ASIS INTERNATIONAL
ASIS/BSI BCM.01-2010
AMERICAN NATIONAL STANDARD
Abstract
Based on the BS 25999 Business continuity management (Part 1 and Part 2), this Standard specifies requirements for a
business continuity management system (BCMS) to enable an organization to identify, develop, and implement policies,
objectives, capabilities, processes, and programs—taking into account legal and other requirements to which the
organization subscribes—to address disruptive events that might impact the organization and its stakeholders. This
Standard specifies requirements for planning, establishing, implementing, operating, monitoring, reviewing,
exercising, maintaining, and improving a documented BCMS within the context of managing an organization’s risks.
NOTICE AND DISCLAIMER
The information in this publication was considered technically sound by the consensus of those who engaged in the
development and approval of the document at the time of its creation. Consensus does not necessarily mean that
there is unanimous agreement among the participants in the development of this document.
ASIS International and BSI standards and guideline publications, of which the document contained herein is one, are
developed through a voluntary consensus standards development process. This process brings together volunteers
and/or seeks out the views of persons who have an interest and knowledge in the topic covered by this publication.
While ASIS administers the process and establishes rules to promote fairness in the development of consensus, it
does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of
any information or the soundness of any judgments contained in its standards and guideline publications.
ASIS is a volunteer, nonprofit professional society with no regulatory, licensing, or enforcement power over its
members or anyone else. ASIS and BSI do not accept or undertake a duty to any third party because they do not have
the authority to enforce compliance with their standards or guidelines. They assume no duty of care to the general public,
because their works are not obligatory and because they do not monitor the use of them.
ASIS and BSI disclaim liability for any personal injury, property, or other damages of any nature whatsoever,
whether special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of,
application, or reliance on this document. ASIS and BSI disclaim and make no guaranty or warranty, expressed or
implied, as to the accuracy or completeness of any information published herein, and disclaim and make no
warranty that the information in this document will fulfill any person’s or entity’s particular purposes or needs.
ASIS and BSI do not undertake to guarantee the performance of any individual manufacturer’s or seller’s products or
services by virtue of this standard or guide.
In publishing and making this document available, ASIS and BSI are not undertaking to render professional or other
services for or on behalf of any person or entity, nor are ASIS and BSI undertaking to perform any duty owed by any
person or entity to someone else. Anyone using this document should rely on his or her own independent judgment
or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any
given circumstances. Information and other standards on the topic covered by this publication may be available from
other sources, which the user may wish to consult for additional views or information not covered by this
publication.
ASIS and BSI have no power, nor do they undertake, to police or enforce compliance with the contents of this
document. ASIS and British Standards have no control over which of their standards, if any, may be adopted by
governmental regulatory agencies, or over any activity or conduct that purports to conform to their standards. ASIS
and British Standards do not list, certify, test, inspect, or approve any practices, products, materials, designs, or
installations for compliance with their standards. They merely publish standards to be used as guidelines that third
parties may or may not choose to adopt, modify, or reject. Any certification or other statement of compliance with
any information in this document shall not be attributable to ASIS and British Standards and is solely the
responsibility of the certifier or maker of the statement. This publication does not purport to include all the necessary
provisions of a contract. Compliance with a British Standard cannot confer immunity from legal obligations.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any
form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written
consent of the copyright owner.
ISBN: 978-1-934904-07-7
FOREWORD
The information contained in this Foreword is not part of this American National Standard (ANS) and has not been
processed in accordance with ANSI’s requirements for an ANS. As such, this Foreword may contain material that has
not been subjected to public review or a consensus process. In addition, it does not contain requirements necessary
for conformance to the Standard.
ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory
requirements are designated by the word shall and recommendations by the word should. Where both a mandatory
requirement and a recommendation are specified for the same criterion, the recommendation represents a goal
currently identifiable as having distinct compatibility or performance advantages.
ASIS International and BSI collaborated in the development of the Business Continuity Management Systems:
Requirements with Guidance for Use Standard. This management systems standard provides generic auditable criteria
and informative guidance on business continuity management.
About ASIS
ASIS International (ASIS) is the preeminent organization for security professionals, with more than 37,000 members
worldwide. ASIS is dedicated to increasing the effectiveness and productivity of security professionals by
developing educational programs and materials that address broad security interests, such as the ASIS Annual
Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security
management profession to business, the media, government entities, and the public. By providing members and the
security community with access to a full range of programs and services, and by publishing the industry’s No. 1
magazine – Security Management – ASIS leads the way for advanced and improved security performance.
The work of preparing standards and guidelines is carried out through the ASIS International Standards and
Guidelines Committees, and governed by the ASIS Commission on Standards and Guidelines. The Mission of the
ASIS Standards and Guidelines Commission is to advance the practice of security management through the development of
standards and guidelines within a voluntary, nonproprietary, and consensus-based process, utilizing to the fullest extent possible
the knowledge, experience, and expertise of ASIS membership, security professionals, and the global security industry.
About BSI
BSI is the UK’s National Standards Body, recognized globally for its independence, integrity, and innovation in the
production of standards and information products that promote and share best practices. BSI works with businesses,
consumers, and government to represent UK interests and to make sure that British, European, and international
standards are useful, relevant, and authoritative.
BSI Group is a global independent business services organization that inspires confidence and delivers assurance to
customers with standards-based solutions. Originating as the world’s first national standards body, the Group has
over 2,300 staff operating in over 120 countries through more than 50 global offices.
Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince
Street, Alexandria, VA 22314-2818, USA.
Commission Members
Jason L. Brown, Thales Australia
Steven K. Bucklin, Glenbrook Security Services, Inc.
John C. Cholewa III, CPP, Mentor Associates, LLC
Cynthia P. Conlon, CPP, Conlon Consulting Corporation
Michael A. Crane, CPP, IPC International Corporation
William J. Daly, Control Risks Security Consulting
Eugene F. Ferraro, CPP, PCI, CFE, Business Controls Inc.
F. Mark Geraci, CPP, Purdue Pharma L.P., Chair
Robert W. Jones, Socrates Ltd, Inc.
Michael E. Knoke, CPP, Express Scripts, Inc., Vice Chair
John F. Mallon, CPP, Mallon & Associates, LLC
Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
John E. Turey, CPP, ITT Corporation
Roger D. Warwick, CPP, Pyramid International
At the time it approved this document, the BCM Standards Committee, which is responsible for the development of this
Standard, had the following members:
Committee Members
Committee Co-Chairman: Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative, ASIS International
Committee Co-Chairman: Kevin S. Brear, J.P. Morgan Chase
Committee Secretariat: Sue Carioti, ASIS International
Committee Secretariat: David Adamson, British Standards Institution
Sharon Caudle Ph.D., The Bush School of Government and Public Service
Chee Seng Chan, Becton Dickinson Critical Care Systems Pte Ltd
Ian Charters, Continuity Systems Ltd
Telva Chase, Regence Group
Ian Clark, East Neuk Consultants Ltd
Justin Clarke, Gobanza, Inc.
Mike Claver, State Farm Insurance Companies
William Coffey, American Society of Safety Engineers
Andrew Collins, Baylor Health Care System
Malcolm Cornish, RMI (UK) Limited
Robert J. Coullahan, CEM, CPP, CBCP, Readiness Resource Group
Georges Cowan, Business Continu-IT Partners
Kevin Cunningham, UBS
Merlyn Demaine, Imperial College NHS Trust
Indrajit Dimyati, Business Continuity Planning Asia Pte Ltd
Brian Dixon, Moody International
Lisa DuBrock, The Radian Group, LLC
Robert Duncan, Consultant
Edward Eaton, Warner Gudlaugsson LLC
Henry Ee, Business Continuity Planning Asia Pte Ltd
Jorge Escalera, Risk Mexico
Greig Fennell, Sprint
Patti Fitzgerald, Disaster Recovery Journal
Windom Fitzgerald, Pendulum
Walter Fountain, CPP, Schneider National, Inc.
Christopher Frampton, SRCN Limited
Barry Freedman, FCS Consulting Services
Peter French, CPP, SSR Personnel
Robin Gaddum, IBM
Paul Genzburg, Soros Fund Management/Open Society Institute
Robert Giffin, Avalution Consulting
Stephen Giordano, HCA Inc.
Matthew Gneuhs, Cincinnati Children's Hospital Medical Center
Julia Graham, DLA Piper UK LLP
Briane Grey, U.S. Drug Enforcement Administration
Wayne Harrop, Centre for Disaster Management: Coventry University
Ronald Hauri, Northwestern University
John Hele, British Standards Institution
Michael Hill, Nokia
Andrea Hollman, United Space Alliance, LLC
Simon Honey, Mitsubishi UFJ Securities International plc.
Roger Housner, WPS Insurance Corporation
C.J. Howard, Deere & Company
Terri Howard, FEI Behavioral Health
David Huynh, Ross Stores, Inc.
Brian Kaye, Control Risks Group
David Kaye, Risk Reality
Michael Keating, Doulos Business Consulting
James Kennedy, Recovery-Solutions
Penelope Killow, HFC Bank (HSBC Group)
Steven King, CPP, U.S. Department of Homeland Security, Office of Infrastructure Protection
Paul Kirvan, Paul Kirvan Associates
Donald E. Knox, CPP, Caterpillar Inc.
TABLE OF CONTENTS
4.7.1 General
4.7.2 Review Input
4.7.3 Review Output
4.7.4 Opportunities for Improvement
A GUIDANCE ON THE USE OF THE STANDARD
A.0 INTRODUCTION
A.4.1 GENERAL REQUIREMENTS
A.4.2 ESTABLISHING THE CONTEXT
A.4.2.1 Scope of the BCMS
A.4.2.2 Legal and Other Requirements
A.4.3 POLICY AND MANAGEMENT COMMITMENT
A.4.4 PLANNING
A.4.4.1 Business Impact Analysis and Risk Assessment
A.4.4.2 Business Continuity Objectives and Targets
A.4.4.3 Business Continuity Strategies
A.4.5 IMPLEMENTATION AND OPERATION
A.4.5.1 Resources
A.4.5.2 Roles, Responsibility, and Authority
A.4.5.3 Competence, Training, and Awareness
A.4.5.4 Documentation
A.4.5.5 Control of Documents
A.4.5.6 Developing and Implementing a Business Continuity Response
A.4.5.7 Communication and Consultation
A.4.6 CHECKING AND CORRECTIVE ACTION
A.4.6.1 Monitoring and Measurement
A.4.6.2 Evaluation of Compliance and System Performance
A.4.6.3 Non-conformity, Corrective Action and Preventive Action
A.4.6.3.1 General
A.4.6.3.2 Corrective Action
A.4.6.3.3 Preventive Action
A.4.6.4 Control of Records
A.4.6.5 Internal Audits
A.4.7 MANAGEMENT REVIEW
B COMPATIBILITY WITH OTHER MANAGEMENT SYSTEMS AND THE DHS PS-PREP STANDARDS
TABLE OF FIGURES
FIGURE 1: PDCA CYCLE APPLIED TO BCMS PROCESSES
FIGURE 2: BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) FRAMEWORK
TABLE OF TABLES
TABLE 1: CORRESPONDENCE BETWEEN THIS STANDARD OF BEST PRACTICES, BS 25999-1:2006, ISO 9001:2000, ISO 14001:2004, AND ISO 27001:2005
TABLE 2: VERBAL FORMS FOR THE EXPRESSION OF PROVISIONS
0 INTRODUCTION
0.1 General
A business continuity management system (BCMS) is an organization-wide process that establishes
a fit-for-purpose, strategic, and operational framework that upon implementation by the
organization’s leadership:
• Improves an organization’s ability to withstand disruptive events that may jeopardize
the achievement of its purpose, mission, and strategic objectives.
• Delivers a demonstrable capability to manage a disruption and protect stakeholder
interests.
• Provides a structured and rehearsed method of restoring an organization’s productive
ability within a planned timeframe after a disruption.
• Enables an organization to return to its normal state more quickly and safely than would
otherwise be possible.
• Supports maintenance and continuous improvement of the organization’s BCMS.
• Promotes the safety and security of internal and external stakeholders.
An actively engaged top management team that directs and embraces a BCMS enables an
organization to create and maintain an effective and efficient business continuity program
(processes, strategies, and solutions). The BCMS enables the organization to systematically
address its stakeholder business continuity needs.
This Standard may be used by private, public, not-for-profit, and voluntary organizations,
regardless of their size, scope, or complexity. The Standard accommodates diverse
jurisdictional, geographical, cultural, operational, and social environments.
The success of a BCMS depends on the active engagement, endorsement, and commitment of
organizational leadership to the BCMS. A BCMS enables an organization to develop a business
continuity management policy, establish objectives and processes to achieve the policy
commitments, and take action as needed for continual improvement of business continuity
performance. A management system is a dynamic and iterative process; therefore, many of the
requirements in this Standard may be addressed concurrently or revisited at any time.
A BCMS has the following base components:
a) A policy providing a framework for management’s business continuity objectives and
expectations;
b) A definition of roles, responsibilities, and resources;
c) A description of the required management processes relating to:
i. Policy;
ii. Strategic planning;
iii. Business continuity planning and procedural implementation and operation;
The main body of this Standard contains only those generic criteria that may be objectively
audited. Guidance on supporting BCM techniques is contained in the annexes of this
document.
This Standard, like other management standards, is not intended to be used to create non-tariff
trade barriers or to increase or change an organization’s legal obligations. Indeed, conformance
with a standard does not in itself confer immunity from legal obligations. Verification of an
organization's conformance to this Standard may be performed through an external or internal
auditing process. Verification may be by a first-, second-, or third-party mechanism.
Verification does not require third-party certification.
This Standard does not include requirements specific to other management systems such as
those for quality, occupational health and safety, or financial risk management—though its
elements can be aligned or integrated with those of other management systems. It is possible
for an organization to adapt its existing management system(s) in order to establish a BCMS
that conforms to the criteria of this Standard. It should be understood, however, that the
application of various elements of the management system might differ depending on the
intended purpose and the stakeholder involved.
The level of detail and complexity of the BCMS, the extent of documentation, and the resources
devoted to it will be dependent on a number of factors—such as the scope of the system; the
size of an organization; and the nature of its activities, products, and services. This may be the
case in particular for small and medium-sized enterprises.
Plan (establish the management system): Establish management system policy, objectives, processes, and
procedures relevant to managing business continuity risks and improving response and recovery processes that
deliver results in accordance with the organization’s strategic needs.
Do (implement and operate the management system): Implement and operate the management system policy,
controls, processes, and procedures.
Check (monitor and review the management system): Monitor, assess, measure, and review performance against
management system policy, objectives, and practical experience; report the results to management for review; and
determine and authorize actions for remediation and improvement.
Act (maintain and improve the management system): Take corrective and preventive actions, based on the results
of the internal management system audit and management review, re-appraising the scope of the BCMS and
business continuity policy and objectives to achieve continual improvement of the management system.
Conformance with this Standard can be verified by the auditing process described in ISO
19011:2002, which is compatible and consistent with the methodology used for ISO 9001:2008, ISO
14001:2004, ISO 28000:2007, and/or ISO/IEC 27001:2005, and with the PDCA Model.
1 SCOPE OF STANDARD
This Standard specifies requirements for a business continuity management system (BCMS) to
enable an organization to identify, develop, and implement policies, objectives, capabilities,
processes, and programs—taking into account legal and other requirements to which the
organization subscribes or is governed by—to address disruptive events that might impact the
organization and its stakeholders. This Standard specifies requirements for planning,
establishing, implementing, operating, monitoring, reviewing, exercising, maintaining, and
improving a documented BCMS within the context of managing an organization’s risks.
The requirements specified in this Standard are generic and intended to be applicable to all
organizations (or parts thereof), regardless of type, size, and nature of the organizational
mission. The scope of these requirements depends on the organization’s operating environment
and complexity.
This Standard seeks to offer a flexible management systems approach to address and minimize
the consequences associated with disruptive events.
This Standard addresses all aspects of the organization deemed essential to meeting
commitments (as agreed to by top management), consistent with the scope of the BCMS. The
Standard does not itself state specific performance criteria.
The intent of this Standard is to position an organization to design a BCMS that is appropriate to
its needs. These needs are shaped by customer and other stakeholder, regulatory, and
operational requirements; the products and services; the processes employed; the size and
structure of the organization; and jurisdictional and geographic areas of operation.
This Standard is applicable to any organization that chooses to:
a) Establish, implement, maintain, and improve a BCMS.
b) Assure itself of its conformity with its stated business continuity management policy.
c) Demonstrate conformity with this Standard by:
i. Making a self-determination and self-declaration.
ii. Seeking confirmation of its conformance by parties having an interest in the
organization (such as customers and supply chain partners).
iii. Seeking confirmation of its self-declaration by a party external to the
organization.
iv. Seeking certification/registration of its BCMS by an external organization.
2 NORMATIVE REFERENCES
The following standards contain provisions which, through reference in this text, constitute
provisions of this American National Standard. At the time of publication, the editions
indicated were valid. All standards are subject to revision, and parties to agreements based on
this American National Standard are encouraged to investigate the possibility of applying the
most recent editions of the standards indicated below.
NOTE: The reader is encouraged to read through the terms and definitions prior to reading the body of the
document.
When defining the scope, the organization shall document any exclusions, where such
exclusions do not affect the organization’s ability and/or responsibility to provide continuity of
business and operations that meet the BCMS requirements (as determined by impact analysis or
risk assessment and applicable legal, regulatory, and contractual requirements).
The organization shall ensure that the applicable legal and other requirements to which the
organization subscribes or is governed by are taken into account in establishing, implementing,
and maintaining its BCMS.
The organization shall keep the information required herein up to date.
4.3.1 Policy
Top management shall define the business continuity management policy in terms of the
characteristics of the organization, its location(s) and operating environment, its stakeholders,
obligations, and assets.
The policy shall include or make reference to:
a) Alignment with the organization’s mission, strategic objectives, and risk management
approach as it pertains to the BCMS and BCM program;
b) Commitment to proactively manage the impact of disruptive events;
c) A framework for setting objectives, direction, and principles for action;
d) Legal, regulatory, and contractual requirements;
e) The scope of the business continuity management system, including limitations and
exclusions;
f) A commitment to leadership oversight; and
g) Continual improvement.
4.4 Planning
4.4.1 Business Impact Analysis and Risk Assessment
The organization shall establish, implement, and maintain a formal and documented evaluation
process to systematically analyze risk and impacts, and establish business continuity objectives
consistent with the scope and policy of the BCMS.
The organization shall:
a) Evaluate the impact of disruptive events within its internal and external context;
b) Define and establish business continuity and recovery objectives and priorities;
c) Evaluate the direct and indirect benefits and costs of options to reduce risk;
d) Identify programs required to ensure achievement of its objectives prior to, during, and
following a disruption;
e) Assess risks and impacts following the changes within the organization's environment
caused by internal or external factors; and
f) Document and keep this information updated, secured (as appropriate), and readily
available for authorized use.
When establishing and reviewing its objectives and targets, an organization shall consider the
legal, regulatory, and contractual requirements; the significant risks and impacts; risk tolerance;
resource options; financial, operational, contractual, and organizational requirements; and the
views of stakeholders.
The organization shall determine and provide the resources needed to:
a) Establish, implement, operate, monitor, review, maintain, and continually improve the
BCMS and its business continuity strategies;
b) Assess and participate in agreements related to interdependencies and mutual aid, if
applicable; and
c) Maintain adequate proactive and reactive capacity.
The organization shall develop and document financial, logistical and administrative
procedures to support the business continuity strategies before, during, and after an incident.
Procedures shall be:
a) Established to ensure that fiscal decisions can be expedited; and
b) In accordance with established authority levels, governance, and accounting principles.
The organization’s top management shall assume the following responsibilities or shall:
a) Designate a management representative(s) with appropriate authority and
accountability for the BCMS, irrespective of other responsibilities, who will ensure that
the business continuity management system is established, communicated,
implemented, and maintained in accordance with the policy requirements, and report
The organization shall establish, implement, and maintain awareness, competence, and training
procedures to ensure persons working for it or on its behalf are aware of:
a) Applicable strategies and procedures specific to business continuity, including
mitigation, response, communication, recovery, and resumption;
b) The importance of conformity with the business continuity management policy and with
the requirements of the BCMS;
c) Their roles and responsibilities in achieving conformity with the requirements of the
business continuity management system;
d) The significant risks, and actual or potential impacts, associated with their work; and
e) The benefits of improved personal performance.
The organization shall promote awareness to build a culture that ensures business continuity
becomes part of its core values and governance, and makes its stakeholders aware of its BCM
policy and their roles in any plans.
The organization shall evaluate the efficacy of business continuity awareness, competence, and
training procedures and retain associated records.
4.5.4 Documentation
BCMS documentation shall include:
a) A description of the purpose and scope of the BCMS;
b) The BCM policy, objectives, targets, and measures;
c) A description of the main elements of the BCMS and their interaction; and
d) Documents, including records, required by this Standard; or determined by the
organization to be necessary to ensure the effective planning, operation, and
maintenance of processes that relate to its identified risks and their impacts and the
business continuity plans.
BCMS documentation shall be reviewed and updated on a regular basis; however, significant
organizational or process changes should be addressed promptly.
identified in the business impact analysis. The organization shall document plans and
procedures (including necessary arrangements) to ensure continuity of activities and
management of a disruptive event. The plans and procedures shall:
a) Establish the appropriate internal and external communications protocol;
b) Be specific regarding the immediate steps that should be taken during a disruption;
c) Be flexible enough to respond to unanticipated threat scenarios and changing internal and external
conditions;
d) Be focused on the impact of events that could potentially disrupt operations;
e) Be developed based on stated assumptions and an analysis of interdependencies; and
f) Be effective in minimizing consequences through implementation of appropriate
mitigation strategies.
The organization shall periodically test, review, and (where necessary) revise its business
continuity plans—in particular, after the occurrence of a disruptive event and its associated
post-event review.
e) Exercise its business continuity plans, teams, and facilities to ensure that they meet
organizational requirements;
f) Carry out a range of different exercises that taken together validate the whole of its
business continuity arrangements;
g) Carry out a post-exercise review that will assess the achievement of the objectives and
targets of the exercise, lessons learned, and opportunities for improvement; and
h) Submit to top management a written report of the exercise, outcomes, and feedback,
including recommended corrective and preventive actions.
The organization shall establish, implement, and maintain a procedure(s) to protect the integrity
of records including access to, identification, storage, protection, retrieval, retention, and
disposal of records.
Records shall be and remain legible, identifiable, and traceable.
Annex A
(informative)
It is good practice for an organization to protect its physical, virtual, and human assets. The
success of the management system depends on the commitment at all levels and activities in the
organization, especially the organization’s top management. Decision makers should be
prepared to budget and secure the necessary resources to support the BCMS. It is necessary
that an appropriate structure be implemented to effectively deal with prevention, mitigation,
and management. Regardless of the organization – for profit, not for profit, faith-based, non-
governmental – its leadership has a duty to stakeholders to plan for its continued operation.
• Audit reports;
• Government advisories; and
• Political and social operating environment.
Legal obligations vary by jurisdiction, as well as geographic location, and the type and nature of
operations, as well as the location, type, and nature of the organization’s customers. Therefore,
it is important that the organization be aware of its obligations within the context of its
operating environment.
The organization should identify all relevant statutory, regulatory, contractual, and other
requirements and communicate this information to appropriate stakeholders. The organization
should evaluate which requirements apply and where they apply, and identify who should
receive this information. The organization should explicitly define, document, and keep current
its approach to accessing and addressing these requirements. Similarly, the organization
should define and document specific business continuity methods and controls as well as
individual responsibilities to meet these requirements.
The BCMS management policy should be sufficiently clear to interested internal and external
parties. Top management reviews, revises, and endorses the policy periodically to reflect
changing conditions and information. The scope of the policy should be clearly identifiable and
reflect the unique nature, scale, and impact of the BCMS on the organization’s activities,
products, and services.
The BCMS management policy should be communicated and made available to all persons who
work for or on behalf of the organization and others such as customers, investors, stockholders,
the supply chain, and concerned public and/or community agencies. Communication to
external parties can be in alternative forms to the policy statement itself – such as rules,
directives, and procedures – and may therefore only include pertinent sections of the policy.
One or more qualified persons should be appointed and empowered to implement, test or
exercise, and maintain the BCMS. Top management should conduct its own periodic reviews
and audits of the overall BCMS. Top management should demonstrate its commitment to the
BCMS. It can do so by showing that it champions the BCMS; provides sufficient resources for the
BCMS; and takes responsibility for creating, maintaining, testing, and implementing a
comprehensive BCMS throughout the Plan, Do, Check, and Act (PDCA) cycle. These steps
illustrate the priority of the BCMS to top management and signal that commitment to
management and staff throughout the organization. Equally essential is that top management
engage a “top down” approach to the BCMS to convey management accountability at all levels,
as part of the organization’s overall governance, for effective and efficient BCM plan
development, maintenance and testing.
A.4.4 Planning
A.4.4.1 Business Impact Analysis and Risk Assessment
The BIA and risk assessment provide the foundation for establishing the business continuity
objectives, targets, programs, and plans. The appropriate order of conducting BIA and risk
assessment depends on the approach the organization employs.
All organizations face a certain amount of uncertainty in achieving their objectives for product
and service delivery. The level of acceptance is set by top management, as stated in the BCM
policy. The BIA and risk assessment then provide the analytical basis for determining the
appropriate risk treatment strategies to reduce the risk to within the designated level of risk
acceptance.
Many methodologies exist for BIA and risk assessment. The organization should establish,
implement, and maintain a formal methodology that is documented and repeatable.
Assumptions, scope, evaluation criteria, and results should be clearly defined and reviewed by
top management.
The BIA and risk assessment are inclusive processes taking into account the input of internal
and external stakeholders. The risk and impact identification, analysis, and evaluation
processes are framed within the operating environment of the organization; therefore, they
should take into account:
• Internal context such as governance, organizational roles, structures, policies, processes,
culture and strategies, resources capabilities and knowledge, and overall risk
management strategy;
• External context such as social, environmental, geographic, political, cultural,
competitive, business, financial, supply chain, interdependencies, and community; and
• Legal and other requirements.
To achieve results that accurately reflect the risk profile of the organization, data for the BIA
and risk assessment should be gathered by a competently trained team. The sampling
techniques for the collection of administrative, financial, technical, and physical data should be
selected to assure representative samples. The BIA and risk assessment are not exact sciences;
therefore, assumptions and reliability of information should be documented. All operational
units of the organization within scope of the BCMS should be directly consulted during the data
gathering process. Results of the BIA and risk assessment should be reported and reviewed by
top management in order to establish the BCM objectives, targets, and strategies. The
organization should define the scope of the BIA and risk assessment based on:
• BCMS scope (products, services, and organizational activities);
• Customer expectations and obligations;
• Legal, regulatory, and contractual requirements;
• Risk appetite;
• Interdependencies and supply chain obligations;
• Infrastructure requirements; and
• Data/information recovery requirements.
• Estimate the maximum acceptable downtime that the organization can tolerate while
still maintaining viability – enabling it to establish recovery time objectives.
• Evaluate resource requirements, activity, and external interdependencies to resume
operations within the recovery timescales identified.
• Provide the parameters for the selection of appropriate BCM Strategies that can satisfy
the required recovery timescales identified.
The organization should document the scope of the BIA, based on the scope of the BCMS. It
should select and define the approach and methodology based on BIA objectives and
management expectations, as well as the information management needs to make decisions.
Typical BIA activities include:
• Confirm scope of BIA with top management;
• Identify sources of information;
• Decide on methods for data collection;
• Perform data gathering through interviews, questionnaires, or documentation;
• Analyze impact, time, and interrelationship information;
• Present recommendations and justification to management for evaluation; and
• Prepare information for use in BCM strategy development.
A.4.4.1.1.2 Assessment
If the delivery of products and services to customers is disrupted, the impacts to the
organization will grow over time to a point where its viability is threatened and its survival is
unlikely.
Top management should establish the maximum period of time that a failure to deliver each
product and service can be tolerated. This may be achieved by reviewing:
• Anticipated customer response;
• Contracts and service level agreements; and
• Regulatory requirements.
All business activities should be identified and their role and timescale in delivering products
and services identified. Interdependencies, both internal and external, should be reviewed to
establish activity priorities. The information gathering process may include:
• Organizational charts and structure;
• Process flow charts and observation of daily work flow;
• Interviews with department and division heads; and
• Identification of significant interrelationships internally and externally.
A.4.4.1.1.3 Impacts
This acceptable (tolerable) disruption period and the time to restore operations to normal
should be based on:
• Safety implications;
• Probable financial, operational, and reputational impairment;
• Legal, regulatory, and contractual requirements;
• Stakeholder expectations and societal impacts;
• Environmental damage; and
• Long-term strategic imperatives.
The cause of the disruption is not a consideration – the disruption to supply could result from
the non-availability of any of the organization’s internal resources or external services.
When assessing impacts, the organization may consider how the disruption to supply of its
products and services or interruption to any of its activities could result in:
a) Human cost: Potential physical and psychological harm to employees, customers, or
other stakeholders.
b) Financial considerations: Lost or deferred sales/business, loss of market share, lawsuits,
regulatory fines/penalties, equipment and property replacement, overtime pay, and
stock devaluation.
c) Reputational impairment: Damaged reputation with customers and potential customers.
Diminished standing in the community, and negative press.
d) Community/societal impacts: Indirect impacts on the regional economy, reduction in the
regional net economy, and losses to the tax base of local jurisdictions.
e) Environmental impacts: Degradation to the quality of the environment.
These parameters are then utilized to assist the organization in setting recovery time objectives.
• The role and timescale of each activity that support the delivery of products and
services;
• Management’s guidance regarding disruption tolerance for each activity;
• Current and future-state strategic imperatives;
• The interdependencies between activities and with external suppliers; and
• The currency of information required to undertake each activity.
Recovery time objectives are used to prioritize recovery efforts and the use of recovery
resources. Recovery point objectives are used to determine an appropriate back-up strategy for
information. These terms are applicable to all disciplines and are not exclusive to information
technology and data, and can be applied to other capabilities.
A.4.4.1.1.5 Resources
The resource requirements of each activity should be quantified. This is usually undertaken at
the same time as the BIA. These resources may include:
• Staff numbers (special skills or qualifications may be required);
• Technology and systems;
• Access to information;
• Accommodation; and
• External supplies.
The setting and quantification of recovery time objectives enables a timetable of resource
recovery to be prepared. This may take into account the requirement to provide extra resources
to clear backlogs or cope with anticipated extra demands following an incident.
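As an added illustration of the interdependency, recovery time objective, and recovery point objective reasoning above (this is example code written for this page, not material from the standard or from ASIS/BSI), the following Python propagates stated recovery time objectives down a dependency graph, flags dependencies whose stated RTO is looser than what their dependents need, checks backup intervals against recovery point objectives, and orders activities into a recovery timetable. All activity names, hours, dependencies, and backup schedules are constructed for illustration and are hypothetical.

```python
"""Added example (not part of ASIS/BSI BCM.01-2010): BIA interdependency analysis.

All activities, RTO/RPO figures, dependencies and backup intervals below are
constructed for illustration; the names are hypothetical.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Activity:
    name: str
    rto_hours: float                      # stated recovery time objective
    depends_on: List[str] = field(default_factory=list)  # activities this one needs
    rpo_hours: Optional[float] = None     # recovery point objective (data-bearing activities only)
    backup_interval_hours: Optional[float] = None  # how often the data is actually backed up


def topological_order(activities: List[Activity]) -> List[str]:
    """Kahn's algorithm: dependencies before dependents; raises on a cycle."""
    indeg = {a.name: 0 for a in activities}
    dependents = defaultdict(list)
    for a in activities:
        for d in a.depends_on:
            if d not in indeg:
                raise KeyError(f"{a.name!r} depends on unknown activity {d!r}")
            dependents[d].append(a.name)
            indeg[a.name] += 1
    queue = deque(sorted(n for n, k in indeg.items() if k == 0))
    order = []
    while queue:
        n = queue.popleft()
        order.append(n)
        for m in dependents[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                queue.append(m)
    if len(order) != len(activities):
        raise ValueError("circular dependency among activities")
    return order


def effective_rtos(activities: List[Activity]) -> Dict[str, float]:
    """Propagate RTOs down the dependency graph: an activity cannot be recovered
    later than the tightest RTO of anything that relies on it."""
    by_name = {a.name: a for a in activities}
    eff = {a.name: a.rto_hours for a in activities}
    # Walk dependents before dependencies so each value is final when pushed down.
    for name in reversed(topological_order(activities)):
        for dep in by_name[name].depends_on:
            eff[dep] = min(eff[dep], eff[name])
    return eff


def rto_conflicts(activities: List[Activity]) -> List[Tuple[str, float, float]]:
    """(activity, stated RTO, required RTO) where a dependency's stated RTO is
    looser than its dependents need; each needs a revised RTO or a revised strategy."""
    eff = effective_rtos(activities)
    return sorted((a.name, a.rto_hours, eff[a.name])
                  for a in activities if eff[a.name] < a.rto_hours)


def rpo_gaps(activities: List[Activity]) -> List[Tuple[str, float, float]]:
    """(activity, RPO, backup interval) where the backup schedule cannot meet the RPO."""
    return sorted((a.name, a.rpo_hours, a.backup_interval_hours)
                  for a in activities
                  if a.rpo_hours is not None
                  and a.backup_interval_hours is not None
                  and a.backup_interval_hours > a.rpo_hours)


def recovery_timetable(activities: List[Activity]) -> List[Tuple[str, float]]:
    """Recovery order: tightest effective RTO first; ties keep dependencies ahead of dependents."""
    eff = effective_rtos(activities)
    pos = {n: i for i, n in enumerate(topological_order(activities))}
    return [(n, eff[n]) for n in sorted(eff, key=lambda n: (eff[n], pos[n]))]


def sample_bia() -> List[Activity]:
    """Constructed BIA data for a hypothetical organization."""
    return [
        Activity("order_entry", rto_hours=4, depends_on=["crm_db", "network"]),
        Activity("crm_db", rto_hours=24, depends_on=["network"],
                 rpo_hours=1, backup_interval_hours=4),   # 4h backups cannot meet a 1h RPO
        Activity("network", rto_hours=8),
        Activity("payroll", rto_hours=72, depends_on=["hr_db"]),
        Activity("hr_db", rto_hours=48, rpo_hours=24, backup_interval_hours=24),
        Activity("reporting", rto_hours=120, depends_on=["crm_db"]),
    ]


if __name__ == "__main__":
    bia = sample_bia()
    print("RTO conflicts (activity, stated, required):", rto_conflicts(bia))
    print("RPO gaps (activity, rpo, backup interval):", rpo_gaps(bia))
    print("Recovery timetable:", recovery_timetable(bia))
```

In the constructed data the CRM database carries a stated 24 hour RTO, but order entry, which depends on it, must resume within 4 hours; the analysis therefore reports both the database and the network it sits on as needing a 4 hour recovery, and reports the 4 hour backup interval as unable to satisfy the 1 hour RPO. A circular dependency is rejected rather than silently ordered.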
A.4.4.1.1.6 Output
The BIA report presented to top management should clearly identify the priority of activities,
significant interdependencies, and contain a summary of the BIA methodology used.
It should quantify, for each product and service:
• Recovery time objectives and associated justification to include:
o Initial resumption – and capacity; and
o Return to its defined operational capability.
The strategies may be subdivided to address specific elements of the organization’s operations.
The organization may use several action plans as long as the key responsibilities, tactical steps,
resource needs, and schedules are adequately defined in each of the documented plans.
The strategies should include – where appropriate and practical – consideration of all stages of
an organization’s activities related to planning, design, construction, commissioning, operation,
retrofitting, production, marketing, outsourcing, and decommissioning. Strategy development
may be undertaken for current activities and new activities, products, and/or services.
Prevention, preparedness, and mitigation strategies should give priority to the safe removal of
people and property at risk. Additional topics include:
a) Relocation, retrofitting, and provision of protective systems or equipment;
b) Information, data, document, and cyber security;
c) Establishment of threat or hazard warning and communication procedures; and
d) Redundancy or duplication of systems, essential personnel, equipment, information,
operations, or materials – including those from partner organizations.
The organization should plan for incident response and recovery, taking into account the
priority of activities, contractual obligations, employee and neighboring community necessities,
operational continuity, and environmental remediation. Organizations have different
approaches to managing crises. Regardless of the approach, there are three generic and
interrelated management response steps that require pre-emptive planning and implementation
in case of a disruptive incident:
1) Emergency response: The initial response to a disruptive incident usually involves the
protection of people and property from immediate harm. An initial reaction by
management may form part of the organization’s first response.
2) Continuity: Processes, controls, and resources are made available to ensure that the
organization continues to meet its BCM objectives.
3) Recovery: Processes, resources, and capabilities of the organization are re-established to
meet ongoing operational requirements. This may often include the introduction of
significant organizational improvements even to the extent of refocusing strategic or
operational objectives.
In each case, the organization should minimize the likelihood of implementing a business
continuity solution that might be affected by the same incident that causes the business
disruption.
Top management should approve documented strategies to confirm that the determination of
continuity strategies has been properly undertaken, that they have addressed the likely causes
and effects of disruption, and that the chosen strategies are appropriate to meet the
organization’s objectives within the organization’s risk appetite.
The strategies should also consider the organization’s relationships, interdependencies, and
obligations with external stakeholders. These stakeholders include customers, suppliers, and
outsource partners – as well as first responders, public authorities, and others in the
community. The organization should establish and maintain strategies that protect and preserve
the integrity of its supply chain and the delivery of products and services, including
arrangements needed with customers, suppliers, outsourcing partners, and other stakeholders.
In addition, interactions and coordination with first responders, public authorities, and others
in the community should be determined and included in strategy development. These strategic
arrangements with external stakeholders should support the achievement of business
continuity objectives and be clearly defined and documented.
Top management plays a key role by providing resources needed to implement the BCMS. The
management of an organization should determine and make available appropriate resources to
establish, implement, maintain, and improve the BCMS. These resources should be provided in
a timely and efficient manner.
When identifying the resources needed to establish, implement, and maintain the BCMS, an
organization should consider:
• People and people-related resources (which may include):
o The time necessary to perform BCMS requirements
o Security
o Transportation logistics
o Welfare needs
o Emergency expenses
• Facilities:
o Emergency Operations Centers
o Recovery locations
o Infrastructure
• Technology:
o Applications
o Technology services
• Methods to manage and control documentation and records
• Communications
• Information (which may include):
o Policies
o Standard operating procedures
o Work instructions
o Internal and external contact information
o Financial (e.g., payroll) details
o Customer account records
o Supplier and stakeholder details
o Legal documents (e.g., contracts, insurance policies, title deeds, etc.)
o Other services documents (e.g., contracts and service level agreements)
• Supplies
Resources and their allocation should be reviewed periodically, and in conjunction with the
management review, to ensure their adequacy. In evaluating adequacy of resources,
consideration should be given to planned changes and/or new facilities, projects, or operations.
A.4.5.2.2 BCM
Roles, responsibilities, and authorities should also be defined, documented, and communicated
for coordination with external stakeholders. This should include interactions with contractors,
partners, suppliers, public authorities, and financial institutions. The organization should
define and communicate the responsibilities and authorities of all persons engaged in business
continuity management regardless of their other roles in the organization. The resources
provided by top management should enable the fulfillment of the roles and responsibilities
assigned. The roles, responsibilities, and authorities should be reviewed when a change in the
operational context of the organization occurs.
All personnel should receive training to perform their individual BCMS-related responsibilities.
They should receive briefs on the key components of the BCMS, as well as the response and
recovery plans that affect them directly. Such training could include procedures for mitigation
measures, evacuation, shelter-in-place, check-in processes to account for employees,
arrangements at alternate worksites, and the handling of media inquiries by the company.
Response and recovery teams should receive education and training about their responsibilities
and duties, including interactions with first responders and other internal and external stakeholders.
Team members should be trained at regular intervals (at least annually), and new members
should be trained when they join the organization. These teams should also receive training on
prevention of incidents that may escalate into crises. The organization should include relevant
external stakeholders and resources in their competence, awareness, and training programs.
The organization should identify and assess any differences between the competence needed to
perform a business continuity activity and that possessed by the individual required to perform
the activity. This difference can be rectified through additional education, training, or skills
development programs, which may include the following steps:
A.4.5.4 Documentation
The level of detail of the documentation should be sufficient to describe the BCMS and how the
parts work together. The documentation should also provide direction on where to obtain
more detailed information on the operation of specific parts of the BCMS. This documentation
may be integrated with documentation of other management systems implemented by the
organization. It does not have to be in the form of a manual.
The extent of the BCMS documentation can differ from one organization to another due to:
a) The size and type of organization and its activities, products or services;
b) The complexity of processes and their interactions; and
c) The competence of personnel.
Any decision to document (a) procedure(s) should be based on issues such as:
a) The consequences, including those to human and physical assets and the environment,
of not doing so;
b) The need to demonstrate compliance with legal and with other requirements to which
the organization subscribes;
Documents originally created for purposes other than the BCMS may be used as part of this
management system, and (if so used) should be referenced in the system.
3. The scope of assessments (including field and local assessments) needed to
effectively manage the impact of the disruption.
d) Be specific as to which team should immediately perform what tasks, and the resources
required to carry out its responsibilities during a disruption; and
e) Optimize the benefits of the response implementation to the appropriate mitigation
strategies.
In some organizations, certain divisions, departments, and activities are better situated to
address specific aspects of incident response, continuity, and recovery. These organizations
may use a tiered approach, establishing multiple teams to focus on specific aspects of managing
the disruptive incident (e.g., communications and media response team). The teams should
coordinate their activities to assure a seamless response, and be appropriate to the size and
nature of the organization. The response structure should avoid vesting authority of the
mobilization of a response in a single individual.
The organization should periodically test, review, and (where necessary) revise its business
continuity plans—in particular, after the occurrence of a disruptive event and its associated
post-event review.
Organizations should also identify and establish relationships with public sector agencies,
organizations, and officials responsible for intelligence, warnings, prevention, response, and
recovery related to potential disruptions.
Organizations should implement a procedure for receiving, documenting, and responding to
relevant communications from stakeholders and interested parties. This procedure can include
a dialogue with interested parties and consideration of their relevant concerns. In some
circumstances, responses to concerns of interested parties may include relevant information
about the risks and impacts associated with the organization’s activities and operations. These
procedures should also address necessary communications with public authorities regarding
emergency planning and other relevant issues.
The organization should formally plan its crisis communications strategy, taking into account
the decisions made specific to relevant target groups, the appropriate messages and subjects,
and the choice of means. When considering communication about hazards, threats, risks,
impacts, and control procedures, organizations should take into consideration the views and
information needs of all stakeholders.
The organization should establish procedures to communicate and consult with internal and
external stakeholders specific to its hazards, threats, risks, impacts, and control procedures.
These procedures could change depending on several factors, such as the specific stakeholder
group, the type of information to be communicated, the type of disruptive event and its
consequences, the availability of methods of communication, and the individual circumstances
of the organization. Methods for external communication can include:
• News or press releases;
• Media;
• Financial reports;
• Newsletters;
• Websites;
• Phone calls, emails, and text messages (manually delivered and/or via automated
emergency notification systems);
• Voice mails; and
• Community meetings.
Response and recovery plan documentation should contain current contact details for relevant
internal and external agencies, as well as for organizations and providers that might be required
to support the organization.
The organization may experience changes internally and externally, thus it should conduct
exercises taking into account such changes to:
• Primary or alternate facilities;
• Organization restructure;
• Assigned staff;
• Partnering relationships;
• Support systems;
• Scope of the operations; and/or
• Recovery objectives.
Exercising ensures that technology resources function as planned and that staff members are
adequately trained in their use and operation. Exercising can keep response teams and
employees effective in their duties, clarify their roles, and identify areas for improvement in the
BCMS, its plans, and its procedures. A commitment to exercising lends credibility and
authority to the BCMS.
The organization should design exercise scenarios to evaluate the continuity plans. An
exercise schedule and timeline for periodically exercising the plan and its components should
be established. Exercising and testing should be realistic, evaluate the capabilities and
capacities of BCM, and assure the protection of people and assets involved. The scope and
detail of the exercises should mature based on the organization’s experience, resources, and
capabilities. Early tests may include checklists, simple exercises, and small components of the
BCMS. Examples of increasing maturity of exercises include:
• Orientation: Introductory, overview or education session.
• Table top: Practical or simulated exercise presented in a narrative format.
• Functional: Walk-through or specialized exercise simulating a scenario as realistically as
possible in a controlled environment.
• Full scale: Live or real-life exercise simulating a real-time, real-life scenario.
There are several roles that exercise participants may fill. All participants should understand
their roles in the exercise. The exercise should involve all organizational participants defined
by the scope of the exercise; where appropriate, external stakeholders may be included. As part
of the exercise, a review should be scheduled with all participants to discuss issues and lessons
learned. This information should be documented, and updates should be made to the plan as
required.
Lessons learned from exercises and tests, as well as actual incidents experienced, should be built
into future exercises and test planning for the BCMS.
Design of exercises and tests should be evaluated and modified as necessary. They should be
dynamic, taking into account changes to the BCMS, personnel turnover, actual incidents, and
results from previous exercises.
operations, and take steps to prevent the problem from recurring by eliminating cause(s). The
nature and timing of actions should be appropriate to the scale and nature of the nonconformity
and its potential consequences.
A potential problem may be identified, but no actual nonconformity exists. In this case, a
preventive action should be taken using a similar approach. Potential problems can be
extrapolated from corrective actions for actual nonconformities, identified during the internal
BCMS audit process, analysis of industry trends and events, or identified during exercise and
testing. Identification of potential nonconformities can also be made part of routine
responsibilities of persons aware of the importance of noting and communicating potential or
actual problems.
Establishing procedures for addressing actual and potential nonconformities and for taking
corrective and preventive actions on an ongoing basis helps to ensure reliability and
effectiveness of the BCMS. The procedures should define responsibilities, authority, and steps
to be taken in planning and carrying out corrective and preventive action. Top management
should ensure that corrective and preventive actions have been implemented and that there is
systematic follow-up to evaluate their effectiveness.
Corrective and preventive actions that result in changes to the BCMS should be reflected in the
documentation, as well as trigger a revisit of the risk assessment and impact analysis related to
the changes to the system to evaluate the effect on plans, procedures, and training needs.
Changes should be communicated to all who need to know.
NOTE: Records are not the sole source of evidence to demonstrate conformity to this Standard.
Review of the implementation and outcomes of the BCMS by top management should be
regularly scheduled and evaluated. While ongoing system review is advisable, formal review
should be structured, appropriately documented and scheduled on a suitable basis. Persons
who are involved in implementing the BCMS and allocating its resources should be involved in
the management review. In addition to the regularly scheduled management system reviews,
the following factors can trigger a review and should otherwise be examined once a review is
scheduled:
a) Risk assessment and BIA: The BC management system should be reviewed every time a
risk assessment and BIA are completed for the organization. The results of the risk
assessment and BIA can be used to determine whether the BC management system
continues to adequately address the risks facing the organization.
b) Sector/industry trends: Major sector/industry initiatives should initiate a BC management
system review. General trends and best practices in the sector/industry and in
business/operational continuity planning techniques can be used for benchmarking
purposes.
c) Regulatory requirements: New regulatory requirements may require a review of the BC
management system.
d) Event experience: A review should be performed following a response to a disruptive
incident, whether the response or recovery plan was activated or not. If the plan was
activated, the review should take into account the history of the plan itself, how it
worked, why it was activated, etc. If the plan was not activated, the review should
examine why not and whether this was an appropriate decision.
e) Test and exercise results: Based on test and exercise results, the BC management system
should be modified as necessary.
Continual improvement and BC management system maintenance should reflect changes in the
risks, activities, and operation of the organization that will affect the BC management system.
The following are examples of procedures, systems, or processes that may affect the plan:
a) Policy changes;
b) Hazards and threat changes;
c) Changes to the organization and its business processes;
d) Changes in assumptions in risk assessment and BIA;
e) Personnel changes (employees and contractors) and their contact information;
f) Supplier and supply chain changes;
g) Process and technology changes;
h) Systems and application software changes;
i) Lessons learned from exercising and testing;
Annex B
(informative)
Annex B cross-reference table, row for clause 3 of this Standard: 3 Terms and definitions
(shown in the compared standards as clause 3 Terms and definitions, clause 2 Terms and
definitions, or clause 3 Definitions).
2 U.S. Department of Homeland Security Voluntary Private Sector Preparedness Accreditation and
Certification Program (PS-Prep) information is available at
<http://www.fema.gov/privatesector/preparedness>.
Annex B cross-reference table, row for clause 4.4 of this Standard, mapped against the
corresponding planning, risk assessment, legal and other requirements, and business impact
analysis clauses of the compared standards:
4.4 Planning
4.4.1 Business impact analysis and risk assessment
4.4.1.1 Business impact analysis
4.4.1.2 Risk assessment
4.4.2 Business continuity objectives and targets
4.4.3 Business continuity strategies
Annex B cross-reference table, row for clause 4.6 of this Standard, mapped against the
corresponding monitoring and measurement, evaluation of compliance, nonconformity and
corrective/preventive action, control of records, internal audit, and exercising and testing
clauses of the compared standards:
4.6 Checking and corrective action
4.6.1 Monitoring and measurement
4.6.2 Evaluation of conformance and system performance
4.6.2.1 Evaluation of conformance
4.6.2.2 Exercises and testing
4.6.3 Non-conformity, corrective action and preventive action
4.6.4 Control of records
4.6.5 Internal audits
Annex C
(informative)
C TERMINOLOGY CONVENTIONS
The terminology conventions in Table 2 are in accordance with ISO/IEC Directives, Part 2:
Rules for the structure and drafting of International Standards, Annex H, Verbal forms for the
expression of provisions, 2004.
shall	Auditable requirements of a document – “used to indicate requirements strictly to be followed in order to conform to the document and from which no deviation is permitted.”
may	Permission – “used to indicate a course of action permissible within the limits of the document.”
can	Possibility and capability – “used for statements of possibility and capability, whether material, physical, or causal.”
Annex D
(normative)
D GLOSSARY
For the purposes of this standard, the following terms and definitions apply:
Term Definition
D.2 asset: anything that has value to the organization. [ISO/IEC 13335-1:2004]
D.5 business continuity: strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level. [BSI 25999-2:2007]
NOTE: Business continuity involves designing, implementing, and maintaining strategies to ensure the availability of business processes, personnel, equipment, suppliers, and technology assets in accordance with management approved objectives.
D.6 business continuity management (BCM): holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities. [BSI 25999-2:2007]
NOTE: Business continuity management involves managing the recovery or continuation of business activities in the event of a business disruption, and management of the overall program through training, exercises, and reviews to ensure the business continuity plan(s) stays current and up-to-date.
D.7 business continuity management system (BCMS): that part of the overall management system that establishes, implements, operates, monitors, reviews, maintains, and improves business continuity. [BSI 25999-2:2007]
NOTE: The management system includes organizational structure, policies, planning activities, responsibilities, procedures, processes, and resources.
D.8 business continuity plan (BCP): documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable predefined level. [BSI 25999-2:2007]
D.12 corrective action: action to eliminate the cause of a detected non-conformity (3.6.2) or other undesirable situation. [ISO 9000:2005]
NOTE 1: There can be more than one cause for a non-conformity.
NOTE 2: Corrective action is taken to prevent recurrence whereas preventive action is taken to prevent occurrence.
D.13 crisis management team (CMT): a group of individuals responsible for developing and implementing a comprehensive plan for responding to a disruptive incident. The team consists of a core group of decision-makers trained in incident management and prepared to respond to any situation.
NOTE: Members of the CMT should be knowledgeable of the business, authorized to identify a disruptive situation, communicate appropriately, and deploy the necessary resources (human and physical) to control the disruptive event to assure the safety and security of human and physical assets.
D.20 first responder: a member of an emergency service who is first on the scene at a disruptive incident.
NOTE 1: Emergency services include any public or private service that deals with disruptions, such as the initial responding law enforcement officers, other public safety officials, emergency medical personnel, rescuers and/or other emergency response service providers.
D.22 impact analysis: process of analyzing all operational activities and the effect that an operational interruption might have upon them.
NOTE: Impact analysis includes Business Impact Analysis: the identification of business assets, activities, processes, and resources as well as an evaluation of the potential damage or loss that may be caused to the organization resulting from a disruption (or a change in the business or operating environment). Impact analysis identifies: 1) how the loss or damage will manifest itself; 2) the degree to which damage or loss may escalate with time following an incident; 3) the minimum services and resources (human, physical, and financial) needed to enable business processes to continue to operate at a minimum acceptable level; and 4) the timeframe and extent within which activities and services of the organization should be recovered.
D.23 incident: event that has the capacity to lead to human, intangible, or physical loss or a disruption of an organization’s operations, services, or activities – which, if not managed, can escalate into an emergency, crisis, or disaster.
D.25 internal audit: systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the management system audit criteria set by the organization are fulfilled. [ISO 14001:2004]
NOTE: In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from responsibility for the activity being audited.
D.27 management system: system to establish policy and objectives and to achieve those objectives. [ISO 9000:2005]
NOTE: A management system of an organization can include different management systems, such as a business continuity management system, quality management system, a financial management system, and/or an environmental management system.
D.30 objective: overall goal, consistent with the policy, that an organization sets itself to achieve. [ISO 14001:2004]
D.33 preparedness (readiness): activities, programs, and systems developed and implemented prior to an incident that may be used to support and enhance mitigation of, response to, and recovery from disruptions.
D.35 preventive action: action to eliminate the cause of a potential non-conformity (see 3.6.2) or other undesirable potential situation. [ISO 9000:2005]
NOTE 1: There can be more than one cause for a potential non-conformity.
NOTE 2: Preventive action is taken to prevent occurrence whereas corrective action is taken to prevent recurrence.
D.39 recovery time objective: period of time after which it is planned to recover each activity and resource to an acceptable capability after a disruptive event. This may be a simple resumption of full service or a phased return over a period.
D.40 recovery point objective: point in time to which the data or capacity of a process, in a known, valid, or integral state, can be restored. This should be less than the maximum tolerable amount of loss and may be defined in hours or days.
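A worked check of the two objectives defined in D.39 and D.40, added here as an example that is not part of the Standard: it takes a constructed backup log and an assumed incident time, measures the longest interval whose data would be lost if a disruption struck at the worst moment (the largest gap between successful backups, including the gap from the last backup to the incident), compares that with the recovery point objective, and derives per-activity recovery deadlines from phased recovery time objectives. All timestamps, activity names, and function names (BACKUP_LOG, rpo_met, recovery_deadlines) are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample backup log (ISO-8601 timestamp, job status); hypothetical values.
BACKUP_LOG = [
    ("2010-03-01T00:00:00", "success"),
    ("2010-03-01T06:00:00", "success"),
    ("2010-03-01T12:00:00", "failed"),   # a failed job widens the exposure window
    ("2010-03-01T18:00:00", "success"),
    ("2010-03-02T00:00:00", "success"),
]


def successful_backups(log):
    """Return the sorted timestamps of backups that actually completed."""
    return sorted(datetime.fromisoformat(ts) for ts, status in log if status == "success")


def worst_case_data_loss_hours(log, incident_iso):
    """Longest interval (hours) of data that a disruption at incident_iso, or at any
    earlier moment, could have lost: the largest gap between consecutive successful
    backups up to the incident, plus the gap from the last backup to the incident.
    Returns None when no successful backup precedes the incident (nothing to restore)."""
    incident = datetime.fromisoformat(incident_iso)
    points = [t for t in successful_backups(log) if t <= incident]
    if not points:
        return None
    gaps = [b - a for a, b in zip(points, points[1:])]
    gaps.append(incident - points[-1])
    return max(gaps).total_seconds() / 3600


def rpo_met(log, incident_iso, rpo_hours):
    """True when the worst-case loss window is within the recovery point objective."""
    loss = worst_case_data_loss_hours(log, incident_iso)
    return loss is not None and loss <= rpo_hours


def recovery_deadlines(incident_iso, rto_hours_by_activity):
    """Map each activity to the time by which it must be recovered (incident + its RTO).
    Different RTOs per activity express the phased return D.39 allows."""
    incident = datetime.fromisoformat(incident_iso)
    return {
        name: (incident + timedelta(hours=rto)).isoformat()
        for name, rto in rto_hours_by_activity.items()
    }


if __name__ == "__main__":
    incident = "2010-03-02T03:00:00"          # assumed disruptive event
    print("worst-case loss (h):", worst_case_data_loss_hours(BACKUP_LOG, incident))
    print("RPO 8h met:", rpo_met(BACKUP_LOG, incident, 8))
    print("RPO 12h met:", rpo_met(BACKUP_LOG, incident, 12))
    print(recovery_deadlines(incident, {"payments": 4, "reporting": 48}))
```

The check deliberately looks at every gap in the schedule, not just the last one: a backup that failed at 12:00 leaves a 12-hour window even though the most recent backup was only three hours before the incident, so an RPO of 8 hours is not met while an RPO of 12 hours is. The deadlines function gives the BIA's recovery sequence as concrete times, which is what a management review or exercise would compare against actual recovery.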
D.42 resources: all assets, people, skills, information, technology (including plant and equipment), premises, and supplies and information (whether electronic or not) that an organization has to have available to use, when needed, in order to operate and meet its objectives. [BSI 25999-2:2007]
D.44 risk acceptance: informed decision to take a particular risk. [ISO/IEC Guide 73]
NOTE 1: Risk acceptance can occur without risk treatment or during the process of risk treatment.
NOTE 2: Risk acceptance can also be a process.
NOTE 3: Risks accepted are subject to monitoring and review.
D.45 risk appetite: amount and type of risk that an organization is prepared to pursue, retain, or take.
D.46 risk assessment: overall process of risk identification, risk analysis, and risk evaluation. [ISO/IEC Guide 73]
NOTE: Risk assessment involves the process of identifying internal and external threats and vulnerabilities, identifying the probability and impact of an event arising from such threats or vulnerabilities, defining critical activities necessary to continue the organization’s operations, defining the controls in place necessary to reduce exposure, and evaluating the cost of such controls.
D.47 risk management: coordinated activities to direct and control an organization with regard to risk. [ISO/IEC Guide 73]
NOTE: Risk management generally includes risk assessment, risk treatment, risk acceptance, and risk communication.
D.51 supply chain: the linked set of resources and processes that begins with the acquisition of raw material and extends through the delivery of products or services to the end user across the modes of transport. The supply chain may include suppliers, vendors, manufacturing facilities, logistics providers, internal distribution centers, distributors, wholesalers, and other entities that lead to the end user.
D.55 top management: person or group of people who directs and controls an organization (see 3.3.1) at the highest level. [ISO 9000:2005]
NOTE: Top management, especially in a large multinational organization, might not be directly involved; however, top management accountability through the chain of command is manifest. In a small organization, top management might be the owner or sole proprietor.
Annex E
(informative)
E BIBLIOGRAPHY
E.1 ASIS International Publications 3
Business Continuity Guideline: A Practical Approach for Emergency Preparedness, Crisis Management,
and Disaster Recovery, 2005.