Business Continuity Standards and Regulations

The regulations, standards, and guidelines listed below have been developed to help companies achieve standard levels of compliance with industry-recommended practices. In a few industries, such as financial industries, government, the energy sector, and healthcare, there are mandatory requirements that are audited regularly for compliance; in industries where business continuity is not mandated, adherence to one or more of these standards demonstrates initiative in preparedness, instilling confidence in business partners, clients, and authorities.

Contact Lootok for assistance in determining which standards are most applicable to your company and achieving compliance and/or certification.

International

- BS 25999-1/2 (2007) – The BS 25999-1/2 was developed by the British Standards Institution (BSI) and provides a basis for understanding, developing and implementing business continuity that can serve as the foundation of a BCM program within an organization.
- ISO 22301 (approval pending) – Currently awaiting final approval by ISO members, this standard is expected to replace the leading business continuity standard BS 25999-2 by the end of 2011.
- BS ISO/IEC 27031 (2011) – provides security techniques and guidelines for information and communication technology readiness for business continuity.
- PD 25666 (2010) – guidance to all organizations on performing, exercising, and testing activities for continuity and contingency programs.
- PD 25111 (2010) – provides guidance on human aspects of business continuity.
- BCI: Good Practice Guidelines (2010) – The Business Continuity Institute (BCI) guidelines are aimed at providing individual BCM practitioners with an approach to building or improving an organization's business continuity program.
- DRII: Professional Practices for Business Continuity Practitioners (2008) [PDF] – through its professional practice guidelines, the Disaster Recovery Institute International (DRII) offers a widely accepted framework for building resilience within an organization.
- ISO (PAS) 22399 (2007) – The ISO/PAS 22399 is a guideline that provides the principles to allow an organization to develop its own performance criteria for incident preparedness and operational continuity.
- ASIS SPC.1-2009, Organizational Resilience Standard [PDF] – A comprehensive management systems approach for organizational resilience, developed by the American National Standards Institute and ASIS, a leading organization for security professionals.
- OASIS Business-Centric Methodology (BCM) TC – OASIS is a not-for-profit consortium that drives the development, convergence and adoption of open standards for the global information society. Its standards provide business managers with a set of clearly defined methods with which to acquire agile and interoperable e-business information systems within communities of interests.
- Vital Records: Identifying, Managing, and Recovering Business-Critical Records (2003) – developed by ARMA International, this American National Standard sets the requirements for identifying and protecting vital records, assessing and analyzing their vulnerability and determining the impact of their loss on the organization.

Australia/New Zealand

- AS/NZ HB 221-2004 – provides a framework for developing a business continuity program within an organization.
- AS/NZ HB 292-2006 – an easy-to-understand guide for business continuity practitioners.
- AS/NZ HB 293-2006 – business continuity management guidelines specifically designed for executives.
- AS/NZS 5050-2010 – provides specifications for managing disruption-related risk.
- Prudential Standard APS 231 [PDF] – sets out APRA's requirements in relation to outsourcing, including BCM requirements.
- The Australasian Inter-service Incident Management System [PDF] – published by the Australian Fire Authority Council, the System is now used by many infrastructure providers.
- The Australian Emergency Manual Series – meant to assist in the management and delivery of support services in a disaster context.

Canada

- CSA Z1600: Standard on Emergency Management and Business Continuity Programs (2008) – provides a business continuity management framework geared toward Canadian companies, based on the NFPA 1600.
- CAN/CSA-Z731-03 – Canada's emergency preparedness and response standards.

China

- Business Continuity Planning Against Serious Communicable Diseases – published by the Securities and Futures Commission of Hong Kong, this circular reminds licensed businesses to take precautions against a recurrence of SARS or other serious communicable diseases.

Singapore

- Singapore TR19: Technical Reference for Business Continuity Management (2006) [PDF] – the TR 19 business continuity standard outlines risk prevention, planning and response within an organization.

South Africa

- King Report on Corporate Governance – a corporate governance standard published by the South African Institute of Chartered Accountants.

United Kingdom

- Business Continuity Management Practice Guide (2006) – aims to help regulated firms in their business continuity planning by identifying and sharing examples of business continuity practice.

United States

- OSHA 3327: Guidance on Preparing Workplaces for an Influenza Pandemic (2009) [PDF] – this OSHA guideline provides best practices and control measures to help identify pandemic risk levels within an organization.
- NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs (2007) [PDF] – the U.S. National Preparedness Standard, which provides a team-based, "all hazards approach" to emergency preparedness and response. It is, and can be, used in other countries as well.
- PS Prep Certification Program – a voluntary private sector preparedness accreditation and certification program developed and implemented by the Department of Homeland Security.
- ASIS/BSI Business Continuity Management Systems - Requirements with Guidance for Use (2010) – specifies requirements for a business continuity management system (BCMS) to enable an organization to identify, develop, and implement policies, objectives, capabilities, processes, and programs, taking into account legal and other requirements to which the organization subscribes, to address disruptive events that might impact the organization and its stakeholders.
- FEMA Disaster Planning Guide for Business and Industry [PDF] – provides step-by-step advice on how to create and maintain a comprehensive emergency management program.
- NFPA 111: Standard on Stored Electrical Energy Emergency and Standby Power Systems – guidelines on the assembly, installation, and performance of electrical power systems to supply critical and essential needs during outages of the normal power source.
- Standard for the Protection of Records – includes protocols for fire safety, fire protection, and emergency planning.
- Post 9-11 Crisis Communications, Best Practices for Crisis Planning Prevention and Continuous Improvement – designed to enable members of the Business Roundtable to tailor, for their own unique purposes, a workable post-9/11 crisis communications plan that includes crisis preparation, prevention, and continuous improvement.
- Vital Records Programs: Identifying, Managing, and Recovering Business-Critical Records – published by the American National Standards Institute, this standard sets the requirement for establishment of a Vital Records Program.
- The DRJ Editorial Advisory Board (EAB) Generally Accepted Business Continuity Practices (Draft) – contains a conceptual basis for Program development rather than an auditable checklist.