Human resources management
The standard states that it is essential to determine the necessary knowledge and skills, to identify the necessary training sessions, to conduct such training sessions, to check whether the required knowledge and skills have been achieved, and to keep records. BS 25999-2 also requires conducting awareness programs and communicating the importance of business continuity management to employees.
Business impact analysis and risk assessment
Business impact analysis deals with important activities in an organization, defines the maximum tolerated period of disruption, describes the interdependence of individual actions, determines which activities are critical, explores the existing arrangements with suppliers and outsourcing partners, and finally, sets the recovery time objective.
Risk assessment is carried out to establish which disasters and other disruptions in business operations may occur and what their consequences are, but also which vulnerabilities and threats can lead to such business disruptions. Based on this assessment, the organization determines how to reduce the probability of a risk, and how it will be mitigated if it should occur.
Defining the business continuity strategy
A strategy refers to defining how an organization will recover in case of disaster. The strategy is determined on the basis of the results of risk assessment and business impact analysis, and usually involves alternative locations, data recovery options, recovery of human resources, communications, equipment, management of suppliers and outsourcing partners, etc.
Business continuity plan
The business continuity plan includes plans for incident response, activation procedures for the business continuity plan, and recovery plans for critical activities – they are all written based on the business continuity strategy.
An incident response plan must specify the manner of determining types of incidents, communication channels, types of response, responsibility, etc.
Recovery plans must specify roles and responsibilities, key steps for recovery, locations, resources to be used and where they are located, priorities, what actions to take when recovery is completed, etc.
Maintenance of plans and system; improvement
The standard stipulates the following:
- Regular exercising and testing of plans to make staff more familiar with the plans and to check how up to date they are
- Conducting internal audits at regular intervals
- Management reviews to ensure that the BCMS is functioning and to make appropriate improvements
- Taking preventive and corrective actions to improve not only plans, but also other elements of the system