What's Out There Now

By Andrew Garcia  |  Posted 2008-11-07

Last year, Title IX of Public Law 110-53 tasked the Department of Homeland Security to take the lead in developing, implementing and administering a voluntary certification program for BCM in the private sector, moving to help define a de facto standard in the process. The DHS has not yet recommended a standard to fit this voluntary certification program, and the guidance the agency provides to help a company plan for disaster on the DHS Ready.gov Web site does not match the scope necessary for a full-fledged BCM initiation, let alone a certification program.

At this time, the only auditable BCM standard available that can help C-level executives fully identify and make more resilient the processes in need of protection is the British Standards Institution's BS 25999.

Celebrating its first birthday in November, BS 25999 is actually composed of two distinct documents (available for purchase).

Part one is a code of practice that lays out the terminology, scope and objectives of a BCM scheme, while part two comprises the actual specification that enumerates the steps that need to be taken to meet business goals. Part two is therefore intended to be auditable and certifiable, providing the basis of comparison needed to extend the relationship externally.

Third-party providers, such as BSI Management Systems, currently perform the certification testing, while others, such as Avalution, provide consulting services to help kick-start a BCM pilot or guide a growing iteration's development.

These and other providers can come in to provide impartial and objective guidance and strategies, helping to deliver their clients to the certification stage. Ultimately, however, the DHS has charged the American National Standards Institute's American Society for Quality National Accreditation Board, or ANAB, with administering the certification program, so the certification processes provided by providers such as BSI Management Systems may need to evolve as time goes on.

However, BSI Management Systems officials are quick to point out that companies do not have to certify their BS 25999 implementation to reap tangible benefits.

"You can bring [BCM] into the organization as a best practice to start the process of interrogating where the key processes and people are, and to establish what to do to maintain sustainability in the organization," said VanderVen.
He added that planning with an eye toward BS 25999 also helps business leaders understand their companies better.

"BS 25999 causes an organization to begin a journey into what their processes really are, but may not necessarily be evident," VanderVen said. "We've had customers come to us who thought they had 80 different activities that they thought they needed to track, but it turns out there were 18 core processes that really made a difference in their business. Then they were able to distill down to make sure those 18 key processes were maintainable and protected."

While BS 25999 is a globally recognized standard (and one that the DHS recognizes), projects nonetheless are under way to establish a U.S. standard for BCM. Officials with information security company ASIS International, for example, recently notified ANSI that it would begin work on a new BCM standard.

According to VanderVen, the British Standards Institution is working with ASIS on the development of this standard, with development slated to begin this month. VanderVen anticipates that ASIS will largely utilize BS 25999 at its base, with the intention of the new proposal becoming an ISO (International Organization for Standardization) standard two or three years down the road.

eWEEK Labs Senior Technical Analyst Andrew Garcia can be reached at agarcia@eweek.com.

Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.
