What is BS 25999?

“A leading business continuity standard

BS 25999-2 is a British standard issued in 2007, which quickly became the main standard for business continuity management – although it is a British national standard, it is used in many other countries, and it is predicted that it will soon be accepted as an international (ISO 22301) standard.

Just like ISO 27001, ISO 9001, ISO 14001 and other standards that define management systems, BS 25999-2 also defines a business continuity management system which contains the same four management phases: planning, implementing, reviewing and monitoring, and finally, improving. The point of these four phases is that the system is continually updated and improved in order to be usable when a disaster occurs. The following are some of the key procedures and documents required by BS 25999-2:

• Scope of the BCMS – precise identification of that part of the organization to which business continuity management is applied
• BCM policy – defining objectives, responsibilities, etc.
• Human resources management
• Business impact analysis and risk assessment
• Defining business continuity strategy
• Business continuity plans
• Maintenance of plans and systems; improvement

Human resources management

The standard states that it is essential to determine the necessary knowledge and skills, to identify the necessary training sessions, to conduct such training sessions, to check whether the required knowledge and skills have been achieved, and to keep records. BS 25999-2 also requires conducting awareness programs, and also communicating the importance of business continuity management to employees.

Business impact analysis and risk assessment

Business impact analysis deals with important activities in an organization, defines the maximum tolerated period of disruption, describes the interdependence of individual actions, determines which activities are critical, explores the existing arrangements with suppliers and outsourcing partners, and finally, sets the recovery time objective.

Risk assessment is carried out to establish which disasters and other disruptions in business operations may occur and what their consequences are, but also which vulnerabilities and threats can lead to such business disruptions. Based on such assessment, the organization determines how to reduce the probability of risk, and how it will be mitigated if it should occur.

Defining the business continuity strategy

A strategy refers to defining how an organization will recover in case of disaster. The strategy is determined on the basis of the results of risk assessment and business impact analysis, and usually involves alternative locations, data recovery options, recovery of human resources, communications, equipment, management of suppliers and outsourcing partners, etc.

Business continuity plan

The business continuity plan includes plans for incident response, activation procedures for the business continuity plan, and recovery plans for critical activities – they are all written based on the business continuity strategy.

An incident response plan must specify the manner of determining types of incidents, communication channels, types of response, responsibility, etc.

Recovery plans must specify roles and responsibilities, key steps for recovery, locations, resources to be used and where they are located, priorities, what actions to take when recovery is completed, etc.

Maintenance of plans and system; improvement

The standard stipulates the following:

• Regular exercising and testing of plans to make staff more familiar with the plans and to check how up to date they are
• Conducting internal audits at regular intervals
• Management reviews to ensure that the BCMS is functioning and to make appropriate improvements
• Taking preventive and corrective actions to improve not only plans, but also other elements of the system

Documentation

Other related standards

In addition to BS 25999-2, BS 25999-1 is an “auxiliary” standard, which provides more details on how to implement specific parts of BS 25999-2.

Other useful standards are ISO 27001, which places business continuity in a broader context of information security, and ISO 27005, which gives a detailed description of the risk assessment process.

Why is ISO 9001 a good idea for your organization?

The benefits of ISO 9001 cannot be overstated; companies large and small have used this standard to great effect, discovering and securing tremendous cost and efficiency savings. Here are just a few of these benefits:

Improve your image and credibility – When customer see that you are certified by a recognized certification body, they will understand that you have implemented a system that is focused on meeting customer requirements and improvement. This improves their trust that you will deliver what you have promised.

Improve customer satisfaction – One of the key principles of the ISO 9001 QMS is the focus on improving customer satisfaction by identifying and meeting customer requirements and needs. By improving satisfaction, you improve repeat customer business.

Fully integrated processes – By using the process approach of ISO 9001, you not only look at the individual processes in your organization, but also at the interactions of those processes. By doing this, you can more easily find areas for improvement and resource savings within your organization.

Use evidence-based decision making – Ensuring that you are making decisions based on good evidence is a key to the success of an ISO 9001 QMS. By ensuring that your decisions are based on good evidence, you can better target resources to the best effect to correct problems and improve your organizational efficiency and effectiveness.

