INTERNATIONAL STANDARD ISO 22325
First edition 2016-10-15

Security and resilience — Emergency management — Guidelines for capability assessment

Reference number ISO 22325:2016(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2016, Published in Switzerland. All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office, Ch. de Blandonnet 8, CP 401, CH-1214 Vernier, Geneva, Switzerland. Tel. +41 22 749 01 11, Fax +41 22 749 09 47, copyright@iso.org, www.iso.org

© ISO 2016 – All rights reserved
ISO 22325:2016(E)

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Assessment model
5 Indicators
5.1 General
5.2 Leadership
5.3 Resource management
5.4 Information and communication
5.5 Risk management
5.6 Coordination and cooperation
5.7 Emergency management planning
5.8 Exercise programme
5.9 Incident management system
6 Assessment process
6.1 General
6.2 Planning
6.3 Collecting
6.4 Analysing
6.5 Reporting
Annex A (informative) Assessment template
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see the following URL: www.iso.org/iso/foreword.html

The committee responsible for this document is Technical Committee ISO/TC 292, Security and resilience.

Introduction

This document provides guidelines for an organization in assessing its emergency management capability by using four maturity levels, eight indicators and an assessment process (see Figure 1).

A capability assessment can be used to:
— ensure regulatory compliance, reduce risk and meet the safety expectations of the population;
— improve organizational processes;
— enhance partnership, coordination and cooperation within an organization and with other agencies and sectors;
— share best practices;
— promote continual improvement.

A capability assessment can be performed by the organization itself or by an external organization. Organizations can define their context to allow for an appropriate assessment of their emergency management capability. This context can be expressed through identifying appropriate activities in relation to prevention, mitigation, preparedness, response and recovery. While most organizations deliver all emergency management functions, some organizations can be responsible for only a single function, so not all the indicators will apply.

Figure 1 — Emergency capability assessment

Security and resilience — Emergency management — Guidelines for capability assessment

1 Scope

This document provides guidelines for an organization in assessing its emergency management capability. It includes
— an assessment model with a hierarchy of four levels;
— eight indicators;
— an assessment process, explaining how to plan, collect, analyse and report.

This document is intended to be used by organizations responsible and accountable for emergency management. Each organization's context can involve a mix of prevention, mitigation, preparedness, response and recovery activities.

2 Normative references

There are no normative references in this document.

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 22300 apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at http://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

3.1
context
external and internal factors to be taken into account when undertaking a capability assessment

Note 1 to entry: External context includes the following:
— cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives of the organizations;
— relationships with, and perceptions and values of, external stakeholders.

Note 2 to entry: Internal context includes
— the organization's mandate,
— business sensitivity,
— governance, organizational structure, roles and accountabilities,
— resources and knowledge (e.g. capital, time, people, processes, systems and technologies), and
— organizational culture.

3.2
emergency management capability
overall ability to effectively manage prevention, preparedness, response and recovery before, during and after potentially destabilizing or disruptive events

4 Assessment model

The organization should use the assessment model with four levels to classify its emergency management capability (see Figure 2). This is subject to the role, functions, scope and authority of an organization and the operational context. Level 1 represents the minimum level of emergency management capability, while Level 4 represents the highest level of emergency management capability.

Figure 2 — Levels of emergency management capability

At Level 1, an organization performs its emergency management role at a basic level.

At Level 2, an organization has established detailed plans with the goal of achieving a balance between resource demands and availability. Plans are developed in terms of the knowledge, skills and capabilities to manage incidents and are updated periodically.

At Level 3, an organization has designed an emergency management process to facilitate appropriate measurement and assessment which enables the organization to identify opportunities for improvement. The organization has integrated with other organizations in order to increase effectiveness and efficiency.

At Level 4, an organization has reached an optimal level of emergency management capability. Critical to this level of performance is the ability to demonstrate organizational learning, adaptive capacity and effective coordination and cooperation with other organizations. It commits to research and best practice and is able to appropriately use technology.

5 Indicators

5.1 General

The organization should assess emergency management capability using the indicators which reflect the scope, function and authority of the organization:
a) leadership;
b) resource management;
c) information and communication;
d) risk management;
e) coordination and cooperation;
f) emergency management planning;
g) exercise programme;
h) incident management system.

The indicators in Tables 1 to 8 are described in accordance with the four levels of the assessment model (see Figure 2).

5.2 Leadership

Effective leadership enables the organization to forge effective communication and collaboration among organizations. It is important for the leadership to be aware of the organization's internal and external context. A clear commitment to the assessment process should be demonstrated.

Table 1 — Indicator for leadership

Level 1 criteria: The roles and responsibilities of the organization have been defined. An emergency management policy has been approved which includes emergency management objectives. The leadership is aware of the roles and responsibilities of its own organization and commits appropriate resources.

Level 2 criteria: The emergency management objectives have been harmonized with the objectives of the organization. Leadership approves and supports these objectives.

