Finding your way in the business continuity standards
Although BC is a relatively young discipline, various organizations in various countries have created standards and guidelines on BC. In this article we guide you through the most important standards and guidelines.
1. Good Practice Guidelines
A first very important guideline is the one from the Business Continuity Institute (BCI). The BCI, founded in 1994, is the best-known BC institute worldwide. They want to promote “the art and science of BC management (BCM) worldwide”. They do this by publishing their Good Practice Guidelines (GPG) on BC, a collection of best practices in the sector. The GPG are based on the BC lifecycle, which is very well known in the sector.
2. The BS 25999
Next to the BCI, the British Standards Institute has also written a standard on BC, the BS 25999. This standard is the successor of the Publicly Available Specification (PAS) 56 on BC and consists of two parts: BS 25999-1 and BS 25999-2. The first part is an accompanying document and only gives best practices, like the GPG. The second part specifies requirements for implementing, operating and improving a BCM system. A company needs to comply with these requirements to achieve the BSI certification on BC.
The BS 25999 is based on the GPG, which are, however, much more detailed. People can also achieve a BSI certification on BC, but this is still not very popular in Belgium.
3. Guidelines in the USA
Next to Great Britain, the USA also has its own standards and regulations, but most of them focus on the banking sector. The most important BC institute in the USA is the Disaster Recovery Institute. They never published guidelines or standards like the BSI or BCI did, but they train, inform and certify people and businesses on BC. Initially the organization focused on disaster recovery, but they widened their field to BC. There are, however, some guidelines in the USA. There are the ‘BC Planning Committee Best Practice Guidelines’ and the ‘NYSE rule 446: BC and Contingency Planning’, which states that every member of the NYSE needs to have and maintain a Business Continuity Plan.
4. ISO Standards
In the last few years, the International Standardization Organization has also started focusing on BC. This resulted in two standards on BC, the ISO 22301 and ISO 22313, created in 2012. Before these two, the ISO only had a standard on risk management (ISO 31000). Now, what about the content of both standards? The ISO 22301 actually blends the requirements from the national standards of several countries, like Japan, the USA, Australia,… It is very similar to the BS 25999-2 standard; as a consequence, the BSI has withdrawn the second part of their standard. The ISO 22313 mainly clarifies ISO’s other standard on BC by giving some examples.
Keep in mind that the list of standards mentioned in this text is not exhaustive. We could probably write an entire book on different national standards on BC, so we just targeted the most important ones. When we take a look at this short overview of BC standards, it becomes clear that Great Britain is a very important country in the creation of BC standards in Europe. It laid the basis for the creation of an international standard on business continuity together with other great BC countries like the USA. As always, it’s not clear what the future will bring, but now that the ISO has started creating standards on BC, national standards might disappear and the situation on the standards in BC will become clearer.