ISO 22361 – the Crisis Management Standard
ISO 22361: 2022 Security and Resilience – Crisis Management – Guidelines
The Crisis Management Standard, ISO 22361, was published by the International Organisation for Standards in November 2022, following the successful introduction of BS 11200:2014 Crisis Management – Guidance and Good Practice in the UK.
The standard is a useful single source for crisis management guidance, and replaces BS 11200 and PAS 200, both of which have been withdrawn.
The standard defines a crisis as an “abnormal and unstable situation that threatens an organisation or community and requires a strategic, adaptive and timely response in order to preserve its viability and integrity”.
It summarises the defining features of a crisis, and lists seven principles for crisis management, before making specific recommendations for successful crisis management.
As well as general guidance on building a crisis management capability, the standard provides advice on:
- Crisis leadership;
- Crisis communications; and
- Training & exercising.
ISO 22361 Crisis Management Principles
ISO 22361 defines a number of principles as the foundation for developing and crisis management capability. These are:
- Risk Management
Clause 6 of the standard sets out to discuss the roles and responsibilities for a crisis leader, and describes the skills that with which crisis leaders should be equipped, whether through:
- Professional and technical expertise;
- Training; and
- Exposure to incidents.
Decision-making in a crisis is covered in some details in Clause 7, which suggests a process for decision-making, whilst highlighting some of the difficulties and challenges. The standard gives some suggestions for effective decision-making.
Clause 8 of the standard highlights the importance of effective crisis communications, and the need to prepare and plan for this in advance.
The standard identifies some pre-crisis planning steps that should be taken, and lists key roles within a communication function.
This section also includes some key principles and activities for effective communication, as well as listing some of the barriers that may occur.
Training and Exercising
Within Clause 9, ISO 22361 discusses training and exercising, as well as giving guidance for validation of the crisis management capabilities, and steps for evaluation, including suggestions for post-exercise activities.
We are happy to answer any questions about Business Continuity, Crisis Management, Information Security, Data Protection and Product Recalls.
How Can Cambridge Risk Solutions Help?
Click the button to see some examples of incident management training and exercises.