Certification of BCMS (Business Continuity Management Systems) Standard BS 25999-2
Ensuring operational continuity in the event of interruptions, whether these are due to serious incidents or minor setbacks, is a fundamental requirement for any organisation operating in today's local and international context.

Continuity in the provision of services or the delivery of products is an asset with an economic value and must therefore be adequately protected from a wide range of threats, so that company activities carry on normally while damage to the company (financial and/or reputational) is minimised and the return on investment is maximised. Ensuring operational continuity requires an appropriate set of measures, including policies, operating practices and organisational structures, that allow a company to fulfil its business continuity objectives. An evaluation of the effects of an interruption on operations (the business impact analysis) is the ideal starting point for determining the solutions that most effectively meet the needs of each individual company.

The new economy and globalisation have brought about a significant growth in electronic transactions (typical examples are found in the banking, insurance and financial sectors), have made organisations increasingly interdependent (particularly where critical infrastructures such as energy, ICT, finance and transportation are concerned) and have increased dependence on outsourcers for processes that are vital to the organisation. This situation, together with sector-specific requirements (for example the guidelines issued by the Bank of Italy on business continuity) and the proposal for a European Directive on critical infrastructures, has made it necessary to develop business continuity management systems that guarantee the survival of the organisation in the event of an interruption in operations and ensure the recovery of critical activities within predetermined times, using specific procedures.

In addition to the perceived value, auditing by a third party is one of the advantages of having a certified Business Continuity Management System (BCMS).
Indeed, unlike other management systems (quality, environmental, safety, etc.), such an audit covers both the documentary and the operational structure, which is tested through exercises that validate the system being certified.

The regulatory and legislative framework for operational continuity

Banking regulations
Basel II, International Convergence of Capital Measurement and Capital Standards: A Revised Framework, June 2004; Bank for International Settlements, Basel Committee on Banking Supervision;
Sound Practices for the Management and Supervision of Operational Risk, Bank for International Settlements;
Guidelines of the Bank of Italy for the continuity of services in wholesale markets and support systems, October 2004;
Supervisory Provisions of the Bank of Italy of 21 March 2007 (published in the Supervisory Bulletin issue no. 7, July 2004, pages 7-13): specific requirements for operational continuity in systemically relevant processes.
Fiscal regulations
Decree of the Minister of Economy and Finance (DMEF) of 23 January 2004 (Official Gazette issue 27 of 3 February 2004): procedures for fulfilling fiscal obligations relating to electronic documents and their reproduction on different storage media;
Circular no. 36/E of 6 December 2006 of the Italian Inland Revenue Service, on the Ministerial Decree of 23 January 2004 (procedures for fulfilling fiscal obligations relating to electronic documents and their reproduction on different storage media);
Legislative Decree no. 52 of 20 February 2004 (Official Gazette issue 49 of 28 February 2004): enactment of Directive 2001/115/EC, which simplifies and harmonises invoicing procedures pertaining to VAT;
Circular no. 45/E of 19 October 2005 of the Italian Inland Revenue Service, on Legislative Decree no. 52 of 20 February 2004 (enactment of Directive 2001/115/EC, which simplifies and harmonises invoicing procedures pertaining to VAT).

Regulations in the field of critical infrastructures
Decree of the Ministry of the Interior of 9 January 2008 (Official Gazette no. 101 of 30 April 2008): identification of critical IT infrastructures of national interest;
Directive on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, text approved on 5 June 2008 by the Justice and Home Affairs Council of the European Union.

Other applicable regulations
Legislative Decree no. 196 of 30 June 2003 (Official Gazette no. 174 of 29 July 2003): Personal Data Protection Code;
Prime Ministerial Decree of 13 January 2004 (Official Gazette no. 98 of 27 April 2004): technical specifications for the creation, transfer, storage, duplication, reproduction and validation, including by time-stamp, of electronic documents;
Legislative Decree of 2 November 2005 (Official Gazette no. 266 of 15 November 2005): technical specifications for the creation, transfer and validation, including by time-stamp, of certified e-mail;
Resolution no. 4 of 17 February 2005 of the National Centre for IT in Public Administrations (Official Gazette no. 51 of 3 March 2005): rules for the recognition and verification of electronic documents.

Voluntary standards
BS 25999-2, Business continuity management, Part 2: Specification;
BS 25999-1, Business continuity management, Part 1: Code of practice.

CSQ-BCM certification

Thanks to the extensive experience CSQ has gained through its work in major areas of production, it is able to offer services to companies that wish to assess their methods against BS 25999-2, the new reference standard on business continuity. BS 25999, the world's first standard on business continuity management, was developed by the British standardisation
body BSI to reduce the risk of such interruptions to a minimum, this being a priority for many companies. CSQ has developed the CSQ-BCM scheme for issuing BS 25999-2 certification.

CSQ-BCM allows organisations to certify their own Operational Continuity System (OCS) through assessment of:
the scope of the BCMS;
the business continuity policy;
the Business Impact Analysis (BIA);
the risk assessment;
the risk treatment choices;
the existence of an organisation dedicated to the management of incidents and operational continuity;
implementation of the provisions set up for operational continuity;
procedures for the management of operational continuity;
assessment and periodic review of the BCMS adopted.

The certification process

This generally takes place in at least two phases, both of which aim to verify compliance with BS 25999-2.

Phase 1: documentation audit. Assessment of the documentation supporting the BCMS, from the business continuity management manual to the business impact analysis and risk assessment documents. This can be carried out at the organisation's premises and covers all the major documents pertaining to the Business Continuity Management System.