Level 3 criteria: The leadership has demonstrated a commitment to continual improvement. The leadership is aware of the roles and responsibilities of other organizations and demonstrates coordination and cooperation. The leadership has identified strengths and weaknesses of the organization and shares opportunities for improvement with other organizations.

Level 4 criteria: The leadership ensures alignment between job competences and individuals. Procedures have been implemented to learn from incidents, near misses, exercises and tests. Leadership has been involved in exercises. The leadership has assigned resources to support research and development activities and to improve its capacity to cope with current and future emergencies. Commitment includes identified contingency funding. The organization demonstrates the ability to optimize according to its context.

5.3 Resource management

Resource management is the efficient and effective allocation and deployment of resources when and where they are needed.

Table 2 — Indicator for resource management

Level 1 criteria: The organization has carried out an analysis of resources (e.g. personnel, facilities, tools, technology, equipment and budget). The basic resources are in place to achieve the organization's emergency management objectives.

Level 2 criteria: Resources are updated, documented and tracked, including the identification of resources available for immediate deployment. A policy for resource management regarding emergencies exists. The policy includes routines for:
— timely deployment of resources according to predefined priorities;
— backup system(s);
— maintenance and test of the functionality of the internal material resources.

Level 3 criteria: Resource requirements have been defined based on the results of a risk assessment. Resources are available to support coordination and cooperation and agreements are in place. Appropriate procedures are in place for requesting and receiving external resources. Evidence of flexible resource allocation is demonstrated.

Level 4 criteria: Resource management is based on research and evidence, which may include benchmarking, lessons learned from real incidents, exercises and stress tests. Lessons learned should be:
— documented;
— captured as opportunities for improvement (e.g. of personnel, technical equipment);
— shared with other organizations.
Agreements are periodically reviewed within a multi-organizational setting.

5.4 Information and communication

It is essential for information and communication to be effectively managed in order to support the organization's mission within an emergency management context.

Table 3 — Indicator for information and communication

Level 1 criteria: An information and communication system within the organization has been implemented. The system supports information exchange and communication within the organization.

Level 2 criteria: The information and communication system is maintained regularly. Alternative solutions or backup systems are in place. A plan for internal and external information and communication has been implemented.

Level 3 criteria: The information and communication system supports the information exchange between organizations and the public and ensures continuity of the information and communication system.

Level 4 criteria: Lessons learned from real incidents, exercises, research and stress tests are reflected in the information and communication system. An optimal system has been implemented and integrated with other organizations and considers:
— confidentiality, integrity, availability and reliability of the information;
— speed, timeliness and relevance of communication;
— communication needs of stakeholders;
— information analysis for situation awareness;
— training needs;
— human factors.

5.5 Risk management

Risk management should be integral to all of the organization's emergency management activities. It is a systematic approach to managing uncertainty to the organization's objectives. It should be consistent with ISO 31000.

Table 4 — Indicator for risk management

Level 1 criteria: Risks have been identified but have not been analysed or considered in long-term planning. A basic risk management process has been conducted in an ad hoc manner.

Level 2 criteria: Risk management includes critical dependencies on other organizations and stakeholders.

Level 3 criteria: The risk treatment plan considers other organizations and stakeholders and is shared with them. Risk treatment activities are implemented.

Level 4 criteria: Risk management is integral to all decision making within the organization and is monitored and regularly reviewed. Risk management reflects research and best practice.

5.6 Coordination and cooperation

Effective and efficient emergency management results from organizations demonstrating a high level of coordination and cooperation.

Table 5 — Indicator for coordination and cooperation

Level 1 criteria: The organization demonstrates awareness of its roles and responsibilities and is able to communicate them to other organizations or stakeholders.

Level 2 criteria: The organization has knowledge of other relevant organizations' roles and responsibilities. The organization demonstrates coordinated ability at the operational level.

Level 3 criteria: The organization has signed cooperation agreement(s) with other organization(s) according to ISO 22320. Common, agreed-to objectives are established to ensure and prioritize effective, sustained coordination and cooperation at the tactical and strategic levels among organizations.

Level 4 criteria: Coordination and cooperation has been fully implemented according to ISO 22320. The coordination and cooperation agreement(s) are reviewed and updated. Coordination and cooperation is considered during exercises and during continuous improvement activities. The organization enables integration with cooperation partners by exchanging experts where appropriate. The organization has implemented ISO 22397 where applicable.

5.7 Emergency management planning

The emergency management planning should be driven by the organization's internal and external emergency management context.

Table 6 — Indicator for emergency management planning

Level 1 criteria: Emergency management planning is undertaken.

Level 2 criteria: Emergency management planning is known within the own organization and includes
— the scope;
— objectives which consider human lives and health, societal functionality, economic assets and environment;
— roles and responsibilities.
Emergency management planning is developed with consideration of other organizations.

Level 3 criteria: Planning considers other organizations. After a significant incident or a major change in the organization, planning is updated accordingly. Plans are evaluated and updated reflecting the outcomes of exercises, training, lessons learned and significant changes. An emergency response plan has been integrated with other plans within the organization and also ensures continuity of operations.

