Avalution Consulting
International Standards and Regulatory Requirements

Name: BS 25999-1/2: Business Continuity Management (2007)
Purpose/Description: BS 25999 provides end-to-end business continuity management guidance to organizations with aggressive risk management demands or international business interests by focusing on risk treatment, response and recovery. This voluntary standard can be used as the basis of certification in the development of a business continuity program.
Scope: Applies to organizations of all sizes anywhere in the world

Name: BS 25777: Information and Communications Technology Continuity Management (2008)
Purpose/Description: BS 25777 helps organizations plan and implement an information and communication technology strategy, demonstrate that they are prepared for an IT disaster, and show that they have an effective strategy to manage the loss of internet, email or company information, providing reassurance to business partners.
Scope: Applies to organizations of all sizes anywhere in the world

Name: ISO/IEC TR 18044: Information Technology Incident Management (2004)
Purpose/Description: ISO/IEC TR 18044 provides guidance on information security incident management, specifically: the benefits to be obtained from, and the key issues associated with, a good information security incident management approach; examples of information security incidents and an insight into their possible causes; a description of the planning and documentation required to introduce a good, structured information security incident management approach; and a description of the information security incident management process.
Scope: Applies to any organization's information security managers and information system managers

Name: ISO/TC 223: Societal Security - Preparedness and Continuity Management Systems (2008) (will become ISO 22301)
Purpose/Description: ISO/TC 223 addresses the challenges an organization, group of organizations, or society may face before, during and after a disruptive event. International standardization in the area of societal security is aimed at achieving individual, multi-organizational and societal sustainability and resilience through improved management, information sharing and interoperability. ISO/TC 223 uses an all-hazards approach covering all necessary activities in the key phases of managing a disruptive event.
Scope: Applies to any organization or group of organizations wishing to protect themselves against the implications of a disruptive event

Name: ISO (PAS) 22399: Societal Security: Guidelines for Incident Preparedness and Operational Continuity Management (2007)
Purpose/Description: ISO 22399 is a Publicly Available Specification (PAS) focused on organizational response processes (crisis and incident management). This is a voluntary guideline.
Scope: Applies to organizations seeking to create or improve crisis/incident management response processes

Name: ISO/IEC 24762: Guidelines for Information and Communications Technology Disaster Recovery Services (2008)
Purpose/Description: ISO 24762 is a standard focused on disaster recovery sites and services seeking confirmation of disaster recovery capability, either internally or as a commercial offering. This is a voluntary guideline.
Scope: Applies to any organization with internal recovery sites and to organizations offering disaster recovery services

Name: ISO 27001 / 17799: Security Techniques for Information Security Systems (2005)
Purpose/Description: ISO 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. This voluntary standard can be used as the basis of certification in the development of an information security management system.
Scope: Applies to a wide variety of organizations, including commercial enterprises, government agencies and not-for-profit organizations

Name: ISO 28000: Specification for Security Management Systems for the Supply Chain (2007)
Purpose/Description: ISO 28000:2007 specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain. Security management is linked to many other aspects of business management, including all activities controlled or influenced by organizations that impact supply chain security. These other aspects should be considered directly where and when they have an impact on security management, including the transport of goods along the supply chain.
Scope: Applies to organizations of all sizes, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain

Name: ASIS SPC.1: Organizational Resilience: Security, Preparedness, and Continuity Management Systems (2009)
Purpose/Description: ASIS SPC.1 provides a comprehensive approach to security, preparedness, response, mitigation, business/operational continuity, and recovery for disruptive incidents resulting in an emergency, crisis, or disaster. It is a management framework that enhances an organization's capacity to manage and survive the event and to take all appropriate actions to help ensure the organization's continued viability.
Scope: Applies to private, not-for-profit, non-governmental, and public sector environments

Name: ASIS: A Practical Approach for Emergency Preparedness, Crisis Management, and Disaster Recovery (2005)
Purpose/Description: The ASIS guideline is a tool that allows organizations to consider the factors and steps necessary to prepare for a crisis so that they can manage and survive the crisis and take all appropriate actions to help ensure the organization's continued viability. This is a voluntary guideline.
Scope: Applies to private and public sector entities interested in developing business continuity capabilities

Name: DRII: Ten Professional Practices (1999)
Purpose/Description: The Disaster Recovery Institute International (DRII) Professional Practices were designed to establish the necessary skills and competencies for individuals focused on business continuity; more specifically, to establish requirements, define strategies, document plans, exercise strategies and advance awareness amongst all stakeholders. The Professional Practices may be viewed as voluntary guidelines for businesses, but are mandatory for those individuals seeking professional certification.
Scope: Although focused on individual competencies, the practices can be "retrofitted" to any international entity

Name: BCI: Good Practice Guidelines (2008)
Purpose/Description: The Business Continuity Institute (BCI) guidelines aim to provide a framework for successful business continuity management by providing an approach that a practitioner can use to build or improve their business continuity program. BCI's Good Practices may be viewed as voluntary guidelines for businesses, but are mandatory for those individuals seeking professional certification.
Scope: Similar to the DRII Professional Practices, applies to all organizations, regardless of size or industry sector

Name: BASEL II: Revised International Capital Framework (2006)
Purpose/Description: BASEL II outlines a set of principles that provide a framework for the effective management and supervision of operational risk for banks, including business continuity. These requirements are mandatory for a select number of banks based on asset size.
Scope: Applies to internationally active banks at every tier within a banking group, any holding company that is the parent entity within a banking group, and banks whose capital is recognized in capital adequacy measures and is readily available to depositors

Name: ITIL SCM: Disaster Recovery Self-Assessment (2008)
Purpose/Description: IT Infrastructure Library (ITIL) Service Continuity Management (SCM) prepares for worst-case scenarios by investigating, developing and implementing recovery options for when an interruption to a technology service reaches a pre-defined point. The goal is to support the overall BCM process by ensuring that required IT technical services can be recovered within required and agreed business timescales. This is a voluntary guideline.
Scope: Applies to those who understand the importance of IT Service Management in the IT infrastructure environment

Name: SI 24001: Security and Continuity Management Systems (2007)
Purpose/Description: SI 24001 assists organizations in laying the groundwork for dealing with emergency preparedness. The standard incorporates a requirement for risk and threat analysis of the organization within the management system as the basis for preparing a management program. The standard is based on the assumption that a security event cannot be categorically prevented; therefore, it contains a requirement to prepare plans for response and recovery in order to minimize harm to the organization and its stakeholders.
Scope: Applies to any organization or group of organizations wishing to protect themselves against the implications of a disruptive event

Name: COBIT 4.1 (2007)
Purpose/Description: The COBIT framework deals with the creation, testing, and monitoring of a continuity and contingency plan. COBIT audits require a BCP to be in place and effective in order to meet compliance requirements; the framework also details uninterruptible power supply needs. This is a voluntary guideline.
Scope: Applies to the objectives and scope of IT governance, ensuring that its control framework is comprehensive, in alignment with enterprise governance principles and, therefore, acceptable to boards, executive management, auditors and regulators

Name: ISO 20000: IT Service Management
Purpose/Description: ISO 20000 is a two-part international IT Service Management standard that aids organizations in developing integrated management processes that effectively deliver their IT services to the business and customers. Part I defines the requirements an organization must meet in order to deliver an acceptable level of service. Part II describes a set of best practices for service management within the guidelines of Part I. Service continuity management is a component of this effort.
Scope: Applies to any organization looking to maintain or improve its IT Service Management process
© 2007-2010 Avalution Consulting LLC