulze, WPS Insurance Corporation
Robert Sena, CPP, King’s College
Chris Servia, University Health Systems of Eastern Carolina
John Sharp, Kiln House Associates Ltd
Daniel Shellenberger, Kinder Morgan
Robert Sherwood, North American Security Products Organization
Jeffrey Slotnick, CPP, PSP, Setracon Inc.
Lisa Smallwood, Comprehensive Emergency Management Professionals LLC
Thomas Smith, Comcast
Wolf Smith-Butz, Computer Sciences Corporation
Kurt Sohn, Capgemini
Ian Speirs, North Yorkshire County Council
Sam Stahl, EMC
Jim Stephens, The Royal Bank of Scotland
Stuart Sterling, HM Government (UK) Civil Contingencies Secretariat, Cabinet Office
Richard Taylor, Abu Dhabi Accountability Authority
Darryl Thibault, CPP, Pexis Corporation
Mike Thomson, Association of Contingency Planners
Raymond Trombley, Bank of Hawaii
Dave Tyson, CPP, Pacific Gas and Electric
Eric Van Balen, McKesson Corp.
Ray Van Hook, CPP, The School of The Art Institute
Suzanne Warner Hart, Delaware Department of Transportation
Lee Webster, Society for Human Resource Management
Douglas Weldon, Thomson Reuters
Renee Wentworth, Union First Market Bankshares
Carl Wertman, Mantech SRS Technologies
Robert Whitcher, BSI Management Systems America Inc.
Dan Wilder, Danalie Partners
Frederick Wilson, CBCP, Consulting
Amanda Witt, Booz Allen Hamilton
Zechariah Wei Ning Wong, Atkins
Mark Wright, Brookfield Properties
Tim Wright, Institute of Internal Auditors
Richard Wright, Wright Security, Inc.
Roberta Yang, The Yang Group
Lisa Zammit, Bank of England
Brian Zawada, Avalution Consulting

Working Group Members
Working Group Co-Chairman: Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative, ASIS International
Working Group Co-Chairman: Kevin S. Brear, J.P. Morgan Chase

David Adamson, British Standards Institution
Pradeep Bajaj, PRISMA
Dennis R. Blass, CPP, PSP, Secumetrics LLC
Mark Borchers, CPP, Germanna Community College
Thomas Bozek, Bozek Consulting, LLC
Kevin S. Brear, J.P. Morgan Chase
Patrick Brennan, BCMexperts
Donald Byrne, North River Solutions
Chee Seng Chan, Becton Dickinson Critical Care Systems Pte Ltd
Ian Charters, Continuity Systems Ltd
Lisa DuBrock, The Radian Group, LLC
Edward Eaton, Warner Gudlaugsson LLC
John Hele, British Standards Institution
Brian Kaye, Control Risks Group
Michael Keating, Doulos Business Consulting
Penelope Killow, HFC Bank (HSBC Group)
Paul Kirvan, Paul Kirvan Associates
Donald E. Knox, CPP, Caterpillar Inc.
Richard Kobylar, Capgemini
Bill Lang, VCPI
Lince Lawrence, Allianz Cornhill Information Services
Mohamed Fadhel Meddeb, Efla Consultants Engineers
James Murphy, North Carolina Department of Health and Human Services
Doug Nelson, Business Continuity Solutions
James Nelson, International Consortium for Organizational Resilience
Alan M. Nutes, Consultant
Philip Oppenheim, International Continuity Oversight Board
Russell Price, Continuity Forum
Robert Roberts, Federal Home Loan Bank of Atlanta
Jean Rowe, Verisign Inc.
Angie Santiago, Contingency Planning Association of the Carolinas
Lisa Smallwood, Comprehensive Emergency Management Professionals LLC
Thomas Smith, Comcast
Kurt Sohn, Capgemini
Ian Speirs, North Yorkshire County Council
Stuart Sterling, HM Government (UK) Civil Contingencies Secretariat, Cabinet Office
Mike Thomson, Association of Contingency Planners
Suzanne Warner Hart, Delaware Department of Transportation
Renee Wentworth, Union First Market Bankshares
Dan Wilder, Danalie Partners
Zechariah Wei Ning Wong, Atkins
Brian Zawada, Avalution Consulting


TABLE OF CONTENTS 

TABLE OF CONTENTS............................................................................................................................................. IX 

TABLE OF FIGURES ................................................................................................................................................. X 

TABLE OF TABLES .................................................................................................................................................. XI 

0 INTRODUCTION .............................................................................................................................................. XIII 
0.1 GENERAL ..................................................................................................................................................... XIII 
0.2 PLAN-DO-CHECK-ACT (PDCA) CYCLE ................................................................................................................... XV 

1 SCOPE OF STANDARD ........................................................................................................................................ 1 

2 NORMATIVE REFERENCES ................................................................................................................................. 2 

2.1  GENERAL REFERENCE  ........................................................................................................................................ 2  

3 TERMS AND DEFINITIONS .................................................................................................................................. 2

4 BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) REQUIREMENTS ......................................................... 2 

4.1 GENERAL REQUIREMENTS ................................................................................................................................... 2  
4.2 ESTABLISHING THE CONTEXT .............................................................................................................................. 4  
4.2.1 Scope of the BCMS ............................................................................................................................... 4  
4.2.2 Legal and Other Requirements ............................................................................................................. 4  
4.3  POLICY AND MANAGEMENT COMMITMENT   ........................................................................................................... 4  
4.3.1 Policy .................................................................................................................................................. 5  
4.3.2 Management Commitment.................................................................................................................. 5  
4.4  PLANNING   ..................................................................................................................................................... 6  
4.4.1 Business Impact Analysis and Risk Assessment ..................................................................................... 6  
4.4.1.1 Business Impact Analysis (BIA)........................................................................................................... 6  
4.4.1.2 Risk Assessment................................................................................................................................ 7   
4.4.2 Business Continuity Objectives and Targets .......................................................................................... 7   
4.4.3 Business Continuity Strategies.............................................................................................................. 7   
4.5  IMPLEMENTATION AND OPERATION  ..................................................................................................................... 8  
4.5.1 Resources ............................................................................................................................................ 8  
4.5.2 Roles, Responsibility, and Authority...................................................................................................... 8  
4.5.3 Competence, Training, and Awareness ................................................................................................. 9  
4.5.4 Documentation.................................................................................................................................. 10  
4.5.5 Control of Documents ........................................................................................................................ 10  
4.5.6 Developing and Implementing a Business Continuity Response........................................................... 10  
4.5.6.1 Response Structure ......................................................................................................................... 11  
4.5.6.2 Business Continuity Plans ................................................................................................................ 11  
4.5.7 Communication and Consultation ...................................................................................................... 12  
4.6  CHECKING AND CORRECTIVE ACTION  .................................................................................................................. 12  
4.6.1 Monitoring and Measurement ........................................................................................................... 13  
4.6.2 Evaluation of Conformance and System Performance......................................................................... 13  
4.6.2.1 Evaluation of Conformance ............................................................................................................. 13  
4.6.2.2 Exercises and Testing ...................................................................................................................... 13  
4.6.3 Non-conformity, Corrective Action, and Preventive Action .................................................................. 14  
4.6.4 Control of Records.............................................................................................................................. 14  
4.6.5 Internal Audits ................................................................................................................................... 15  
4.7  MANAGEMENT REVIEW  .................................................................................................................................. 15  

4.7.1 General.............................................................................................................................................. 15  
4.7.2 Review Input...................................................................................................................................... 15  
4.7.3 Review Output ................................................................................................................................... 16  
4.7.4 Opportunities for Improvement.......................................................................................................... 16  
A GUIDANCE ON THE USE OF THE STANDARD .................................................................................................... 17 

A.0 INTRODUCTION  ............................................................................................................................................... 17  
A.4.1 GENERAL REQUIREMENTS............................................................................................................................... 17  
A.4.2 ESTABLISHING THE CONTEXT  ........................................................................................................................... 18  
 A.4.2.1 Scope of the BCMS............................................................................................................................ 19  
 A.4.2.2 Legal and Other Requirements.......................................................................................................... 19  
A.4.3 POLICY AND MANAGEMENT COMMITMENT  ........................................................................................................ 20  
A.4.4 PLANNING  .................................................................................................................................................. 21  
 A.4.4.1 Business Impact Analysis and Risk Assessment .................................................................................. 21  
 A.4.4.2 Business Continuity Objectives and Targets....................................................................................... 27  
 A.4.4.3 Business Continuity Strategies .......................................................................................................... 27   
A.4.5 IMPLEMENTATION AND OPERATION .................................................................................................................. 30  
 A.4.5.1 Resources ......................................................................................................................................... 30  
 A.4.5.2 Roles, Responsibility, and Authority .................................................................................................. 31  
 A.4.5.3 Competence, Training, and Awareness.............................................................................................. 33  
 A.4.5.4 Documentation ................................................................................................................................ 34  
 A.4.5.5 Control of Documents....................................................................................................................... 35  
 A.4.5.6 Developing and Implementing a Business Continuity Response.......................................................... 35  
 A.4.5.7 Communication and Consultation ..................................................................................................... 37  
A.4.6 CHECKING AND CORRECTIVE ACTION  ................................................................................................................. 39  
 A.4.6.1 Monitoring and Measurement .......................................................................................................... 39  
 A.4.6.2 Evaluation of Compliance and System Performance .......................................................................... 40  
 A.4.6.3 Non-conformity, Corrective Action and Preventive Action .................................................................. 41  
 A.4.6.3.1 General ......................................................................................................................................... 41  
 A.4.6.3.2 Corrective Action ........................................................................................................................... 42  
 A.4.6.3.3 Preventive Action........................................................................................................................... 42  
 A.4.6.4 Control of Records ............................................................................................................................ 43  
 A.4.6.5 Internal Audits.................................................................................................................................. 44  
A.4.7 MANAGEMENT REVIEW  ................................................................................................................................. 44  

B COMPATIBILITY WITH OTHER MANAGEMENT SYSTEMS AND THE DHS PS-PREP STANDARDS ......................... 47 

C TERMINOLOGY CONVENTIONS ........................................................................................................................ 51 

D GLOSSARY ....................................................................................................................................................... 52 

E BIBLIOGRAPHY ................................................................................................................................................ 60 

E.1 ASIS INTERNATIONAL PUBLICATIONS .................................................................................................................. 60  
E.2 BRITISH STANDARDS INSTITUTE PUBLICATIONS ...................................................................................................... 60  
E.3  ISO STANDARDS PUBLICATIONS  ......................................................................................................................... 60  
E.4  NATIONAL STANDARDS PUBLICATIONS................................................................................................................. 60  
E.5  OTHER REFERENCED PUBLICATIONS  .................................................................................................................... 61  

TABLE OF FIGURES 
FIGURE 1: PDCA CYCLE APPLIED TO BCMS PROCESSES ....................................................................................................... XV 
FIGURE 2: BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) FRAMEWORK....................................................................... 3  

ASIS/BSI BCM.01-2010

TABLE OF TABLES 
TABLE 1: CORRESPONDENCE BETWEEN THIS STANDARD OF BEST PRACTICES, BS 25999-1:2006,  ISO 9001:2000,  ISO 14001:2004,  
AND ISO 27001:2005 ..................................................................................................................................... 47  
TABLE 2: VERBAL FORMS FOR THE EXPRESSION OF PROVISIONS ............................................................................................. 51  
 

0  INTRODUCTION 
0.1 General
A business continuity management system (BCMS) is an organization-wide process that establishes
a fit-for-purpose, strategic, and operational framework that upon implementation by the
organization’s leadership:
•  Improves an organization’s ability to withstand disruptive events that may jeopardize
the achievement of its purpose, mission, and strategic objectives.
•  Delivers a demonstrable capability to manage a disruption and protect stakeholder
interests.
•  Provides a structured and rehearsed method of restoring an organization’s productive
ability within a planned timeframe after a disruption.
•  Enables an organization to return to its normal state more quickly and safely than would
otherwise be possible.
•  Supports maintenance and continuous improvement of the organization’s BCMS.
•  Promotes the safety and security of internal and external stakeholders.

An actively engaged top management team that directs and embraces a BCMS enables an
organization to create and maintain an effective and efficient business continuity program
(processes, strategies, and solutions). The BCMS enables the organization to systematically
address its stakeholder business continuity needs.
This Standard  may be used by private, public, not-for-profit, and voluntary organizations,
regardless of their size, scope, or complexity. The Standard  accommodates diverse
 jurisdictional, geographical, cultural, operational, and social environments.
The success of a BCMS depends on the active engagement, endorsement, and commitment of
organizational leadership to the BCMS. A BCMS enables an organization to develop a business
continuity management policy, establish objectives and processes to achieve the policy
commitments, and take action as needed for continual improvement of business continuity
performance. A management system is a dynamic and iterative process; therefore, many of the
requirements in this Standard may be addressed concurrently or revisited at any time.
A BCMS has the following base components:
a)  A policy providing a framework for management’s business continuity objectives and
expectations;
 b)  A definition of roles, responsibilities, and resources;
c)  A description of required management process relating to:
i.  Policy;
ii.  Strategic planning;
iii.  Business continuity planning and procedural implementation and operation;

iv.  Performance assessment;
v.  Management review; and
vi.  Continual improvement.
d)  A set of documentation providing auditable evidence demonstrating process
implementation and repeatability.

The adoption and implementation of a range of business continuity management techniques in
a systematic manner can contribute to optimal outcomes for all stakeholders and affected
parties. However, adoption of this Standard will not by itself guarantee optimal preparedness,
continuity, and response outcomes. In order to achieve its objectives, the BCMS should
incorporate the best available practices, techniques, and technologies, where appropriate and
where economically viable. The cost-effectiveness of such practices, techniques, and
technologies should be taken fully into account.
This Standard does not establish absolute requirements for preparedness, response, continuity,
or recovery performance beyond commitments in the organization’s policy to:
a)  Comply with applicable legal requirements and with other requirements to which the
organization subscribes;
b)  Support risk minimization and mitigation; and
c)  Promote continual improvement.

The main body of this Standard  contains only those generic criteria that may be objectively
audited. Guidance on supporting BCM techniques is contained in the annexes of this
document.
This Standard , like other management standards, is not intended to be used to create non-tariff
trade barriers or to increase or change an organization’s legal obligations. Indeed, conformance
with a standard does not in itself confer immunity from legal obligations. Verification of an
organization's conformance to this Standard  may be performed through an external or internal
auditing process. Verification may be by a first-, second-, or third-party mechanism.
Verification does not require third-party certification.
This Standard  does not include requirements specific to other management systems such as
those for quality, occupational health and safety, or financial risk management—though its
elements can be aligned or integrated with those of other management systems. It is possible
for an organization to adapt its existing management system(s) in order to establish a BCMS
that conforms to the criteria of this Standard. It should be understood, however, that the
application of various elements of the management system might differ depending on the
intended purpose and the stakeholder involved.
The level of detail and complexity of the BCMS, the extent of documentation, and the resources
devoted to it will be dependent on a number of factors—such as the scope of the system; the
size of an organization; and the nature of its activities, products, and services. This may be the
case in particular for small and medium-sized enterprises.

0.2 Plan-Do-Check-Act (PDCA) cycle

The management systems approach encourages organizations to analyze organizational and
stakeholder requirements and define processes that contribute to success. This Standard applies
the “Plan-Do-Check-Act” (PDCA) cycle  to establishing, implementing, operating, monitoring,
exercising, maintaining, and improving the effectiveness of an organization’s BCMS.
Use of the PDCA model ensures a degree of consistency with other management systems
standards, such as ISO 9001:2008 (Quality Management Systems), ISO 14001:2004
(Environmental Management Systems), ISO/IEC 27001:2005 (Information Security Management
Systems), ISO 28000 (Security in the Supply Chain) and ISO/IEC 20000:2005 (IT Service
Management), thereby supporting consistent and integrated implementation and operation
with related management systems. A suitably designed management system can thus satisfy
the requirements of all these standards (see Annex B). Organizations that have adopted an ISO
approach to management systems may be able to use their existing management system as a
foundation for the business continuity management system.
Figure 1 illustrates how a BCMS takes as inputs the business continuity requirements and
expectations of the interested parties and, through the necessary actions and processes,
produces business continuity outcomes (i.e., managed business continuity) that meet those
requirements and expectations.
NOTE: In practice, a PDCA cycle is applied to each stage of the BCMS process in an iterative approach.

[Figure 1 is a diagram. Its recoverable content: under the heading "Continual improvement of the
business continuity management system", interested parties' business continuity requirements and
expectations enter the cycle on the left; the cycle runs Establish, then Implement and operate, then
Monitor and review, then Maintain and improve; the output on the right is managed business
continuity, delivered back to interested parties.]

Figure 1: PDCA cycle applied to BCMS processes

Plan (establish the management system): Establish management system policy, objectives,
processes, and procedures relevant to managing business continuity risks and improving
response and recovery processes that deliver results in accordance with the organization’s
strategic needs.

Do (implement and operate the management system): Implement and operate the management
system policy, controls, processes, and procedures.

Check (monitor and review the management system): Monitor, assess, measure, and review
performance against management system policy, objectives, and practical experience; report
the results to management for review; and determine and authorize actions for remediation
and improvement.

Act (maintain and improve the management system): Take corrective and preventive actions,
based on the results of the internal management system audit and management review,
re-appraising the scope of the BCMS and business continuity policy and objectives to achieve
continual improvement of the management system.

Conformance with this Standard  can be verified by the auditing process described in ISO
19011:2002 that is compatible and consistent with the methodology used for ISO 9001:2008, ISO
14001:2004, ISO 28000:2007, and/or ISO/IEC 27001:2005, and the PDCA Model.

AMERICAN NATIONAL STANDARD ASIS/BSI BCM.01-2010

an American National Standard –

Business Continuity Management Systems: Requirements with Guidance for Use

1  SCOPE OF STANDARD 
This Standard  specifies requirements for a business continuity  management system (BCMS)  to
enable an organization to identify, develop, and implement policies, objectives, capabilities,
processes, and programs—taking into account legal and other requirements to which the
organization subscribes or is governed by—to address disruptive events that might impact the
organization and its stakeholders. This Standard  specifies requirements for planning,
establishing, implementing, operating, monitoring, reviewing, exercising, maintaining, and
improving a documented BCMS within the context of managing an organization’s risks.
The requirements specified in this Standard  are generic and intended to be applicable to all
organizations (or parts thereof), regardless of type, size, and nature of the organizational
mission. The scope of these requirements depends on the organization’s operating environment
and complexity.
This Standard seeks to offer a flexible management systems approach to address and minimize
the consequences associated with disruptive events.
This Standard  addresses all aspects of the organization deemed essential to meeting
commitments (as agreed to by top management), consistent with the scope of the BCMS. The
Standard does not itself state specific performance criteria.
The intent of this Standard is to position an organization to design a BCMS that is appropriate to
its needs. These needs are shaped by customer and other stakeholder, regulatory, and
operational requirements; the products and services; the processes employed; the size and
structure of the organization; and jurisdictional and geographic areas of operation.
This Standard is applicable to any organization that chooses to:
a)  Establish, implement, maintain, and improve a BCMS.
b)  Assure itself of its conformity with its stated business continuity management policy.
c)  Demonstrate conformity with this Standard by:
i.  Making a self-determination and self-declaration.
ii.  Seeking confirmation of its conformance by parties having an interest in the
organization (such as customers and supply chain partners).
iii.  Seeking confirmation of its self-declaration by a party external to the
organization.
iv.  Seeking certification/registration of its BCMS by an external organization.


Annex A provides informative guidance on management system planning, implementation,
testing, maintenance, and improvement of a business continuity program.

2  NORMATIVE REFERENCES 
The following standards contain provisions which, through reference in this text, constitute
provisions of this American National Standard. At the time of publication, the editions
indicated were valid. All standards are subject to revision, and parties to agreements based on
this American National Standard are encouraged to investigate the possibility of applying the
most recent editions of the standards indicated below.

2.1 General Reference [1]

ISO Guide 73:2002, Risk management – Vocabulary – Guidelines for use in standards.

3  TERMS AND DEFINITIONS 

An extensive Glossary of terms appears in Annex D.

NOTE: The reader is encouraged to read through the terms and definitions prior to reading the body of the
document.

4  BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) REQUIREMENTS 
4.1 General Requirements
The organization shall establish, implement, operate, monitor, review, maintain, and improve a
documented BCMS within the context of the organization’s overall operational activities and
the risks it faces. Figure 2 outlines the process specified by this Standard.

[1] This document is available from the International Organization for Standardization:
< http://www.iso.ch/iso/en/prods-services/ISOstore/store.html >

[Figure 2 is a diagram of the BCMS framework, drawn as a continual-improvement loop through
the clauses of this Standard. Its recoverable content:
4.2 Establishing the Context: Define Scope of the BCMS; Legal and Other Requirements.
4.3 Policy & Management Commitment: Policy; Management Commitment.
4.4 Planning: BIA & Risk Assessment; Business Continuity Objectives & Targets; Business
Continuity Strategies.
4.5 Implementation & Operation: Resources; Roles, Responsibility and Authorities; Competence,
Training, Awareness; Documentation; Control of Documents; Developing and Implementing a
BCM Response; Response Structure; Business Continuity Plans and Procedures; Communication
and Consultation.
4.6 Checking & Corrective Action: Monitoring & Measurement; Evaluation of Conformance &
System Performance; Exercises & Testing; Nonconformity, Corrective, & Preventive Action;
Control of Records; Internal Audits.
4.7 Management Review: Review Input; Review Output; Opportunities for Improvement.]

Figure 2: Business Continuity Management System (BCMS) Framework

The BCMS shall ensure that:
a)  Processes and strategies appropriately provide for the safety and security of all
stakeholders.
b)  Business continuity management objectives are clearly stated, understood, and
communicated to stakeholders.
c)  Top management defines and communicates the organization’s strategic goals and
objectives for inclusion in the BCMS.
d)  Resources are allocated to meet the goals and objectives of the program.
e)  Those with BCMS management roles and responsibilities are competent to perform their
tasks.
f)  There is a continual assessment of the BCMS elements.

4.2 Establishing the Context

4.2.1 Scope of the BCMS
The organization shall define and document the scope of the BCMS considering its internal and
external context. The organization shall:
a)  Establish the organizational boundaries to be included in the BCMS, being the whole
organization or one or more of its internal entities.
b)  Establish BCMS requirements, considering the organization’s mission, goals, internal
and external obligations (including those related to stakeholders), and legal
responsibilities.
c)  Identify products and services and all related activities within the scope of the BCMS.
d)  Take into account internal and external stakeholders’ needs and interests.
e)  Define the scope of the BCMS in terms of – and appropriate to – the size, nature, and
complexity of the organization.

When defining the scope, the organization shall document any exclusions, where such
exclusions do not affect the organization’s ability and/or responsibility to provide continuity of
business and operations that meet the BCMS requirements (determined by impact analysis or
risk assessment and applicable legal, regulatory, and contractual requirements).

4.2.2 Legal and Other Requirements

The organization shall establish, document, and maintain a procedure(s) to:
a)  Identify and assess legal, regulatory, contractual, and any other relevant requirements to
which the organization subscribes or is governed by related to the continuity of its
operations, products and services, and stakeholder interests.
b)  Assess the impacts of non-conformance.
c)  Determine how these requirements apply to the organization’s risks and their potential
impacts.

The organization shall ensure that these applicable legal and other requirements to which the
organization subscribes or is governed by are taken into account in establishing, implementing,
and maintaining its BCMS.
The organization shall keep the information required herein up-to-date.

4.3 Policy and Management Commitment

Top management shall establish, document, provide resources, and demonstrate commitment
to a business continuity management policy within the defined scope of the BCMS.

4.3.1 Policy
Top management shall define the business continuity management policy in terms of the
characteristics of the organization, its location(s) and operating environment, its stakeholders,
obligations, and assets.
The policy shall include or make reference to:
a)  Alignment with the organization’s mission, strategic objectives, and risk management
approach as it pertains to the BCMS and BCM program;
b)  Commitment to proactively manage the impact of disruptive events;
c)  A framework for setting objectives, direction, and principles for action;
d)  Legal, regulatory, and contractual requirements;
e)  The scope of the business continuity management system, including limitations and
exclusions;
f)  A commitment to leadership oversight; and
g)  Continual improvement.

The policy shall be:
a)  Approved by top management;
b)  Communicated to all persons working for or on behalf of the organization deemed
within the scope of the BCMS;
c)  Available to stakeholders as approved by management; and
d)  Reviewed at defined intervals and when significant changes occur.

4.3.2 Management Commitment

Top management shall provide evidence of its commitment to the establishment,
implementation, operation, monitoring, review, maintenance, and improvement of the BCMS
by:
a)  Establishing a BCM policy;
b)  Ensuring that BCMS objectives and plans are established;
c)  Establishing roles, responsibilities, and competencies for BCM;
d)  Appointing one or more persons to be responsible for the BCMS with the appropriate
authority and competencies to be accountable for the implementation and maintenance
of the management system;
e)  Communicating and promoting awareness within the organization of the importance of
meeting BCMS objectives and conforming to BCM policy, its responsibilities under the
law, and the need for continual improvement;

f)  Providing sufficient resources to establish, implement, operate, monitor, review,
maintain, and continually improve the BCMS;
g)  Defining the criteria for accepting risks and the acceptable levels of risk;
h)  Actively engaging in exercises and testing;
i)  Ensuring that internal BCMS audits are conducted;
j)  Conducting management reviews of the BCMS; and
k)  Demonstrating its commitment to continual improvement.

4.4 Planning
4.4.1 Business Impact Analysis and Risk Assessment
The organization shall establish, implement, and maintain a formal and documented evaluation
process to systematically analyze risk and impacts, and establish business continuity objectives
consistent with the scope and policy of the BCMS.
The organization shall:
a)  Evaluate the impact of disruptive events within its internal and external context;
b)  Define and establish business continuity and recovery objectives and priorities;
c)  Evaluate the direct and indirect benefits and costs of options to reduce risk;
d)  Identify programs required to ensure achievement of its objectives prior to, during, and
following a disruption;
e)  Assess risks and impacts following the changes within the organization's environment
caused by internal or external factors; and
f)  Document and keep this information updated, secured (as appropriate), and readily
available for authorized use.

4.4.1.1  Business Impact Analysis (BIA)

The organization shall establish, implement, and maintain a formal documented process and
methodology for conducting a business impact analysis (BIA). The organization’s BIA shall assess
and prioritize organizational activities, and resources required to deliver its products and
services (including interdependencies and time and/or event-driven variations) by:
a)  Identifying the potential impacts over time of disruptions resulting from uncontrolled,
non-specific events on the organization’s activities and resources;
b)  Identifying legal, regulatory, and contractual requirements for the organization’s
activities and resources;
c)  Based on the impacts, estimating maximum allowable downtime for each product,
service, and activity; and
d)  Setting recovery time objectives for resuming, at a specified acceptable level, the
organization’s activities and resources, taking into consideration the time within which
the impacts of not resuming them would become unacceptable.
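The following is an added worked example of the BIA steps in 4.4.1.1 (impact over time, maximum allowable downtime, and recovery time objectives that respect interdependencies). It is illustrative code, not part of this Standard and not any organization's BIA tool. The activities, their impact-over-time profiles, the 0–5 impact scale, the "unacceptable" threshold of 3, and the 50% safety margin between maximum allowable downtime and RTO are all constructed assumptions.

```python
"""Added example: a small business impact analysis (BIA) calculation.

Assumptions (not from the Standard): impact is scored 0-5, an impact of
3 or more is treated as unacceptable, and an RTO is set at half the
maximum allowable downtime so that recovery completes with margin.
"""
from __future__ import annotations

from dataclasses import dataclass, field

UNACCEPTABLE_IMPACT = 3   # assumed threshold on the 0-5 scale
RTO_MARGIN = 0.5          # assumed: RTO = maximum allowable downtime * margin


@dataclass
class Activity:
    name: str
    # Impact level reached if the activity is still down after N hours
    # (clause a): {hours_down: impact_level}.
    impact_over_time: dict[int, int]
    # Resources/activities this one cannot resume without (interdependencies).
    depends_on: list[str] = field(default_factory=list)


def maximum_allowable_downtime(act: Activity, threshold: int = UNACCEPTABLE_IMPACT):
    """Clause c): the first point in time at which impact becomes unacceptable.
    Returns None when the profile never reaches the threshold."""
    for hours in sorted(act.impact_over_time):
        if act.impact_over_time[hours] >= threshold:
            return hours
    return None


def recovery_time_objectives(activities, threshold=UNACCEPTABLE_IMPACT, margin=RTO_MARGIN):
    """Clause d): set an RTO per activity, below its maximum allowable downtime.

    Interdependencies are propagated: if A depends on B, B must be back no
    later than A, so B's RTO is tightened to A's RTO. Repeats until stable
    so chains of dependencies are handled.
    """
    mad = {a.name: maximum_allowable_downtime(a, threshold) for a in activities}
    rto = {n: (None if m is None else m * margin) for n, m in mad.items()}
    changed = True
    while changed:
        changed = False
        for a in activities:
            if rto[a.name] is None:
                continue
            for dep in a.depends_on:
                if dep not in rto:
                    raise KeyError(f"unknown dependency {dep!r} for {a.name}")
                if rto[dep] is None or rto[dep] > rto[a.name]:
                    rto[dep] = rto[a.name]
                    changed = True
    return rto


def recovery_priority(rto):
    """Prioritize activities by RTO; those without an RTO go last."""
    return sorted(rto, key=lambda n: (rto[n] is None, rto[n] or 0))


# Constructed sample data (hypothetical organization).
SAMPLE_ACTIVITIES = [
    Activity("order-processing", {4: 1, 24: 3, 72: 5}, depends_on=["erp-system"]),
    Activity("payroll", {24: 1, 120: 2, 168: 4}),
    Activity("erp-system", {72: 3}),
    Activity("archive-retrieval", {720: 2}),   # never reaches the threshold
]


def run_bia():
    """Return (RTO per activity, recovery priority order) for the sample data."""
    rto = recovery_time_objectives(SAMPLE_ACTIVITIES)
    return rto, recovery_priority(rto)


if __name__ == "__main__":
    rto, order = run_bia()
    for name in order:
        print(f"{name:18} RTO={rto[name]} h")
```

Note what the dependency step changes: on its own profile the ERP system could tolerate 72 hours and would get a 36-hour RTO, but because order processing (RTO 12 hours) cannot resume without it, the ERP system inherits the 12-hour RTO. This is the "interdependencies" point of 4.4.1.1 made concrete.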

4.4.1.2 Risk Assessment

The organization shall establish, implement, and maintain a formal documented risk
assessment process to systematically identify, analyze, and evaluate the risk of disruptive
events to the organization. The organization shall:
a)  Identify risks (and their sources) that may lead to unacceptable levels of disruption to
the activities needed to achieve the organization’s objectives associated with activities,
processes, facilities, people, systems, information, resources, assets (tangible and
intangible), and partner and supplier relationships;
b)  Systematically analyze risk;
c)  Evaluate which risks require treatment; and
d)  Identify treatments commensurate with business continuity and recovery objectives,
resource availability, related costs, and stakeholder expectations.

4.4.2 Business Continuity Objectives and Targets

The organization shall establish and maintain documented business continuity objectives
consistent with the business continuity expectations for organizational activities, dependency
relationships outside the organization (such as suppliers), and stakeholder requirements.
Business continuity objectives and targets shall be measurable qualitatively and/or
quantitatively, and consistent with the BCM policy.

When establishing and reviewing its objectives and targets, an organization shall consider the
legal, regulatory, and contractual requirements; the significant risks and impacts; risk tolerance;
resource options; financial, operational, contractual, and organizational requirements; and the
views of stakeholders.

4.4.3 Business Continuity Strategies

The organization shall establish and maintain strategies for achieving its business continuity
objectives and targets to prevent, prepare for, mitigate, respond to, and recover from disruptive
incidents. Such strategies shall include:
a)  A designation of responsibility and resources for achieving objectives and targets at
relevant activities and levels of the organization; and
b)  A means and timeframe by which the strategies are to be achieved.

The organization shall:
a)  Define a fit-for-purpose, predefined, and documented response structure that will
promote a safe and secure workplace, and an effective response and recovery effort
following a disruptive event. The response structure shall address appropriate
relationships and liaise with local authorities and assure the availability of necessary
communications with internal and external stakeholders regardless of the operating
environment.
b)  Determine how it will recover each activity and resource based on its business
continuity and recovery objectives.
c)  Determine arrangements needed with suppliers and outsource partners to ensure the
timely delivery of their products and services.
d)  Determine how it will manage relationships with its stakeholders and external parties
involved in the recovery effort, including coordination with public authorities.

4.5 Implementation and Operation

4.5.1 Resources
Management shall ensure the availability of resources essential for the implementation and
maintenance of the business continuity management system and the business continuity
strategies (see 4.4.3). Resources include facilities, human resources, equipment, infrastructure
and other services, technology, information, intelligence, and financial resources.

The organization shall determine and provide the resources needed to:
a)  Establish, implement, operate, monitor, review, maintain, and continually improve the
BCMS and its business continuity strategies;
b)  Assess and participate in agreements related to interdependencies and mutual aid, if
applicable; and
c)  Maintain adequate proactive and reactive capacity.

The organization shall develop and document financial, logistical, and administrative
procedures to support the business continuity strategies before, during, and after an incident.
Procedures shall be:
a)  Established to ensure that fiscal decisions can be expedited; and
b)  In accordance with established authority levels, governance, and accounting principles.

4.5.2 Roles, Responsibility, and Authority

Roles, responsibilities, and authorities shall be defined, documented, and communicated to
facilitate effective business continuity management.

The organization’s top management shall assume the following responsibilities or shall:
a)  Designate a management representative(s) with appropriate authority and
accountability for the BCMS, irrespective of other responsibilities, who will ensure that
the business continuity management system is established, communicated,
implemented, and maintained in accordance with the policy requirements, and report
on the performance of the business continuity management system to top management
for review and as the basis for improvement;
b)  Ensure all management, staff, and other stakeholders (internal and external) are aware
and accountable to support the BCMS;
c)  Identify personnel with the authority to invoke business continuity plans and
procedures based on triggers and escalation criteria, as well as terminate response and
recovery operations following the conclusion of the event; and
d)  Identify appropriate business continuity management teams with appropriate authority
and responsibility to oversee and execute response and recovery efforts as documented
in the BCMS plan(s).

4.5.3 Competence, Training, and Awareness

The organization shall ensure that any person(s) assigned business continuity responsibilities
under the BCMS framework is (are) competent to perform the required tasks by:
a)  Determining the necessary competencies for such persons;
b)  Conducting a training needs analysis on personnel being assigned business continuity
management roles and responsibilities;
c)  Providing training based on the competency requirements;
d)  Ensuring that the necessary competence has been achieved and maintained; and
e)  Maintaining associated records of education, training, skills, experience, and
qualifications.

The organization shall establish, implement, and maintain awareness, competence, and training
procedures to ensure persons working for it or on its behalf are aware of:
a)  Applicable strategies and procedures specific to business continuity, including
mitigation, response, communication, recovery, and resumption;
b)  The importance of conformity with the business continuity management policy and with
the requirements of the BCMS;
c)  Their roles and responsibilities in achieving conformity with the requirements of the
business continuity management system;
d)  The significant risks, and actual or potential impacts, associated with their work; and
e)  The benefits of improved personal performance.

The organization shall promote awareness to build a culture that ensures business continuity
becomes part of its core values and governance, and makes its stakeholders aware of its BCM
policy and their roles in any plans.
The organization shall evaluate the efficacy of business continuity awareness, competence, and
training procedures and retain associated records.

4.5.4 Documentation
BCMS documentation shall include:
a)  A description of the purpose and scope of the BCMS;
b)  The BCM policy, objectives, targets, and measures;
c)  A description of the main elements of the BCMS and their interaction; and
d)  Documents, including records, required by this Standard, or determined by the
organization to be necessary to ensure the effective planning, operation, and
maintenance of processes that relate to its identified risks and their impacts and the
business continuity plans.

BCMS documentation shall be reviewed and updated on a regular basis; however, significant
organizational or process changes should be addressed promptly.

4.5.5 Control of Documents

Records are a special type of document and shall be maintained in accordance with the
requirements given in 4.6.4.
The organization shall establish, implement, and maintain a procedure(s) to ensure:
a)  Documents are approved for adequacy prior to being marked as a final, approved copy;
b)  Documents are reviewed and updated with each significant change impacting the
validity of the document and re-approved;
c)  Summaries of document change and the current revision status of each document are
identified;
d)  Relevant versions of applicable documents are available at points of use;
e)  Documents of external origin are identified and their distribution controlled;
f)  Unintended use of obsolete documents is prevented and that such documents are
marked as such, if they are to be retained for any purpose;
g)  Documents remain legible, readily identifiable, and retrievable;
h)  Provisions for document identification, storage, protection, and retrieval;
i)  Only authorized personnel have access to documents in order to protect individuals’
personal sensitive data and adherence to legal and jurisdictional requirements; and
j)  Documents are tamper-resistant; securely backed-up; and protected from damage,
deterioration, or loss.
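As an added illustration of how several of the 4.5.5 requirements can be enforced in one mechanism (approval before a revision becomes the controlled copy, per-revision change summaries and status, automatic marking of superseded revisions as obsolete, and tamper-evident history), here is a minimal controlled-document register. This is example code written for this page, not part of this Standard and not any product's implementation. The Standard does not prescribe a tamper-resistance mechanism; the SHA-256 hash chain over the event log is one assumed way to make after-the-fact edits to the history detectable. Document IDs, revision texts, and the names "alice" and "bob" are constructed sample values.

```python
"""Added example: a minimal controlled-document register.

Each change to the register is an append-only event record chained by
SHA-256 to its predecessor, so altering or deleting an earlier record
invalidates every hash after it (an assumed mechanism for 4.5.5 j).
"""
import hashlib
import json

GENESIS = "0" * 64   # prev_hash of the first record


class DocumentRegister:
    def __init__(self):
        self._log = []       # hash-chained event records (never edited in place)
        self._current = {}   # doc_id -> revision approved for use at points of use

    # ---- integrity of the history (clause j) ---------------------------
    @staticmethod
    def _digest(record, prev_hash):
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + body).encode()).hexdigest()

    def _append(self, **fields):
        prev_hash = self._log[-1]["hash"] if self._log else GENESIS
        record = {"seq": len(self._log), **fields}
        self._log.append({**record, "prev_hash": prev_hash,
                          "hash": self._digest(record, prev_hash)})

    def verify_chain(self):
        """Recompute every hash; False if any record was altered or removed."""
        prev_hash = GENESIS
        for entry in self._log:
            record = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
            if entry["prev_hash"] != prev_hash or entry["hash"] != self._digest(record, prev_hash):
                return False
            prev_hash = entry["hash"]
        return True

    # ---- document control (clauses a, b, c, d, f) -----------------------
    def _submissions(self, doc_id):
        return [e for e in self._log if e["doc_id"] == doc_id and e["event"] == "submitted"]

    def submit_revision(self, doc_id, content, author, change_summary):
        """Register a new draft revision with its change summary (clause c)."""
        revision = len(self._submissions(doc_id)) + 1
        self._append(doc_id=doc_id, revision=revision, event="submitted",
                     actor=author, summary=change_summary, content=content)
        return revision

    def status(self, doc_id, revision):
        """Current revision status: draft, approved, obsolete, or None if unknown."""
        events = [e["event"] for e in self._log
                  if e["doc_id"] == doc_id and e["revision"] == revision]
        if not events:
            return None
        return {"submitted": "draft", "approved": "approved", "obsoleted": "obsolete"}[events[-1]]

    def approve(self, doc_id, revision, approver):
        """Clauses a, b, f: only a draft can be approved; the previously
        approved revision is marked obsolete rather than deleted."""
        if self.status(doc_id, revision) != "draft":
            raise ValueError(f"{doc_id} rev {revision} is not a draft awaiting approval")
        previous = self._current.get(doc_id)
        if previous is not None:
            self._append(doc_id=doc_id, revision=previous, event="obsoleted", actor=approver,
                         summary=f"superseded by revision {revision}", content=None)
        self._append(doc_id=doc_id, revision=revision, event="approved", actor=approver,
                     summary="approved for use", content=None)
        self._current[doc_id] = revision

    def current(self, doc_id):
        """Clause d: the approved copy available at points of use, or None."""
        revision = self._current.get(doc_id)
        if revision is None:
            return None
        for e in self._submissions(doc_id):
            if e["revision"] == revision:
                return revision, e["content"]
        return None


def demo():
    """Walk a constructed document through draft, approval, and supersession."""
    reg = DocumentRegister()
    reg.submit_revision("BCP-01", "Plan text v1", "alice", "initial draft")
    reg.approve("BCP-01", 1, "bob")
    reg.submit_revision("BCP-01", "Plan text v2", "alice", "updated call tree")
    reg.approve("BCP-01", 2, "bob")
    return reg


if __name__ == "__main__":
    r = demo()
    print(r.current("BCP-01"), r.status("BCP-01", 1), r.verify_chain())
```

Two behaviours are worth noting. A submitted revision does not replace the controlled copy until it is approved, so a draft can never reach a point of use by accident (clauses a and b). And the history is never edited: supersession is recorded as an extra "obsoleted" event, and any later edit to the stored log breaks `verify_chain()`, which is what makes the register tamper-evident rather than merely access-controlled.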

4.5.6 Developing and Implementing a Business Continuity Response

The organization shall establish, implement, and maintain business continuity plans and
procedures to manage a disruptive event and continue its activities based on recovery objectives
identified in the business impact analysis. The organization shall document plans and
procedures (including necessary arrangements) to ensure continuity of activities and
management of a disruptive event. The plans and procedures shall be:
a)  Establishing the appropriate internal and external communications protocol;
b)  Specific regarding the immediate steps that should be taken during a disruption;
c)  Flexible to respond to unanticipated threat scenarios and changing internal and external
conditions;
d)  Focused on the impact of events that could potentially disrupt operations;
e)  Developed based on stated assumptions and an analysis of interdependencies; and
f)  Effective in minimizing consequences through implementation of appropriate
mitigation strategies.

4.5.6.1 Response Structure


The organization shall establish, document, and implement procedures and a management
structure to prepare for, mitigate, and respond to a disruptive event using personnel with the
necessary authority, experience, and competence.
The response structure shall:
a)  Identify impact thresholds that justify initiation of formal response;
 b)  Assess the nature and extent of a disruptive event or the potential impact;
c)  Initiate an appropriate business continuity response;
d)  Have plans, processes, and procedures for the activation, operation, coordination, and
communication of the response;
e)  Have resources available to support the plans, processes, and procedures to manage a
disruptive event, or to minimize impact before it is realized; and
f)  Communicate with stakeholders and authorities, as well as the media.

4.5.6.2 Business Continuity Plans


The organization shall establish documented plans that detail how the organization will
manage a disruptive event and how it will recover or maintain its activities to a predetermined
level, based on management-approved recovery objectives.
Each plan shall define:
a)  Purpose and scope;
 b)  Objectives, targets and metrics;
c)  Activation criteria and procedures;
d)  Implementation procedures;
e)  Roles, responsibilities, and authorities;
f)  Communication requirements and procedures;
g)  Internal and external interdependencies and interactions;
h)  Resource requirements; and
i)  Information flow and documentation processes.

The organization shall periodically test, review, and (where necessary) revise its business
continuity plans—in particular, after the occurrence of the disruptive event and its associated
post-event review.

4.5.7 Communication and Consultation


The organization shall establish, implement, and maintain procedure(s) for:
a)  Internal communication amongst stakeholders and employees within the organization;
 b)  External communication with customers, partner entities, local community, and other
stakeholders – including the media;
c)  Receiving, documenting, and responding to communication from internal and external
stakeholders;
d)  Taking into account external and/or internal threat advisory systems in planning and
operational use;
e)  Alerting stakeholders potentially impacted by an actual or impending disruptive event;
f)  Ensuring availability of the means of communication during a disruptive event;
g)  Facilitating structured communication with appropriate authorities and ensuring the
interoperability of multiple responding organizations and personnel, where appropriate;
and
h)  Operating and testing communications capabilities intended for use during
disruption of normal communications.

4.6 Checking and Corrective Action


The organization shall evaluate the BCMS—including the efficacy of business continuity
strategies, capabilities, and plans—through periodic assessments, testing/exercises, post-event
analyses, other lessons learned, and performance evaluations. Significant findings should be
reflected in strategies and plans as soon as practical. The organization shall keep records of the
results of the periodic evaluations.

4.6.1 Monitoring and Measurement


The organization shall establish and maintain procedures to monitor and measure the
management system performance on a periodic basis. The procedure(s) shall document the
information associated with BCMS performance monitoring, including applicable operational
controls and other means of ensuring conformity with the organization's BCMS objectives.
The organization shall establish and maintain procedure(s) for maintaining and reviewing
business continuity strategies and plans. It shall:
a)  At defined intervals, review BCMS documentation to ensure continuing suitability,
adequacy, and effectiveness; and
b)  Ensure its business continuity capability and appropriateness are reviewed at planned
intervals and when significant changes occur to ensure its continuing suitability,
adequacy, and effectiveness.

4.6.2 Evaluation of Conformance and System Performance


The organization shall ensure that the business continuity policy, objectives, strategies, and
plans meet the organization’s strategic requirements. This evaluation of business continuity
conformance and performance will ensure the BCMS remains aligned to and provides the
organization with the means to be prepared for a process or service disruption, thus allowing
the organization to meet its legal, regulatory, and contractual requirements and minimizing the
impact to stakeholders.

4.6.2.1 Evaluation of Conformance


The organization shall establish and maintain procedure(s) for periodically evaluating
conformance with applicable legal, regulatory, and contractual requirements to which the
organization subscribes in order to meet the organization’s commitment to conformance. The
organization shall keep records of the results of the periodic evaluations.

4.6.2.2 Exercises and Testing


The organization shall ensure that its BCMS – specifically its business continuity plans, teams,
and resources – are validated by exercise and review and are kept current.
The organization shall:
a)  Establish a program, approved by top management, to ensure exercises are carried out
at planned intervals and as significant changes occur due to internal and external
factors;
 b)  Develop exercises that are consistent with the scope of the BCMS;
c)  Define the objectives and targets of every exercise;
d)  Plan exercises to prevent a disruptive event occurring as a direct result of the exercise;
e)  Exercise its business continuity plans, teams, and facilities to ensure that they meet
organizational requirements;
f)  Carry out a range of different exercises that taken together validate the whole of its
 business continuity arrangements;
g)  Carry out a post-exercise review that will assess the achievement of the objectives and
targets of the exercise, lessons learned, and opportunities for improvement; and
h)  Submit to top management a written report of the exercise, outcomes, and feedback,
including recommended corrective and preventative actions.

4.6.3 Non-conformity, Corrective Action, and Preventive Action


The organization shall improve its BCMS through the identification of non-conformities and
application of preventive and corrective actions. Changes arising from preventive and
corrective actions shall be reflected in appropriate BCMS documentation.
The organization shall take action to eliminate the cause of non-conformities associated with the
implementation and operation of the BCMS to prevent their occurrence as well as take action to
prevent potential non-conformities from occurring.
These actions include:
a)  Identification and correction of each actual non-conformity, together with the mitigation
of their business impact;
 b)  Investigation and elimination of the cause of each actual non-conformity, in order to
prevent recurrence;
c)  Determination of actions to eliminate the causes of potential non-conformities to prevent
their occurrence;
d)  Any action taken to identify, correct, mitigate, prevent, or eliminate the causes or effects
of each actual and potential non-conformity appropriate to the magnitude of problems
and the business impact encountered;
e)  Documentation of the non-conformities identified, as well as the corrective and
preventive actions taken; and
f)  A review of corrective and preventative actions taken and implemented within the
context of the BCM policy and risk and impact assessment.

4.6.4 Control of Records


The organization shall establish and maintain records to demonstrate conformity to the
requirements of its BCMS and the results achieved.

The organization shall establish, implement, and maintain a procedure(s) to protect the integrity
of records including access to, identification, storage, protection, retrieval, retention, and
disposal of records.
Records shall be and remain legible, identifiable, and traceable.

4.6.5 Internal Audits


The organization shall plan and conduct internal audits of the BCMS periodically, such that:
a)  Audit programs shall be planned, established, implemented, and maintained by the
organization, taking into account the business impact analysis, risk assessment, control
and mitigation measures, plan documentation, exercises, management involvement, and
the results of previous audits;
 b)  Audits shall determine whether the BCMS:
i.  Conforms to planned arrangements, including the requirements of this Standard;
ii.  Has been properly implemented and is maintained; and
iii.  Is effective in meeting the organization’s business continuity policy and
objectives;
c)  Information on the results of audits shall be provided to top management in order to
drive BCMS improvement; and
d) Audit procedure(s) shall be established, implemented, and maintained that address:
i.  Responsibilities, competencies, and requirements for planning and conducting
audits, reporting results, and retaining associated records;
ii.  Determination of audit criteria, scope, frequency, and methods; and
iii.  Selection of auditors and conduct of audits so as to ensure objectivity and the
impartiality of the audit process.

4.7 Management Review


4.7.1 General
Top management shall review the organization’s BCMS at planned intervals and when
significant changes occur to ensure its continuing suitability, adequacy, and effectiveness. This
review shall include assessing opportunities for improvement and the need for changes to the
BCMS, including policy, objectives, and targets. Results of management reviews shall be
documented.

4.7.2 Review Input


The input to a management review shall include:
a)  Follow-up actions from previous management reviews;
b)  Results of BCMS audits and reviews;
c)  Results of education and awareness training programs;
d)  Any internal or external changes that could affect the BCMS;
e)  Communication with stakeholders;
f)  Techniques, products, or procedures that could be used in the organization to improve
BCMS performance and effectiveness;
g)  Emerging good practice and guidance;
h)  Status of preventive and corrective actions;
i)  Level of residual risk and acceptable risk;
 j)  Vulnerabilities and threats not adequately addressed in previous risk assessments;
k)  Results and lessons learned from exercises, tests, and incidents;
l)  Current resource allocation to treat risks as needed to meet the organization’s BCM
policy and objectives; and
m)  Recommendations for improvement.

4.7.3 Review Output


The output from a management review shall include any decisions and actions related to:
a)  Varying the scope of the BCMS;
 b)  Improving the effectiveness of the BCMS;
c)  Modifying business continuity strategies and plans, as necessary, to respond to internal
or external events that could impact the BCMS, including changes to:
i.  Business requirements;
ii.  Statutory, regulatory, and contractual requirements;
iii.  Levels of risk and/or levels of risk acceptance;
iv.  Resource needs; and
v.  Funding and budget requirements.

4.7.4 Opportunities for Improvement


The organization shall continually improve the effectiveness of the BCMS through the review of
the business continuity policy and objectives, audit results, analysis of monitored exercises and
events, preventive and corrective actions, and management review.

Annex A
(informative)

A  GUIDANCE ON THE USE OF THE STANDARD 


 A.0 Introduction
Natural disasters, environmental accidents, technology mishaps, and man-made crises have
historically demonstrated that disruptive incidents will happen, impacting the public and
private sectors alike. The challenge to organizations goes beyond most emergency response
plans or disaster management activities previously deployed. Organizations should engage in a
comprehensive and systematic process to manage the continuity of operations. It is no longer
enough to draft a response plan that anticipates disasters or emergency scenarios. Today’s
threats require the creation of an on-going, dynamic, and interactive management process that
serves to assure the continuation of an organization’s core activities before, during, and after a
major disruptive incident.
This Standard provides:
a)  Organizations of all sizes and types (private, not-for-profit, and public sectors) with the
elements needed to achieve and demonstrate proactive risk reduction and business
continuity.
 b)  A framework to aid organizations in successfully managing a disruptive incident by
developing a strategy and action plan to safeguard its interests and those of its
stakeholders; and
c)  A holistic management process to help avoid and minimize the suspension of service
and operations and having procedures to allow a return to normal services and
operations as rapidly as possible.

It is good practice for an organization to protect its physical, virtual, and human assets. The
success of the management system depends on the commitment at all levels and activities in the
organization, especially the organization’s top management. Decision makers should be
prepared to budget and secure the necessary resources to support the BCMS. It is necessary
that an appropriate structure be implemented to effectively deal with prevention, mitigation,
and management. Regardless of the organization – for profit, not for profit, faith-based, non-
governmental – its leadership has a duty to stakeholders to plan for its continued operation.

 A.4.1 General Requirements


The additional text given in this annex is strictly informative and is provided to assist the
understanding of requirements contained in Section 4 of this Standard. While this information
addresses and is consistent with the requirements of Section 4, it is not intended to add to,
subtract from, or in any way modify those requirements.
The implementation of a BCMS specified by this Standard is intended to result in improved
business continuity integrated with the organization’s other policies and plans such as privacy,
security, and safety. Therefore, this Standard is based on the premise that the organization
should periodically review and evaluate its BCMS to identify opportunities for improvement
and their implementation. The organization should determine the rate, extent, and timescale of
this continual improvement process in the context of economic and other circumstances.
Improvements in its business continuity management system are intended to result in further
improvements in business performance.
This Standard requires an organization and its management to:
a)  Define and document the scope of the BCMS considering its internal and external
context;
 b)  Take into account applicable legal and other requirements when establishing the BCMS;
c)  Demonstrate continuing commitment to business continuity management policy;
d)  Maintain a formal process to analyze priorities, impacts, and risks, and establish
 business continuity objectives consistent with the scope and policy of the BCMS;
e)  Ensure the availability of resources (including financial and empowered, competent
human resources) to implement and maintain the business continuity management
system, and a system of BCMS records including a management structure, plans, and
procedures to maintain business continuity during and after disruptive incidents; and
f)  Evaluate the efficacy of the BCMS, business continuity strategies, capabilities, and plans.

 A.4.2 Establishing the Context


The organization establishes the context of its BCMS by identifying and understanding the
internal and external influences and environment in which it operates. By establishing the
context, an organization can define the scope of its BCMS and design a fit-for-purpose
framework for business continuity management. This should assure that the organization
meets the objectives, needs and concerns of internal and external stakeholders.
When initiating a BCMS, the organization should conduct an analysis or review to help
establish the context of its operations and determine the boundaries of its scope. For example,
when conducting the analysis or review, the organization should consider:
•  Assets, activities, products, and services;
•  Risks associated with normal, abnormal, and emergency situations (actual and
potential);
•  Applicable legal and other requirements;
•  Supply chain, contractual, community, and mutual aid agreements;
•  Interdependencies and supporting infrastructure;
•  Previous disruptions, accidents, incident reports, and exercise reports;
•  Audit reports;
•  Government advisories; and
•  Political and social operating environment.

A.4.2.1 Scope of the BCMS


An organization has the freedom to define the boundaries for implementing its BCMS. It may
choose to implement the BCMS across the entire organization, specific operating units, discrete
geographic locations, or clearly defined supply chain flows. These scoping boundaries reflect
top management objectives for the BCMS, and the size, nature, and complexity of the
organization and its activities. Once top management defines the BCMS scope, all assets,
activities, products, and services within that scope become elements of concern within the
BCMS.
Outsourced activities and the supply chain remain the organization’s responsibility and should be
within the BCMS. If an outsourced product, service, activity, or part of the organization’s
supply chain remains under the organization’s risk accountability and management control,
then top management should place it within the scope of the BCMS. The organization should
make appropriate agreements and take appropriate measures to assure effective BCM
agreements are in place with its suppliers and outsource partners.
The organization should justify all exclusions from the scope of the BCMS using risk assessment
and impact analysis in the justification. Exclusions may include the inability of an organization
to provide the continuity of its business and operations, or meet its legal and other
requirements and obligations. The scope should ensure the integrity and continuity of
operations. The credibility of the BCMS depends on the choice of organizational boundaries
defined in the scope.
The level of detail and complexity of the BCMS, the extent of documentation required, and
resources committed to the BCMS should guide the BCMS scope statement. When the
organization implements the Standard for a specific operating unit, then the organization may
use applicable policies, plans, and procedures developed by other parts of the organization to
satisfy the requirements of this Standard.

A.4.2.2 Legal and Other Requirements


The organization should identify and understand legal, regulatory, and contractual
requirements that affect its business continuity intentions. These may include national,
international, state, local, legal, and regulatory requirements. Identifying and understanding
these requirements should help to ensure legal compliance, prevent litigation, minimize
liability, improve the organization’s image, and meet its obligations to society.
Examples of other requirements to which the organization may subscribe include, if applicable:
•  Business and other contractual obligations;
•  Agreements with public authorities, community groups, or non-governmental
organizations;
•  Agreements with customers;
•  Non-regulatory guidelines;
•  Voluntary principles or codes of practice;
•  Product or service stewardship commitments (e.g., warranties);
•  Requirements of trade associations;
•  Public commitments of the organization or its parent organization;
•  Non-binding protocols;
•  Healthcare requirements;
•  Financial obligations;
•  Social responsibility and environmental commitments; and
•  Identity information and privacy requirements.

Legal obligations vary by jurisdiction and geographic location, by the type and nature of
operations, and by the location, type, and nature of the organization’s customers. Therefore,
it is important that the organization be aware of its obligations within the context of its
operating environment.
The organization should identify all relevant statutory, regulatory, contractual, and other
requirements and communicate this information to appropriate stakeholders. The organization
should evaluate which requirements apply and where they apply, and identify who should
receive this information. The organization should explicitly define, document, and keep current
its approach to accessing and addressing these requirements. Similarly, the organization
should define and document specific business continuity methods and controls as well as
individual responsibilities to meet these requirements.

 A.4.3 Policy and Management Commitment


The BCMS management policy is the driver for implementing and improving an organization’s
 business continuity management system so that it can address and potentially improve its
ability to continue business operations during and after disruptive incidents. The BCMS policy
should therefore reflect the commitment of top management to:
a)  Define the scope of the BCMS in terms of its organizational boundaries, products, and
services; stakeholder needs and interests; and supply chain – as well as any limitations
and exclusions;
 b)  Comply with legal, regulatory, and contractual requirements;
c)  Align the BCMS with the organization’s mission, strategic objectives, and risk
management approach;
d)  Proactively manage the impact of disruptive events;
e)  Provide active, engaged leadership oversight; and
f)  Promote continual improvement.

The BCMS management policy should be sufficiently clear to interested internal and external
parties. Top management reviews, revises, and endorses the policy periodically to reflect
changing conditions and information. The scope of the policy should be clearly identifiable and
reflect the unique nature, scale, and impact of the BCMS on the organization’s activities,
products, and services.
The BCMS management policy should be communicated and made available to all persons who
work for or on behalf of the organization and others such as customers, investors, stockholders,
the supply chain, and concerned public and/or community agencies. Communication to
external parties can be in alternative forms to the policy statement itself – such as rules,
directives, and procedures – and may therefore only include pertinent sections of the policy.
One or more qualified persons should be appointed and empowered to implement, test or
exercise, and maintain the BCMS. Top management should conduct its own periodic reviews
and audits of the overall BCMS. Top management should demonstrate its commitment to the
BCMS. It can do so by showing that it champions the BCMS; provides sufficient resources for the
BCMS; and takes responsibility for creating, maintaining, testing, and implementing a
comprehensive BCMS throughout the Plan, Do, Check, and Act (PDCA) cycle. These steps
illustrate the priority of the BCMS to top management and signal that commitment to
management and staff throughout the organization. Equally essential is that top management
engage a “top down” approach to the BCMS to convey management accountability at all levels,
as part of the organization’s overall governance, for effective and efficient BCM plan
development, maintenance and testing.

 A.4.4 Planning
A.4.4.1 Business Impact Analysis and Risk Assessment
The BIA and risk assessment provide the foundation for establishing the business continuity
objectives, targets, programs, and plans. The appropriate order of conducting BIA and risk
assessment depends on the approach the organization employs.
All organizations face a certain amount of uncertainty in achieving their objectives for product
and service delivery. The level of acceptance is set by top management, as stated in the BCM
policy. The BIA and risk assessment then provide the analytical basis for determining the
appropriate risk treatment strategies to reduce the risk to within the designated level of risk
acceptance.
Many methodologies exist for BIA and risk assessment. The organization should establish,
implement, and maintain a formal methodology that is documented and repeatable.
Assumptions, scope, evaluation criteria, and results should be clearly defined and reviewed by
top management.

The BIA and risk assessment are inclusive processes taking into account the input of internal
and external stakeholders. The risk and impact identification, analysis, and evaluation
processes are framed within the operating environment of the organization; therefore, they
should take into account:
•  Internal context such as governance, organizational roles, structures, policies, processes,
culture and strategies, resources capabilities and knowledge, and overall risk
management strategy;
•  External context such as social, environmental, geographic, political, cultural,
competitive, business, financial, supply chain, interdependencies, and community; and
•  Legal and other requirements.

To achieve results that accurately reflect the risk profile of the organization, data for the BIA
and risk assessment should be gathered by a competently trained team. The sampling
techniques for the collection of administrative, financial, technical, and physical data should be
selected to assure representative samples. The BIA and risk assessment are not exact sciences:
therefore, assumptions and reliability of information should be documented. All operational
units of the organization within scope of the BCMS should be directly consulted during the data
gathering process. Results of the BIA and risk assessment should be reported and reviewed by
top management in order to establish the BCM objectives, targets, and strategies. The
organization should define the scope of the BIA and risk assessment based on:
•  BCMS scope (products, services, and organizational activities);
•  Customer expectations and obligations;
•  Legal, regulatory, and contractual requirements;
•  Risk appetite;
•  Interdependencies and supply chain obligations;
•  Infrastructure requirements; and
•  Data/information recovery requirements.

A.4.4.1.1 Business Impact Analysis (BIA)


A.4.4.1.1.1 Process
The organization should conduct a documented BIA within the scope of its BCMS to prioritize
the recovery of products, services, activities, and resources after a disruptive event.
The BIA is an important part of the business continuity planning process that helps an
organization identify how impacts would increase over time if its operations were disrupted.
The purpose of the BIA is to:
•  Identify and determine priority of business activities and the impact of a disruption.
•  Estimate the maximum acceptable downtime that the organization can tolerate while
still maintaining viability – enabling it to establish recovery time objectives.
•  Evaluate resource requirements, activity, and external interdependencies to resume
operations within the recovery timescales identified.
•  Provide the parameters for the selection of appropriate BCM Strategies that can satisfy
the required recovery timescales identified.

The organization should document the scope of the BIA, based on the scope of the BCMS. It
should select and define the approach and methodology based on BIA objectives and
management expectations, as well as the information management needs to make decisions.
Typical BIA activities include:
•  Confirm scope of BIA with top management;
•  Identify sources of information;
•  Decide on methods for data collection;
•  Perform data gathering through interviews, questionnaires, or documentation;
•  Analyze impact, time, and interrelationship information;
•  Present recommendations and justification to management for evaluation; and
•  Prepare information for use in BCM strategy development.

A.4.4.1.1.2 Assessment
If the delivery of products and services to customers is disrupted, the impacts to the
organization will grow over time to a point where its viability is threatened and its survival is
unlikely.
Top management should establish the maximum period of time that a failure to deliver each
product and service can be tolerated. This may be achieved by reviewing:
•  Anticipated customer response;
•  Contracts and service level agreements; and
•  Regulatory requirements.

All business activities should be identified and their role and timescale in delivering products
and services identified. Interdependencies, both internal and external, should be reviewed to
establish activity priorities. The information gathering process may include:
•  Organizational charts and structure;
•  Process flow charts and observation of daily work flow;
•  Interviews with department and division heads; and
•  Identification of significant interrelationships internally and externally.

A.4.4.1.1.3 Impacts
The acceptable (tolerable) disruption period and the time to restore operations to normal
should be based on:
•  Safety implications;
•  Probable financial, operational, and reputational impairment;
•  Legal, regulatory, and contractual requirements;
•  Stakeholder expectations and societal impacts;
•  Environmental damage; and
•  Long-term strategic imperatives.

The cause of the disruption is not a consideration – the disruption to supply could result from
the non-availability of any of the organization’s internal resources or external services.
When assessing impacts, the organization may consider how the disruption to supply of its
products and services or interruption to any of its activities could result in:
a)  Human cost: Potential physical and psychological harm to employees, customers, or
other stakeholders.
 b)  Financial considerations: Lost or deferred sales/business, loss of market share, lawsuits,
regulatory fines/penalties, equipment and property replacement, overtime pay, and
stock devaluation.
c)  Reputational impairment: Damaged reputation with customers and potential customers.
Diminished standing in the community, and negative press.
d)  Community/societal impacts: Indirect impacts on the regional economy, reduction in the
regional net economy, and losses to the tax base of local jurisdictions.
e)  Environmental impacts: Degradation to the quality of the environment.

These parameters are then utilized to assist the organization in setting recovery time objectives.

A.4.4.1.1.4 Maximum Allowable Disruption and Recovery Time Objective


The maximum allowable time (or maximum tolerable period of disruption) identifies the point
at which the organization’s viability is threatened if the delivery of each product and service is
not resumed. Top management can then set a recovery time objective for each product and
service within this maximum time, based on their assessment of the increasing impacts over
time.
Once these times for delivery are established, the organization should assign recovery time
objectives to each organizational activity that contributes—directly or indirectly—to the
delivery of the product or service based on:
•   The role and timescale of each activity that supports the delivery of products and
services;
•   Management’s guidance regarding disruption tolerance for each activity;
•   Current and future-state strategic imperatives;
•   The interdependencies between activities and with external suppliers; and
•   The currency of information required to undertake each activity.

Recovery time objectives are used to prioritize recovery efforts and the use of recovery
resources. Recovery point objectives are used to determine an appropriate back-up strategy for
information. These terms are not exclusive to information technology and data; they apply to
all disciplines and can be applied to any other capability.
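As an added illustration (this code is not part of the standard), the following Python check applies the rules above to a constructed sample BIA: a product’s RTO must fit within its maximum allowable disruption, an activity must be recoverable no later than whatever depends on it (directly or through a chain of other activities), and the backup RPO of an information resource must satisfy the data-currency need of every activity that uses it. The product names, activities, hours and dependencies are invented for the example; `required_rto` and `check_objectives` are names chosen here, not anything the standard defines.

```python
"""Added example: checking BIA-derived recovery objectives for consistency.

Illustrative code written for this page, not part of the standard.  All
names, hours and dependencies are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Product:
    name: str
    mtpd_h: int            # maximum allowable / tolerable period of disruption, hours
    rto_h: int             # recovery time objective set by top management, hours
    activities: list       # names of activities that directly deliver it


@dataclass
class Activity:
    name: str
    rto_h: int                                       # RTO assigned to the activity
    depends_on: list = field(default_factory=list)   # names of supporting activities
    information: dict = field(default_factory=dict)  # info resource -> max data age (hours)


@dataclass
class InfoResource:
    name: str
    rpo_h: int             # RPO delivered by the current backup strategy, hours


def required_rto(products, activities):
    """Propagate the tightest downstream RTO to every activity.

    Walks each product's dependency tree depth-first; an activity inherits the
    smallest RTO of anything it supports.  Raises on a dependency cycle.
    """
    required = {}

    def visit(name, bound, path):
        if name in path:
            raise ValueError(f"dependency cycle through {name}")
        if name not in activities:
            raise KeyError(f"{name} is referenced but has no BIA entry")
        if name in required and required[name] <= bound:
            return  # an equal or tighter bound is already recorded
        required[name] = bound
        for dep in activities[name].depends_on:
            visit(dep, bound, path | {name})

    for product in products:
        for activity in product.activities:
            visit(activity, product.rto_h, frozenset())
    return required


def check_objectives(products, activities, info):
    """Return a list of findings; an empty list means the objectives are consistent."""
    findings = []
    for p in products:
        if p.rto_h > p.mtpd_h:
            findings.append(f"{p.name}: RTO {p.rto_h}h exceeds MTPD {p.mtpd_h}h")
    for name, bound in required_rto(products, activities).items():
        act = activities[name]
        if act.rto_h > bound:
            findings.append(f"{name}: RTO {act.rto_h}h but must be <= {bound}h "
                            f"for the products/activities it supports")
        for res, max_age in act.information.items():
            if info[res].rpo_h > max_age:
                findings.append(f"{name}: {res} RPO {info[res].rpo_h}h exceeds "
                                f"the {max_age}h data currency required")
    return findings


def demo():
    """Constructed sample BIA: two products, five activities, one information resource."""
    products = [
        Product("Order fulfilment", mtpd_h=48, rto_h=24, activities=["order_processing"]),
        Product("Customer portal", mtpd_h=24, rto_h=36, activities=["portal_web"]),  # RTO > MTPD
    ]
    activities = {a.name: a for a in [
        Activity("order_processing", 24, ["payments", "warehouse_system"], {"order_db": 4}),
        Activity("payments", 8, ["network"]),
        Activity("warehouse_system", 36, ["network"]),   # slower than what depends on it
        Activity("network", 4),
        Activity("portal_web", 12, ["network"]),
    ]}
    info = {"order_db": InfoResource("order_db", rpo_h=12)}  # backups too stale for a 4h need
    return check_objectives(products, activities, info)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running the block reports three findings for the sample: a product whose RTO exceeds its maximum allowable disruption, a supporting system whose RTO is longer than that of the activity depending on it, and a backup RPO staler than the activity’s data-currency need. The propagation step is what makes a list of RTOs actually consistent: an activity far down the dependency chain inherits the tightest RTO of everything above it, which is why a network recovery at 4 h is fine while a warehouse system at 36 h is not.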

A.4.4.1.1.5 Resources
The resource requirements of each activity should be quantified. This is usually undertaken at
the same time as the BIA. These resources may include:
•   Staff numbers (special skills or qualifications may be required);
•   Technology and systems;
•   Access to information;
•   Accommodation; and
•   External supplies.

The setting and quantification of recovery time objectives enables a timetable of resource
recovery to be prepared. This may take into account the requirement to provide extra resources
to clear backlogs or cope with anticipated extra demands following an incident.

A.4.4.1.1.6 Output
The BIA report presented to top management should clearly identify the priority of activities
and significant interdependencies, and contain a summary of the BIA methodology used.
For each product and service it should quantify:
•   Recovery time objectives and their associated justification, covering:
o   Initial resumption (and the capacity at which it resumes); and
o   Return to the defined operational capability.

For each activity (in addition):
•   Identification of recovery resource requirements; and
•   Recovery point objectives for the information required, and associated justification.

A thorough BIA is essential for an organization to develop a suitable business continuity
strategy and effective business continuity plan. Therefore, an organization’s BIA team should
possess necessary knowledge and skills to conduct all BIA activities.

A.4.4.1.2 Risk Assessment

An organization should undertake a documented risk assessment in order to understand the
level of risk associated with the organization’s activities, resources, obligations, and
processes. The risk assessment should take account of the organization’s underlying
resources such as people, premises, technology, information, supplies, and stakeholders. The
organization should understand the threats to these resources, the vulnerabilities of each
resource, and the impact that would arise if a threat became an incident and caused a business
disruption. Each organization should:
a)  Choose which risk assessment method to use – but it is important that the method is
suitable and appropriate to address all of the organization’s requirements. A suitable
and appropriate risk assessment method should consider risks related to the
organization’s activities, products, and services as well as their potential for direct or
indirect impact on the organization’s operations, people, property, assets,
compensation, image and reputation, profit, credit, and/or environment.
b)  Use a documented quantitative or qualitative methodology to estimate the likelihood of
the identified potential risks and the significance of the impacts if a disruptive incident
should occur.
c)  Consider its dependencies on others and others’ dependencies on the organization –
including infrastructure and supply chain dependencies and obligations.
d)  Evaluate the consequences of legal and other obligations that govern the organization’s
activities.
e)  Consider risks associated with stakeholders, contractors, suppliers, and other affected
parties.
f)  Analyze information on risks, and select those risks that may result in significant
disruption to prioritized activities and/or those risks whose consequences are hard to
determine in terms of significance.
g)  Analyze and evaluate alternative risk treatments and the extent to which each risk
treatment reduces risk.
h)  Evaluate the risks and impacts it can control and influence. In all circumstances, top
management – and, through it, the organization – determines the degree of control it
chooses to exercise as well as its strategies for risk acceptance, avoidance, management,
minimization, tolerance, transfer, and/or treatment.


A.4.4.2 Business Continuity Objectives and Targets

Objectives and targets are established to meet the goals and commitments of the organization’s
business continuity policy. By setting the business continuity objectives and targets, the
organization can translate the policy into the action plans it describes in its business continuity
strategies. The objectives and targets should be specific and measurable in order to track
progress and ascertain how the BCMS is performing in improving overall organizational
preparedness.
Business continuity “objectives” are overriding considerations such as the rapid restoration of
business operations. Business continuity “targets” are specific metrics for restoration of
operations. Objectives and targets should be appropriate for the organization, based on the risk
assessment and BIA. The objectives and targets should reflect what the organization does, how
well it is performing, and what it wants to achieve. Appropriate levels of management should
define the objectives and targets. Objectives and targets should be periodically reviewed and
revised.
When the objectives and targets are set, the organization should consider establishing
measurable business continuity performance indicators. These indicators can be used as the
basis for a business continuity performance evaluation system and can provide information on
the business continuity management system and specific mitigation, response, and recovery
strategies.
In establishing its objectives and targets, the organization should consider:
•  Policy commitments;
•  Alignment with strategic objectives;
•  Outcomes of the business impact analysis and risk assessment;
•  Risk tolerance;
•  Legal and other requirements;
•  Internal and external context;
•  Performance criteria;
•  Infrastructure requirements and interdependencies;
•  Interests of stakeholders and supply chain partners;
•  Technology options;
•  Financial, operational, and other organizational considerations; and
•  Actions, resources, and timescales needed to achieve objectives.

A.4.4.3 Business Continuity Strategies

The business continuity strategies are documented approaches to achieve the organization’s
objectives and targets. Strategies should be coordinated or integrated with other organizational
plans, strategies, and budgets.
To ensure their success, the business continuity management strategies should define:


a)  Responsibilities for achieving goals (who will do it?);
b)  Means and resources for achieving goals (how to do it?); and
c)  Timeframe for achieving those goals (when will it be done?).

The strategies may be subdivided to address specific elements of the organization’s operations.
The organization may use several action plans as long as the key responsibilities, tactical steps,
resource needs, and schedules are adequately defined in each of the documented plans.
The strategies should include – where appropriate and practical – consideration of all stages of
an organization’s activities related to planning, design, construction, commissioning, operation,
retrofitting, production, marketing, outsourcing, and decommissioning. Strategy development
may be undertaken for current activities and new activities, products, and/or services.
Prevention, preparedness, and mitigation strategies should give priority to the safe removal of
people and property at risk. Additional topics include:
a)  Relocation, retrofitting, and provision of protective systems or equipment;
b)  Information, data, document, and cyber security;
c)  Establishment of threat or hazard warning and communication procedures; and
d)  Redundancy or duplication of systems, essential personnel, equipment, information,
operations, or materials – including those from partner organizations.

The organization should plan for incident response and recovery, taking into account the
priority of activities, contractual obligations, employee and neighboring community necessities,
operational continuity, and environmental remediation. Organizations have different
approaches to managing crises. Regardless of the approach, there are three generic and
interrelated management response steps that require pre-emptive planning and implementation
in case of a disruptive incident:
1)  Emergency response: The initial response to a disruptive incident usually involves the
protection of people and property from immediate harm. An initial reaction by
management may form part of the organization’s first response.
2)  Continuity: Processes, controls, and resources are made available to ensure that the
organization continues to meet its BCM objectives.
3)  Recovery: Processes, resources, and capabilities of the organization are re-established to
meet ongoing operational requirements. This may often include the introduction of
significant organizational improvements even to the extent of refocusing strategic or
operational objectives.

Strategies should be dynamic and modified when:
•  Outcomes of the risk assessment and impact analysis change;
•  Objectives and targets are modified or added;
•  Relevant legal requirements are introduced or changed;
•  Substantial progress in achieving the objectives and targets has been made (or has not
been made); or
•  Products, services, processes, or facilities change or other issues arise.

Determining business continuity strategy enables the organization to evaluate a range of
options. The organization may choose an appropriate response for each activity, such that it
can continue to deliver activities at an acceptable level of operations and within an acceptable
timeframe during and following a disruption. Strategic options should be considered for the
resumption of activity. The most appropriate strategy or strategies should depend on a range of
factors such as:
a)  The results of the organization’s BIA and risk assessment;
b)  The costs of implementing a strategy or strategies; and
c)  The consequences of inaction.

Strategies might be required for the following organizational resources:
a)  Staff;
b)  Premises;
c)  Technology;
d)  Information;
e)  Supplies;
f)  Stakeholders; and
g)  Supporting infrastructure.

In each case, the organization should minimize the likelihood of implementing a business
continuity solution that might be affected by the same incident that causes the business
disruption.
Top management should approve the documented strategies to confirm that the determination of
continuity strategies has been properly undertaken, that they address the likely causes
and effects of disruption, and that the chosen strategies are appropriate to meet the
organization’s objectives within the organization’s risk appetite.
The strategies should also consider the organization’s relationships, interdependencies, and
obligations with external stakeholders. These stakeholders include customers, suppliers, and
outsource partners – as well as first responders, public authorities, and others in the
community. The organization should establish and maintain strategies that protect and preserve
the integrity of its supply chain and the delivery of products and services, including
arrangements needed with customers, suppliers, outsourcing partners, and other stakeholders.
In addition, interactions and coordination with first responders, public authorities, and others
in the community should be determined and included in strategy development. These strategic
arrangements with external stakeholders should support the achievement of business
continuity objectives and be clearly defined and documented.

A.4.5 Implementation and Operation

A.4.5.1 Resources
An organization should provide resources, capabilities, structures, and support mechanisms
necessary to:
a)  Achieve its business continuity policy, objectives, and targets;
b)  Meet the changing requirements of the organization;
c)  Communicate on business continuity management system matters, internally and
externally; and
d)  Provide for the ongoing operation and continual improvement of the business
continuity management system to improve the organization’s business continuity
performance.

Top management plays a key role by providing resources needed to implement the BCMS. The
management of an organization should determine and make available appropriate resources to
establish, implement, maintain, and improve the BCMS. These resources should be provided in
a timely and efficient manner.
When identifying the resources needed to establish, implement, and maintain the BCMS, an
organization should consider:
•  People and people-related resources (which may include):
o   The time necessary to perform BCMS requirements
o   Security
o   Transportation logistics
o   Welfare needs
o   Emergency expenses
•  Facilities:
o   Emergency Operations Centers
o   Recovery locations
o   Infrastructure
•  Technology:
o   Applications
o   Technology services
•  Methods to manage and control documentation and records


•  Communications
•  Information (which may include):
o   Policies
o   Standard operating procedures
o   Work instructions
o   Internal and external contact information
o   Financial (e.g., payroll) details
o   Customer account records
o   Supplier and stakeholder details
o   Legal documents (e.g., contracts, insurance policies, title deeds, etc.)
o   Other services documents (e.g., contracts and service level agreements)
•  Supplies

Resources and their allocation should be reviewed periodically, and in conjunction with the
management review, to ensure their adequacy. In evaluating adequacy of resources,
consideration should be given to planned changes and/or new facilities, projects, or operations.

A.4.5.2 Roles, Responsibility, and Authority


A.4.5.2.1 BCMS
The successful implementation of a BCMS calls for a commitment from all persons working for
the organization or on its behalf. The roles, responsibilities, and authorities of individuals
should be clearly defined to ensure implementation of the BCMS, prevent misunderstandings
(particularly during an incident), and avoid duplication and/or missed tasks.
To demonstrate its commitment, top management should establish and communicate the
organization’s BCMS policy and ensure the necessary resources for the implementation of the
BCMS. Therefore, top management should designate (a) specific management representative(s)
with defined responsibilities and authority for implementing the BCMS, who:
a)  Champions the BCMS;
b)  Ensures that the BCMS is established and implemented;
c)  Reports on BCMS performance over time; and
d)  Works with others to modify the BCMS as needed.

Many organizations nominate a program sponsor who is supported by a cross-functional team
of executive managers with the authority to commit the organization to action. In large or more
complex organizations, there may be more than one designated sponsor. In small or medium-
sized enterprises, one individual may undertake these responsibilities.


A.4.5.2.2 BCM
Roles, responsibilities, and authorities should also be defined, documented, and communicated
for coordination with external stakeholders. This should include interactions with contractors,
partners, suppliers, public authorities, and financial institutions. The organization should
define and communicate the responsibilities and authorities of all persons engaged in business
continuity management regardless of their other roles in the organization. The resources
provided by top management should enable the fulfillment of the roles and responsibilities
assigned. The roles, responsibilities, and authorities should be reviewed when a change in the
operational context of the organization occurs.

A.4.5.2.3 Team Structure


An organization should have a crisis (or incident) management team to lead incident/event
response. The team should be comprised of such functions as human resources, information
technology, facilities, security, legal, communications/media relations, operational activities,
and other business support activities. Senior management or its representatives should provide
overall team direction. Organizations should consider the attributes found in the NIMS
incident command system or equivalent (see E.5).
The organization should allocate as many response and recovery teams as needed to support its
crisis management team. These requirements should consider such factors as organization size
and type, number of employees, location, industry/sector, and culture. Response and recovery
teams should develop plans to address various aspects of potential disruptive events – such as
escalation and activation, damage assessment, payroll, human resources (benefits),
administrative support, process recovery, information technology recovery, and site
restoration. Response and recovery plans should follow a consistent format
and only include content needed during the disruptive event. Business continuity planning
process information and supporting detail may be documented elsewhere in separate
documents (e.g., in Standard Operating Procedures) in order to streamline plan documentation.
Individuals should be recruited for membership on response and recovery teams based upon
their skills, experience, and level of commitment.

A.4.5.2.4 Administrative and Financial Structures


It is necessary that the organization put in place appropriate administrative and financial
structures to effectively deal with response and recovery efforts during a disruptive incident. A
management structure, authorities, and responsibility delegation for decision-making –
including spending limitations and responsibility for implementation – should be clearly
defined.


A.4.5.3 Competence, Training, and Awareness


The organization should identify the awareness, knowledge, understanding, and skills needed
by every person – and their alternate(s) – with the responsibility and authority to perform
response and recovery tasks. The organization should establish training and awareness
programs for internal and external stakeholders who may be affected by a disruptive incident.
The organization should require that contractors working on its behalf are able to demonstrate
that their employees have the requisite competence and/or appropriate training. Management
should determine the level of experience, competence, and training necessary to ensure the
capability of personnel having documented responsibility for carrying out specialized BCMS
management activities.
A training and awareness program may include:
•  A consultation process with staff throughout the organization concerning the
implementation of the BCM program;
•  Discussion of BCM in the organization’s newsletters, briefings, induction program, or
journals (including new employee orientation);
•  Inclusion of BCM on relevant web pages or intranets;
•  Online training modules housed in the organization’s learning management system;
•  Learning from internal and external incidents through after action reports;
•  BCM as an item at management team meetings;
•  Exercising continuity plans at an alternative location (e.g., a recovery site);
•  Visits to any designated alternative location (e.g., a recovery site);
•  Conferences and classroom training; and
•  First aid and other hands-on training.

All personnel should receive training to perform their individual BCMS-related responsibilities.
They should receive briefs on the key components of the BCMS, as well as the response and
recovery plans that affect them directly. Such training could include procedures for mitigation
measures, evacuation, shelter-in-place, check-in processes to account for employees,
arrangements at alternate worksites, and the handling of media inquiries by the company.
Response and recovery teams should receive education and training about their responsibilities
and duties, including interactions with first responders and other internal and external stakeholders.
Team members should be trained at regular intervals (at least annually), and new members
should be trained when they join the organization. These teams should also receive training on
prevention of incidents that may escalate into crises. The organization should include relevant
external stakeholders and resources in their competence, awareness, and training programs.
The organization should identify and assess any differences between the competence needed to
perform a business continuity activity and that possessed by the individual required to perform
the activity. This difference can be rectified through additional education, training, or skills
development program, which may include the following steps:
•  Identification of competence and training needs;
•  Design and development of a training plan to address defined competence and training
needs;
•  Selection of suitable methods and materials;
•  Verification of conformity with BCMS training requirements;
•  Training of target groups;
•  Documentation and monitoring of training received;
•  Evaluation of training received against defined training needs and requirements; and
•  Improvement of the training program, as needed.

A.4.5.4 Documentation
The level of detail of the documentation should be sufficient to describe the BCMS and how the
parts work together. The documentation should also provide direction on where to obtain
more detailed information on the operation of specific parts of the BCMS. This documentation
may be integrated with documentation of other management systems implemented by the
organization. It does not have to be in the form of a manual.
The extent of the BCMS documentation can differ from one organization to another due to:
a)  The size and type of organization and its activities, products or services;
b)  The complexity of processes and their interactions; and
c)  The competence of personnel.

Examples of documents include:
a)  Policy, objectives, and targets;
b)  Information on significant risks and impacts;
c)  Procedures;
d)  Process information;
e)  Organizational charts;
f)  Internal and external standards;
g)  Site response, mitigation, emergency, and crisis plans; and
h)  Records.

Any decision to document (a) procedure(s) should be based on issues such as:
a)  The consequences, including those to human and physical assets and the environment,
of not doing so;
b)  The need to demonstrate compliance with legal and other requirements to which
the organization subscribes;
c)  The need to ensure that the activity is undertaken consistently;
d)  The advantages of doing so, which can include:
1.  Easier implementation through communication and training;
2.  Easier maintenance and revision;
3.  Less risk of ambiguity and deviations; and
4.  Demonstrability and visibility.
e)  The requirements of this Standard.

Documents originally created for purposes other than the BCMS may be used as part of this
management system, and (if so used) should be referenced in the system.

A.4.5.5 Control of Documents

The intent of 4.5.5 is to ensure that organizations create and maintain documents in a manner
sufficient to implement the BCMS. However, the primary focus of organizations should be on
the effective implementation of the BCMS and not on a complex document control system.
Organizations should ensure the integrity of the documents by ensuring they are protected
against tampering (so that any unauthorized change is detectable); securely backed-up;
accessible only to authorized personnel; and protected from damage, deterioration, or loss.
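One way to make that integrity requirement checkable, as an added example that is not part of the standard: hash each controlled document, sign the list of hashes, and re-verify the set on a schedule. The key, document names and contents below are constructed for the example, and `build_manifest`, `sign_manifest` and `verify_documents` are names chosen here. The caveat a practitioner needs: an HMAC only proves that whoever holds the key signed the manifest, so the key must be held by the document owner or a separate signing service, not by the people who edit the documents; otherwise whoever tampers can simply re-sign.

```python
"""Added example: a tamper-evident manifest for BCMS documents.

Illustrative code written for this page, not from the standard.  Document
names, contents and the key are constructed sample data.
"""
import hashlib
import hmac
import json


def build_manifest(documents):
    """documents: {name: bytes}. Returns {name: sha256 hex digest}."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in documents.items()}


def sign_manifest(manifest, key):
    """HMAC-SHA256 over a canonical JSON encoding, so key order cannot change the MAC."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_documents(documents, manifest, signature, key):
    """Return (manifest_trusted, findings).

    manifest_trusted is False when the signature does not match; nothing in
    the manifest can then be relied on, so the findings say only that.
    Otherwise findings list documents that are modified, missing or unlisted.
    """
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, ["manifest signature invalid: treat the manifest as untrusted"]
    findings = []
    current = build_manifest(documents)
    for name, expected in manifest.items():
        if name not in current:
            findings.append(f"missing: {name}")
        elif not hmac.compare_digest(current[name], expected):
            findings.append(f"modified: {name}")
    for name in current:
        if name not in manifest:
            findings.append(f"unlisted: {name}")
    return True, sorted(findings)


def demo():
    """Constructed document set, then three verification scenarios."""
    key = b"constructed-demo-key-do-not-reuse"   # real deployments: keep with the document owner / KMS
    docs = {
        "bc-policy.txt": b"Business continuity policy v3 (constructed sample)",
        "crisis-comms-plan.txt": b"Spokesperson: primary and two alternates",
        "call-tree.txt": b"Recovery team call tree",
    }
    manifest = build_manifest(docs)
    signature = sign_manifest(manifest, key)

    # 1. untouched documents verify cleanly
    clean = verify_documents(docs, manifest, signature, key)

    # 2. one file edited, one deleted, one added without being brought under control
    tampered = dict(docs)
    tampered["crisis-comms-plan.txt"] = b"Spokesperson: anyone"
    del tampered["call-tree.txt"]
    tampered["scratch-notes.txt"] = b"uncontrolled draft"
    after_tampering = verify_documents(tampered, manifest, signature, key)

    # 3. the tamperer also rewrites the manifest to match, but cannot re-sign it
    forged = build_manifest(tampered)
    forged_result = verify_documents(tampered, forged, signature, key)

    return {"clean": clean, "tampered": after_tampering, "forged_manifest": forged_result}


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, result)
```

The third scenario is the reason the signature is there at all: without it, someone who edits a document can regenerate the manifest to match, and the checker would report the altered document as clean.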

A.4.5.6 Developing and Implementing a Business Continuity Response

Business continuity plans and procedures provide the basis for everyone in the organization to
be well informed about how the organization, and those who have specific BCMS roles and
responsibilities, are expected to respond to a disruptive incident.
Business continuity response should ensure life safety, protect assets, and assess the impact of
the disruption. BCM activities enable the organization to utilize the available resources to
manage the impact of the disruption to operations and reputation. The plans and procedures
should include necessary arrangements to ensure human safety and support, continuity of
activities, and management of a disruptive event. Business continuity response plans and
procedures should:
a)  Describe the purpose, scope, and assumptions of the plans (including
interdependencies);
b)  Describe specific delegations of authority to the appropriate level, and adequate
resource staging;
c)  Describe communications protocols for:
1.  Roles, responsibilities, and authorities of first responders;
2.  Primary and backup communications technologies; and


3.  The scope of assessments (including field and local assessments) needed to
effectively manage the impact of the disruption.
d)  Be specific as to which team should immediately perform what tasks, and the resources
required to carry out its responsibilities during a disruption; and
e)  Optimize the benefits of the response implementation to the appropriate mitigation
strategies.

A.4.5.6.1 Response Structure


The response structure should include provisions/threshold criteria to activate response plans,
and identify who has the authority to do the activation. The response structure provides for:
a)  A determination of the nature and extent of the disruptive incident to establish the scope
of the response required, and define actions that might be necessary based on impact
and/or potential impact;
b)  A response to protect people, assets, and stakeholders’ interests;
c)  Communication with stakeholders and authorities, as well as the media, using pre-
established message templates; and
d)  Coordination with initial responders, first responders, and government agencies.

In some organizations, certain divisions, departments, and activities are better situated to
address specific aspects of incident response, continuity, and recovery. These organizations
may use a tiered approach, establishing multiple teams to focus on specific aspects of managing
the disruptive incident (e.g., communications and media response team). The teams should
coordinate their activities to assure a seamless response, and be appropriate to the size and
nature of the organization. The response structure should avoid vesting the authority to
mobilize a response in a single individual.

A.4.5.6.2 Business Continuity Plans


The organization should establish documented plans that detail how the organization should
manage a disruptive event and how it should recover or maintain its activities to a
predetermined level, based on management-approved recovery objectives.
Each plan should define:
a)  Purpose and scope;
b)  Objectives and measures of success;
c)  Activation criteria and procedures;
d)  Implementation procedures;
e)  Roles, responsibilities, and authorities;
f)  Communication requirements and procedures;


g)  Internal and external interdependencies and interactions;
h)  Resource requirements; and
i)  Information flow, documentation, and record keeping processes.

The organization should periodically test, review, and (where necessary) revise its business
continuity plans – in particular, after a disruptive event and its associated
post-event review.

A.4.5.7 Communication and Consultation


Arrangements should be made for communication and consultation internally and externally
during normal and abnormal conditions. Effective communication is one of the most important
ingredients in managing a disruptive incident. In what is commonly termed crisis communications
planning, internal and external stakeholders (or the public) should be identified in order to
convey alerts, warnings, and information about the disruptive event and the organization’s
response. To provide the best communications and suitable messages for various groups, it may be
appropriate to segment the audiences. In this way, tailored messages can be released to
specific groups such as employees, stockholders, the local community, or the media.
The communication and consultation procedures and processes should consider:
• Internal communication between the various levels and activities of the organization
and with partner entities;
•  Receiving, documenting, and responding to relevant communications from external
stakeholders (including supply chain partners);
•  Proactive planning of communications with external stakeholders (including the media);
•  Preemptive communication of response plans to applicable stakeholders facilitating
communication and assuring stakeholders that proper planning is in place;
•  Facilitating structured communication with emergency responders; and
•  Availability of the communication channels during a disruptive situation.

Organizations should also identify and establish relationships with public sector agencies,
organizations, and officials responsible for intelligence, warnings, prevention, response, and
recovery related to potential disruptions.
Organizations should implement a procedure for receiving, documenting, and responding to
relevant communications from stakeholders and interested parties. This procedure can include
a dialogue with interested parties and consideration of their relevant concerns. In some
circumstances, responses to concerns of interested parties may include relevant information
about the risks and impacts associated with the organization’s activities and operations. These
procedures should also address necessary communications with public authorities regarding
emergency planning and other relevant issues.


The organization should formally plan its crisis communications strategy, taking into account
the decisions made specific to relevant target groups, the appropriate messages and subjects,
and the choice of means. When considering communication about hazards, threats, risks,
impacts, and control procedures, organizations should take into consideration the views and
information needs of all stakeholders.
The organization should establish procedures to communicate and consult with internal and
external stakeholders specific to its hazards, threats, risks, impacts, and control procedures.
These procedures could change depending on several factors, such as the specific stakeholder
group, the type of information to be communicated, the type of disruptive event and its
consequences, the availability of methods of communication, and the individual circumstances
of the organization. Methods for external communication can include:
•  News or press releases;
•  Media;
•  Financial reports;
•  Newsletters;
•  Websites;
•  Phone calls, emails, and text messages (manually delivered and/or via automated
emergency notification systems);
•  Voice mails; and
•  Community meetings.

The organization should conduct preplanning of communication for a disruptive incident.
Draft message templates, scripts, and statements can be crafted in advance for threats identified
in the risk assessment, for distribution to one or more stakeholder groups identified in the BIA.
Procedures to ensure that communications can be distributed on short notice should also be
established.
The organization should designate and publicize the name of a primary spokesperson (with
back-ups identified) who should manage/disseminate crisis communications to the media and
others. These individuals should receive training in media relations in preparation for a crisis,
and on an ongoing basis. All information should be funneled through a single team to assure
the consistency of messages. Top management should stress that all organization personnel
should be informed quickly regarding where to refer calls from the media and that only
authorized company spokespeople may speak to the media. In some situations, an
appropriately trained site spokesperson may also be necessary.
The organization’s media response strategy and relevant procedures should be documented in
the crisis/incident management plan, or a separate crisis communications plan. The plan should
include the following key information:
•  A crisis communications strategy overview.

•  The organization’s preferred interface with the media.


•  A guideline or template for the drafting or updating of a statement to be provided to the
media at the earliest practical opportunity following the disruptive incident.
•  The most appropriate contact information for trained, competent spokespeople
nominated and authorized to release information to the media if the primary
spokesperson is unavailable.
•  The preferred venue or the identification of an alternative suitable venue to support
liaison with the media, and other stakeholder groups.

In some cases, it may be appropriate to:


•  Provide supporting detail in a separate document, including holding statement content.
•  Establish an appropriate number of competent, trained people to answer inquiries from
the press regardless of the method the press chooses to make the inquiry (e.g.,
telephone, e-mail, text message, and Internet social media forums).
•  Prepare in advance background material about the organization and its operations (this
information should be pre-approved for release at an appropriate management level).

Response and recovery plan documentation should contain current contact details for relevant
internal and external agencies, as well as for organizations and providers that might be required
to support the organization.

 A.4.6 Checking and Corrective Action


A.4.6.1 Monitoring and Measurement
The BCMS should provide for the analysis of data collected from monitoring and measurement
to identify patterns and obtain information. Knowledge gained from this information can be
used to implement corrective and preventive action. Metrics should be established to monitor
and measure the effectiveness of the BCMS and identify areas for improvements to enhance
preparedness.
Metrics help assure that the organization’s policy, objectives, and targets are achieved, and
elucidate areas for improvement.
Checking involves measurement, monitoring, and evaluation of the organization’s business
continuity performance. The organization should have a systematic approach for measuring
and monitoring its business continuity performance on a regular basis. In order to measure and
monitor the organization’s business continuity performance, a set of performance indicators
should be developed to measure both the management system and its outcomes.
Measurements can be either quantitative or qualitative. Performance indicators can be
management, operational, or economic indicators. Indicators should provide useful
information to identify both successes and areas requiring correction or improvement.

A.4.6.2 Evaluation of Compliance and System Performance


A.4.6.2.1 Evaluation of Compliance
The organization should be able to demonstrate that it has evaluated compliance with the legal
requirements.
The organization should be able to demonstrate that it has evaluated compliance with the
identified other requirements to which it has subscribed.

A.4.6.2.2 Exercises and Testing


Exercises are activities designed to examine the staff’s ability to effectively respond, recover,
and continue to perform assigned business activities when faced with specific disruptive
scenarios. The organization should use exercises and the documented results of exercises to
ensure the effectiveness and readiness of the BCMS – specifically, its business continuity plans,
team readiness, and facilities – to perform and validate its business continuity function.
Benefits of exercising and testing include:
a)  Validation of planning scope, assumptions, and strategies;
b)  Capacity testing (e.g., the capacity of a call-in or call-out phone system);
c)  Increased efficiency and reduced time needed to accomplish a process (e.g., using
repeated drills to shorten response times); and
d)  Awareness and knowledge for internal and external stakeholders about the BCMS and
their roles.

The organization may experience changes internally and externally, thus it should conduct
exercises taking into account such changes to:
•  Primary or alternate facilities;
•  Organization restructure;
•  Assigned staff;
•  Partnering relationships;
•  Support systems;
•  Scope of the operations; and/or
•  Recovery objectives.

Exercising ensures that technology resources function as planned and that staff members are
adequately trained in their use and operation. Exercising can keep response teams and
employees effective in their duties, clarify their roles, and identify areas for improvement in the
BCMS, its plans, and its procedures. A commitment to exercising lends credibility and
authority to the BCMS.
The organization should design exercise scenarios to evaluate the continuity plans. An
exercise schedule and timeline for periodically exercising the plan and its components should
be established. Exercising and testing should be realistic, evaluate the capabilities and
capacities of BCM, and assure the protection of people and assets involved. The scope and
detail of the exercises should mature based on the organization’s experience, resources, and
capabilities. Early tests may include checklists, simple exercises, and small components of the
BCMS. Examples of increasing maturity of exercises include:
•  Orientation: Introductory, overview or education session.
•  Table top: Practical or simulated exercise presented in a narrative format.
•  Functional: Walk-through or specialized exercise simulating a scenario as realistically as
possible in a controlled environment.
•  Full scale: Live or real-life exercise simulating a real-time, real-life scenario.

There are several roles that exercise participants may fill. All participants should understand
their roles in the exercise. The exercise should involve all organizational participants defined
by the scope of the exercise; where appropriate, external stakeholders may be included. As part
of the exercise, a review should be scheduled with all participants to discuss issues and lessons
learned. This information should be documented, and updates should be made to the plan as
required.
Lessons learned from exercises and tests, as well as actual incidents experienced, should be built
into future exercises and test planning for the BCMS.
Design of exercises and tests should be evaluated and modified as necessary. They should be
dynamic, taking into account changes to the BCMS, personnel turnover, actual incidents, and
results from previous exercises.

A.4.6.3 Non-conformity, Corrective Action, and Preventive Action


A.4.6.3.1 General
The organization should establish effective procedures to ensure that any failure to fulfill a
requirement or planning approach, and any incidents, near misses, and weaknesses associated
with the BCMS (its plans and procedures), are identified and communicated in a timely manner,
both to prevent the situation from recurring and to identify and address root causes. The
procedures should enable ongoing detection, analysis, and elimination of actual and potential
causes of nonconformities.
An investigation should be conducted of the root cause(s) of any identified nonconformity in
order to develop a corrective action plan for immediately addressing the problem to mitigate
any consequences, make changes needed to correct the situation and to restore normal
operations, and take steps to prevent the problem from recurring by eliminating cause(s). The
nature and timing of actions should be appropriate to the scale and nature of the nonconformity
and its potential consequences.
A potential problem may be identified, but no actual nonconformity exists. In this case, a
preventive action should be taken using a similar approach. Potential problems can be
extrapolated from corrective actions for actual nonconformities, identified during the internal
BCMS audit process, analysis of industry trends and events, or identified during exercise and
testing. Identification of potential nonconformities can also be made part of routine
responsibilities of persons aware of the importance of noting and communicating potential or
actual problems.
Establishing procedures for addressing actual and potential nonconformities and for taking
corrective and preventive actions on an ongoing basis helps to ensure reliability and
effectiveness of the BCMS. The procedures should define responsibilities, authority, and steps
to be taken in planning and carrying out corrective and preventive action. Top management
should ensure that corrective and preventive actions have been implemented and that there is
systematic follow-up to evaluate their effectiveness.
Corrective and preventive actions that result in changes to the BCMS should be reflected in the
documentation, and should trigger a revisit of the risk assessment and impact analysis related to
the changes to the system to evaluate the effect on plans, procedures, and training needs.
Changes should be communicated to all who need to know.

A.4.6.3.2 Corrective Action


The organization should take action to eliminate the cause of nonconformities associated with
the implementation and operation of the BCMS to prevent their recurrence. The documented
procedures for corrective action should define requirements for:
a)  Identifying any nonconformities;
b)  Determining the causes of nonconformities;
c)  Evaluating the need for actions to ensure that nonconformities do not recur;
d)  Determining and implementing the corrective action needed;
e)  Recording the results of action taken; and
f)  Reviewing the corrective action taken and the results of that action.

A.4.6.3.3 Preventive Action


The organization should take action to prevent potential nonconformities from occurring.
Preventive actions taken should be appropriate to the potential impact of nonconformities.
The documented procedure for preventive action should define requirements for:
a)  Identifying potential nonconformities and their causes;
b)  Determining and implementing preventive action needed;
c)  Recording results of action taken;
d)  Reviewing preventive action taken;
e)  Identifying changed risks and ensuring that attention is focused on significantly
changed risks;
f)  Ensuring that all those who need to know are informed of the non-conformity and
preventive action put in place; and
g)  The priority of preventive actions based on results of business impact analyses and risk
assessments.

A.4.6.4 Control of Records


Management system records can include, among others:
a)  Compliance records;
b)  Training records;
c)  Process monitoring records;
d)  Inspection, maintenance, and calibration records;
e)  Pertinent contractor and supplier records;
f)  Incident reports;
g)  Records of incident and emergency preparedness tests;
h)  Audit results;
i)  Management review results;
j)  External communications decisions;
k)  Records of applicable legal requirements;
l)  Records of significant risk and impacts;
m) Records of management systems meetings;
n)  Security, preparedness, response, continuity, and recovery performance information;
o)  Legal compliance records;
p)  Communications with stakeholders and interested parties; and
q)  Results of testing/exercises.

Proper account should be taken of confidential information.


Organizations should ensure the integrity of records by rendering them tamperproof; securely
backed-up; accessible only to authorized personnel; and protected from damage, deterioration,
or loss.
The organization should consult with the appropriate legal authority within the organization
to determine the appropriate period of time the documents should be retained and establish,
implement, and maintain the processes to effectively do so.

NOTE: Records are not the sole source of evidence to demonstrate conformity to this Standard.
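In practice the integrity requirement above is met with a tamper-evident store rather than a truly tamperproof one: a privileged insider can still edit a file, but a hash chain over the records makes any edit, deletion or reordering detectable at the next audit or management review. The following is an added example, not part of this Standard and not code from ASIS or BSI, that shows the technique in Python: each record's hash covers the previous record's hash, and the latest hash is anchored outside the log. The class and function names and the three sample records are constructed for illustration.

```python
"""Tamper-evident log for BCMS records (added illustration, not from the Standard).

Each entry's hash covers its sequence number, the previous entry's hash and the
record content, so editing, deleting or reordering a record after the fact breaks
the chain. Class and function names and SAMPLE_RECORDS are constructed here.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

GENESIS = "0" * 64  # assumed predecessor hash for the first entry

# Constructed sample records of the kinds listed in A.4.6.4.
SAMPLE_RECORDS = [
    {"type": "training", "date": "2010-03-01", "detail": "media relations briefing"},
    {"type": "exercise", "date": "2010-04-12", "scenario": "data centre loss",
     "outcome": "RTO missed by 40 min"},
    {"type": "corrective_action", "date": "2010-04-20", "ref": "CA-07", "status": "open"},
]


def canonical(record: dict) -> bytes:
    # Stable serialisation: key order and whitespace must not change the hash.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Entry:
    seq: int
    record: dict
    prev_hash: str
    entry_hash: str


class RecordLog:
    """Append-only log whose entries form a SHA-256 hash chain."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    @staticmethod
    def digest(seq: int, prev_hash: str, record: dict) -> str:
        h = hashlib.sha256()
        h.update(seq.to_bytes(8, "big"))
        h.update(bytes.fromhex(prev_hash))
        h.update(canonical(record))
        return h.hexdigest()

    def head(self) -> str:
        # The value to anchor outside the log (review minutes, write-once store).
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def append(self, record: dict) -> Entry:
        seq, prev = len(self.entries), self.head()
        entry = Entry(seq, dict(record), prev, self.digest(seq, prev, record))
        self.entries.append(entry)
        return entry

    def verify(self, anchored_head: Optional[str] = None) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return i  # reordered, or an entry removed from the middle
            if not hmac.compare_digest(e.entry_hash, self.digest(i, prev, e.record)):
                return i  # record content or stored hash altered
            prev = e.entry_hash
        # A truncated log is still a valid chain on its own; only the external
        # anchor reveals that entries were removed from the end.
        if anchored_head is not None and not hmac.compare_digest(prev, anchored_head):
            return len(self.entries)
        return None


def build_sample_log() -> RecordLog:
    log = RecordLog()
    for rec in SAMPLE_RECORDS:
        log.append(rec)
    return log


def demo_tamper() -> Dict[str, Optional[int]]:
    """Exercise three failure modes and report what verify() returns for each."""
    log = build_sample_log()
    anchored = log.head()
    results = {"intact": log.verify(anchored)}
    log.entries[1].record["outcome"] = "RTO met"  # rewrite an exercise result
    results["altered"] = log.verify(anchored)
    log.entries[1].record["outcome"] = "RTO missed by 40 min"
    log.entries.pop()  # drop the open corrective action
    results["truncated_unanchored"] = log.verify()
    results["truncated_anchored"] = log.verify(anchored)
    return results
```

The head hash has to be kept somewhere the log's writers cannot reach (the management-review minutes, a write-once store, a separately administered system); without that anchor, verify() cannot distinguish a log that lost its last entries from one that never had them, which is why the demo's unanchored truncation check reports the chain as intact. Access control and backups are still required: the chain detects tampering, it does not prevent it.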

A.4.6.5 Internal Audits


It is essential to conduct internal audits of the BCMS to ensure that the BCMS is achieving its
objectives, that it conforms to its planned arrangements, that it has been properly implemented
and maintained, and to identify opportunities for improvement. Internal audits of the BCMS
should be conducted at planned intervals to determine and provide information to top
management on appropriateness and effectiveness of the BCMS, as well as to provide a basis for
setting objectives for continual improvement of BCMS performance.
The organization should establish an audit program (see ISO 19011 for guidance) to direct the
planning and conduct of audits, and identify the audits needed to meet the program objectives.
The program should be based on the nature of the organization’s activities, in terms of its risk
assessment and impact analysis, the results of past audits, and other relevant factors.
An internal audit program should be based on the full scope of the BCMS; however, each audit
need not cover the entire system at once. Audits may be divided into smaller parts, so long as
the audit program ensures that all organizational units, activities and system elements, and the
full scope of the BCMS are audited in the audit program within the auditing period designated
by the organization.
The results of an internal BCMS audit can be provided in the form of a report and used to
correct or prevent specific nonconformities and provide input to the conduct of the
management review.
Internal audits of the BCMS can be performed by personnel from within the organization or by
external persons selected by the organization, working on its behalf. In either case, the persons
conducting the audit should be competent and in a position to do so impartially and objectively.
In smaller organizations, auditor independence can be demonstrated by an auditor being free
from responsibility for the activity being audited.

 A.4.7 Management Review


Management review provides top management with the opportunity to evaluate the continuing
suitability, adequacy, and effectiveness of the BCMS. The management review should cover the
scope of the BCMS, although not all elements of the BCMS need to be reviewed at once, and the
review process may take place over a period of time. The management review will enable top
management to address the need for changes to key BCMS elements, including:
•  Policy;
•  Resource allocations;
•  Risk acceptance;
•  Objectives and targets; and
•  Business continuity strategies.

Review of the implementation and outcomes of the BCMS by top management should be
regularly scheduled and evaluated. While ongoing system review is advisable, formal review
should be structured, appropriately documented and scheduled on a suitable basis. Persons
who are involved in implementing the BCMS and allocating its resources should be involved in
the management review. In addition to the regularly scheduled management system reviews,
the following factors can trigger a review and should otherwise be examined once a review is
scheduled:
a)  Risk assessment and BIA: The BC management system should be reviewed every time a
risk assessment and BIA are completed for the organization. The results of the risk
assessment and BIA can be used to determine whether the BC management system
continues to adequately address the risks facing the organization.
b)  Sector/industry trends: Major sector/industry initiatives should initiate a BC management
system review. General trends and best practices in the sector/industry and in
business/operational continuity planning techniques can be used for benchmarking
purposes.
c)  Regulatory requirements: New regulatory requirements may require a review of the BC
management system.
d)  Event experience: A review should be performed following a response to a disruptive
incident, whether the response or recovery plan was activated or not. If the plan was
activated, the review should take into account the history of the plan itself, how it
worked, why it was activated, etc. If the plan was not activated, the review should
examine why not and whether this was an appropriate decision.
e)  Test and exercise results: Based on test and exercise results, the BC management system
should be modified as necessary.

Continual improvement and BC management system maintenance should reflect changes in the
risks, activities, and operation of the organization that will affect the BC management system.
The following are examples of procedures, systems, or processes that may affect the plan:
a)  Policy changes;
b)  Hazards and threat changes;
c)  Changes to the organization and its business processes;
d)  Changes in assumptions in risk assessment and BIA;
e)  Personnel changes (employees and contractors) and their contact information;
f)  Supplier and supply chain changes;
g)  Process and technology changes;
h)  Systems and application software changes;
i)  Lessons learned from exercising and testing;
j)  Lessons learned from external organizations’ disruptive events;
k)  Issues discovered during actual invocation of the plan;
l)  Changes to external environment (new businesses in area, new roads or changes to
existing traffic patterns, etc.); and
m) Other items noted during review of the plan and identified during the risk assessment
and impact analysis.

Annex B
(informative)

B  COMPATIBILITY WITH OTHER MANAGEMENT SYSTEMS AND THE DHS PS-PREP STANDARDS
This Standard is aligned with ISO 9001:2008, ISO 14001:2004, ISO/IEC 27001:2005, and ISO
28000:2007 in order to support consistent and integrated implementation and operation with
related management standards. One suitably designed management system can support the
requirements of all these standards.

Table 1: Correspondence between this Business Continuity Management System Standard
and ISO Management System Standards and the standards in the U.S. Department of
Homeland Security PS-Prep Program [2]

The table is given row by row. Each row is headed by the clause of this Standard
(ASIS/BSI BCM.01-2010) and lists the corresponding clauses of the ISO standards
(ISO 9001:2008, ISO 14001:2004, ISO 27001:2005, ISO 28000:2007) and of the US-DHS
PS-Prep standards (ANSI/ASIS SPC.1-2009, BS 25999-2:2007, NFPA 1600:2010). Where a
standard is not listed under a row, the table gives no corresponding clause for it.

0 Introduction
  ASIS/BSI BCM.01-2010: 0 Introduction; 0.1 General; 0.2 Plan-Do-Check-Act Cycle
  ISO 9001:2008: 0 Introduction; 0.1 General; 0.2 Process approach; 0.3 Relationship with
    ISO 9004; 0.4 Compatibility with other management systems
  ISO 14001:2004: Introduction
  ISO 27001:2005: 0 Introduction; 0.1 General; 0.2 Process approach; 0.3 Compatibility with
    other management systems
  ISO 28000:2007: Introduction
  ANSI/ASIS SPC.1-2009: 0 Introduction; 0.1 General; 0.2 Process approach
  BS 25999-2:2007: Introduction

1 Scope of Standard
  ASIS/BSI BCM.01-2010: 1 Scope of Standard
  ISO 9001:2008: 1 Scope; 1.1 General; 1.2 Application
  ISO 14001:2004: 1 Scope
  ISO 27001:2005: 1 Scope; 1.1 General; 1.2 Application
  ISO 28000:2007: 1 Scope
  ANSI/ASIS SPC.1-2009: 1 Scope
  BS 25999-2:2007: 1 Scope
  NFPA 1600:2010: 1 Administration; 1.1 Scope; 1.2 Purpose; 1.3 Application

2 Normative reference
  ASIS/BSI BCM.01-2010: 2 Normative reference
  ISO 9001:2008: 2 Normative reference
  ISO 14001:2004: 2 Normative reference
  ISO 27001:2005: 2 Normative references
  ISO 28000:2007: 2 Normative references
  ANSI/ASIS SPC.1-2009: 2 Normative references
  NFPA 1600:2010: 2 Referenced Publications

3 Terms and definitions
  ASIS/BSI BCM.01-2010: 3 Terms and definitions
  ISO 9001:2008: 3 Terms and definitions
  ISO 14001:2004: 3 Terms and definitions
  ISO 27001:2005: 3 Terms and definitions
  ISO 28000:2007: 3 Terms and definitions
  ANSI/ASIS SPC.1-2009: 3 Terms and definitions
  BS 25999-2:2007: 2 Terms and definitions
  NFPA 1600:2010: 3 Definitions

4 Business continuity management system requirements
  ASIS/BSI BCM.01-2010: 4 Business continuity management system requirements;
    4.1 General Requirements; 4.2 Establishing the context; 4.3 Policy and management
    commitment
  ISO 9001:2008: 4 Quality management system; 4.1 General requirements; 5 Management
    responsibility; 5.1 Management commitment; 5.2 Customer focus; 5.3 Quality policy;
    5.4 Planning; 5.5 Responsibility, authority and communication
  ISO 14001:2004: 4 Environmental management system requirements; 4.1 General
    requirements; 4.2 Environmental policy
  ISO 27001:2005: 4 Information security management system (ISMS); 4.1 General
    requirements; 4.2 Establishing and managing the ISMS; 4.2.1 Establish the ISMS;
    4.2.2 Implement and operate the ISMS; 4.2.3 Monitor and review the ISMS;
    4.2.4 Maintain and improve the ISMS; 5 Management responsibility; 5.1 Management
    commitment
  ISO 28000:2007: 4 Security management system elements; 4.1 General requirements;
    4.2 Security management policy
  ANSI/ASIS SPC.1-2009: 4 Organizational resilience (OR) management system requirements;
    4.1 General requirements; 4.1.1 Scope of OR management system; 4.2 Organizational
    resilience (OR) management policy; 4.2.1 Policy statement; 4.2.2 Management commitment
  BS 25999-2:2007: 3 Planning the business continuity management system; 3.1 General;
    3.2 Establishing and managing the BCMS; 3.2.1 Scope and objectives of BCMS;
    3.2.2 BCM policy; 3.2.3 Provision of resources; 3.2.4 Competency of BCM personnel
  NFPA 1600:2010: 4 Program Management; 4.1 Leadership and commitment; 4.2 Program
    coordinator; 4.3 Program committee; 4.4 Program administration; 4.5 Laws and
    authorities; 4.6 Performance objectives; 4.7 Finance and administration; 4.8 Records
    management

4.4 Planning
  ASIS/BSI BCM.01-2010: 4.4 Planning; 4.4.1 Business impact analysis and risk assessment;
    4.4.1.1 Business impact analysis; 4.4.1.2 Risk assessment; 4.4.2 Business continuity
    objectives and targets; 4.4.3 Business continuity strategies
  ISO 9001:2008: 7 Product realization; 7.1 Planning of product realization;
    7.2 Customer-related processes; 7.2.1 Determination of requirements related to the
    product; 7.2.2 Review of requirements related to the product
  ISO 14001:2004: 4.3 Planning; 4.3.1 Environmental aspects; 4.3.2 Legal and other
    requirements; 4.3.3 Objectives, targets and program(s)
  ISO 27001:2005: 4.2 Establishing and managing the ISMS; 4.2.1 Establish the ISMS;
    4.2.2 Implement and operate the ISMS
  ISO 28000:2007: 4.3 Security risk assessment and planning; 4.3.1 Security risk
    assessment; 4.3.2 Legal, statutory and other security regulatory requirements;
    4.3.3 Security management objectives; 4.3.4 Security management targets;
    4.3.5 Security management programmes
  ANSI/ASIS SPC.1-2009: 4.3 Planning; 4.3.1 Risk assessment and impact analysis;
    4.3.2 Legal and other requirements; 4.3.3 Objectives, targets, and program(s)
  BS 25999-2:2007: 4 Implementation and operation of the BCMS; 4.1 Understanding the
    organization; 4.1.1 Business impact analysis; 4.1.2 Risk assessment; 4.1.3 Determining
    choices; Determining business continuity strategy
  NFPA 1600:2010: 5 Planning; 5.1 Planning process; 5.2 Common plan requirements;
    5.3 Planning and design; 5.4 Risk assessment; 5.5 Business impact analysis;
    5.6 Prevention; 5.7 Mitigation

4.5 Implementation and operation
  ASIS/BSI BCM.01-2010: 4.5 Implementation and operation; 4.5.1 Resources; 4.5.2 Roles,
    responsibility and authority; 4.5.3 Competence, training and awareness;
    4.5.4 Documentation; 4.5.5 Control of documents; 4.5.6 Developing and implementing a
    business continuity response; 4.5.6.1 Response structure; 4.5.6.2 Business continuity
    plans; 4.5.7 Communication and notification
  ISO 9001:2008: 6 Resource management; 6.1 Provision of resources; 6.2 Human resources;
    6.2.2 Competence, training and awareness; 6.3 Infrastructure; 6.4 Work environment;
    7.2.3 Customer communication; 4.2 Documentation requirements; 4.2.1 General;
    4.2.2 Quality manual; 4.2.3 Control of documents; 7.3 Design and development;
    7.4 Purchasing; 7.5 Product and service provision
  ISO 14001:2004: 4.4 Implementation and operation; 4.4.1 Resources, roles, responsibility
    and authority; 4.4.2 Competence, training, and awareness; 4.4.3 Communication;
    4.4.4 Documentation; 4.4.5 Control of documents; 4.4.6 Operational control;
    4.4.7 Emergency preparedness and response
  ISO 27001:2005: 5.2 Resource management; 5.2.1 Provision of resources; 5.2.2 Training,
    awareness and competence; 4.3 Documentation requirements; 4.3.1 General;
    4.3.2 Control of documents
  ISO 28000:2007: 4.4 Implementation and operation; 4.4.1 Structure, authority and
    responsibilities for security management; 4.4.2 Competence, training and awareness;
    4.4.3 Communication; 4.4.4 Documentation; 4.4.5 Document and data control;
    4.4.6 Operational control; 4.4.7 Emergency preparedness, response and security
    recovery
  ANSI/ASIS SPC.1-2009: 4.4 Implementation and operation; 4.4.1 Resources, roles,
    responsibility, and authority; 4.4.2 Competence, training, and awareness;
    4.4.3 Communication and warning; 4.4.4 Documentation; 4.4.5 Control of documents;
    4.4.6 Operational control; 4.4.7 Incident prevention, preparedness, and response
  BS 25999-2:2007: 4.3 Developing and implementing a BCM response; 4.3.1 General;
    4.3.2 Incident response structure; 4.3.3 Business continuity plans and incident
    management plans; 3.2.4 Competency of BCM personnel; 3.3 Embedding BCM in the
    organization’s culture; 3.4 BCMS documentation and records; 3.4.2 Control of BCMS
    records; 3.4.3 Control of BCMS documentation
  NFPA 1600:2010: 6 Implementation; 6.1 Resource management; 6.2 Mutual aid/assistance;
    6.3 Communications and warning; 6.4 Operational procedures; 6.5 Emergency response;
    6.6 Employee assistance and support; 6.7 Business continuity and recovery; 6.8 Crisis
    communication and public information; 6.9 Incident management; 6.10 Emergency
    operations centers (EOCs); 6.11 Training and education

4.6 Checking and corrective action
  ASIS/BSI BCM.01-2010: 4.6 Checking and corrective action; 4.6.1 Monitoring and
    measurement; 4.6.2 Evaluation of conformance and system performance;
    4.6.2.1 Evaluation of conformance; 4.6.2.2 Exercises and testing; 4.6.3 Non-conformity,
    corrective action and preventive action; 4.6.4 Control of records; 4.6.5 Internal audits
  ISO 9001:2008: 8 Measurement, analysis and improvement; 8.1 General; 8.2 Monitoring and
    measurement; 8.2.2 Internal audit; 8.2.3 Monitoring and measurement of processes;
    8.2.4 Monitoring and measurement of product; 8.3 Control of nonconforming product;
    8.4 Analysis of data; 8.5.2 Corrective action; 8.5.3 Preventive action; 4.2.4 Control
    of records
  ISO 14001:2004: 4.5 Checking; 4.5.1 Monitoring and measurement; 4.5.2 Evaluation of
    compliance; 4.5.3 Nonconformity, corrective action and preventive action;
    4.5.4 Control of records; 4.5.5 Internal audits
  ISO 27001:2005: 4.2.3 Monitor and review the ISMS; 8.2 Corrective action; 8.3 Preventive
    action; 4.3.3 Control of records; 6 Internal ISMS audits
  ISO 28000:2007: 4.5 Checking and corrective action; 4.5.1 Security performance
    measurement and monitoring; 4.5.2 System evaluation; 4.5.3 Security-related failures,
    incidents, non-conformances and corrective and preventive action; 4.5.4 Control of
    records; 4.5.5 Audit
  ANSI/ASIS SPC.1-2009: 4.5 Checking (evaluation); 4.5.1 Monitoring and measurement;
    4.5.2 Evaluation of compliance and system performance; 4.5.2.1 Evaluation of
    compliance; 4.5.2.2 Exercises and testing; 4.5.3 Nonconformity, corrective action, and
    preventive action; 4.5.4 Control of records; 4.5.5 Internal audits
  BS 25999-2:2007: 4.4 Exercising, maintaining and reviewing BCM arrangements;
    4.4.1 General; 4.4.2 BCM exercising; 4.4.3 Maintaining and reviewing BCM arrangements;
    5 Monitoring and reviewing BCMS; 5.1 Internal audit; 6 Maintaining and improving the
    BCMS; 6.1 Preventive and corrective actions
  NFPA 1600:2010: 7 Testing and Exercises; 7.1 Entity evaluation; 7.2 Exercise evaluation;
    7.3 Methodology; 7.4 Frequency; 7.5 Exercise design

4.7 Management review
  ASIS/BSI BCM.01-2010: 4.7 Management review; 4.7.1 General; 4.7.2 Review input;
    4.7.3 Review output; 4.7.4 Opportunities for improvement
  ISO 9001:2008: 5.6 Management review; 8.5 Improvement; 8.5.1 Continual improvement
  ISO 14001:2004: 4.6 Management review
  ISO 27001:2005: 7 Management review of the ISMS; 7.1 General; 7.2 Review input;
    7.3 Review output; 4.2.4 Maintain and improve the ISMS; 8 ISMS improvement;
    8.1 Continual improvement of the ISMS
  ISO 28000:2007: 4.6 Management review and continual improvement
  ANSI/ASIS SPC.1-2009: 4.6 Management review; 4.6.1 General; 4.6.2 Review input;
    4.6.3 Review output; 4.6.4 Maintenance; 4.6.5 Continual improvement
  BS 25999-2:2007: 5.2 Management review of the BCMS; 5.2.1 General; 5.2.2 Review input;
    5.2.3 Review output; 6.2 Continual improvement
  NFPA 1600:2010: 8 Program Improvement; 8.1 Program reviews; 8.2 Corrective action

Annexes
  ASIS/BSI BCM.01-2010: Annex A Guidance on the use of this Standard; Annex B
    Compatibility with other management system standards and PS-Prep standards;
    C Terminology convention; D Glossary; E Bibliography
  ISO 9001:2008: Annex A Correspondence between ISO 9001:2000 and ISO 14001:2004;
    Annex B Changes between ISO 9001:2000 and ISO 9001:2008
  ISO 14001:2004: Annex A Guidance on the use of this International Standard; Annex B
    Correspondence between ISO 14001:2004 and ISO 9001:2000
  ISO 27001:2005: Annex A Control objectives and controls; Annex B OECD principles and
    this International Standard; Annex C Correspondence between ISO 9001:2000,
    ISO 14001:2004 and this International Standard
  ANSI/ASIS SPC.1-2009: Annex A Guidance on the use of the standard; Annex B
    Compatibility with other management systems; Annex C Terminology conventions;
    Annex D Glossary; Annex E Qualifications; Annex F Bibliography
  BS 25999-2:2007: Annex A Correspondence with BS EN ISO 9001:2000, BS EN ISO 14001:2004,
    BS ISO/IEC 27001:2005
  NFPA 1600:2010: Annex A Explanatory material; Annex B Program development resources;
    Annex C Self assessment for conformity with NFPA 1600, 2010 edition; Annex D
    Management system guidelines; Annex E Informational references

Type of standard
  ASIS/BSI BCM.01-2010, ISO 9001:2008, ISO 14001:2004, ISO 27001:2005, ISO 28000:2007,
    ANSI/ASIS SPC.1-2009, BS 25999-2:2007: Management System Standard
  NFPA 1600:2010: Program Management Standard

[2] U.S. Department of Homeland Security Voluntary Private Sector Preparedness Accreditation
and Certification Program (PS-Prep) information is available at
<http://www.fema.gov/privatesector/preparedness>.

Annex C
(informative)

C  TERMINOLOGY CONVENTIONS
The terminology conventions in Table 2 are in accordance with ISO/IEC Directives, Part 2:
Rules for the structure and drafting of International Standards (2004), Annex H, Verbal forms
for the expression of provisions.

Table 2: Verbal forms for the expression of provisions
(ISO/IEC Directives, Part 2: Rules for the structure and drafting of International Standards)

Verbal form   Usage

shall         Auditable requirements of a document – “used to indicate requirements strictly
              to be followed in order to conform to the document and from which no
              deviation is permitted.”

should        Recommendations – “used to indicate that among several possibilities one is
              recommended as particularly suitable, without mentioning or excluding
              others, or that a certain course of action is preferred but not necessarily
              required, or that (in the negative form) a certain possibility or course of
              action is deprecated but not prohibited.”

may           Permission – “used to indicate a course of action permissible within the limits
              of the document.”

can           Possibility and capability – “used for statements of possibility and capability,
              whether material, physical, or causal.”

Annex D
(normative)

D  GLOSSARY 
For the purposes of this standard, the following terms and definitions apply:

Term Definition

D.1  activity – process or set of processes undertaken by an organization (or on its behalf) that produces or supports one or more products or services.
NOTE: Examples of such processes include accounting, call center, information services, manufacturing, distribution, and other services.

D.2  asset – anything that has value to the organization. [ISO/IEC 13335-1:2004]

D.3  audit – systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. [ISO 9000:2005]
NOTE 1: Internal audits—sometimes called first-party audits—are conducted by, or on behalf of, the organization itself for management review and other internal purposes, and may form the basis for an organization’s declaration of conformity. In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from responsibility for the activity being audited.
NOTE 2: External audits include those generally termed second- and third-party audits. Second-party audits are conducted by parties having an interest in the organization, such as customers, or by other persons on their behalf. Third-party audits are conducted by external, independent auditing organizations, such as those providing certification/registration of conformity to a standard.
NOTE 3: When two or more management systems are audited together, this is termed a combined audit.
NOTE 4: When two or more auditing organizations cooperate to audit a single auditee, this is termed a joint audit.

D.4  auditor – person with competence to conduct an audit. [ISO 9001:2000]

D.5  business continuity – strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level. [BSI 25999-2:2007]
NOTE: Business continuity involves designing, implementing, and maintaining strategies to ensure the availability of business processes, personnel, equipment, suppliers, and technology assets in accordance with management-approved objectives.

D.6  business continuity management (BCM) – holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats—if realized—might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities. [BSI 25999-2:2007]
NOTE: Business continuity management involves managing the recovery or continuation of business activities in the event of a business disruption, and management of the overall program through training, exercises, and reviews to ensure the business continuity plan(s) stays current and up-to-date.

D.7  business continuity management system (BCMS) – that part of the overall management system that establishes, implements, operates, monitors, reviews, maintains, and improves business continuity. [BSI 25999-2:2007]
NOTE: The management system includes organizational structure, policies, planning activities, responsibilities, procedures, processes, and resources.

D.8  business continuity plan (BCP) – documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable predefined level. [BSI 25999-2:2007]

D.9  conformity – fulfillment of a requirement.

D.10  consequence – outcome of an event. [ISO/IEC Guide 73]
NOTE 1: There can be more than one consequence from one event.
NOTE 2: Consequences can range from positive to negative.
NOTE 3: Consequences can be expressed qualitatively or quantitatively.

D.11  continual improvement – recurring process of enhancing the business continuity management system in order to achieve improvements in overall business continuity management performance consistent with the organization’s business continuity management policy.
NOTE: The process need not take place in all areas of activity simultaneously.

D.12  corrective action – action to eliminate the cause of a detected non-conformity (3.6.2) or other undesirable situation. [ISO 9000:2005]
NOTE 1: There can be more than one cause for a non-conformity.
NOTE 2: Corrective action is taken to prevent recurrence whereas preventive action is taken to prevent occurrence.

D.13  crisis management team (CMT) – a group of individuals responsible for developing and implementing a comprehensive plan for responding to a disruptive incident. The team consists of a core group of decision-makers trained in incident management and prepared to respond to any situation.
NOTE: Members of the CMT should be knowledgeable of the business, authorized to identify a disruptive situation, communicate appropriately, and deploy the necessary resources (human and physical) to control the disruptive event to assure the safety and security of human and physical assets.

D.14  disruption – an event that interrupts normal business, activities, operations, or processes, whether anticipated (e.g., hurricane, political unrest) or unanticipated (e.g., a blackout, terror attack, technology failure, or earthquake).
NOTE: A disruption can be caused by either positive or negative factors that will disrupt normal activities, operations, or processes.

D.15  document – information and its supporting medium. [ISO 9000:2005]
NOTE: The medium can be paper, magnetic, electronic or optical computer disc, photography, or master sample, or a combination thereof.

D.16  downtime – period of time when something is not in operation.
NOTE: The allowable period of downtime is determined by the organization’s obligations (e.g., customer and regulatory requirements).

D.17  event – occurrence or change of a particular set of circumstances. [ISO/IEC Guide 73]
NOTE 1: The nature, likelihood, and consequence of an event cannot be fully known.
NOTE 2: An event can be one or more occurrences, and can have several causes.
NOTE 3: Likelihood associated with the event can be determined.
NOTE 4: An event can consist of a non-occurrence of one or more circumstances.
NOTE 5: An event with a consequence is sometimes referred to as an “incident”.

D.18  exercise – planned rehearsal of a possible incident designed to evaluate an organization’s capability to manage that incident and to provide an opportunity to improve the organization’s future responses and enhance the relevant competences of those involved.

D.19  facility (infrastructure) – plant, machinery, equipment, property, buildings, vehicles, information systems, transportation facilities, and other items of infrastructure or plant and related systems that have a distinct and quantifiable function or service.

D.20  first responder – a member of an emergency service who is first on the scene at a disruptive incident.
NOTE: Emergency services include any public or private service that deals with disruptions, such as the initial responding law enforcement officers, other public safety officials, emergency medical personnel, rescuers and/or other emergency response service providers.

D.21  impact – evaluated consequence of a particular outcome. [ISO/PAS 22399:2007]

D.22  impact analysis – process of analyzing all operational activities and the effect that an operational interruption might have upon them.
NOTE: Impact analysis includes Business Impact Analysis—the identification of business assets, activities, processes, and resources as well as an evaluation of the potential damage or loss that may be caused to the organization resulting from a disruption (or a change in the business or operating environment). Impact analysis identifies: 1) how the loss or damage will manifest itself; 2) the degree of potential escalation of damage or loss with time following an incident; 3) the minimum services and resources (human, physical, and financial) needed to enable business processes to continue to operate at a minimum acceptable level; and 4) the timeframe and extent within which activities and services of the organization should be recovered.

D.23  incident – event that has the capacity to lead to human, intangible, or physical loss or a disruption of an organization’s operations, services, or activities – which, if not managed, can escalate into an emergency, crisis, or disaster.

D.24  integrity – the property of safeguarding the accuracy and completeness of assets. [ISO/IEC 13335-1:2004]

D.25  internal audit – systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the management system audit criteria set by the organization are fulfilled. [ISO 14001:2004]
NOTE: In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from responsibility for the activity being audited.

D.26  loss – negative consequence. [BSI 25999-2:2007]

D.27  management system – system to establish policy and objectives and to achieve those objectives. [ISO 9000:2005]
NOTE: A management system of an organization can include different management systems, such as a business continuity management system, a quality management system, a financial management system, and/or an environmental management system.

D.28  mitigation – limitation of any negative consequence of a particular incident. [ISO/PAS 22399:2007]

D.29  non-conformity – non-fulfillment of a requirement. [ISO 9000:2005]

D.30  objective – overall goal, consistent with the policy, that an organization sets itself to achieve. [ISO 14001:2004]

D.31  organization – group of people and facilities with an arrangement of responsibilities, authorities, and relationships (e.g., company, corporation, firm, enterprise, institution, charity, sole trader, association, or parts or combination thereof). [ISO 9000:2005]
NOTE 1: The arrangement is generally orderly.
NOTE 2: An organization can be public, private, faith-based, or not-for-profit.

D.32  policy – overall intentions and direction of an organization as formally expressed by top management. [ISO 9000:2005]
NOTE 1: Generally, the business continuity policy is consistent with the overall policy of the organization and provides a framework for the setting of business continuity objectives.
NOTE 2: Business continuity management principles presented in this Standard can form a basis for the establishment of a business continuity policy.

D.33  preparedness (readiness) – activities, programs, and systems developed and implemented prior to an incident that may be used to support and enhance mitigation of, response to, and recovery from disruptions.

D.34  prevention – measures that enable an organization to avoid, preclude, or limit the impact of a disruption. [ISO/PAS 22399:2007]

D.35  preventive action – action to eliminate the cause of a potential non-conformity (see 3.6.2) or other undesirable potential situation. [ISO 9000:2005]
NOTE 1: There can be more than one cause for a potential non-conformity.
NOTE 2: Preventive action is taken to prevent occurrence whereas corrective action is taken to prevent recurrence.

D.36  procedure – specified way to carry out an activity. [ISO 9000:2005]
NOTE: Procedures can be documented or not.

D.37  process – set of interrelated or interacting activities which transforms inputs into outputs. [ISO 9000:2005]
NOTE 1: Inputs to a process are generally outputs of other processes.
NOTE 2: Processes in an organization are generally planned and carried out under controlled conditions to add value.

D.38  product – result of a process. [ISO 9000:2005]
NOTE 1: There are four generic product categories, as follows:
•  Services;
•  Software;
•  Hardware; and
•  Processed materials.
Many products comprise elements belonging to different generic product categories. Whether the product is then called service, software, hardware, or processed material depends on the dominant element.
NOTE 2: Service is the result of at least one activity necessarily performed at the interface between the supplier and customer and is generally intangible. Provision of a service can involve, for example, the following:
•  An activity performed on a customer-supplied tangible product;
•  An activity performed on a customer-supplied intangible product;
•  The delivery of an intangible product; or
•  The creation of ambience for the customer.

D.39  recovery time objective – period of time after which it is planned to recover each activity and resource to an acceptable capability after a disruptive event. This may be a simple resumption of full service or a phased return over a period.

D.40  recovery point objective – point in time to which data, or the capacity of a process, can be restored in a known and valid (integral) state. This should be less than the maximum amount of loss tolerance and may be defined in hours or days.

D.41  record – document stating results achieved or providing evidence of activities performed. [ISO 9000:2005]
NOTE 1: For example, records can be used to document traceability and to provide evidence of verification, preventive action, and corrective action.
NOTE 2: Generally, records need not be under revision control.

D.42  resources – all assets, people, skills, information, technology (including plant and equipment), premises, and supplies and information (whether electronic or not) that an organization has to have available to use, when needed, in order to operate and meet its objectives. [BSI 25999-2:2007]

D.43  risk – combination of the probability of an event and its consequence. [ISO/IEC Guide 73]
NOTE 1: The term “risk” is generally used only when there is at least the possibility of negative consequences.
NOTE 2: In some situations, risk arises from the possibility of deviation from the expected outcome or event.
NOTE 3: See ISO/IEC Guide 51 for issues related to safety.

D.44  risk acceptance – informed decision to take a particular risk. [ISO/IEC Guide 73]
NOTE 1: Risk acceptance can occur without risk treatment or during the process of risk treatment.
NOTE 2: Risk acceptance can also be a process.
NOTE 3: Risks accepted are subject to monitoring and review.

D.45  risk appetite – amount and type of risk that an organization is prepared to pursue, retain, or take.

D.46  risk assessment – overall process of risk identification, risk analysis, and risk evaluation. [ISO/IEC Guide 73]
NOTE: Risk assessment involves the process of identifying internal and external threats and vulnerabilities, identifying the probability and impact of an event arising from such threats or vulnerabilities, defining critical activities necessary to continue the organization’s operations, defining the controls in place necessary to reduce exposure, and evaluating the cost of such controls.

D.47  risk management – coordinated activities to direct and control an organization with regard to risk. [ISO/IEC Guide 73]
NOTE: Risk management generally includes risk assessment, risk treatment, risk acceptance, and risk communication.

D.48  risk treatment – process of selection and implementation of measures to modify risk. [ISO/IEC Guide 73]
NOTE 1: The term “risk treatment” is sometimes used for the measures themselves.
NOTE 2: Risk treatment measures can include avoiding, optimizing, transferring, or retaining risk.

D.49  safety – freedom from danger, risk, or injury.

D.50  stakeholder (interested party) – person or group having an interest in the performance or success of an organization. [ISO/PAS 22399:2007]
NOTE: The term includes persons and groups with an interest in an organization, its activities and its achievements—e.g., customers, partners, persons working for or on behalf of the organization, shareholders, owners, the local community, first responders, government, and regulators.

D.51  supply chain – the linked set of resources and processes that begins with the acquisition of raw material and extends through the delivery of products or services to the end user across the modes of transport. The supply chain may include suppliers, vendors, manufacturing facilities, logistics providers, internal distribution centers, distributors, wholesalers, and other entities that lead to the end user.

D.52  target – detailed performance requirement applicable to the organization (or parts thereof) that arises from the objectives and that needs to be set and met in order to achieve those objectives. [ISO 14001:2004]

D.53  testing – evaluation of a resource to validate the achievement of objectives and aims. See exercise.

D.54  threat – potential cause of an unwanted incident, which may result in harm to individuals, assets, a system or organization, the environment, or the community.

D.55  top management – person or group of people who directs and controls an organization (see 3.3.1) at the highest level. [ISO 9000:2005]
NOTE: Top management, especially in a large multinational organization, might not be directly involved; however, top management accountability through the chain of command is manifest. In a small organization, top management might be the owner or sole proprietor.

Annex E
(informative)

E  BIBLIOGRAPHY

E.1 ASIS International Publications (3)
Business Continuity Guideline: A Practical Approach for Emergency Preparedness, Crisis Management, and Disaster Recovery, 2005.

E.2 BSI Publications (4)
[1] BS 25999-1:2006, Business Continuity Management – Part 1: Code of Practice.
[2] BS 25999-2:2007, Business Continuity Management – Part 2: Specification.

E.3 ISO Standards Publications (1)
[1] ISO 9001:2008, Quality management systems — Requirements.
[2] ISO 14001:2004, Environmental management systems — Requirements with guidance for use.
[3] ISO/IEC TR 18044:2004, Information technology — Security techniques — Information security incident management.
[4] ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing.
[5] ISO/IEC 27001:2005, Information technology — Security techniques — Information security management systems — Requirements.
[6] ISO 28000:2007, Specification for security management systems for the supply chain.
[7] ISO/PAS 22399:2007, Societal Security – Guidelines for incident preparedness and operational continuity management.
[8] ISO/IEC Guide 73:2002, Risk management — Vocabulary — Guidelines for use in standards.

E.4 National Standards Publications
[1] ASIS SPC.1-2009, Organizational Resilience: Security, Preparedness and Continuity Management Systems – Requirements with Guidance for Use. (3)
[2] NFPA 1600:2010, Standard on Disaster/Emergency Management and Business Continuity Programs. (5)

(1) These documents are available at <http://iso.org>.
(3) This document is available at <https://www.asisonline.org/guidelines/published.htm>.
(4) These documents are available at <http://shop.bsigroup.com/>.
(5) This document is available from the National Fire Protection Association (NFPA) <http://www.nfpa.org>.

E.5 Other Referenced Publications
[1] National Incident Management System (NIMS): 2008, US Department of Homeland Security. (6)

(6) This document is available at <http://www.fema.gov/pdf/emergency/nims/NIMS_core.pdf>.

ASIS International (ASIS) is the preeminent organization for security professionals, with more than 37,000 members worldwide. Founded in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the media, governmental entities, and the general public. By providing members and the security community with access to a full range of programs and services, and by publishing the industry’s number one magazine, Security Management, ASIS leads the way for advanced and improved security performance. For more information, visit www.asisonline.org.

BSI Group is a global independent business services organization that develops standards-based solutions to improve management practices and promote innovation. BSI can help businesses, governments and other organizations around the world to raise quality and performance in a sustainable and socially responsible way. From its origins as the world’s first National Standards Body, BSI Group draws upon over 100 years’ experience, working with 66,000 organizations in 147 countries from its 50 offices. To learn more, please visit www.bsigroup.com.

ASIS International
1625 Prince Street
Alexandria, Virginia 22314-2818
USA
+1.703.519.6200
Fax: +1.703.519.6299
www.asisonline.org

BSI
12110 Sunset Hills Road, Suite 200
Reston, Virginia 20190-5902
USA
+1.800.862.4977
Fax: +1.703.437.9001
www.bsiamerica.com
