BS 25999-2:2007

BS 25999 is BSI's standard in the field of Business Continuity Management (BCM). This standard replaces PAS 56, a Publicly Available Specification, published in 2003 on the same subject.

Produced by the British Standards Institution (BSI), BS 25999 is a Business Continuity Management (BCM) standard in two parts.

The first, "BS 25999-1:2006 Business Continuity Management. Code of Practice", takes the form of general guidance and seeks to establish processes, principles and terminology for Business Continuity Management.

The second, "BS 25999-2:2007 Specification for Business Continuity Management", specifies requirements for implementing, operating and improving a documented Business Continuity Management System (BCMS), describing only requirements that can be objectively and independently audited.

A useful means of understanding the difference between the two is Part 1 is a guidance document and uses the term 'should', Part 2 is an independently verifiable specification that uses the word 'shall'.

Certification (independent verification) to this standard is available from certification bodies accredited by the United Kingdom Accreditation Service (UKAS) and is a multi stage process usually involving a number of assessment visits. The assessor will then make a recommendation that the organization receive certification or not. After initial certification a number of surveillance visits are made as per plan to ensure that the organization is still in compliance.