BSI Standards Publication

BS ISO 22398:2013

Societal security - Guidelines for exercises

BRITISH STANDARD

National foreword

This British Standard is the UK implementation of ISO 22398:2013.

The UK participation in its preparation was entrusted to Technical Committee SSM/1, Societal security management.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2013. Published by BSI Standards Limited 2013

ISBN 978 0 580 74562 1

ICS 03.100.01

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 October 2013.

Amendments issued since publication

Date | Text affected

INTERNATIONAL STANDARD ISO 22398
First edition 2013-09-15

Societal security - Guidelines for exercises
Sécurité sociétale - Lignes directrices pour exercices

Reference number ISO 22398:2013(E)

COPYRIGHT PROTECTED DOCUMENT

© ISO 2013

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org

Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Planning, conducting and improving an exercise programme
4.1 General
4.2 Planning
4.3 Conducting
4.4 Reviewing and improving the exercise programme
5 Planning, conducting and improving exercise projects
5.1 General
5.2 Planning
5.3 Conducting
5.4 Improving
6 Continual improvement
6.1 General
6.2 Evaluation
6.3 Management review and corrective action
Annex A (informative) Exercises within a management system description
Annex B (informative) Needs analysis
Annex C (informative) National strategic exercises
Annex D (informative) Exercise enhancement
Annex E (informative) Creating scenarios through experience
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the following URL: Foreword - Supplementary information

The committee responsible for this document is ISO/TC 223, Societal security.

Introduction

This International Standard describes the elements of a generic approach to planning, conducting and improving exercise programmes and projects. The purpose of this International Standard is to:

- provide a basis for understanding, developing and implementing an effective exercise programme within an organization;
- provide guidelines for planning and conducting an exercise project;
- enhance the organization's ability to conduct exercises with internal and external involved parties;
- assist the organization with developing and assessing its exercising capability in a consistent and risk-assessed manner that reflects good practice; and
- enable continual improvement in exercise programmes and projects within an organization.

It is applicable to all organizations, regardless of type, size and nature, whether private or public. The guidance can be adapted to the needs, objectives, resources, and constraints of the organization.

Exercises are an important management tool intended to identify gaps and areas for improvement as well as to determine the effectiveness of response and recovery strategies. In addition to measuring the competence of the organization and its personnel, exercises are excellent tools to assess revised plans and changed programmes for completeness, relevancy and accuracy.

Exercises can be used for:

- validating policies, plans, procedures, training, equipment, and inter-organizational agreements;
- testing information and communication technology (ICT) disaster recovery systems;
- clarifying and training personnel in roles and responsibilities;
- improving inter-organizational coordination and communications;
- identifying gaps in resources;
- improving individual performance;
- identifying opportunities for improvement; and
- providing a controlled opportunity to practice improvisation.

Exercise projects usually have performance objectives such as:

- orientation/demonstration: simulating experience of an expected situation to increase awareness of vulnerabilities and the importance of effective action in response to the simulated conditions;
- learning: enhancing knowledge, skills, or abilities by individuals or groups with the goal of mastering specific competencies;
- cooperation: providing an opportunity for people to work together to achieve a common end result;
- experimenting: trying new methods and/or procedures with the intent of refinement; and
- testing: evaluating a method and/or procedure to assess which components are sufficiently developed.

See Figure 1.

[Figure 1 (diagram): Relation between exercise programme, exercise projects and continual improvement. The exercise programme runs through PLANNING (establish programme need; develop base of support; identify aim and objectives), CONDUCTING (implement programme; monitor programme and review programme) and IMPROVING (improve programme). Within the programme sit Exercise Project 1, Exercise Project 2, Exercise Project 3 ... X, each with its own PLANNING (establish the foundation; scope; project planning; communications; design and development; documentation), CONDUCTING (run-through; start-up briefing; launch; termination) and IMPROVING (observation; debriefing; after action review). Underlying both is Continual Improvement: evaluation, management review and corrective action.]

Figure 1 - Relation between exercise programme, exercise projects and continual improvement

1 Scope

This International Standard recommends good practice and guidelines for an organization to plan, conduct, and improve its exercise projects which
may be organized within an exercise programme.

It is applicable to all organizations regardless of type, size or nature, whether private or public. The guidance can be adapted to the needs, objectives, resources, and constraints of the organization.

It is intended for use by anyone with responsibility for ensuring the competence of the organization's personnel, particularly the leadership of the organization, and those responsible for managing exercise programmes and exercise projects.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 22300, Societal security - Terminology

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 22300 and the following apply.

3.1 after-action report
document which records, describes and analyses the exercise, drawing on debriefs and reports from observers, and derives lessons from it
Note 1 to entry: The after-action report documents the results from the after-action review.
Note 2 to entry: An after-action report is also called a final exercise report.

3.2 competence
demonstrated ability to apply knowledge and skills to achieve intended results

3.3 drill
activity which practices a particular skill and often involves repeating the same thing several times
EXAMPLE A fire drill to practice safely evacuating a building on fire.

3.4 evaluation
systematic process that compares the result of measurement to recognised criteria to determine the discrepancies between intended and actual performance
Note 1 to entry: The gaps are inputs into the continual improvement process.

3.5 exercise
process to train for, assess, practice, and improve performance in an organization
Note 1 to entry: Exercises can be used for validating policies, plans, procedures, training, equipment, and inter-organizational agreements; clarifying and training personnel in roles and responsibilities; improving inter-organizational coordination and communications; identifying gaps in resources; improving individual performance and identifying opportunities for improvement; and a controlled opportunity to practice improvisation.
Note 2 to entry: A test is a unique and particular type of exercise, which incorporates an expectation of a pass or fail element within the goal or objectives of the exercise being planned.

3.6 exercise coordinator
person responsible for planning, conducting, and evaluating exercise activities
Note 1 to entry: In larger exercises, this function may include several persons/staff and may be called "exercise control".
Note 2 to entry: Some countries use a term such as "exercise director" instead of "exercise coordinator" (or similar text).
Note 3 to entry: The exercise coordinator role is also responsible for the cooperation among internal and external entities.

3.7 exercise programme
series of exercise activities designed to meet an overall objective or goal

3.8 exercise programme manager
person responsible for planning and improving the exercise programme

3.9 exercise project team
persons planning, conducting and evaluating an exercise project

3.10 exercise safety officer
person tasked with ensuring that any actions during the exercise are performed safely
Note 1 to entry: In larger exercises, involving multiple functions, more than one safety officer may be assigned.

3.11 hazard
source of potential harm
Note 1 to entry: A hazard can be a source of risk.

3.12 interested party
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity
Note 1 to entry: A decision maker can be an interested party.

3.13 inject
scripted piece of information inserted into an exercise designed to elicit a response and facilitate the flow of the exercise
Note 1 to entry: Injects can be written, oral, televised, and/or transmitted via any means (e.g. fax, phone, e-mail, voice, radio, or sign).

3.14 management
coordinated activities to direct and control an organization

3.15 observer
exercise participant who witnesses the exercise while remaining separate from exercise activities
Note 1 to entry: Observers may be part of the evaluation process.

3.16 participant
person or organization who performs a function related to an exercise

3.17 risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected, positive and/or negative.
Note 2 to entry: Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product, and process).
Note 3 to entry: Risk is often characterized by reference to potential events, consequences, or a combination of these and how they can affect the achievement of objectives.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event or a change in circumstances, and the associated likelihood of occurrence.
Note 5 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood.

3.18 scenario
pre-planned storyline that drives an exercise, as well as the stimuli used to achieve exercise project performance objectives

3.19 scope of exercise
magnitude, resources, and extent which reflects the needs and objectives

3.20 script
story of the exercise as it develops which allows directing staff to understand how events should develop during exercise play as the various elements of the master events list are introduced
Note 1 to entry: The script is often written as a narrative of simulated events.

3.21 target group
individuals and/or organizations subject to exercise

3.22 test
exercise with an aim to obtain an expected measurable pass/fail outcome
Note 1 to entry: A test is a unique and particular type of exercise, which incorporates an expectation of a pass or fail element within the aim or objectives of the exercise being planned.
Note 2 to entry: The terms "test" and "testing" are not the same as "exercise" and "exercising".

3.23 training
activities designed to facilitate the learning and development of knowledge, skills, and abilities, and to improve the performance of specific tasks or roles

4 Planning, conducting and improving an exercise programme

4.1 General

An organization conducting exercises should establish an exercise programme. Establishing an exercise programme allows for a coordinated approach to building and maturing the organization's capabilities