BS ISO 22325:2016

Security and resilience - Emergency management - Guidelines for capability assessment

BSI Standards Publication

BRITISH STANDARD

National foreword

This British Standard is the UK implementation of ISO 22325:2016.

The UK participation in its preparation was entrusted to Technical Committee SSM/1/-/3, Emergency Preparedness.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2016. Published by BSI Standards Limited 2016

ISBN 978 0 580 82445 6

ICS 03.100.01

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 October 2016.

Amendments/corrigenda issued since publication
Date    Text affected

INTERNATIONAL STANDARD ISO 22325
First edition 2016-10-15
Reference number ISO 22325:2016(E)

Sécurité et résilience - Gestion des situations d'urgence - Lignes directrices pour l'évaluation de la capacité

COPYRIGHT PROTECTED DOCUMENT

© ISO 2016, Published in Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Ch. de Blandonnet 8 CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Assessment model
5 Indicators
  5.1 General
  5.2 Leadership
  5.3 Resource management
  5.4 Information and communication
  5.5 Risk management
  5.6 Coordination and cooperation
  5.7 Emergency management planning
  5.8 Exercise programme
  5.9 Incident management system
6 Assessment process
  6.1 General
  6.2 Planning
  6.3 Collecting
  6.4 Analysing
  6.5 Reporting
Annex A (informative) Assessment template
Bibliography

Foreword

ISO (the International Organization for Standardization) is a
worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.

The committee responsible for this document is Technical Committee ISO/TC 292, Security and resilience.

Introduction

This document provides guidelines for an organization in assessing its emergency management capability by using four maturity levels, eight indicators and an assessment process (see Figure 1).

A capability assessment can be used to:
- ensure regulatory compliance, reduce risk and meet the safety expectations of the population;
- improve organizational processes;
- enhance partnership, coordination and cooperation within an organization and with other agencies and sectors;
- share best practices;
- promote continual improvement.

A capability assessment can be performed by the organization itself or by an external organization.

Organizations can define their context to allow for an appropriate assessment of its emergency management capability. This context can be expressed through identifying appropriate activities in relation to prevention, mitigation, preparedness, response and recovery. While most organizations deliver all emergency management functions, some organizations can be responsible for only a single function so not all the indicators will apply.

Figure 1 - Emergency capability assessment

1 Scope

This document provides guidelines for an organization in assessing its emergency management capability. It includes
- an assessment model with a hierarchy of four levels;
- eight indicators;
- an assessment process, explaining how to plan, collect, analyse and report.

This document is intended to be used by organizations responsible and accountable for emergency management. Each organization's context can involve a mix of prevention, mitigation, preparedness, response and recovery activities.

2 Normative references

There are no normative references in this document.

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 22300 apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
- ISO Online browsing platform: available at http://www.iso.org/obp
- IEC Electropedia: available at http://www.electropedia.org/

3.1
context
external and internal factors to be taken into account when undertaking a capability assessment

Note 1 to entry: External context includes the following:
- cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
- key drivers and trends having impact on the objectives of the organizations;
- relationships with, and perceptions and values of external stakeholders.

Note 2 to entry: Internal context includes the organization's mandate, business sensitivity, governance, organizational structure, roles and accountabilities, resources and knowledge (e.g. capital, time, people, processes, systems and technologies), and organizational culture.

3.2
emergency management capability
overall ability to effectively manage prevention, preparedness, response and recovery before, during and after potentially destabilizing or disruptive events

4 Assessment model

The organization should use the assessment model with four levels to classify its emergency management capability (see Figure 2). This is subject to the role, functions, scope and authority of an organization and the operational context.

Level 1
represents the minimum level of emergency management capability, while Level 4 represents the highest level of emergency management capability.

Figure 2 - Levels of emergency management capability

At Level 1, an organization performs its emergency management role at a basic level.

At Level 2, an organization has established detailed plans with the goal of achieving a balance between resource demands and availability. Plans are developed in terms of the knowledge, skills and capabilities to manage incidents and are updated periodically.

At Level 3, an organization has designed an emergency management process to facilitate appropriate measurement and assessment which enables the organization to identify opportunities for improvement. The organization has integrated with other organizations in order to increase the effectiveness and efficiency.

