
BS 25999 Frequently Asked Questions

No matter what size your business is, or how many people it employs, you should always be prepared for disruptions. Implementing and certifying to BS 25999 enables you to be better prepared and more resilient. We have listed below some of the frequently asked questions we have received to help you better understand BS 25999.

What is BS 25999?

BS 25999 is a standard that establishes the process, principles and terminology of Business Continuity Management (BCM). The standard deals with broad objectives and is therefore non-prescriptive so as to make it applicable to all organizations, whether they are small, medium or large, local, national or global, or are in the private or public sectors.

The standard has the following aims:

  • Provides a basis for understanding BCM
  • Provides a means of measurement that is consistent and recognised globally
  • Provides a systematic approach to establishing good practice
  • It does not deal with emergency planning and management except in the context of an organisation’s role within a larger incident

BS 25999 is published in two parts. Part 1 is a Code of Practice and Part 2 is a Specification giving the requirements for a Business Continuity Management System (BCMS). Sample pages of both parts are available from Useful documentation.

What’s the difference between BS 25999 Part 1 and Part 2?

There is often confusion about the relationship and differences between the Code of Practice and the Specification:

  • BS 25999-1:2006 Code of Practice: Published in November 2006, the Code of Practice describes how an organisation can establish and maintain effective business continuity arrangements using the BS 25999 Business Continuity Life Cycle. It uses the word 'Should' to denote the fact that this is not a set of prescriptive directives that organisations have to follow but a collection of best practice guidelines that should be tailored to suit the organisation using it. An organisation cannot be audited against the Code of Practice and therefore cannot achieve certification.
  • BS 25999-2:2007 Specification: Published in November 2007, the Specification describes how an organisation can implement, maintain and improve a Business Continuity Management System (BCMS) predicated on the PLAN - DO - CHECK - ACT model that will be familiar to users of other management standards such as ISO 9001, ISO 14001 and ISO 27001. It uses the word 'Shall' rather than 'Should' to denote that it is a specification describing the specific actions that an organisation must undertake in order to be compliant with the standard. The specification is auditable and therefore certifiable.

Why was BS 25999 developed?

BS 25999 was developed by BSI in the UK in response to business and government leaders who requested a standard to meet their business continuity needs. These needs included the ability to respond to incidents that disrupt normal business operations, which could be because of minor, frequent interruptions to the business, or because of the increasing major natural disasters and deliberate acts of terrorism.

This need was intensified following the Civil Contingencies Act (2004) being passed by the UK government to ensure its preparedness to respond to emergencies. Subsequent incidents like the Buncefield Oil Storage Depot fire in 2005 put business continuity on the highest agenda. The introduction of BS 25999 also aimed to move the focus away from Information Technology to the organisation’s (business) operations. Subsequently, BS 25999 has built up a broad following not just in the UK but throughout the world. Many organisations from different industry sectors and geographies have implemented the standard and become certified.

What is BS 25999 certification?

When BSI certifies (or registers) an organisation to a management systems standard such as BS 25999 this means that BSI gives an independent assurance that the organisation meets the requirements of the standard. BSI does this based on the results of an audit/assessment and provides a certificate as proof of conformity.

Why should we implement a Business Continuity Management System (BCMS) that complies with BS 25999 and then have it independently assessed by BSI?

The key benefits are:

  • Confidence that you have plans in place to continue trading in the event of a disruption to your supply chain.
  • Clear business advantage over your competitors when dealing with industry and government, providing levels of confidence and assurance.
  • Offers public assurance that your business is robust.
  • A certified BCMS will provide ‘proof of managed risk’ in your business, which could be reflected in insurance premiums over time, as the risk to the insurer may be reduced through a certified BCMS from BSI.
  • BS 25999 certification can provide a competitive advantage particularly when you are competing for business with suppliers that do not have their BCMS independently assured.
  • Continual improvement is an inherent benefit of BS 25999 certification. This is particularly relevant in industries which are highly regulated and high risk, and where organisations must demonstrate continued adherence to their legal and regulatory obligations.
  • Reduction in audits from other parties. A BSI certificate confirms you have a certified BCMS in place.

BS 25999 certification gives organisations the assurance that their BCMS will be effective when a disruption occurs and the benefits of being able to demonstrate to all stakeholders that a world-class internationally recognised BCM best practice is in place.

What is the difference between certification and self-assessment?

Organisations can claim they comply with BS 25999 through self-assessment, or internal audit, but what does this mean to their stakeholders? Some might say this is similar to marking your own homework because an independent party is not involved. We believe that only independent and repeatable certification audits to a defined standard are acceptable as evidence of conformity and continual improvement to BCM best practice.

