BS 25999

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search

BS 25999 is the British Standards Institution (BSI)'s standard in the field of Business Continuity Management (BCM). This standard replaces PAS 56, a publicly available specification, published in 2003 on the same subject.


BS 25999 is a Business Continuity Management (BCM) standard published by the British Standards Institution (BSI).

It has two parts;

  • The first, "BS 25999-1:2006 Business Continuity Management. Code of Practice", takes the form of general guidance on the processes, principles and terminology recommended for BCM. Part 1 offers good practice advice on the things that ought to be considered to achieve business continuity. It needs to be interpreted by user organizations according to their specific situations.
  • The second, "BS 25999-2:2007 Specification for Business Continuity Management", formally specifies a set of requirements for implementing, operating and improving a BCM System (BCMS). Part 2 describes a how the business continuity arrangements described in part 1 can be managed systematically using a documented BCMS. Since part 2 is a precisely-worded specification, user organizations may opt to have their BCMS objectively and independently audited for compliance with the standard, leading to certification. The certificate assures stakeholders that the organization is proactively managing its business continuity in the structured manner laid down in part 2 of the standard. BS 25999-2 will be withdrawn in November 2012. It has been replaced by the International Standard, ISO 22301.

Commercial certification bodies accredited by the United Kingdom Accreditation Service (UKAS) are authorized to verify organizations' compliance with part 2 and issue recognized certificates. Certification involves a multistage process with a number of assessment visits. After the initial certification activities and issue of a certificate, surveillance or follow-up visits are made subsequently according to a plan in order to ensure that the organization remains compliant.

Unless certification is demanded by some authority, organizations are free to adopt parts 1 and/or 2 without necessarily being certified compliant. In so doing, they avoid the costs of certification but miss out on the added assurance and proof that a certificate would provide.


The contents of the code of practice (BS 25999-1) are as follows:

Section 1 - Scope and Applicability. This section defines the scope of the standard, making clear that it describes generic best practice that should be tailored to the organization implementing it

Section 2 - Terms and Definitions. This section describes the terminology and definitions used within the body of the standard

Section 3 - Overview of Business Continuity Management. A short overview is the subject of the standard. It is not meant to be a beginners guide but describes the overall processes, its relationship with risk management and reasons for an organization to implement along with the benefits

Section 4 - The Business Continuity Management Policy. Central to the implementation of business continuity is having a clear, unambiguous and appropriately resourced policy

Section 5 - BCM Program Management. Program management is at the heart of the whole BCM process and the standard defines an approach

Section 6 - Understanding the organization. In order to apply appropriate business continuity strategies and tactics the organization has to be fully understood, its critical activities, resources, duties, obligations, threats, risks and overall risk appetite.

Section 7 - Determining BCM Strategies. Once the organization is thoroughly understood the overall business continuity strategies can be defined that are appropriate.

Section 8 - Developing and implementing a BCM response. The tactical means by which business continuity is delivered. These include incident management structures, incident management and business continuity plans.

Section 9 - Exercising, maintenance, audit and self-assessment of the BCM culture. Without testing the BCM response an organization cannot be certain that they will meet their requirements. Exercise, maintenance and review processes will enable the business continuity capability to continue to meet the organizations goals.

Section 10 - Embedding BCM into the organizations culture. Business continuity should not exist in a vacuum but become part of the way that the organization is managed.

The contents of the specification (BS 25999-2) are as follows:

Section 1 - Scope. Defines the scope of the standard, the requirements for implementing and operating a documented business continuity management system (BCMS)

Section 2 - Terms and Definitions. This section describes the terminology and definitions used within the body of the standard

Section 3 - Planning the Business Continuity Management System (PLAN). Part 2 of the standard is predicated on the well established Plan-Do-Check-Act model of continuous improvement. The first step is to plan the BCMS, establishing and embedding it within the organization.

Section 4 - Implementing and Operating the BCMS (DO) Actually implement ones plans. This section includes a number of topics that are found in Part 1 although Part 1 should only be used for general guidance and information. Only what is in Part 2 can be assessed.

Section 5 - Monitoring and Reviewing the BCMS (CHECK) To ensure that the BCMS is continually monitored the Check stage covers internal audit and management review of the BCMS

Section 6 Maintaining and Improving the BCMS (ACT) To ensure that the BCMS is both maintained and improved on an ongoing basis this section looks at preventative and corrective action


The first part of BS 25999 (BS 25999-1:2006) was published by the British Standards Institution in December 2006. The second part of BS 25999 (BS 25999-2:2007) was published in November 2007.

BS 25999-2 will be withdrawn in November 2012. It has been replaced by the International Standard, ISO 22301.


Both parts of the standard are likely to be revised and it may ultimately be incorporated into other national or international standards.

Other related standards

There are a number of similar worldwide standards:

  • North America - Published by the National Fire Protection Association
  • NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs.
  • ASIS/BSI BCM.01:2010 Business Continuity Management Systems: Requirements with Guidance for Use. Published in December 2010 and developed jointly between ASIS and BSI for North America
  • Australia - Published by Standards Australia
  • HB 292-2006 : A practitioners guide to business continuity management
  • HB 293-2006 : Executive guide to business continuity management
  • AS/NZS 5050 : Business Continuity Managing disruption-related risk

See also

External links