1.2 BCP Standards and Guidelines
Additionally, the following international standards are available:
ISO/International Electrotechnical Commission (IEC) 17799:2000,
Information Technology—Code of Practice for Information Security
Management. An international version of British Standard 7799-1:1999,
it was published in December 2000. It contains 10 major sections, one
of which is Business Continuity Management (Section 11). Parts of
Physical and Environmental Security (Section 7), Asset Classification
and Control (Section 5), and Security Policy (Section 3) also apply to
continuity planning.
ISO/IEC Technical Report (TR) 13335—Guidelines for the Management
of IT Security (GMITS). Part 2, Managing and Planning IT Security,
contains requirements for procedural security, including business
continuity.
ISO 9002—This quality assurance model applies to organizations that
produce, install, and service products. It implies industry standards
for IT security and, more broadly, for general product security. That
scope includes continuity planning for IT systems (both as products
themselves and as environmental support) and for all other aspects of
business operations (physical, environmental, personnel) that, if
disrupted, would affect product security.
1.2.1 Industry-Specific Standards and Regulations
Regulatory compliance can play a major role in motivating companies to
implement thorough business continuity plans. U.S. federal government
agencies with essential missions at federal, state, and local levels have
always had continuity plans. The Continuity of Operations Planning
(COOP) directives produced by the Office of Management and Budget
(OMB) and the President of the United States outline the objectives of
business continuity planning for all federal departments and agencies.
Examples are as follows:
OMB Circular A-130, Appendix III, “Security of Federal Automated
Information Resources” (published in 1993), requires that appropriate
business continuity plans be in place for all federal general-purpose
systems and major applications, including the mission-critical
applications identified under the Y2K program.