Level 4 criteria: The organization carefully considers other organizations' emergency response plans with the intention to promote coordination and cooperation in accordance with ISO 22397 where applicable. Results from research and best practice are incorporated into the emergency response plan.

5.8 Exercise programme

An exercise programme is essential for driving effective and efficient organizational performance. Exercises can be used for:
— validating policies, plans, procedures, training, equipment and inter-organizational agreements;
— clarifying and training personnel in roles and responsibilities;
— improving inter-organizational coordination and communications;
— identifying gaps in resources, improving individual performance;
— identifying opportunities for improvement and a controlled opportunity to practise improvisation.

Table 7 — Indicator for exercise programme

Level 1 criteria: The organization does not have a formal exercise programme. Exercises are conducted to meet minimum mandatory requirements.

Level 2 criteria: A needs-based exercise programme has been established. Exercises are conducted regularly according to the exercise programme. The organization's needs analysis is regularly monitored and reviewed.

Level 3 criteria: The exercise programme is regularly reviewed and updated in line with the needs analysis. Where appropriate, it is developed with other organizations. Exercises are conducted with other organizations according to the programme. An exercise programme has been implemented according to ISO 22398 where applicable.

Level 4 criteria: Exercises are evaluated and lessons learned are documented. These learnings are integrated into strategy and continuous improvement. The exercise programme is continuously improved and is based on research and best practice.

5.9 Incident management system

Organizations should be able to establish an effective incident management system or integrate into an existing one. The system should be based on ISO 22320.

Table 8 — Indicator for incident management system

Level 1 criteria: An incident management system has been implemented and the organization is capable of a basic incident response. Incident management system roles and responsibilities are defined and assigned.

Level 2 criteria: The incident management system is updated regularly.

Level 3 criteria: The incident management system is able to integrate with other organizations. The efficiency of the incident response is measured against objectives.

Level 4 criteria: The incident management system ensures optimal use of scarce resources; the organization:
— tests and reviews its incident management system regularly;
— considers the entire incident response in the learning process;
— prepares an incident response evaluation report after each incident to assist in the improvement of the incident management system.
The organization is capable of a sustained response to deal with an escalating incident. The organization demonstrates a commitment to achieving system-to-system integration.

6 Assessment process

6.1 General

The assessment process involves planning, collecting, analysing and reporting activities.

Figure 3 — Assessment process

An assessment should be conducted:
— at regular intervals or when deemed appropriate by the organization;
— to determine what has changed since the last assessment;
— after a major change in or around the organization has occurred;
— following a significant event or incident.

The assessment may be conducted by:
— self-review;
— on-site review by an external organization;
— benchmarking (peer organization – by sector and size);
— regulatory review;
— a combination of the above methods.

The assessment should be performed by people:
— with relevant education, training, experience and competence;
— who are able to perform the assessment in accordance with this document;
— who have been provided sufficient resources and authority.

When designating the assessment, the following should be considered in relation to the organization's goals and objectives:
— identification of current, emerging or future threats;
— determination of how regularly the assessment should be conducted;
— how confidentiality/sensitivity is maintained/considered.

6.2 Planning

The assessment process should be documented. The planning process addresses the following:
— assessment purpose and scope, including constraints;
— identification of key roles and responsibilities;
— recording of the results.

6.3 Collecting

The assessment should obtain detailed, accurate data. Key inputs to the assessment may include:
— policies;
— budgets;
— management reports;
— risk and asset registers;
— exercise and test reports;
— training records;
— incident reports;
— meeting records;
— audit reports.

6.4 Analysing

The criteria in Clause 5 are used to evaluate each indicator (for template, see Annex A). Analysis should be based on evidence as listed in 6.3.

6.5 Reporting

The report includes:
— the results of the assessment;
— identified opportunities for improvement;
— recommendations.

Annex A (informative)
Assessment template

Table A.1 — Assessment template

Indicators                                   Level            Comments/Reference
Indicator 1: Leadership                      (1) (2) (3) (4)
Indicator 2: Resource management             (1) (2) (3) (4)
Indicator 3: Information and communication   (1) (2) (3) (4)
Indicator 4: Risk management                 (1) (2) (3) (4)
Indicator 5: Coordination and cooperation    (1) (2) (3) (4)
Indicator 6: Emergency management planning   (1) (2) (3) (4)
Indicator 7: Exercise programme              (1) (2) (3) (4)
Indicator 8: Incident management system      (1) (2) (3) (4)

Bibliography

[1] ISO 22300, Societal security — Terminology
[2] ISO 22320, Societal security — Emergency management — Requirements for incident response
[3] ISO 22397, Societal security — Guidelines for establishing partnering arrangements
[4] ISO 22398, Societal security — Guidelines for exercises
[5] ISO 31000, Risk management — Principles and guidelines

ICS 03.100.01
Price based on 11 pages