Business Continuity Questions
  • 1. What is BS 11200?

    BS 11200 is the new British Standards Institution Guidance and Good Practice on Crisis Management. Published in 2014, it supersedes PAS 200:2011. BS 11200 is aimed primarily at top managers and the development of the strategic crisis management capability within an organisation.

  • 2. What are the non-technical skills of crisis management?

    A crisis management team draws together experts and those with specialist knowledge from various functions of an organisation, such as HR, legal, finance and corporate affairs. These are already experts in their 'technical domain'. However, responding effectively to a crisis relies on a range of general problem-solving and 'non-technical' skills in addition to technical skills. Non-technical skills include both cognitive skills, such as situational awareness and decision-making, and social or interpersonal skills, such as leadership, team-working and communication. They are particularly important because the characteristics of crises (uncertain, complex, dynamic, pressured in terms of time and accountability) present a unique management environment that cannot be 'solved' by technical capability alone. Competence in the non-technical skills of crisis management is largely built through experience of operating in a simulated crisis environment.

  • 3. What are PD 25111, PD 25666 and PD 25888?

    These Published Documents (PDs) were created by BSI to provide additional guidance and insight to parts of BS 25999, the British Standard in Business Continuity Management. They are not British Standards and it is not possible to seek certification to a PD.

    PD 25111 provides guidance on the human aspects of business continuity in terms of the pre-planning and development of human resources requirements and policies for the stages following an incident.

    PD 25666 provides guidance on exercising and testing for continuity and contingency programmes.

    PD 25888 provides guidance on how best to develop and implement an organization's recovery in response to a disruptive incident.

  • 4. What is awareness training?

    Awareness training is designed to create a basic understanding of business continuity and crisis management such that staff recognise issues and know how to react and who to contact.  It is generally targeted at all staff in an organisation.

  • 5. What is the difference between an exercise and a test?

    An exercise is an opportunity to practise putting your Business Continuity Plan or Crisis Management Procedures into action and is regarded as a learning opportunity. A test is also a learning opportunity, but success criteria are set and results are measured against these, resulting in a pass/fail outcome. Tests are usually associated with ICT recovery, where a component or system can definably pass or fail.

  • 6. How often should I exercise my plan and my people?

    An organisation should have a programme approved by top management to ensure exercises are carried out at planned intervals and when significant changes occur, such as the introduction of a new service line.

  • 7. What are the options for running an exercise?

    The simplest exercise is a Plan Walk Through, which allows a plan to be reviewed and staff to be familiarised with procedures, and is usually conducted with no external pressures. Workshops use a more detailed scenario to define plans and outputs and focus on the response, but again with no external pressures. Simulation exercises allow one or more teams to respond to a scenario as it unfolds, providing a more vigorous means of validating plans and procedures under the increased pressure of time and realistic decision-making cycles. Exercises can also focus on very specific areas of an organisation's response capability, such as the crisis communications teams or crisis operations room staff, allowing them to rehearse their plans and responses in isolation, usually ahead of a much larger event. Exercises can range in scale from multi-agency, multi-national involvement or dealing with a national crisis response involving hundreds of players at all levels, through to specific exercises for strategic management teams of two or three key people. Steelhenge offers the full range of exercise options.

  • 8. What should I hope to achieve from an exercise?

    When setting the scope of an exercise, the objectives should be realistic and achievable. The complexity of the exercise and the ultimate objectives will depend on levels of preparedness and experience within the Crisis Management or Business Continuity teams. While exercises are used to validate plans and responses, the level of pressure and stress imposed can be graduated from simple walk-throughs of the plan to full-scale simulation exercises. While exercises will highlight areas for improvement and further rehearsal, they should be seen as positive experiences and not negative "pass or fail tests" where every disaster imaginable occurs in a morning. Well-conducted exercises will support the development of plans and procedures, support the embedding of business continuity within an organisation's culture and, most importantly, ensure a level of preparedness should the worst case occur.

  • 9. Why do I need to run an exercise for my organisation?

