NFPA 1600 vs. BS 25999: Which is right for your business continuity program?

The amount of business continuity standards has been growing rapidly in recent years. This tip discusses the NFPA 1600 and BS 25999 standards to help you determine which is best for your business.

The amount of business continuity (BC) standards has been growing rapidly in recent years. There are dozens of documents calling themselves standards around the globe, including ANZ (Australia/New Zealand) HB221/292/293, Z1600 (Canada), TM-G-2 (Hong Kong), and SS 540 (Singapore). There are also many guidance and best practice documents that address business continuity in various ways.

So why should you be concerned about business continuity standards? Use of a common language, access to a common set of rules and processes, performance measurements and ease of auditing are pertinent.

NFPA 1600 vs. BS 25999

Currently, the American National Standard for business continuity is NFPA 1600: 2007, which addresses emergency management, incident response and business continuity. The standard has been in place for several years and was initially launched as an emergency management standard. Business continuity was added in the early part of this century.

BS 25999 is the British National Standard for business continuity. The first part of the standard, Part 1, the Code of Practice and the second part, Part 2, Specification, comprise a document that focuses largely on business continuity. The document has been positioned for audit purposes, and organizations can submit their plans to a formal audit and certification process by the British Standards Institution (BSI), the author of BS 25999.

In comparing the two documents, we see that both support the business continuity competencies as espoused by the Business Continuity Institute (BCI) and DRI International (DRII). The level of detail exhibited by both standards is sufficient for launching a business continuity program. Both documents tell us what we should be doing in business continuity and are comparable in that they do not provide education on how to create business continuity programs.

NFPA 1600 has not been actively embraced by many U.S. organizations to date. This is largely because the standard is not well known and the NFPA does not actively promote it. By contrast, BS 25999 is the British National standard and due to the BSI's efforts, the standard's recognition and acceptance in the U.S. is growing.

Business continuity and disaster recovery

Business continuity typically addresses the actions an organization takes to keep itself in business following a potential disaster. Often, business continuity is preceded by incident response, emergency response and disaster recovery activities. If a BC plan needs to be invoked, it is assumed the situation is serious enough that the company is not likely to restart operations for significant amount of time, e.g., one day, one week.

NFPA 1600 and its roots in emergency management would appear to be a more realistic standard, in that it addresses more of the above disaster continuum than BS 25999. However, neither standard explains when various activities should be activated, or what should be done. That is up to individual organizations.

BS 25999 was designed to be an "auditable" standard, in that its structure is designed so that each step can audited. Individual BC plans and associated program activities can be audited against the standard. The BSI even has its own audit process in which organizations can submit their programs (for a fee) to be audited and certified for compliance with BS 25999. The NFPA has no such audit process in place, but the structure of the document makes it easy to transform NFPA1600 into an audit document.

Multinational business continuity standards

As we said earlier, NFPA1600 is considered an American standard; therefore it would not be used outside this country. By contrast, while BS 25999 is the designated British standard, it has gained recognition on the world scene, largely through the efforts of the BSI. Does it make sense, therefore, to consider BS 25999 an international standard that is more relevant to multinational companies? And by contrast, would NFPA 1600 be used by U.S.-only companies?

If you have an established program/plan and are looking to have it officially validated against BS 25999, the BSI's audit and certification program makes sense. With regard to certification against NFPA 1600, various consulting firms in this country can audit your program against NFPA 1600 and certify you as compliant. Either way, both options can be expensive, to the tune of thousands of dollars.

A closer look at the NFPA 1600 and BS 25999

The differences between NFPA 1600 and BS 25999 are limited more to structure and language. Content necessary for a BC program can be found in both. Let's briefly examine two issues and compare text from each standard.

Program administration

NFPA 1600

4.1 - The entity shall have a documented program that includes the following:

  • Executive policy
  • Program goals, objectives
  • Program plan, procedures
  • Applicable authorities
  • Program budget
  • Records management

BS 25999

5.1 - The firm shall establish a Business Continuity Management System (BCMS) to set up, organize and provide ongoing management for a business continuity capability

Program manager/coordinator

NFPA 1600

The program coordinator shall be appointed by the organization and authorized to administer and keep the program current

BS 25999

The organization's management should:

  • Appoint or nominate a competent person to be accountable for BCM policy and implementation;
  • Appoint or nominate an individual to implement the BCM program (this person may be known as the BC manager).

Despite the differences in language and formatting, you can see that the two standards (at least in these two examples) address the issues largely the same.

Outside the U.S. and U.K., over two dozen standards and related documents have been developed, most within the past three years. One question on many practitioners' minds is when a global standard for BC is likely to appear. Currently, the International Organization for Standardization (ISO) is working on such a standard. Depending on who you talk to, it could emerge within the next 18 months or not appear until five years from now.

So, in terms of which standard is better, the answer is "neither." Each can be used to help establish a business continuity program. The key is not which standard to use, but rather to have a plan that will keep you in business in the event that an incident seriously restricts your ability to function normally.

About this author: Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.

Do you have comments on this tip? Let us know. Please let others know how useful this tip was via the rating scale below.

Do you know a helpful storage tip, timesaver or workaround? Email the editors to talk about writing for SearchDisasterRecovery.com.


Dig Deeper on Disaster recovery planning - management