Making Sense of Business Continuity Frameworks, Standards & Guidelines

There are 50 or more standards, codes of practice and practice guidelines for business continuity, risk management and IT disaster recovery around the world. Some are internationally applicable and some are country-specific.

Below is some information about the various frameworks and standards that may relate to Australian organisations. This is not a complete list of all standards, but rather a sampling of those most commonly referred to in Australia.

APRA (Australian Prudential Regulation Authority)
The overall objective of the APRA standard on Business Continuity Management (Prudential Standard APS 232) is to ensure that all authorised deposit-taking institutions, general insurers and life insurance companies implement a whole-of-business approach to business continuity.

Australian National Audit Office – Business Continuity Management
In June 2009 ANAO released an updated version of its guide, titled Business Continuity Management. This guide is focused on building resilience in public sector entities. It is freely available to download from the ANAO website.

Australian Standards Handbooks
AS HB 292, A practitioner's guide to business continuity management, provides an overview of the best practice Business Continuity Management (BCM) used in Australia, the USA and the UK. It can help in implementing and analysing your continuity plans. It also covers what BCM is, establishing and managing a BCM program, assessing risks and developing scenarios, developing BCM strategies, assessing and collating resources, writing the plan, and activation and deployment. It also includes useful checklists, templates and tables. This is a non-auditable standard.

AS HB 293, Executive guide to business continuity management, provides senior management with an overview of the key concepts and processes needed to implement and maintain an integrated, robust BCM program. It provides navigation to the comprehensive information in HB 292. This is a non-auditable standard.

British Standards: BS 25999, Code of Practice for Business Continuity Management
BS 25999 is a voluntary standard suitable for any organisation, large or small, from any sector. This is an auditable standard.

Part 1, the Code of Practice, provides BCM best practice recommendations.
Part 2, the Specification, provides the requirements for a Business Continuity Management System (BCMS) based on BCM best practice.

ISO/IEC 27001 Information Security
ISO/IEC 27001 is the only auditable international standard which defines the requirements for an Information Security Management System (ISMS). The requirement for business continuity planning is an aspect of this system. State Government departments in Australia are required to have certification to this standard.

Business Continuity Institute Good Practice Guidelines: BCI GPG (2007)
A guide to implementing global good practice in BCM, compiled by the peak industry body. This is a best practice guide intended for organisations of all sizes. It is developed and updated in the context of the internationally auditable standards as they develop, i.e. BS 25999.

The list can go on. There is Sarbanes-Oxley (SOX), COBIT, ITIL and many more. They all vary, but typically share some fundamental aspects. Whatever your standard, we can help you to develop and maintain business continuity that will comply.

If you’re starting from scratch and don’t know if or which standard or guideline to follow, talk to us. OpsCentre can help to simplify it.