Certification demonstrates to your customers, suppliers, staff and investors that you follow the industry-respected best practices laid down in Part 2 of BS 25999 (BS 25999-2:2007, Business Continuity Management Specification). It shows that your Business Continuity Management (BCM) system has passed a rigorous independent inspection.
The best approach when thinking about certification is to contact the British Standards Institution (BSI) early and talk through the process.
When you are reasonably confident that your Business Continuity Management practices are at least close to those outlined in the standard, BSI can arrange the certification assessment.
Typically, companies work towards certification for a period of time and then use a pre-assessment or gap analysis to see how closely they measure up. This need not be expensive or time consuming; it will, however, require careful planning. There are plenty of organisations offering training and other support materials.
The main tool you will use in becoming certified is BS 25999 Part 2. This document is the 'specification' that accompanies Part 1 of the standard; it sets out a comprehensive set of controls and establishes the BCM processes, principles and terminology that the assessor will expect to see.
It outlines what documentation and controls are required. To help you with this, BSI offers a comprehensive programme of BCM training courses covering every aspect of BS 25999, including certification.
Certification versus compliance: a chicken-and-egg problem?
John Hele, Global Product Manager, BSI Management Systems, was the keynote speaker at a BCM conference in Singapore in November 2008. His slides are reproduced here for your information.
He was addressing a question often asked by companies new to certification and to BCM: what should I focus on, compliance or certification?
John explains the inherent difference in mindset between the two, and answers the question by saying that both are important, for different reasons. He therefore suggests that, for completeness, organisations at a certain level of BCM maturity should go for both.
Initially it pays to go back to basics and consider what this is all about. Remember, it is about continuity, that is, the continuing operations of the organisation.
It is necessary to establish which threats could impact the continuity of the organisation and then to set up controls. These controls either reduce the probability of the threats occurring or limit the effect of their impacts on the continuity of the organisation. Establishing those controls is the compliance part; ensuring that the controls are adequate is the certification part. Standards set a framework for the assurance of the controls.
There are several standards that can be used; you should look at them all and decide which one best suits your organisation.
Another way to look at this is that you do not get a choice about compliance: you have to set up controls for the threats to your organisation.
The level to which you have to do this depends on which countries you operate in and which sector you are in. How do you assure yourself that those controls are actually up to the task? Using the standards to develop a framework (or management system) will help you do this.
Certification is when a third party confirms this assurance. So you can see how certification supports, and in many cases proves, compliance.
Slides 9 and 10 set out the differing characteristics of compliance and certification; look at the reasons given and see which match your priorities. Going through certification says something about how seriously you are taking compliance.
Find out more about what you can expect as you move towards certification.
What should I focus on, compliance or certification? (PDF, 2.1MB)