Creating BS25777

Setting out to create a new formal standard for Business Continuity Management (BCM) for Information and Communications Technologies (ICT) is no small or simple undertaking.  There are many experts and standards bodies, both national and international, who might want to contribute.  They have all woken up to the need for such a standard.  Never one to shirk a challenge, the British Standards Institution (BSI) has decided to produce a comprehensive standard.  In doing so, the BSI is seeking to update and formalise earlier documents, including the recent PAS77:2006 Code of Practice for IT Service Continuity Management.

BSI established a committee in June 2007, which comprises expert representatives of a wide range of interest groups and organisations including the British Computer Society (BCS), the BCI, the Cabinet Office and Intellect.  Chairman Ron Miller (of Intellect) has divided the task of drafting the content amongst four working groups.

  • WG1 is responsible for producing the Scope, Introduction and Culture sections.  The emphasis within the Culture section is on alignment and integration with other related activities such as BCM, corporate governance and ICT strategy;
  • WG2 is responsible for Understanding the Organization, Determining Requirements and Evaluating Risk.  The emphasis when understanding is on ensuring that the relative criticality of the organization’s activities is understood so that the appropriate priority can be put on determining requirements and evaluating risks for the most critical activities first.  When evaluating risks, emphasis is placed not only on the assessment of likelihood and impact but also on the organization’s ability to detect when a risk becomes reality;
  • WG3 is responsible for the Strategy and Implementation sections covering people, processes, technology and premises, including all of the services required by each;
  • WG4 is responsible for the Exercising, Audit and Maintenance sections.  The emphasis of these sections is the ongoing nature of the process and re-emphasising the potential for virtuous feedback circles between ICT continuity, BCM and ICT strategy.

We are reviewing drafts now and expect to release the Draft for Public Comment by late April or early May.  All being well, we will publish the new standard this autumn.

One of the first tasks was to establish what the scope of the new standard would be.  In the ICT industry as a whole, there has been a tendency to focus on disaster recovery as the key component of business continuity for ICT.  We recognised, however, that recovering from a major incident is only a small part of the picture.  We believe that the new standard should provide guidance for five key components of business continuity for ICT services:

  • Prevention and resilience;
  • Initial response;
  • Recovery to abnormal operations;
  • Delivering abnormal operations; and
  • Resumption to normal operations.

The perception of risk management as “the avoidance or management of bad stuff” has moved on over recent years.  We now typically see a more rounded approach to managing potential changes to the operating environment whether their impacts could be positive or negative.  By embracing this changed perception, we are looking not only at the management of downside risks (or threats) but also at the exploitation of upside risks (or opportunities).

Given the complex nature of 21st century ICT services, we felt it was prudent to examine the process for assessing risk[1].  It is a relatively simple task to detect that a flood has occurred or a fire has started.  In a complex technical infrastructure, it is not always easy to detect a component malfunction or failure.  Hence, the ability to detect that a risk has become a reality will be included in the recommended methodology.

Another theme in our risk management approach is to focus on the risks to the organization’s activities rather than concentrating solely on risks to the technologies.  This approach enables organizations to quantify the impact of technology risks more accurately by tracking and analysing the effects on operational activity.  In doing so, we hope to encourage organisations and their ICT communities to view themselves as parts of a whole rather than one being the customer of the other.

Since the early 1990s, the number of systems and processes within the modern organisation has grown exponentially.  At the same time, governance processes and controls surrounding these proliferating systems have weakened.  As a result, very few organisations today can accurately claim to know where all of their technologies are located, what they do, how they depend on each other or how the organisation would be affected if a given component were to fail.  In order to address this critical issue, BS25777 will be highlighting the importance of effective information security and configuration management.  It will also stress the importance of understanding the relative criticality of all of the organisation’s activities in order to prioritise investment in ICT continuity.

BS25777 will uphold and reinforce one of the fundamental tenets of BS25999, namely that business continuity will only truly add value to an organisation if it is embedded within the culture.  Hence, BS25777 will identify various aspects of organisational policy and activity which should have an influence on the development and implementation of an effective strategy for BCM for ICT.  These include corporate governance, corporate social responsibility, enterprise risk management, energy usage and environmental management, the delivery of new projects and services and the management of existing services.  In this context, BS25777 is as much a philosophy of how to manage ICT systems as it is about describing the components of an effective ICT continuity programme.

Another important element of BS25777 is the need for a formal feedback loop from ICT into the BCM programme and back again.  This enables an organization to ensure not only that investments in ICT continuity support the goals of the BCM programme but also that the BCM programme sets appropriate and achievable requirements.  Since nothing comes free, there is an obvious correlation between speed of recovery and cost.  Short recovery time objectives are usually more expensive than long ones.  Aggressive recovery point objectives are usually more expensive than relaxed objectives.  The ICT and BCM teams need to work closely together both to manage the expectations of the organization and to ensure that cost-effective objectives are agreed and achieved.

In addition to BS25999, a wide range of factors and publications are influencing BS25777.  We have adopted the Plan-Do-Check-Act approach recommended by ISO9000.  We have studied formal and informal standards, guidelines, regulations and legislation.  We have done this to ensure that the adoption of BS25777 will not prejudice any existing certification or compliance with regulations and law.  Some of these influences may not be as obvious as others.  For example, any ICT continuity programme that reduced the level of Health and Safety protection for the people involved in its implementation would obviously be inappropriate and unacceptable.  At the same time, we can learn a great deal from ISO14000 and ISO20000 in terms of both process and maintaining appropriate levels of environmental protection within the ICT continuity arrangements.

We have looked at the ever-evolving discipline of enterprise risk management and looked at ways of ensuring that ERM, BCM and ICT could support each other for the benefit of the organization.  We have also looked at best practice in project and programme management to influence the recommendations for managing an ICT continuity programme.  We believe that organizations that adopt BS25777 will find it a highly beneficial standard, both in terms of the ability of the organization to respond to disruption and in increasing the efficiency and effectiveness of the ICT function as a whole.

We are currently considering whether both a Code of Practice and a Specification are required and we expect to make a final decision in the next few weeks.  The primary consideration in taking the decision on whether to produce a Specification is whether it will be substantively different from BS25999-2.  If not, then we will produce only BS25777-1 Code of Practice.

[1] A risk is the combination of the likelihood of an event and its consequences, i.e. a possible future event/incident.
