BS25999-1:2006 First Part of Business Continuity Standard Published

[Sidney Vianna]

BSI Standards does just that, develop standards and serves as a member of the ISO.

BSI Management Systems is who does the certification work.

Thanks, Randy for the clarification. Myself was fully aware of that. But without skirting the issue, according to the article at hand (which we don't know if is reliable or not), BSi would be warning against self declaration to a voluntary standard and deeming self attestation worthless. If the article is false, BSi should go after the editor. If the article is true, I have already made my position clear about it.

 

[Randy]

I'll go deep inside and see what I can find out.

 

[ISOgal2]

Indeed. There seem to be business continuity related standards emerging all over the place (PAS77 for example), with little in the way of clarity of delineation.

 

[tyker]

Thanks, Randy for the clarification. Myself was fully aware of that. But without skirting the issue, according to the article at hand (which we don't know if is reliable or not), BSi would be warning against self declaration to a voluntary standard and deeming self attestation worthless. If the article is false, BSi should go after the editor. If the article is true, I have already made my position clear about it.

This article in BSI's Business Standards magazine suggests that BSI supports self assessment and is developing tools to support it (page 3 of the article).

http://www.bsi-global.com/upload/St...k Management/Stayingontrack_BS25999_Feb07.pdf

There's obviously no guarantee that some elements within that organization don't have a different policy.

 

[Paul Simpson]

I would hope that a Standard Developing Body such as BSI British Standards would not get involved with the conformity assessment (provided by BSI Management Systems) route an organization decides to take in order to demonstrate compliance to a standard.

Aaah, if it weren't for the almighty dollar, pound, euro, pick a currency! Standards development organizations in theory operate totally altruistically. :mg: But then you get the marketing people saying - "Can we slant it so that people come to us?"

That decision, as well as the degree of confidence any stakeholder, such as a customer, places on self declaration mechanisms should be outside of the realm of standard developers. Unless BSI is mixing standard development with conformity assessment activities, I don’t understand why a Standard Developing Body would warn anyone against self declaration routes.

Again conformity assessment bodies have become part of the industry - so standards development committees include certification companies now - a self perpetuating cycle?

Only if people continue to buy the standards and the certification.

Look at the ISO Management System Standards, such as ISO 9001 and 14001 families of documents. They contain self-assessment guidance. The market and the consenting parties (customer and supplier) should decide the appropriate routes for someone to provide attestation of conformity to voluntary standards; not a standard development body.

Agreed. But as both of us represent companies who promote assessment and certification we might hope that people use the "independent" route.

 

[ISOgal2]

I've seen this sort of confusion from BSI before, with other standards.

I'm guessing that what they are referring to with respect to self assessment is Part 1 of the standard, which is just the code of practice (basically best practice). Self assessment against this surely wouldn't appear to be worth too much.

This is entirely different to Part 2, which will be the specification, which will also presumably be certifiable (third party).

To add to the BSI mix (and confusion) though one might wonder about another BSI standard in the same approximate area: BS25777 (ref:
http://www.27001.net/2007/07/iso-27000-iso-27031-and-business.html).

Exactly how that fits together with BS25999 is difficult to see, even taking the ISO developments out of the equation.

 

[Phil P]

Morning All,

Does anyone have any reasonable examples of BCM Policies per chance? Im putting a system in place thats going to eventually be certified by BSI to 25999 so if anyone has any useful tips or ideas they'll be warmly received.

This is going to be particularly interesting as I only have the draft version of 25999-2 at the moment.

Given the level of interest in this standard should there be a main thread for BCM? Business Continuity Policy? If someone can add one then Ill be happy to contribute to it to help others in the future.

Thanks in advance,

Phil.

 

[ISOgal2]

Phil,

I'm not 100% on what you mean by policies. Policies covering BCM are usually included within an organization's security policies. There is some association with ISO 17799/27002 in this respect, as section 5 of this standard specifically covers such policies. You might wish to take a look at that.

Bear in mind too that 25999 is just one of a number of current initiatives in the BCM area. It is probably worth waiting for things to settle before thinking about categorization on Elsmar.

One final point: contrary to some of the information in circulation out there, part 2 of this standard will not in fact be published on 25th September, as origianlly planned. The most likely date is now sometime in November.

Hope this helps.

 

[tyker]

BSI has had a webinar on the subject of BS 25999 which can be viewed on the link below. There's a lot of padding in there along with a bit of useful stuff and you'll have to accept being spoken to like a 7 year old school kid.

http://seminar.bsi-global.com/bs25999intro/

The link will expire in about 10 days.

 

[Randy]

you'll have to accept being spoken to like a 7 year old school kid.

Sounds about right