Randy
Super Moderator
I know there hasn't been much discussion on this subject, but I figured tossing out a couple of hints for folks interested in it couldn't hurt.
First of all, "Business Continuity (BC)" and "BS25999" aren't about Disaster Planning in the context that we may be used to and do not center themselves around IT. BC concerns itself with the "Business" as a whole and the planning necessary for business to sustain itself after a calamity strikes, be it flood, fire, labor walkout, financial meltdown, power outage or whatever else can happen in the real-life business environment.
The BS25999-2 document does have a couple of glitches in it and the most glaring one is that it is written out of sequence, or not in the order an organization needs to take when planning for the continuation of its operations. (This fact was agreed to by one of the authors during a recent discussion I had with him (This is the person who originally led the development team of BS25999)).
Another small problem is the lack of some key "Definitions" in Section/Clause 2. Definitions for key words like "competence" and "exclusions" are not provided. The lack of a definition of what "exclusions" meant in 3.2.2.3 Policy led to some very detailed discussion. In the end "exclusions" used in 3.2.2.2(a) Policy relates to activities determined to be excluded in the "scope" of the BC planning process due to their not being considered as critical activities (clause 2.15). These "exclusions" must be documented in the Policy.
When doing BC and using BS25999 as the template the organization should start at and follow this sequence in the beginning to help guarantee better success:
(1) 4.1 Understanding the organization;
(2) 4.1.1 Business impact analysis;
(3) 4.1.2 Risk assessment;
(4) 4.1.3 Determining choices;
(5) 3.2.1 Scope and objectives;
(6) 3.2.2 BCM policy,
and then follow on with all the other requirements from sections/clauses 3, 4, 5 & 6.
Ok, I'll stop here (mainly because I have to get on a plane)
Feel free to jump in.