1、Business Continuity Management Systems: Requirements with Guidance for UseASIS INTERNATIONAL STANDARDAMERICAN NATIONAL1625 Prince StreetAlexandria, Virginia 22314-2818 USA+1.703.519.6200Fax: +1.703.519.6299www.asisonline.orgASIS/BSI BCM.01-201012110 Sunset Hills Road, Suite 200Reston, Virginia 20190
2、-5902 USA1.800.862.4977Fax: +26559ASFIS_Covers-R5.indd 1-2 12/1/2010 1:12:46 PM12/1/2010 1:12:46 PMASIS International (ASIS) is the preeminent organization for security professionals, with more than 37,000 members worldwide. Founded in 1955, ASIS is dedicated to increasing the effectiveness and prod
3、uctivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the
4、media, governmental entities, and the general public. By providing members and the security community with access to a full range of programs and services, and by publishing the industrys number one magazine, Security Management, ASIS leads the way for advanced and improved security performance. For
5、 more information, visit www.asisonline.org.BSI Group is a global independent business services organization that develops standards-based solutions to improve management practices and promote innovation. BSI can help businesses, governments and other organizations around the world to raise quality
6、and performance in a sustainable and socially responsible way. From its origins as the worlds first National Standards Body, BSI Group draws upon over 100 years experience, working with 66,000 organizations in 147 countries from its 50 offices. To learn more, please visit .26559ASFIS_Covers-R5.indd
7、3-4 12/1/2010 1:12:48 PM12/1/2010 1:12:48 PMASIS/BSI BCM.01-2010 an American National Standard BUSINESS CONTINUITY MANAGEMENT SYSTEMS: REQUIREMENTS WITH GUIDANCE FOR USE A management systems approach for preparedness and business/operational continuity management Approved November 2, 2010 American N
8、ational Standards Institute, Inc. ASIS International and British Standards Institution (BSI) Abstract Based on the BS 25999 Business continuity management (Part 1 and Part 2), this Standard specifies requirements for a business continuity management system (BCMS) to enable an organization to identif
9、y, develop, and implement policies, objectives, capabilities, processes, and programstaking into account legal and other requirements to which the organization subscribesto address disruptive events that might impact the organization and its stakeholders. This Standard specifies requirements for pla
10、nning, establishing, implementing, operating, monitoring, reviewing, exercising, maintaining, and improving a documented BCMS within the context of managing an organizations risks. ASIS/BSI BCM.01-2010 ii NOTICE AND DISCLAIMER The information in this publication was considered technically sound by t
11、he consensus of those who engaged in the development and approval of the document at the time of its creation. Consensus does not necessarily mean that there is unanimous agreement among the participants in the development of this document. ASIS International and BSI standards and guideline publicat
12、ions, of which the document contained herein is one, are developed through a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of persons who have an interest and knowledge in the topic covered by this publication. While ASIS admini
13、sters the process and establishes rules to promote fairness in the development of consensus, it does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments contained in its standards and guideli
14、ne publications. ASIS is a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its members or anyone else. ASIS and BSI do not accept or undertake a duty to any third party because it does not have the authority to enforce compliance with its standards o
15、r guidelines. It assumes no duty of care to the general public, because its works are not obligatory and because it does not monitor the use of them. ASIS and BSI disclaim liability for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect, consequential
16、, or compensatory, directly or indirectly resulting from the publication, use of, application, or reliance on this document. ASIS and BSI disclaim and make no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any information published herein, and disclaims and makes n
17、o warranty that the information in this document will fulfill any persons or entitys particular purposes or needs. ASIS and BSI do not undertake to guarantee the performance of any individual manufacturer or sellers products or services by virtue of this standard or guide. In publishing and making t
18、his document available, ASIS and BSI are not undertaking to render professional or other services for or on behalf of any person or entity, nor are ASIS and BSI undertaking to perform any duty owed by any person or entity to someone else. Anyone using this document should rely on his or her own inde
19、pendent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstances. Information and other standards on the topic covered by this publication may be available from other sources, which the user may wish to consult
20、 for additional views or information not covered by this publication. ASIS and BSI have no power, nor does it undertake to police or enforce compliance with the contents of this document. ASIS and British Standards have no control over which of its standards, if any, may be adopted by governmental r
21、egulatory agencies, or over any activity or conduct that purports to conform to its standards. ASIS and British Standards do not list, certify, test, inspect, or approve any practices, products, materials, designs, or installations for compliance with its standards. It merely publishes standards to
22、be used as guidelines that third parties may or may not choose to adopt, modify or reject. Any certification or other statement of compliance with any information in this document shall not be attributable to ASIS and British Standards and is solely the responsibility of the certifier or maker of th
23、e statement. This publication does not purport to include all the necessary provisions of a contract. Compliance with a British Standard cannot confer immunity from legal obligations. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in
24、 any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written consent of the copyright owner. Copyright 2010 ASIS International and British Standards Institution ISBN: 978-1-934904-07-7 ASIS/BSI BCM.01-2010 iii FOREWORD The information contained
25、in this Foreword is not part of this American National Standard (ANS) and has not been processed in accordance with ANSIs requirements for an ANS. As such, this Foreword may contain material that has not been subjected to public review or a consensus process. In addition, it does not contain require
26、ments necessary for conformance to the Standard. ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory requirements are designated by the word shall and recommendations by the word should. Where both a mandatory requirement and a recommendation are speci
