BS25999 Part 2: A Specification for BCM
The second part of BS 25999 is the 'specification'. This details the requirements for a BCM System and will be auditable, enabling organizations to demonstrate compliance to the standard. It is this part against which third party certification will be available.
A BRIEF NOTE ON CERTIFICATION
The generic process for gaining certification is as follows:
1. A Client seeking certification to BS 25999 Standard will apply to a Certification Body (CB);
2. The application will be reviewed to ensure that it is within the scope of the CBís accreditation. The CB will assemble an audit team to match the Clientís industry specific and technological environment;
3. If the proposed certification is within the CBís scope of accreditation and an Audit Team matching the Clientís requirements can be fielded, the CB will submit a quotation to the Client;
4. If the quotation is accepted, the CB will carry out the Stage 1 audit (also called the initial assessment or desktop review) of the documented BCP(s) and IMP to determine whether they meets the requirements of the standard. If the documentation fails to meet the required standard, the Client will be required to address the outstanding matters before the next stage, a Stage 2 (also called the Conformance Audit or Certification Audit), can start;
5. When the outstanding matters have been addressed successfully, a date for the Stage 2 Audit will be arranged with the Client.
6. The Stage 2 Audit will examine evidence that the implemented BCP(s) and IMP conforms to the Clientís documented BCP(s) and IMP. The Client will be advised of the findings and outcome of the audit.
7. If the results of the Stage 2 Audit indicate that the requirements of BS 25999 Standard have not been met, the Client will be required to agree to a Corrective Action Plan (CAP) to address the weaknesses. When the Client has addressed the weaknesses a further Conformance Audit will be carried out;
8. If the outcome of the further Stage 2 Audit is successful, a recommendation will be made for certification. The audit report will be forwarded to the BS 25999 Certification Manager for final review and subsequent issue of the certificate.
When the certificate has been granted, periodic monitoring of the BCP(s) and IMP, known as Surveillance Audits, begins. This process is designed to ensure that the Client Organisationís BCP(s) and IMP continue to conform to the requirements of BS 25999.