ISO 22301

1. Overview

This International Standard specifies the requirements for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented Business Continuity Management System (BCMS).

A BCMS highlights the importance of:

  • Understanding the organization’s needs and the necessity of establishing a business continuity policy and objectives.
  • Implementing and operating controls and measures to manage the organization’s overall capability in handling disruptive incidents.
  • Monitoring and reviewing the performance and effectiveness of the BCMS.
  • Ensuring continual improvement based on objective measurement.

Like any other management system, a BCMS includes the following key components:

  • A policy
  • Personnel with defined responsibilities
  • Management processes related to:
    1. Policy
    2. Planning
    3. Implementation and operation
    4. Performance assessment
    5. Management review
    6. Improvement
  • Documentation that provides auditable evidence
  • Relevant business continuity management processes for the organization.

This International Standard applies the “Plan-Do-Check-Act” (PDCA) model to planning, establishing, implementing, operating, monitoring, reviewing, maintaining, and continually improving the effectiveness of the organization’s BCMS.

This ensures consistency with other management system standards, such as ISO 9001 for quality management, ISO 14001 for environmental management systems, ISO/IEC 27001 for information security management systems, ISO/IEC 20000-1 for information technology service management, and ISO 28000 for security management systems in the supply chain. It supports the integrated implementation and operation of related management systems.

Figure 1 illustrates how a BCMS takes inputs from interested parties and continuity management requirements, and through necessary actions and processes, generates continuity outcomes (i.e., managed business continuity) that meet those requirements.


Table 1 – Explanation of the PDCA Model

Plan (Establish): Establish business continuity policy, objectives, targets, controls, processes, and procedures to improve business continuity, in line with the organization’s overall policies and objectives.

Do (Implement and operate): Implement and operate the business continuity policy, controls, processes, and procedures.

Check (Monitor and review): Monitor and review performance against the business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement.

Act (Maintain and improve): Maintain and improve the BCMS by taking corrective action based on the results of management review, and by reappraising the scope of the BCMS, the business continuity policy, and the objectives.