Cabinet Office Homepage

Security Policy No.7

This is the seventh Security Policy within the HMG Security Policy Framework (SPF); outlining the mandatory security requirements and management arrangements to which all Departments and their Agencies (defined as including all bodies directly responsible to them) must adhere. This policy deals with:

Business Continuity

What is Business Continuity Management?

The British Standard on Business Continuity Management (BCM), BS 25999, defines BCM as a: ‘holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities’.

Business Continuity Management (BCM) is the process through which Departments aim to continue their critical business activities following a disruption and effective recovery afterwards (return to ‘normal’). It is an essential aspect of securing their business.

What should a BCM system look like?

An effective BCM programme will have the following features:

• A BCM strategy endorsed and supported by Board level management.
• A BCM programme appropriate to the size and complexity of the department.
• Planning to proportionately manage the impact of events and recover from them.
• BCM arrangements that are exercised, reviewed and renewed as appropriate for the organisation and supported by adequately trained staff.
• Communications that ensure that all staff are aware of the BCM arrangements and of their responsibilities within them.

What are the outcomes of a BCM programme?

The outcomes of an effective BCM programme are that:

• Key assets, products and services are identified and protected, ensuring their continuity.
• An incident management capability is developed to provide an effective response.
• The organisation's understanding of itself and its relationships with other departments and organisations to include Local Authorities and the Emergency Services is properly developed, documented and understood.
• Staff are trained to respond effectively to an incident or disruption.
• Stakeholder requirements are understood and able to be met.
• Staff and stakeholders receive adequate support and communications in the event of a disruption.
• The organisation's supply chain is secured.
• The organisation's reputation is protected.

Strong Business Continuity Management in Government Departments provides leadership to other public and private sector organisations; sending a message of reassurance to citizens and business, and demonstrating to international partners that the United Kingdom is a secure place to trade.

The British Standard for Business Continuity Management: BS 25999

BS 25999 provides a basis for understanding, developing and implementing Business Continuity within an organisation. The standard comprises two parts:

• Part 1, the Code of Practice, provides BCM good practice recommendations.
• Part 2, the Specification, provides the requirements for a Business Continuity Management System (BCMS) based on BCM good practice and can be used to demonstrate compliance via an auditing and certification process.

It is recommended that Departments and Agencies work towards aligning their Business Continuity arrangements with BS 25999.