Khunatorn -


Use ISO 22320:2018 to prepare an incident management plan

Incident management is critical to ensure that businesses can deal with unplanned disruptive events. Find out how the ISO:22320:2018 standard can help.

Before an organization initiates business continuity and disaster recovery activities, incident management is critical.

Incident management starts when an organization identifies the severity of a threat and assesses the potential ramifications of it. This determines next steps for BCDR and establishes recovery priorities.

ISO released ISO 22320:2011 Security and resilience -- Emergency management -- Guidelines for incident management to advise emergency professionals on the key issues to address when a disruptive event occurs.

ISO updated the standard in 2018 to provide additional guidance. The standard is part of the ISO 223XX series of standards for BC and related societal security disciplines.

Getting started with ISO 22320:2018

The guidance in ISO 22320:2018 can add value to incident management plan development, testing and maintenance. The standard places emphasis on collaboration, communication throughout the process and plenty of preparation.

The first key section after the introduction discusses principles of incident management, including risk management, ethics and safety:

  • 4. Principles
    • 4.1 General. This encourages the use of specific principles for incident management.
    • 4.2 Ethics. This stresses the importance of managing incidents with integrity and duty of care for human life and dignity.
    • 4.3 Unity of command. Each member of an emergency or incident team reports to only one person in a leadership role.
    • 4.4 Working together. The need to collaborate across all team members and support organizations is encouraged.
    • 4.5 All-hazards approach. Rather than address a specific risk, incident management professionals are encouraged to take an all-hazards approach to incident management.
    • 4.6 Risk management. Incident management is a risk management activity. An understanding of risks, threats and vulnerabilities is essential to plan an incident management program.
    • 4.7 Preparedness. Like most BCDR activities, careful preplanning is a key component of successful incident management plans.
    • 4.8 Information sharing. Incident management teams must have a commitment to sharing and exchanging relevant incident data across all players in an event.
    • 4.9 Safety. A safe working environment and an emphasis on safety during an event -- for both responders and those affected -- are requirements for incident management.
    • 4.10 Flexibility. The ability to adapt to an incident and its unpredictability is an important capability for an incident management plan and its associated team.
    • 4.11 Human and cultural factors. In addition to assessing the operational characteristics and impacts of an event, incident management teams must also be able to support human and cultural factors.
    • 4.12 Continual improvement. Organizations should regularly review and update a plan or program to make it better.

Incident management processes and structure

Section five of the standard gets into the many different aspects of incident management. Along with a general introduction to incident management, sections 5.2 and 5.3 explain the incident management process and structure, respectively.

In section 5.2, the standard lists the processes -- both throughout the year and during an event -- that organizations must address when they develop an incident management program and plan. Along with general safety, important activities include the following:

  • Incident management objectives. Incident management plans must include objectives, along with the scope of activities and responsibilities.
  • Information about the situation. Plans must provide steps to identify the disruptive event and provide initial data of the circumstances and potential severity.
  • Monitoring and assessing the situation. Plans must specify how to monitor the evolving event and continue to assess changes.
  • Planning function which determines an incident action plan. Determine the steps to take during an incident management activity.
  • Allocating, tracking and releasing resources. The organization must manage all resources -- people, equipment, facilities, technology -- it is likely to employ in incident response.
  • Communications. Specify who communicates to whom, the contents of emergency communication messages, frequency of message initiation and technologies the organization uses.
  • Relationships with other organizations, common operational picture. Identify the primary and alternate organizations that the organization will engage in the course of the incident. This may include first responders, employees and vendors.
  • Demobilization and termination. This specifies how the response process is scaled back or terminated once the DR teams have assessed the status of the incident and launched next steps.
  • Documentation guidelines. This specifies what procedural documents organizations must prepare, as well as post-event reports.

Section 5.3 specifies that all incident management activities should adhere to the following structure:

  • Command. This element describes the leadership and authority for managing the incident. It also specifies the incident management program objectives, structure and responsibilities, plus the ordering and release of resources.
  • Planning. This includes the collection, evaluation and timely sharing of incident data and intelligence; it also includes status reports on resources and staffing and development and documentation of incident action plan(s).
  • Operations. This element specifies the tactical objectives and associated activities to achieve the tactical goals; guidance on risk mitigation; protection of people, property and environment; and control of incident and transition to a recovery phase.
  • Logistics. Procurement, coordination, and delivery of incident support and resources are identified here. Activities include facilities, transportation, supplies, equipment maintenance, fuel, food service and medical services for incident personnel, communications and IT support.
  • Finance and administration. This component addresses all administrative and financial issues associated with the incident, including compensation and claims, procurement, costs and time.

Many of the elements described in ISO 22320:2018 are also part of the Incident Command System. Part of the National Incident Management System, the Incident Command System is a widely used framework developed by the Federal Emergency Management Agency to manage all aspects of a disaster.

Additional guidance to note

ISO 22320:2018 also includes four annexes that provide additional details on incident management planning that organizations can use to formulate plans and programs:

  1. Annex A: Additional guidance on working together. This provides guidance on collaboration, communications and establishment of communication protocols during an incident.
  2. Annex B: Additional guidance on incident management structure. This provides additional content on structure and content that can be used for building a plan and program.
  3. Annex C: Examples of incident management tasks. These can be built into plans and can serve as checklists when engaged in an incident management activity.
  4. Annex D: Incident management planning. This provides guidance on building, exercising and maintaining an incident management activity.

DR teams and emergency professionals can access the full standard on the ISO website.

Dig Deeper on Disaster recovery planning and management

Data Backup