ASIS/BSI BCM.01-2010
Business Continuity Management Systems: Requirements with Guidance for Use

Applies to private, public, not-for-profit, and voluntary organizations, regardless of their size, scope, or complexity. The standard accommodates diverse jurisdictional, geographical, cultural, operational and social environments.

The standard provides auditable criteria with accompanying guidance for developing and implementing a business continuity management system that improves an organization’s ability to prepare for, respond to, and recover from a disruptive event.

ASIS SPC.1-2009
Organizational Resilience: Security, Preparedness & Continuity Management Systems

Applies to private, not-for-profit, non-governmental, and public sector environments

ASIS SPC.1-2009 provides a comprehensive approach for security, preparedness, response, mitigation, business and operational continuity, and recovery for incidents resulting in an emergency, crisis, or disaster. It is a management system framework that enhances an organization’s capacity to manage and survive the event, and take all appropriate actions to help ensure the organization’s continued viability.

ASIS SPC.1-2009 is also one of the three standards selected for inclusion in the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep).

BASEL II: Revised International Capital Framework (2006)

Applies to internationally active banks at every tier within a banking group, any holding company that is the parent entity within a banking group, and banks whose capital is recognized in capital adequacy measures and is readily available to depositors.

BASEL outlines a set of principles that provide a framework for the effective management and supervision of operational risk for banks, including business continuity. These requirements are mandatory for a select number of banks based on asset size.

BS 25999-1/2: Business Continuity Management (2006/2007)

Applies to all sized organizations anywhere in the world

BS 25999 provides end-to-end business continuity management guidance to organizations with aggressive risk management demands or international business interests by focusing on risk treatment, response and recovery. This voluntary standard can be used as the basis of certification in the development of a business continuity program.

BS 25999 is also one of the three standards selected for inclusion in the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep).

BS 25777: Information and Communications Technology Continuity Management (2008)

Applies to all sized organizations anywhere in the world

BS 25777 helps organizations plan and implement an information and communication technology strategy, demonstrate they are prepared for an IT disaster, and show that they have an effective strategy to manage the loss of internet, email or company information, providing reassurance to business partners. This document was designed to complement BS 25999.

COBIT 4.1 (2007)

Applies to the objectives and scope of IT governance, ensuring that its control framework is comprehensive, in alignment with enterprise governance principles and, therefore, acceptable to boards, executive management, auditors and regulators.

The COBIT framework deals with the creation, testing, and monitoring of a continuity and contingency plan. COBIT audits require a BCP to be in place and to be effective in order to meet compliance requirements; the framework also details uninterruptible power supply needs. This is a voluntary guideline.

ISO/IEC 27035: Information Security Incident Management (2011)

Applies to large and medium-sized organizations. Smaller organizations can use a basic set of documents, processes and routines described in this standard, depending on their size and type of business in relation to the information security risk situation. It also provides guidance for external organizations providing information security incident management services.

ISO/IEC 27035:2011 provides a structured and planned approach to detect, report and assess information security incidents; respond to and manage information security incidents; detect, assess and manage information security vulnerabilities; and continuously improve information security and incident management as a result of managing information security incidents and vulnerabilities.

ISO/TC 223: Societal Security
Preparedness and Continuity Management Systems (2008) (will become ISO 22301)

Applies to any organization or group of organizations that wishes to protect itself against the implications of a disruptive event.

ISO/TC 223 addresses the challenges an organization, group of organizations, or society may face before, during and after a disruptive event. International standardization in the area of Societal Security is aimed at achieving individual, multi-organizational and societal sustainability and resilience through improved management, information sharing and interoperability. ISO/TC 223 uses an all-hazards approach covering all necessary activities in the key phases of managing a disruptive event.

In addition to ISO 22301, here is an informal listing of some of the standards currently being worked on (some of the titles may change based on TC 223 discussion and public comment):

  1. ISO 22300: Societal Security – Vocabulary
  2. ISO 22311: Societal Security – Video Surveillance
  3. ISO 22313: Societal Security – Business Continuity Management Systems – Guidance*
  4. ISO 22320: Societal Security – Emergency Management – Requirements for Command and Control
  5. ISO 22322: Societal Security – Emergency Management – Public Warning
  6. ISO 22323: Societal Security – Organizational Resilience Management Systems – Requirements with Guidance for Use**
  7. ISO 22351: Societal Security – Emergency Management – Shared Situational Awareness
  8. ISO 22397: Societal Security – Guideline to Set Up a Partnership Agreement for the Governance of Interoperability
  9. ISO 22398: Societal Security – Guidelines for Exercises and Testing
  10. ISO 22399: Societal Security – Guideline for Incident Preparedness and Operational Continuity Management

* Regarding ISO 22313, this is the guidance document for ISO 22301, which describes strategies to implement a business continuity management system.

** Regarding ISO 22323, this standard is also written for certification (with embedded guidance as an annex), and it is based on the ASIS SPC.1-2009 Organizational Resilience Standard.

ISO (PAS) 22399: Societal Security
Guidelines for Incident Preparedness and Operational Continuity Management (2007)

Applies to organizations seeking to create or improve crisis/incident management response processes

ISO 22399 is a Publicly Available Specification (PAS) focused on organization response processes (crisis and incident management). This is a voluntary guideline.

ISO/IEC 24762
Guidelines for Information and Communications Technology Disaster Recovery Services (2008)

Applies to any organization with internal recovery sites or organizations offering disaster recovery services

ISO 24762 is a standard focused on disaster recovery sites and services seeking confirmation of disaster recovery ability, either internally or as a commercial offering. This is a voluntary guideline.

ISO 27001: Security Techniques for Information Security Systems (2005)

Applies to a wide variety of organizations including commercial enterprises, government agencies, and not-for-profit organizations

ISO 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. This voluntary standard can be used as the basis of certification in the development of an information security management system.

ISO 28000: Specification for Security Management Systems for the Supply Chain (2007)

Applies to organizations of all sizes, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain

ISO 28000:2007 specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain. Security management is linked to many other aspects of business management. Aspects include all activities controlled or influenced by organizations that impact supply chain security. These other aspects should be considered directly, where and when they have an impact on security management, including transporting these goods along the supply chain.

ISO 20000: IT Service Management

Applies to any organization looking to maintain or improve its IT Service Management Process

ISO 20000 is a two-part international IT Service Management standard that helps organizations develop integrated management processes that effectively deliver IT services to the business and its customers. Part I defines the requirements an organization must meet in order to deliver an acceptable level of service. Part II describes a set of best practices for service management within the guidelines of Part I. Service continuity management is a component of this effort.

PAS 200:2011 Crisis Management – Guidance and Good Practice

Applies to top managers in organizations of any size, type, industry and sector.

PAS 200:2011 is a standard designed to help organizations take practical steps to help deal with crises. It does this by giving organizations an operational structure to detect and prepare for such crises; helping organizations to prevent or survive them. The standard includes seven sections: scope, terms and definitions, understanding crises, developing a crisis management capability, planning and preparing for crisis response and recovery, communications in a crisis, and evaluating crisis management capability.

SI 24001: Security and Continuity Management Systems (2007)

Applies to any organization or group of organizations that wishes to protect itself against the implications of a disruptive event.

SI 24001 assists organizations in laying the groundwork for how to deal with Emergency Preparedness. The standard combines the requirement of risk and threat analysis to the organization within the management system as a basis for preparation of a management program. The standard is based on the assumption that a security event cannot be categorically prevented; therefore, it contains a requirement to prepare plans for response and recovery in order to minimize the harm to the organization and its stakeholders.
