Planning the business continuity management system

Scope and objectives of the BCMS

BCM policy

Provision of resources

Competency of BCM personnel

Embedding BCM in the organization's culture
Purpose: To ensure that the organization embeds business continuity into its routine operations and management processes, regardless of its size or the sector within which it operates.

BCMS documentation and records
Purpose: To provide clear evidence of the effective operation of the BCMS and the organization's implementation of BCM.

Records shall be established, maintained and controlled to provide evidence of the effective operation of the BCMS. Documented procedures shall be established in order to identify the controls over BCMS documentation and records.

Implementing and operating the BCMS - Understanding the organization
Purpose: To enable the organization to identify the critical activities and resources needed to support its key products and services, understand the threats to them and choose appropriate risk treatments.

Business impact analysis
There shall be a defined, documented and appropriate method for determining the impact of any disruption of the activities that support the organization's key products and services (see 3.2.1).

Risk assessment
There shall be a defined, documented and appropriate method for risk assessment that will enable the organization to understand the threats to and vulnerabilities of its critical activities and supporting resources, including those provided by suppliers and outsource partners.

Determining choices
For each of its critical activities, the organization shall identify available risk treatments that:
a) reduce the likelihood of a disruption;
b) shorten the period of disruption; and
c) limit the impact of a disruption on the organization's key products and services.

The organization shall choose and implement appropriate risk treatments for each critical activity in accordance with its level of risk acceptance.

Determining business continuity strategy
Purpose: To identify BCM arrangements that will enable the organization to recover its critical activities within their recovery time objectives.

Developing and implementing a BCM response
Purpose: To enable the organization to develop and implement appropriate BCM plans and arrangements to manage any incident and continue its critical activities.

Incident response structure
The organization shall nominate incident response personnel with the necessary responsibility, authority and competence to manage an incident.

Business continuity plans and incident management plans
The organization shall have documented plans that detail how the organization will manage an incident and how it will recover or maintain its activities to a predetermined level in the event of a disruption.

Exercising, maintaining and reviewing BCM arrangements
Purpose: To verify the ongoing effectiveness of the BCM arrangements and to provide greater assurance following an incident that critical activities will be recovered as required.

Monitoring and reviewing the BCMS
Purpose: To ensure that management monitor and review the effectiveness and efficiency of the BCMS, review the appropriateness of the business continuity policy, objectives and scope, and determine and authorize actions for remediation and improvement.

5.1 Internal audit
5.1.1 The organization shall ensure that internal audits of the BCMS are conducted at planned intervals to:
a) determine whether the BCMS:
1) conforms to planned arrangements for BCM, including the requirements of this BCM standard; and
2) has been properly implemented and is maintained; and
3) is effective in meeting the organization's BCM policy and objectives; and

b) provide information on the results of audits to management.

5.2 Management review of the BCMS
Management shall review the organization's BCMS at planned intervals and when significant changes occur to ensure its continuing suitability, adequacy and effectiveness.

6 Maintaining and improving the BCMS
Purpose: To maintain and improve the effectiveness and efficiency of the BCMS by taking preventive and corrective actions, as determined by the management review.

6.1 Preventive and corrective actions
6.1.1 General
The organization shall improve the BCMS through the application of preventive and corrective actions. Any preventive or corrective action taken shall be appropriate to the magnitude of the problems and commensurate with the business continuity policy and objectives. Changes arising from preventive and corrective actions shall be reflected in the BCMS documentation.

6.2 Continual improvement
The organization shall continually improve the effectiveness of the BCMS through the review of the business continuity policy and objectives, audit results, analysis of monitored events, preventive and corrective actions, and management review.

