Monday, April 14, 2008

Some thoughts about BSI 25999

There has been a lot of promotion lately by the British Standards Institute (BSI) of its BS 25999-series business continuity standards.

BSI is making every effort to put BS 25999-* on the fast track to International Standards Organization (ISO) status.

BSI seems to be making pretty good headway on the island and the continent, but there appears to be some push-back from the colonies.

How can that be?

Well, the colonies have some pretty good standards and guides of their own, standards and guides which have been around, developing as the business continuity trade moved from "pick up the InfoTech pieces after an event" to "protect the organization through risk avoidance and mitigation."

In the U.S., and with slight variations on the theme in Canada, the de facto standard is the National Fire Protection Association (NFPA) 1600.

Now I confess I had little to do with the BS - I did comment on draft copies, but I have not seen if my suggestions were incorporated. Why? I can't afford the cost of the BS.

It is my understanding that the BS was developed with input primarily from island-based planners. NFPA, on the other hand, developed from input from a variety of sources, including - as the name implies - fire fighters. I am a very strong proponent of involving as many people and as much expertise as possible in every plan. This scrivener, at least, cannot claim to be a Subject Matter Expert in "everything."

I have another problem with "island-based planners." This is a generality (and as I learned in my early teens, "all generalities are lies"): the UK approach to business continuity is somewhat different than the approach by - again a generality - most planners in the U.S. I base my opinion on two British Airways events. The UK response seems to be "there was nothing we could have done" while those of us in the colonies contend that there were many measures that could have been implemented to avoid or mitigate the events. BA has a high-visibility business continuity programme (cq).

The BSI intends for BS 25999 to become an ISO and, by extension, to become by fiat a requirement for organizations wishing to do business on the island, the continent, and any place island and continental organizations have influence.

NFPA 1600, on the other hand, simply is a guide which is voluntarily followed. It is widely implemented because it has proven worth and, perhaps, because it is freely - as in "no charge" - available to "the masses."

People who know me know that "if it's free, it's for me" - and apparently a lot of other planners, too.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

No comments: