What does the ISO 22330 business continuity standard cover?

More than any other tool, people are often considered an organization's most important asset. A disaster or disruptive event can affect an organization's employees in different, and sometimes severe, ways.

The ISO/TS 22330:2018 business continuity standard from the International Organization for Standardization provides a detailed look at what can happen to people in a disaster and offers suggestions on managing those effects.

Officially titled ISO/TS 22330:2018 Security and resilience -- Business continuity management systems -- Guidelines for people aspects of business continuity, addresses people issues not previously covered in ISO standards, the standard addresses people issues not previously covered.

Common people issues surrounding business continuity and disaster recovery (BCDR) include awareness and training, exercising and testing, and incident response. The first four issues are largely part of the planning process, while the last applies to actual events.

Incident response activities are typically focused on assessing the situation, ensuring that employees are safe -- and evacuated, if needed -- engaging first responders and activating emergency teams as needed.

ISO/TS 22330:2018 provides guidelines and a framework for the planning and development of policies, strategies and procedures to help prepare and manage people affected by an incident. Let's examine these in more detail:

• Pre-event preparation: Awareness, analysis of needs and learning and development. A key part of the people process is to understand your organization and its people. This can be done in partnership with HR, as it has the most detailed information on employees. The ISO/TS 22330:2018 business continuity standard provides guidance on the above activities and can be used as a checklist to ensure that existing BC/DR programs address people issues in greater detail. Of the above issues, analysis of needs is probably the most important. This is where you can examine issues such as employees' family members and employees with special health requirements. The more you know potential staff issues in advance, the better your recovery is likely to be, especially from a people perspective.
• Response phase: Dealing with the immediate effects of an incident. When faced with an emergency, people react in different ways. This is one reason that, when choosing members of an emergency response team, it's important to remember that people may react in an entirely different way when faced with a real emergency, as opposed to when they attend a training exercise. In an exercise, people are likely to perform their duties calmly and in complete control. However, in a live event, those same people may freeze and be unresponsive, or may panic and flee the situation as quickly as possible. It's almost impossible to know how people will respond until a real event occurs. That's one good reason to hold regular BCDR plan exercises and emergency response plan drills.
• Recovery phase: Managing people during the event. Noting the above realities of people responding to emergencies, ISO/TS 22330:2018 provides guidance on how to deal with a variety of situations. These can include what to do when employees are injured, how to aid employees who have a traumatic reaction to the event and how to communicate with family members and others. While each disruptive event is different, the impact on people is a major challenge.
• Restoration phase: Ongoing support to employees after returning to business as usual. Even once a disaster has been addressed and resources have been brought in to help speed the return to business as usual, more still may need to be done to help employees. Injured employees and their care will need to be addressed. Employees who have not fared well emotionally may need counseling and professional help. These and other kinds of post-event activities are addressed in the new standard.

People have always been part of BCDR processes, but ISO's new standard raises the bar on the importance of people and their needs in a disaster. ISO/TS 22330:2018 provides an in-depth look at how to respond effectively to the needs of an organization's staff during and after the event.