    An exercise is an opportunity to practise or rehearse putting your Business Continuity Plan or Crisis Management Procedures into action.  The exercise offers the opportunity to simulate the pressure and stress of a crisis event in order to rehearse your staff and validate your plans and responses in a controlled environment.  The exercise can take many forms from a simple walk through of the plan to a full live "dress rehearsal" of your response to a simulated event.

  • 10. Are business continuity and crisis management relevant to SMEs?

    SMEs are frequently more vulnerable to an unanticipated incident than larger organisations. Resources, skills and knowledge tend to be concentrated, leading to potentially business-threatening 'single points of failure'. SMEs may also be less able to sustain periods of business interruption. Demonstration of business continuity planning is increasingly a requirement of supply chain resilience and it is a common prerequisite in the procurement process.

  • 11. How frequently should I review my crisis and continuity plans?

    BS 25999 does not specify an interval for plan reviews, although it does recommend a deskcheck or walkthrough of each plan at least annually. An annual review should be a minimum schedule and should be complemented by proactive reviews driven by organisational changes.

  • 12. Why should I have Business Continuity and Crisis Management plans?

    Business Continuity and Crisis Management should not be separate from normal business processes, but should be in support of them, providing planning and preparation to ensure key value-generating activities will continue in the event of a disruption. It has been found repeatedly that those organisations that are prepared for a major crisis not only recover substantially faster, but with significantly less damage than organisations that are not prepared. Whilst plans will not protect you from crisis events occurring, the planning process and the consideration of how your organisation will deal with the potential impacts make the recovery considerably smoother and faster.

  • 13. Who should own the BC planning process?

    Individuals tasked with implementing and maintaining the business continuity programme may reside in many areas of an organisation depending on its size, scale and complexity. It is essential, however, that a person with appropriate authority (e.g. owner, board director or elected representative) has overall responsibility for BCM and is directly accountable for ensuring the continued success of this capability.

  • 14. What is the relationship between Business Continuity Management and Enterprise-wide Risk Management?

    Business Continuity Management is complementary to a risk management framework that sets out to understand the risks to operations or business, and the consequences of those risks. Risk management seeks to manage risk around the key products and services that an organisation delivers. Product and service delivery can be disrupted by a wide variety of incidents, many of which are difficult to predict or analyse by cause. By focusing on the impact of disruption, BCM identifies those products and services on which the organisation depends for its survival, and can identify what is required for the organisation to continue to meet its obligations, whatever the cause of the disruption.

  • 15. What are ISO 22301 and ISO 22313?

    ISO 22301 is the International Standard on Societal Security - Business Continuity Management Systems, published in May 2012.  It is the specification document against which organisations will seek certification. 

    ISO 22313, published in December 2012, is the guidance document that supports the specification document, i.e. ISO 22301.

  • 16. What is ISO/IEC 27031?

    Published in March 2011 and superseding BS 25777, the International Standard describes the concepts and principles of ICT readiness for business continuity and provides a framework of methods and processes to identify and specify all aspects for improving an organisation's ICT readiness to ensure business continuity.

  • 17. What is BS 25777?

    To be truly resilient, an organisation must consider the continuity of its information and communications technology services. BS 25777 is the British Standard for ICT Continuity Management published in 2008 as a code of practice (BS 25777-1:2008). It gave clear recommendations for ICT Continuity Management within the framework of business continuity management provided by BS 25999. It has since been superseded by ISO/IEC 27031:2011 and withdrawn.

  • 18. What is ISO 27001?

    ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organisation's overall business risks. It is designed to be suitable for all types of organisation. Steelhenge is a member of the BSI's Associate Consultant Programme for ISO 27001.

  • 19. What is BS 25999?

    BS 25999 is the British Standard for Business Continuity Management, first published in 2006 as a code of practice (BS 25999-1:2006) and followed in 2007 by the specification (BS 25999-2:2007). With the publication of ISO 22301 and ISO 22313, both BS 25999-1 and BS 25999-2 have been withdrawn.