Phase 2: organisational audit. On-site visit for interviews, examination of documents and comparison of formal procedures with operating practices. The goal is to verify that the organisation adheres to its own policies, objectives and procedures and that the OCS is effectively implemented, maintained and improved.

The objectives
To provide a consistent framework, based on best international practice, with which to manage operational continuity.
To identify the impacts that could threaten the organisation and provide a model that ensures resilience and the ability to respond effectively, so as to safeguard the interests of the main stakeholders, the organisation's reputation and brand, and the activities that create added value.
To proactively improve resilience to interruptions, so that key objectives are still reached.
To provide an effective method for recovering the capacity to deliver critical products and services at a predefined level and within a specified time following an interruption.
To offer an appropriate response for managing an interruption.
To provide a clear understanding of how the entire organisation operates and to identify opportunities for improvement.
To make it possible to reduce the insurance premium for business interruption.

IMQ accreditations
1. IMQ is accredited by SINCERT to issue certifications that comply with the ISO/IEC 27001 standard in all sectors included in the international EA (European Co-operation for Accreditation) classification.
2. IMQ's Security Testing Laboratory assesses IT security according to the ITSEC and Common Criteria (ISO/IEC 15408) standards. The laboratory is accredited by the National Schemes for the Evaluation and Certification of the Security of ICT Systems and Products.
Advantages of CSQ-BCM certification

Certifying a business continuity management system makes it possible to:
ensure adherence to contractual and legislative requirements;
strengthen a company's credibility and visibility while safeguarding its image and assets and facilitating recovery from interruptions;
reduce the cost of incidents;
put the investments made in incident management and operational continuity plans to effective use;
ensure, and prove to stakeholders, that all the technical and organisational instruments and measures needed to deliver critical products and services are in place.
The banking sector, and by extension its strategic partners, can use certification of their BCMS to provide objective evidence of compliance with the Bank of Italy directives on the continuity of operations.

Certification of Operational Continuity Systems: major industrial sectors and areas covered

The need to guarantee that products and/or services continue to be delivered even in the case of serious incidents of any type (natural disasters, breakdowns, strikes, acts of terrorism or vandalism, etc.) is now a requirement for all organisations. In such a context, business continuity in the broad sense cannot be ensured solely by technical measures; it requires appropriate organisation and procedures. Furthermore, the management of operational continuity relies heavily on the participation of all key personnel and, in certain cases, of suppliers, clients and other stakeholders. Organisations must therefore identify the specific critical areas for the sector they operate in.

Financial Sector
Financial services are provided by a range of organisations, from banks to insurance companies, all of which share the need to use networked systems for data and funds transactions. In this sector, the following are important:
ensuring the continuity of transactions;
ensuring data protection and recovery;
recovering critical services within the established time.

The Utilities Sector
Suppliers of energy, telecommunications, transportation, etc. are among Italy's critical infrastructures. The transposition of European Directives in this area results in the implementation of plans guaranteeing the continuity of supply and services, and BCMS certification is the natural way to ensure that the emergency management system is up to date, appropriate and continually improving.
Industry and Sales
The Industry and Sales sectors must guarantee production or the provision of services in the event of a disaster by anticipating possible scenarios and being prepared and trained to ensure the survival of the organisation, while ascertaining that their own critical suppliers are equally prepared. Hoping that such events will not occur is not enough; it is always best to be prepared for the worst. Certification of a company's BCMS also provides the advantage of a better image and more opportunities compared with competitors.

The Public Sector
The Public Sector includes many different areas for which operational continuity is of fundamental importance; in particular, public administration (PA), defence, health and the provision of services to citizens. Understanding the organisation's particular situation and the threats it may be subject to, analysing the possible scenarios and their impacts on services and infrastructures, planning ahead to reduce the impact of disastrous events, managing incidents and having plans in place that allow operations to be recovered should be the duty of any good public administration. Certifying an operational continuity system means ensuring that what has been planned is consistent, up to date, effective and tested, and that it is periodically reviewed and improved.
ABOUT US

The IMQ Group is Italy's leading organisation in conformity assessment (certification, testing, verification and inspection). With the synergies of its companies, the prestige gained from more than 50 years of experience and a complete range of services, the IMQ Group is the partner of choice for companies committed to safety and quality. The IMQ Group operates in numerous sectors, from the electro-technical and electronics industries to telecommunications, the automotive industry, the gas sector, plant engineering, construction products and the food and agricultural industry. The IMQ Group can provide general or targeted services for each product category, according to need, including product certification, certification for EC directives, company management system certification, inspection of systems and property, laboratory tests, international type tests, assistance with exports, surveillance of manufacturing abroad, as well as assistance with technical formalities and training. The comprehensive range of services is delivered through the expertise gained in numerous product categories by the IMQ Group companies: IMQ S.p.A., CSI S.p.A., IMQ Primacontrol S.r.l., IMQ Clima S.p.A., ICILA S.r.l., IMQ Iberica SL, IMQ Kraków R.O., IMQ Shanghai R.O. (Representative Office in China). The IMQ Group also has holdings in Istituto Giordano S.p.A., CISQCERT S.p.A. and Icube S.A. (Argentina).

mod.1131/0/e - 2009/1 - Med. 250
MILAN - ROME - BARCELONA - MADRID - KRAKÓW - SHANGHAI - BUENOS AIRES