How long will certification take?

This entirely depends on the organisation, its maturity in BCM and how closely its BCMS meets the requirements of BS 25999. Many organisations will have BCM programmes but may not have a management systems approach. In any event, implementing a standard-based management system and having it assessed is not a short process. You should be thinking in terms of at least 6-12 months to achieve certification. Advice, gap analysis and training services are all available from BSI. These are aimed at guiding you towards a completed assessment in the quickest possible timescale for your business.

What is ‘scope’ and how is it determined?

The scope relates to the parts of your organisation that the BCMS applies to. Ideally this should be the whole organisation so that you have one holistic BCMS that can be invoked in the event of an incident. However, some organisations may only be interested in having a BCMS for some of their key products and services, and the scope may therefore be restricted to those products and services and the supporting activities that ensure they are delivered to customers.

Will this mean additional documentation for the organisation to manage?

BS 25999, as with all management systems standards, is not intended to be a burden for any organisation. It is expected that whatever documentation and records are required to fulfil the standard’s requirements will need to be properly managed. If your organisation is certified to other Management systems (e.g. ISO 9001 or ISO 14001) then a lot of the generic processes with their attendant documentation should already be in place.

We have implemented ISO 9001 in our organisation. Will implementing BS 25999 require duplication of effort?

There are some parallels between ISO 9001 and BS 25999 because they both follow the Management Systems methodology common to many standards. Elements that are the same include Top Management Involvement, Document Control, Training, Internal Audit, Management Reviews and Corrective and Preventative Actions. Of course, BS 25999 has some specific BCM-related requirements which will require additional effort.

Can BSI offer training to assist in the implementation of BS 25999?

Yes. BSI offers a comprehensive programme of Business Continuity Management (BCM) and BS 25999 training courses in a number of countries. These courses cover every aspect of BS 25999, including Implementation and Internal Auditing.

How much will it cost for me to undertake BS 25999 Certification?

BSI’s audit fees are only one component in the total cost required to achieve certification to any standard. The cost of having BSI assess and certify your organisation is based on a set of criteria that include factors such as the number of employees and sites to be covered within your Business Continuity Management System’s scope. The combination of these factors will determine the number of days required to assess your system. You should also consider the costs that are internal to your business as well as those paid in assessment fees as being the “total cost” to achieve BS 25999 certification. A discussion with BSI will enable us to estimate the cost of assessment. However, it is worth considering what the cost to the organisation would be in the event of an incident that would have a serious impact on your organisation’s ability to provide key products and services to your customers.

Are there any BS 25999 tools or solutions available for example to evaluate our organisation’s readiness for BS 25999 certification?

Yes. BSI is able to offer a number of solutions. They include:

  • BS 25999 Part 1 - this is available to purchase directly from BSI.
  • BS 25999 Part 2 – this is available to purchase directly from BSI.
  • BS 25999 Starter Kit – this includes both parts of the standard, discounts on training courses and vouchers that can be used to subsidise the costs of the Online Self-Assessment Tool, gap analysis and training. This is not available in every country so check with your local BSI office.
  • Training – many training courses are available covering BCM generically and BS 25999 specifically. For example learn more about BS 25999 and its requirements or the management systems approach to BC. More in depth courses cover the implementation of a BS 25999 compliant BCMS. You can also learn how to audit a BCMS within an organisation through the BSI Internal Auditor course or by attending the BSI Lead Auditor course you can learn how to lead audits internally or externally. Courses on specific aspects of BCM are also available and courses can be delivered in a variety of ways from online to on-site.
  • Gap Analysis – this is a very useful service which provides an independent review of your BCMS and allows you to check your readiness for BS 25999 certification by identifying any gaps. This service is offered globally. BSI has found that many of its clients have robust BCM programmes in place but are not familiar with the management systems approach of BS 25999. A Gap Analysis, conducted by a qualified BSI auditor, can help bridge this gap, saving time, cost and disruption. Contact BSI Management Systems UK for more information.
  • Consultancy – via the BSI Associate Consultancy Programme (ACP) which operates in a number of countries, we can put you in touch with consultants who can help you implement a BCMS.
  • BS 25999 Business Continuity Self-Assessment Online – our online ‘off the shelf’ self-assessment tools enable you to quickly evaluate your existing BCM arrangements in line with the requirements of BS 25999. Available for both parts of BS 25999, the recently available Part 2 tool helps you plan, implement, operate, review, record and report on your business continuity management system (BCMS).
  • Entropy – our Entropy Software is a web-based Audit & Compliance solution, which provides senior managers and directors with the ability to identify, assess and manage business continuity compliance across the business, with real-time analysis and performance reporting via an instant corporate-wide executive dashboard view. The Entropy Software solution also helps companies to address risk, compliance and performance management in areas of corporate governance, corporate social responsibility, environmental, health & safety, quality, and supply chain compliance management.

