
Using Standards to Get Immediate Value for Your Organization

by Dr. Marc Siegel, Donald L. Schmidt and John DiMaria


Using ASIS International Standard to Get Immediate Value for Your Organization

The ASIS International standard: Organizational Resilience: Security, Preparedness and Continuity Management Systems is the only standard that takes a holistic perspective towards managing a disruptive event, before, during and after the event. This perspective improves the capacity of public and private organizations to prepare for and respond to a wide range of threats and hazards (natural, unintentional and intentional). The integrated approach helps avoid siloing risks and provides an overall risk profile allowing the organization to better understand the relationships between risks and identify solutions to problems.

Generic criteria of this standard provide a framework for any organization, regardless of size or type, to tailor its application and implementation to address the organization’s particular needs and special circumstances. The ASIS standard is aligned with other ISO management system standards in order to support consistent and integrated implementation and operation with the related management standards. One suitably designed management system can satisfy the requirements of this and the ISO 9001:2000, ISO 14001:2004, ISO/IEC 27001:2005 and ISO 28000:2008 standards. Given that ISO is currently developing an international standard, the ASIS document provides organizations a roadmap to what will eventually be the ISO standard.

The ASIS standard serves as an umbrella management system standard, minimizing the financial burden on organizations seeking to enhance sustainability and resilience performance. This enables an organization to develop a strategic approach to managing a disruptive event. It establishes the management system framework that can be used regardless of whether the organization wishes to emphasize security, risk, preparedness, crisis, emergency, business continuity, recovery, and/or disaster management. The organization determines which disciplinary perspective, or perspectives, it will adopt in developing a strategy for managing risks and consequences of disruptive events. Therefore, organizations may develop an approach compatible with their business model.

Courtesy of Dr. Marc Siegel, Security Management Systems Consultant heading the ASIS International Global Standards Initiative.


Using NFPA 1600 to Get Immediate Value for Your Organization

NFPA 1600 is a high level, overarching standard that defines the essential elements of an emergency management and business continuity program and the connectivity between those elements. The standard has been written with mandatory language (i.e., “shall”) so an entity – public, private, or not for profit – can adopt the standard and enforce its use. The “mandatory” requirements of NFPA 1600 are very short – they comprise just over four pages of text. Sections with an asterisk have explanatory information that can be found in Annex A. Following Annex A there are five annexes (B – F) that identify organizations, documents, and online resources that can be used to help develop or keep current the program.

The standard can be used to build, enhance, or evaluate your program. Since the document is available for free download, you can make it accessible to senior management to inform them about the requirements of a program and you can distribute it to persons with involvement in your program. If you wish to build a program, review Annex A for some guidance, but if you want detailed guidance you may want to purchase the handbook that is available from NFPA.

If you want to evaluate your program, the program management requirements in chapter 4 and the program elements in chapter 5 can be easily organized into a self-evaluation checklist. A suggested high-level outline would include:

  • Program Management
    • Policy, goals, objectives, budget and project schedule, records management
    • Program Coordinator & Advisory Committee
    • Program Evaluation
    • Laws and Authorities
    • Finance and Administration
  • Risk Assessment (hazard identification and impact analysis)
  • Incident Prevention & Mitigation
  • Resource Management and Logistics
    • Mutual Aid
    • Communications and Warning
    • Facilities (emergency operations center)
  • Planning and operational procedures
    • Strategic
    • Response
    • Business continuity
    • Recovery
    • Incident Management
    • Crisis Communications and Public Information
  • Training
  • Exercises, Evaluations, and Corrective Action

Use of a checklist will help you identify gaps or areas of weakness. You can also use the checklist to compare the programs of multiple facilities or business units.

For a free download of NFPA 1600 go to www.nfpa.org/assets/files/PDF/NFPA1600.pdf

Courtesy of Donald L. Schmidt, CEO, Preparedness, LLC and Chair NFPA 1600 Technical Committee


Using BS 25999 to Get Immediate Value for Your Organization

BS 25999 establishes the processes, principles and terminology to address business continuity and availability risk. It also provides a comprehensive set of controls based on industry leading practices that help organizations develop, implement, maintain and mature business continuity processes. The standard can be used as a framework so that those organizations without a BCMS can efficiently establish a workable program, and those that already have a program can ensure it meets best practices where applicable. The growing consensus regarding BS 25999, combined with the opportunity to become certified in its use, provides unparalleled benefits to companies of all sizes whose customers rely on their products and services.

Summary of Benefits

  • Framework: Provides a common framework, based on international best practices, to manage business continuity.
  • Supply-Chain: Ensures that every company in the supply chain understands and consistently applies guidelines and standards consistent with your requirements.
  • Resilience: Proactively improves resiliency efforts when faced with disruptions to key value streams.
  • Competitive Advantage: Contributes to the opening of new markets through demonstration of compliance with best-in-class standards.
  • Management: Delivers a proven response methodology for managing a disruption.
  • Delivery: Provides a rehearsed method of restoring an ability to supply critical products and services to an agreed level and timeframe following a disruption.
  • Reputation: Helps protect and enhance the organization’s reputation and brand.
  • Proactive: Concentrates on preventive measures (Detection rather than Reaction).
  • Business Improvement: Enables a clearer understanding of how the entire organization operates on a day-to-day basis, which can identify opportunities for improvement (including personnel and knowledge deficiencies and single points of failure).
  • Compliance: Demonstrates that applicable laws and regulations are being observed.
  • Cost Savings: Creates an opportunity to reduce the burden of internal and external business continuity audits and may reduce business interruption insurance premiums.

Courtesy of John DiMaria of BSI Management Systems.

 
 
Copyright ©2010 DISASTER RESOURCE GUIDE P.O. Box 15243, Santa Ana, CA 92735 714/558-8940
Fax 714/558-8901