27、fied for the same criterion, the recommendation represents a goal currently identifiable as having distinct compatibility or performance advantages. ASIS International and BSI collaborated in the development of the Business Continuity Management Systems: Requirements for Guidance for Use Standard. T
28、his management systems standard provides generic auditable criteria and informative guidance on business continuity management. About ASIS ASIS International (ASIS) is the preeminent organization for security professionals, with more than 37,000 members worldwide. ASIS is dedicated to increasing the
29、 effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profe
30、ssion to business, the media, government entities, and the public. By providing members and the security community with access to a full range of programs and services, and by publishing the industrys No. 1 magazine Security Management ASIS leads the way for advanced and improved security performanc
31、e. The work of preparing standards and guidelines is carried out through the ASIS International Standards and Guidelines Committees, and governed by the ASIS Commission on Standards and Guidelines. The Mission of the ASIS Standards and Guidelines Commission is to advance the practice of security man
32、agement through the development of standards and guidelines within a voluntary, nonproprietary, and consensus-based process, utilizing to the fullest extent possible the knowledge, experience, and expertise of ASIS membership, security professionals, and the global security industry. About BSI BSI i
33、s the UKs National Standards Body, recognized globally for its independence, integrity, and innovation in the production of standards and information products that promote and share best practices. BSI works with businesses, consumers, and government to represent UK interests and to make sure that B
34、ritish, European, and international standards are useful, relevant, and authoritative. BSI Group is a global independent business services organization that inspires confidence and delivers assurance to customers with standards-based solutions. Originating as the worlds first national standards body
35、, the Group has over 2,300 staff operating in over 120 countries through more than 50 global offices. Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince Street, Alexandria, VA 22314-2818, USA. ASIS/BSI BCM.01-2010 iv Commission Members Ja
36、son L. Brown, Thales Australia Steven K. Bucklin, Glenbrook Security Services, Inc. John C. Cholewa III, CPP, Mentor Associates, LLC Cynthia P. Conlon, CPP, Conlon Consulting Corporation Michael A. Crane, CPP, IPC International Corporation William J. Daly, Control Risks Security Consulting Eugene F.
37、 Ferraro, CPP, PCI, CFE, Business Controls Inc. F. Mark Geraci, CPP, Purdue Pharma L.P., Chair Robert W. Jones, Socrates Ltd, Inc. Michael E. Knoke, CPP, Express Scripts, Inc., Vice Chair John F. Mallon, CPP, Mallon therefore, many of the requirements in this Standard may be addressed concurrently o
38、r revisited at any time. A BCMS has the following base components: a) A policy providing a framework for managements business continuity objectives and expectations; b) A definition of roles, responsibilities, and resources; c) A description of required management process relating to: i. Policy; ii.
39、 Strategic planning; iii. Business continuity planning and procedural implementation and operation; ASIS/BSI BCM.01-2010 xiv iv. Performance assessment; v. Management review; and vi. Continual improvement. d) A set of documentation providing auditable evidence demonstrating process implementation an
40、d repeatability. The adoption and implementation of a range of business continuity management techniques in a systematic manner can contribute to optimal outcomes for all stakeholders and affected parties. However, adoption of this Standard will not by itself guarantee optimal preparedness, continui
41、ty, and response outcomes. In order to achieve its objectives, the BCMS should incorporate the best available practices, techniques, and technologies, where appropriate and where economically viable. The cost-effectiveness of such practices, techniques, and technologies should be taken fully into ac
42、count. This Standard does not establish absolute requirements for preparedness, response, continuity, or recovery performance beyond commitments in the organizations policy to: a) Comply with applicable legal requirements and with other requirements to which the organization subscribes; b) Support r
43、isk minimization and mitigation; and c) Promote continual improvement. The main body of this Standard contains only those generic criteria that may be objectively audited. Guidance on supporting BCM techniques is contained in the annexes of this document. This Standard, like other management standar
44、ds, is not intended to be used to create non-tariff trade barriers or to increase or change an organizations legal obligations. Indeed, conformance with a standard does not in itself confer immunity from legal obligations. Verification of an organizations conformance to this Standard may be performe
45、d through an external or internal auditing process. Verification may be by a first-, second-, or third-party mechanism. Verification does not require third-party certification. This Standard does not include requirements specific to other management systems such as those for quality, occupational he
46、alth and safety, or financial risk managementthough its elements can be aligned or integrated with those of other management systems. It is possible for an organization to adapt its existing management system(s) in order to establish a BCMS that conforms to the criteria of this Standard. It should b
47、e understood, however, that the application of various elements of the management system might differ depending on the intended purpose and the stakeholder involved. The level of detail and complexity of the BCMS, the extent of documentation, and the resources devoted to it will be dependent on a nu
48、mber of factorssuch as the scope of the system; the ASIS/BSI BCM.01-2010 xv size of an organization; and the nature of its activities, products, and services. This may be the case in particular for small and medium-sized enterprises. 0.2 Plan-Do-Check-Act (PDCA) cycle The management systems approach
49、 encourages organizations to analyze organizational and stakeholder requirements and define processes that contribute to success. This Standard applies the “Plan-Do-Check-Act” (PDCA) cycle to establishing, implementing, operating, monitoring, exercising, maintaining, and improving the effectiveness of an organizations BCMS. Use of the PDCA model ensures a degree of consistency with other management systems standards, such as ISO 9001:2008 (Quality Management Systems), ISO 14001:2004 (Environmental Management S