Have many organisations been certified to BS 25999?

Although BS 25999 Part 2 was only published in November 2007, many organisations throughout the world have already been certified, which clearly demonstrates the importance of BCM, the popularity of the standard and its international recognition. BSI has certified more than 40 organisations around the world from a number of different industries. These include household names such as Vodafone, Accenture, Citigroup and NEC Corporation along with a number of small and medium sized businesses. You can see some case studies here.

What are the key differences between BS 25999 and other standards?

BS 25999 focuses entirely on ensuring that a robust business continuity management system exists for an organisation’s entire business. Some other standards have controls or objectives that partially cover the area of business continuity without going into the detail of BS 25999. For example, ISO 9001 has a control (8.5.3) which considers the measures your business has in place to mitigate risk. ISO 27001 has a section on business continuity in relation to information security.

There are a number of standards available that will help to enhance BS 25999 as part of a ‘family’ of risk products offered by BSI. They include:

  • ISO/IEC 27001 Information Security
  • ISO/IEC 20000 IT Service Management
  • BS ISO/IEC 27031:2011 Information technology. Security techniques. Guidelines for information and communication technology readiness for business continuity
  • BS 31100 Code of Practice for Risk Management

Other Business Continuity standards do exist but these tend to be local standards that have been specifically developed for local markets. BS 25999 is recognised as the only globally accepted standard for BCM best practice and excellence.

We are led to believe that BS 25999 is going to be an ISO Standard soon. Should we wait for this?

As with a number of British Standards in the past, including BS 7799 and BS 15000 - which became ISO 27001 and ISO 20000 respectively - ISO (the International Standards Organisation) has taken a keen interest in BS 25999 and its impact on the market. Development of two new ISOs is underway: ISO 22399 (a Code of Practice) and ISO 22301 (Specification). Both standards are using BS 25999 as a major source document and BSI British Standards is leading the Working Groups which are developing these standards. However, the consensus-based standards-making process can be lengthy and these standards are not expected to be published until at least 2011. When they are published it is expected that clients with BS 25999 certification will easily be able to transition to the new ISO. In the meantime, if organisations want to comply with the latest BCM best practice which is already recognised internationally, they should adopt BS 25999 and not wait for the ISOs.

What is BS 25999 Route to Certification for my organisation?

There are a number of key steps that will take you through to certification with BSI. They are:

  • Step 1 Purchase BS 25999 Parts 1 and 2 and familiarize yourself with the requirements
  • Step 2 Determine the scope of your BCMS
  • Step 3 Consider your self-assessment options
  • Step 4 Consider a Gap Analysis to determine how closely your BCMS complies with BS 25999
  • Step 5 Consider your training and consultancy requirements
  • Step 6 Submit an application for certification to BSI
  • Step 7 Consider an optional Pre-assessment to determine your readiness for certification
  • Step 8 Undertake a full assessment which is split into 2 stages
  • Step 9 Achieve certification
  • Step 10 Ongoing annual continual assessment visits.

Once certified, BSI will continue to assess your BCMS on a regular basis ensuring ongoing compliance with BS 25999 and enabling continual improvement.

Why choose BSI?

BSI Management Systems is one of the largest and most widely respected certification bodies in the world with more than 64,000 certified client locations in over 100 countries and a proven track record of delivering value to its clients through accredited certification. Indeed, BSI meets the highest standard for certification bodies as demonstrated by its having been awarded ISO/IEC 17021 accreditation by UKAS (the United Kingdom Accreditation Service) and ANAB (the ANSI-ASQ National Accreditation Board in the United States), enabling networked certification around the world. This achievement underlines BSI’s commitment to meeting the most exacting standards for assessment delivery competence and impartiality and demonstrates that BSI meets the industry’s highest requirements. With increasing globalisation and supply chains which extend around the world, working with a certification partner with worldwide accreditation is important to many organisations seeking to manage efficiency, risk and compliance across their international operations. BSI is the BS 25999 pioneer, having developed the standard and certifying the first organisations in November 2007 when BS 25999 was published. Since then BSI has gone on to become the clear BS 25999 certification market leader with over 40 certified clients in numerous countries and from many sectors.

Where can I go for further information on BS 25999?

Please see Becoming certified or Contact us for more information.

 
