I'm a management tutor with BSI in the ISO 27001, 20000 and BS 25999 spaces, so let's see if I can answer some of the questions that have arisen in this thread.
First, Randy's description of the structure of BSI is substantially correct. There's a "Chinese Wall" between BSI Standards (who facilitate the writing of standards by identifying and bringing together subject matter expertise) and BSI Management Systems, who do the Certifications and Training -- so I don't know what they're writing in BS 25777 any more than anyone else :-( We're audited by UKAS who ensure, amongst other things, that the Chinese Wall is impenetrable.
Second, self assessment and audit. BSI Management Systems often put out self assessment instruments which help an organization assess its readiness for Certification. But in the case of BS 25999 there's a twist. It is a requirement of the standard for organizations to review their BCM arrangements at regular intervals either through self assessments or audit. (This requirement is distinct from requirements, also, to perform internal audit and management review in a manner similar to ISO 9001.) Think of it as analogous to monitoring and measuring processes and products: a detailed regular analysis of whether BC plans actually can deliver what they're supposed to, and an input to internal audit and the (more strategic level) management reviews.
Now, how do ISO 27001, BS 25999 (and BS 25777 although I'm guessing on this one) fit together?
Well, first, they overlap. And as you would expect, there's no need to duplicate effort purely for the sake of certification. (The principles of PAS 99 apply here too.)
Perhaps the easiest way to explain it is informally, with some (over-simplified) examples.
As you know, ISO 27001 is about information security - securing information in all its forms, whether paper, electronic or in people's heads with regard to confidentiality, integrity and availability. One of the many aspects of this is BC management from the perspective of information security. For example, many organizations have backups of their data, to secure integrity and availability. But how many encrypt their backups to safeguard against theft of the backups? That's one of the many places that ISO 27001 takes you.
Now let's turn to BS 25999. Significant drivers include the UK Civil Contingencies Act, Corporate Governance, Insurance, supply chain and outsourcing SLAs, protection of corporate value and reputation. The Civil Contingencies Act places mandates on Category 1 responders (fire, police, medical, local government) and Cat 2 responders (power utilities, telecom) and no doubt will feed down into other commercial organizations where services have been outsourced - IT services, for example.
BS 25999 is concerned with continuity of the entire business. Suppose you're a supermarket. Suppose there's an outbreak of foot and mouth disease. Now you have no meat to sell -- unless you can find alternative supplies. Or, suppose there's a sudden flood and several counties are submerged: how do you get your trucks from the warehouses to the stores when now, you need barges? Not to mention the crops spoiled and the animals lost, so now your food supply chain's a mess too. Both scenarios happened in England recently. ISO 27001 would not help these situations at all, because information was never much at risk; yet the supermarkets needed business continuity plans to find alternative food supplies, deal with delivery problems and manage media communications so as to avoid a PR disaster which might have affected reputation. This is where BS 25999 plays, by identifying critical business services and products and developing BCM plans for them -- and in conjunction with ISO 27001 if, for example, the floods damage the paperwork.
Finally, BS 25777. I'm guessing but it seems to be talking of continuity for IT and communications services. These are both highly complex and expensive areas. For example, in London there has been more than one severe incident involving underground railways, fire hazard and passengers, where radio communications devices issued to fire, ambulance and police simply don't work. BCPs are critically reliant on communications (phones, radio) and perhaps on IT too (e.g. to locate and despatch people and supplies in an emergency). Another example: many businesses in the Twin Towers had bought phone service from more than one telecom supplier, only to discover that the infrastructure had been bought from one, common supplier and did not provide the redundancy they thought they had. Also, IT service continuity (distinct from information security, though overlapping) is becoming critical to business: one aspect of the recent run on the UK Northern Rock bank was that its webservers became overloaded, could not enable people to see their accounts, and thereby exacerbated the panic. So it seems to me that BS 25777 might be expected to add additional detailed guidance and requirements to enable businesses to handle this complex area with confidence, as a contributing detail to their implementations of (their choice of one or more of) ISO 27001, ISO 20000, BS 25999 -- or, of course, ISO 9001. If or when I find out more about BS 25777 I'll let you know - but it's not worth my job to scale over the Chinese Wall and take a sneak peek ;-)
Hope this helps,
Pat