27165322 Guide to Business Continuity Management

27165322 Guide to Business Continuity Management

Citation preview


PAS 56:2003

PAS 56 Guide to Business Continuity Management

ICS 03.100.01


The Business Continuity Institute

PAS 56:2003

This Publicly Available Specification comes into effect on 24 March 2003

Amd. No. © BSI 24 March 2003

ISBN 0 580 41370 5



PAS 56:2003

Contents Foreword Introduction

Page ii iii

1 Scope 2 Terms and definitions 3 Abbreviations 4 Overview 5 BCM programme management 6 Understanding your business 7 BCM strategies 8 Developing and implementing BCM plans 9 Building and embedding a BCM culture 10 BCM exercising, maintenance and audit

1 1 6 6 7 10 14 18 21 23

Annex A (informative) Participants in the BCM cycle Annex B (informative) BCM evaluation criteria Annex C (informative) Frequency and triggers

29 31 43



Figure 1 BCM — the unifying process Figure 2 BCM relationships Figure 3 The BCM lifecycle Figure 4 The BIA and RA process Figure 5 Exercising types and methods

iii iii 7 12 24

Table A.1 RACI participants in the BCM cycle


© BSI 24 March 2003


PAS 56:2003 Foreword This Publicly Available Specification, PAS 56, was sponsored by the Business Continuity Institute1 and Insight Consulting Limited2, and developed through the British Standards Institution. Acknowledgement is given to the following organizations that were consulted in the development of this Publicly Available Specification: Adviza Risk Management Corporation of London Electronic Data Systems Corporation Insight Consulting Limited Marsh UK Ltd Office of Government Commerce Post Office Ltd Redan International/CMA Royal & SunAlliance Sainsburys The Business Continuity Institute This Publicly Available Specification is based upon the Business Continuity Institute’s Business Continuity Management: Good Practice Guidelines, 2002 [1]. This Publicly Available Specification has been prepared and published by BSI, which retains its ownership and copyright. BSI reserves the right to withdraw or amend this PAS on receipt of authoritative advice that it is appropriate to do so. This PAS will be reviewed at intervals not exceeding two years, and any amendments arising from the review will be published as an amended PAS and publicized in Update Standards. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The steering group of this Publicly Available Specification wishes to acknowledge the personal contributions of John Bartlett and Dr David J Smith FBCI to the development of the document. This Publicly Available Specification (PAS) is not to be regarded as a British Standard. It will be withdrawn upon publication of its content in, or as, a British Standard. Compliance with a Publicly Available Specification does not in itself confer immunity from legal obligations.


The Business Continuity Institute, PO Box 4474, Worcester WR6 5YA; telephone 08706 038783; www.thebci.org Insight Consulting Limited, Churchfield House, 5 The Quintet, Churchfield Road, Walton on Thames, Surrey KT12 2TZ; telephone 01932 241000; www.insight.co.uk



© BSI 24 March 2003

PAS 56:2003 Introduction Business continuity management (BCM) should be a fit-for-purpose, business-owned and -driven activity that unifies a broad spectrum of business and management disciplines in both the public and private sectors, including crisis management, risk management and technology recovery, and should not be limited to information technology disaster recovery (ITDR) (see Figure 1). BCM is directly linked to corporate governance and establishes good management p