Business Continuity Management Systems: Requirements with Guidance for Use
Publication Date: 1 January 2010
SCOPE OF STANDARD
This Standard specifies requirements for a business continuity management system (BCMS) to enable an organization to identify, develop, and implement policies, objectives, capabilities, processes, and programs, taking into account legal and other requirements to which the organization subscribes or is governed by, to address disruptive events that might impact the organization and its stakeholders. This Standard specifies requirements for planning, establishing, implementing, operating, monitoring, reviewing, exercising, maintaining, and improving a documented BCMS within the context of managing an organization's risks.
The requirements specified in this Standard are generic and intended to be applicable to all organizations (or parts thereof), regardless of type, size, and nature of the organizational mission. The scope of these requirements depends on the organization's operating environment and complexity.
This Standard seeks to offer a flexible management systems approach to address and minimize the consequences associated with disruptive events.
This Standard addresses all aspects of the organization deemed essential to meeting commitments (as agreed to by top management), consistent with the scope of the BCMS. The Standard does not itself state specific performance criteria.
The intent of this Standard is to position an organization to design a BCMS that is appropriate to its needs. These needs are shaped by customer and other stakeholder, regulatory, and operational requirements; the products and services; the processes employed; the size and structure of the organization; and jurisdictional and geographic areas of operation.
This Standard is applicable to any organization that chooses to:
a) Establish, implement, maintain, and improve a BCMS.
b) Assure itself of its conformity with its stated business continuity management policy.
c) Demonstrate conformity with this Standard by:
i. Making a self-determination and self-declaration.
ii. Seeking confirmation of its conformance by parties having an interest in the organization (such as customers and supply chain partners).
iii. Seeking confirmation of its self-declaration by a party external to the organization.
iv. Seeking certification/regist
Annex A provides informative guidance on management system planning, implementation, testing, maintenance, and improvement of a business continuity program.