At Level 4, an organization has reached an optimal level of emergency management capability. Critical to this level of performance is the ability to demonstrate organizational learning, adaptive capacity and effective coordination and cooperation with other organizations. It commits to research and best practice and is able to appropriately use technology.

5 Indicators

5.1 General

The organization should assess emergency management capability using the indicators which reflect the scope, function and authority of the organization:
a) leadership;
b) resource management;
c) information and communication;
d) risk management;
e) coordination and cooperation;
f) emergency management planning;
g) exercise programme;
h) incident management system.

The indicators in Tables 1 to 8 are described in accordance with the four levels of the assessment model (see Figure 2).

5.2 Leadership

Effective leadership enables the organization to forge effective communication and collaboration among organizations. It is important for the leadership to be aware of the organization's internal and external context. A clear commitment to the assessment process should be demonstrated.

Table 1 - Indicator for leadership

Level     Criteria

Level 1   The roles and responsibilities of the organization have been defined.
          An emergency management policy has been approved which includes emergency management objectives.

Level 2   The leadership is aware of the roles and responsibilities of its own organization and commits appropriate resources.
          The emergency management objectives have been harmonized with objectives of the organization. Leadership approves and supports these objectives.
          The leadership has demonstrated a commitment to continual improvement.

Level 3   The leadership is aware of the roles and responsibilities of other organizations and demonstrates coordination and cooperation.
          The leadership has identified strengths and weaknesses of the organization and shares opportunities for improvement with other organizations.
          The leadership ensures alignment between job competences and individuals.

Level 4   Procedures have been implemented to learn from incidents, near misses, exercises and tests. Leadership has been involved in exercises.
          The leadership has assigned resources to support research and development activities and to improve its capacity to cope with current and future emergencies.
          Commitment includes identified contingency funding.
          The organization demonstrates the ability to optimize according to its context.

5.3 Resource management

Resource management is the efficient and effective allocation and deployment of resources when and where they are needed.

Table 2 - Indicator for resource management

Level     Criteria

Level 1   The organization has carried out an analysis of resources (e.g. personnel, facilities, tools, technology, equipment and budget).
          The basic resources are in place to achieve the organization's emergency management objectives.

Level 2   Resources are updated, documented and tracked, including the identification of resources available for immediate deployment.
          A policy for resource management regarding emergencies exists. The policy includes routines for:
          - timely deployment of resources according to predefined priorities;
          - backup system(s);
          - maintenance and test of the functionality of the internal material resources.

Level 3   Resource requirements have been defined based on the results of a risk assessment.
          Resources are available to support coordination and cooperation and agreements are in place. Appropriate procedures are in place for requesting and receiving external resources.
          Evidence of flexible resource allocation is demonstrated.

Level 4   Resource management is based on research and evidence, which may include benchmarking, lessons learned from real incidents, exercises and stress tests.
          Lessons learned should be:
          - documented;
          - captured as opportunities for improvement (e.g. of personnel, technical equipment);
          - shared with other organizations.
          Agreements are periodically reviewed within a multi-organizational setting.

5.4 Information and communication

It is essential for information and communication to be effectively managed in order to support the organization's mission within an emergency management context.

Table 3 - Indicator for information and communication

Level     Criteria

Level 1   An information and communication system within the organization has been implemented. The system supports information exchange and communication within the organization.

Level 2   The information and communication system is maintained regularly.
          Alternative solutions or backup systems are in place.

Level 3   A plan for internal and external information and communication has been implemented.
          The information and communication system supports the information exchange between organizations and the public and ensures continuity of the information and communication system.

Level 4   Lessons learned from real incidents, exercises, research and stress tests are reflected in the information and communications system.
          An optimal system has been implemented and integrated with other organizations and considers:
          - confidentiality, integrity, availability and reliability of the information;
          - speed, timeliness and relevance of communication;
          - communication needs of stakeholders;
          - information analysis for situation awareness;
          - training needs;
          - human factors.

5.5 Risk management

Risk management should be integral to all of the organization's emergency management activities. It is a systematic approach to manage uncertainty to the organization's objectives. It should be consistent with ISO 31000.

Table 4 - Indicator for risk management

Level     Criteria

Level 1   Risks have been identified but have not been analysed or considered in long-term planning.

Level 2   A basi