National foreword

This British Standard is the UK implementation of EN ISO 22361:2022. It is identical to ISO 22361:2022. It supersedes PD CEN/TS 17091:2018 and BS 11200:2014, which are withdrawn.

The UK participation in its preparation was entrusted to Technical Committee CAR/1/2, Crisis Management: Development of ISO 22361.

A list of organizations represented on this committee can be obtained on request to its committee manager.

Contractual and legal considerations

This publication has been prepared in good faith, however no representation, warranty, assurance or undertaking (express or implied) is or will be made, and no responsibility or liability is or will be accepted by BSI in relation to the adequacy, accuracy, completeness or reasonableness of this publication. All and any such responsibility and liability is expressly disclaimed to the full extent permitted by the law.

This publication is provided as is, and is to be used at the recipient’s own risk.

The recipient is advised to consider seeking professional guidance with respect to its use of this publication.

This publication is not intended to constitute a contract. Users are responsible for its correct application.

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 November 2022.

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 292, Security and resilience, in collaboration with the European Committee for Standardization (CEN) Technical Committee CEN/TC 391, Societal and Citizen Security, in accordance with the Agreement on technical cooperation between ISO and CEN (Vienna Agreement).

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.

Introduction

This document has been developed to aid in the design and ongoing development of an organization’s crisis management capability. It sets out principles and practices needed by all organizations.

Crises present organizations with complex challenges and, possibly, opportunities that can have profound and far-reaching consequences. An organization’s crisis management capability and its ability to manage a changing environment are key factors in determining whether a situation or incident has the potential to pose a serious or existential threat to the organization and its environment. The crisis affecting an organization can be part of a broader crisis.

To ensure the crisis management capability has the desired outcome, the organization should provide:

committed leadership;
structures (e.g. funding, communications, relationships and linkages, equipment, facilities, information management, principles, processes and procedures);
a supportive culture (e.g. values, ethics, code of conduct);
competent personnel (e.g. knowledge, skills and attitude, flexible thinking).

An organization’s crisis management capability will be influenced by its relationship with other interdependent areas such as risk management, business continuity, information security, physical security, safety, civil protection, incident response and emergency management.

The organization should adopt a structured approach to crisis management by applying a set of principles on which a crisis management framework can be developed. These interrelated principles, framework and applicable process elements support the implementation of a crisis management capability in a purposeful, consistent and rigorous manner (see Figure 1).

The structure of the document is as follows:

the core concepts of crisis management are described (see Clause 4);
then the framework and process for building a crisis management capability are outlined (see Clause 5).

The clauses that follow provide more detail on:

crisis leadership (see Clause 6);
strategic crisis decision-making (see Clause 7);
crisis communication (see Clause 8);
training, validation and learning from crises (see Clause 9).

Continual improvement is a component of all elements of this document (see 5.3.7), so that while it is part of the process, it also addresses all capability elements.

This European Standard was approved by CEN on 14 October 2022.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

European foreword

This document (EN ISO 22361:2022) has been prepared by Technical Committee ISO/TC 292 "Security and resilience" in collaboration with Technical Committee CEN/TC 391 “Societal and Citizen Security” the secretariat of which is held by AFNOR.

This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by May 2023, and conflicting national standards shall be withdrawn at the latest by May 2023.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights.

This document supersedes CEN/TS 17091:2018.

Any feedback and questions on this document should be directed to the users’ national standards body/national committee. A complete listing of these bodies can be found on the CEN website.

According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the United Kingdom.

Endorsement notice

The text of ISO 22361:2022 has been approved by CEN as EN ISO 22361:2022 without any modification.

1 Scope

This document provides guidance on crisis management to help organizations plan, establish, maintain, review and continually improve a strategic crisis management capability. This guidance can help any organization to identify and manage a crisis. Elements for consideration include:

context, core concepts, principles and challenges (see Clause 4);
developing an organization’s crisis management capability (see Clause 5);
crisis leadership (see Clause 6);
the decision-making challenges and complexities facing a crisis team in action (see Clause 7);
crisis communication (see Clause 8);
training, validation and learning from crises (see Clause 9).

It is applicable to top management with strategic responsibilities for the delivery of a crisis management capability in any organization. It can also be used by those who operate under the direction of top management.

This document acknowledges the relationship and interdependencies with various disciplines but is distinct from these topics.

2 Normative references

3 Terms and definitions

4 Crisis management — Context, core concepts and principles

4.1 The nature of crises

4.2 Characteristics of a crisis

4.3 Potential origins of crises

4.4 Readiness to respond and recover

4.5 Principles for crisis management

5 Building a crisis management capability

5.1 General

5.2 Crisis management framework

5.3 Crisis management process

6 Crisis leadership

6.1 Core leadership skills and attributes

6.2 Well-being and sustainable crisis response

7 Strategic crisis decision-making

7.1 General

7.2 Why decision-making can be challenging

7.3 Dilemmas, decision delay, decision avoidance

7.4 Decision-making issues

7.5 Effective crisis decision-making

8 Crisis communication

8.1 General

8.2 Pre-crisis preparation

8.3 Managing relationships and reputation

8.4 Key roles

8.5 Crisis communication strategy

8.6 Key principles and activities of crisis communication

8.7 Consistency of message

8.8 Barriers to effective communication

8.9 Social media — Opportunities and threats

9 Training, validation and learning from crises

9.1 General

9.2 Developing competence

9.3 Training

9.4 Exercising

9.5 Validation

9.6 Evaluating and learning

Bibliography

BS EN ISO 22361:2022

Security and resilience. Crisis management. Guidelines

Current

Published:

30 Nov 2022