There is an increased awareness amongst organizations in relation to their approach towards disaster recovery (DR) and business continuity planning (BCP). A very thin line differentiates these two concepts. While DR is undertaken for systems in the data center, BCP is reserved for business processes.
Pre-requisites for BS 25999 standard
The BS 25999 standard is a code of practice for guidance and recommendations. It establishes the processes, principles and terminologies of BCP. It also provides a basis for understanding, developing and implementing business continuity. There are two approaches (or rather situations), in which this standard could be implemented. The first approach comprises of implementing BS 25999 standard in a stable business environment, where one is aware of different processes. In the second instance, business is new, and one is not aware of how the processes will change.
It is ideal to implement BS 25999 standard for BCP only after some of the business processes have stabilized. Once the processes are in place, only then should you look at their continuity. This is a proven and conventional approach.
When BS 25999 standard is implemented in a new business, one can nominate a person who is an expert on the subject matter and look at stabilizing different processes. Out of ten processes, at least two or three processes would always have to be available, irrespective of anything.
BS 25999 is a BCP standard; hence, it is better to first analyze the business processes in an organization and streamline them. Do not look at isolated silos of processes.
For the successful implementation of BS 25999 standard, it is important to break up activities into smaller functions and induct the right people. BCP involves making certain predictions, based on which norms have to be followed. The success of BS 25999 standard also hinges on the top management and how convinced it is about going forward with the execution
Implementing BS 25999 standard involves cost, strategy, and time. If you look at implementing BCP on day one, it is only going to be a cost implication for the organization without any profit.
Another standard that can be implemented along with BS 25999 is BS 25777. It is a new standard that talks about having internal DR for processes. It can be implemented after the BS 25999 standard to give a holistic IT approach to business.
About the author: Ashish Dandekar has served as the chief information officer of Power Exchange India. He is a certified business continuity professional and a lead auditor (ISO 25999). Dandekar is also an information security management system implementer (ISO 27001) and holds a Quality Management Certification (ISO 9001).
(As told to Jasmine Desai.)