Create a culture of continual improvement – With continual improvement as the main output of the QMS, you can attain ever-increasing gains in savings of time, money and other resources. By making this the culture of your company, you can focus your workforce on improving the processes they are directly responsible for.

Engage your people – Who better than the people working within a process to help find the best solutions for improving that process? By focusing your workforce on not only managing, but also improving the processes, they will be more engaged in the outcome of the organization.

What are the practical steps to becoming ISO 9001 certified?

What is ISO 9001 certification? There are two types of certification: certification of a company’s Quality Management System against the ISO 9001 requirements, and certification of individuals to be able to audit against the ISO 9001 requirements. This section discussed the steps for a company to implement an ISO 9001 Quality Management System and have it certified.

ISO 9001 certification for your company involves implementing a QMS based on the ISO 9001 requirements, then hiring a recognized certification body to audit and approve your QMS as meeting the requirements of the ISO 9001 standard.

Starting with management support and identifying the customer requirements for the QMS, you will need to start with defining your quality policy, quality objectives and quality manual, which together define the overall scope and implementation of the Quality Management System. Along with these, you will need to create the mandatory and additional processes and procedures necessary for your organization to properly create and deliver your product or service. There are six mandatory documents that need to be included, and others to be added as the company finds them necessary. For a good explanation on this, take a look at this white paper on Mandatory Documentation Required by ISO 9001:2008.

This creation of documents can be done internally by your company, or you can get help through hiring a consultant or purchasing standard documentation. To see samples of documentation, visit this free ISO 9001 downloads page.

Once all of the processes and procedures are in place, you will need to operate the QMS for a period of time. By doing this, you will be able to collect the records necessary to go to the next steps: to audit and review your system and get certified.

Mandatory steps to finish implementation and get your company certified

After finishing all your documentation and implementing it, your organization also needs to perform these steps to ensure a successful certification:

Internal audit –The internal audit is in place for you to check your QMS processes. The goal is to ensure that records are in place to confirm compliance of the processes and to find problems and weaknesses that would otherwise stay hidden.  

Management review –A formal review by your management to evaluate the relevant facts about the management system processes in order to make appropriate decisions and assign resources.

Corrective actions – Following the internal audit and management review, you need to correct the root cause of any identified problems anddocument how they were resolved.

The company certification process is divided into two stages:

Stage One (documentation review) – The auditors from your chosen certification body will check to ensure your documentation meets the requirements of ISO 9001.

Stage Two (main audit) – Here, the certification body auditors will check whether your actual activities are compliant with both ISO 9001 and your own documentation by reviewing documents, records and company practices.

If you’re looking for help with these stages, why not visit our free ISO 9001 virtual consultant Oscar the Owl?

What ISO 9001 training and certification is available if you’re an individual?

Training in the concepts of ISO 9001 is available, and there are a range of course options for individuals to choose from. Only the first of these can lead to certification for the individual to be able to audit for a certification body, but the others are very useful for those who will be using these skills within their own company:

ISO 9001 Lead Auditor Course – This is a four- to five-day training course focused on understanding the ISO 9001 QMS standard and being able to use it for auditing management systems against these requirements. The course includes a test at the end to verify knowledge and competence, and it is only with an accredited course that an individual can become approved to audit for a certification body.

ISO 9001 Internal Auditor Course – This is commonly a two- or three-day course that is based on the lead auditor course above, but does not include the test for competence, so this is most useful for someone beginning to do internal audits within a company.

ISO 9001 Awareness and Implementation Course – Several courses are offered that provide knowledge of ISO 9001 and how to implement it. These can be one- or two-day courses, and can even include online e-learning sessions as a method of teaching the material. These courses are good for those who need an overview on the ISO 9001 standard, or those who will be involved in the implementation within a company, and many are more economical than investing in the lead auditor course for those involved at this level.

There are a number of accredited training organizations around the world where you can gain individual qualifications in ISO 9001.

To learn more about ISO 9001 implementation, please visit our ISO 9001 Learning Center. You’ll find a host of helpful resources, including free ISO 9001 downloads.