PTB Covid19-Response: Business Resilience

Back

How Standards Contribute to Business Resilience in Crisis Situations

Niels Ferdinand, Richard Prem

On behalf of the Federal Government of Germany, the Physikalisch-Technische Bundesanstalt promotes the improvement of the framework conditions for economic, social and environmentally friendly action and thus supports the development of quality infrastructure.

The following text can be downloaded here:

PTB_Info_Business_Resilience_EN.pdf How Standards Contribute to Business Resilience in Crisis Situations541 KB

Content overview:

1. Background

The global corona virus situation is presenting enormous challenges for companies worldwide. Companies in developing and emerging nations are especially affected, as the pandemic has severe ramifications for them, and they have less access to support. This raises the question of how we can use standardisation to improve the resilience of companies during global crises, and what development cooperation can contribute to that process.

This paper summarises the current state of affairs of standardisation in the area of business resilience. It will explain the general contributions standardisation can make towards promoting resilience. On this basis, it will give an overview to specific standards relevant to business resilience. Finally, it will make recommendations for development cooperation organisations, in order to promote the development and implementation of standards for increasing business resilience.

2. The Significance of Standards on increasing Business Resilience

2.1 Defining Resilience and Business Continuity Management

Resilience is "the ability to recognise changes in an environment and adjust to them".¹ Resilient companies recognise the opportunities and threats that arise from both sudden and gradual internal and external changes, and can react to them.² In this way, it becomes possible to overcome crises and disruptions, withstand unexpected shocks, and adapt to change.³ Resilience is, therefore, an extremely important characteristic for companies to have, and one that plays a decisive role for their long-term survival.

As an integral management process, business continuity management (BCM) presents a framework for increasing an organisation's resilience. The goal of this management discipline is to identify potential threats and risks that could impact the continued existence of the entrepreneurial activity in question. At the same time, it should increase the organisation's ability to react quickly and appropriately to events.⁴

BCM is essential to safeguarding profitability and survival in the market. It builds the groundwork that allows a company to react effectively, and its contributions increase business resilience.

_{1 ISO 22300:2018
2 ISO 22316:2019
3 Business Continuity Institute, BCI (2020)
4 Business Continuity Institute, BCI (2020)}

2.2 Fields of Action for increasing Business Resilience

Various areas will need continuous improvements before a company sees an increase in business resilience. These reach from improvements in strategic management, to corporate governance, all the way to improving a company's culture. ISO 22316 defines nine fields of action for encouraging business resilience. These are summarised in the text box.

Fields of Action for Encouraging Business Resilience as per ISO 22316

Have a shared vision and a clear goal. All hierarchical levels have a common vision and common goals and values regarding the advantages of business resilience.
Understand the environment and be able to influence it. The organisation understands the internal and external systems entirely, and is therefore able to influence them.
Practise effective and encouraging leadership. The leadership culture works efficiently even during periods of uncertainty and change.
Have a culture that promotes resilience. The beliefs and values of the organisation uniformly promote resilience, and the organisation incorporates positive mindsets and conduct.
Share information and knowledge. The organisation's employees exchange information and knowledge. The climate around learning from experience and mistakes is a supportive one.
Make resources available. There are resources (e.g. qualified employees, facilities, information, technology, etc.) available that cover vulnerable positions at the organisation, and allow for quick adjustments in the face of changing circumstances.
Coordinate business departments. Departments that will contribute to the resilience of the organisation are identified, developed, and coordinated. These departments work together so that they can pursue common strategic goals.
Promote continuous improvements. Organisations evaluate their results so they can learn from past experiences and recognise future opportunities.
Anticipate change. Future changes are recognised and managed in good time.

2.3 The Correlation between Standardisation and Business Resilience

Standards can be defined as an "agreed upon way of doing something", and are powerful tools with which organisations can further innovation, more efficiently design processes, and reduce risks.⁵

Standards can make important contributions to the various fields of action of resilience, especially regarding the following factors:

Recognising relevant environmental requirements in good time. Using standardised management systems, companies can better identify internal and external factors that may impact their goals and activities, and then systematically adjust for them. In this way, standards can also help organisations anticipate risks in good time. Thus, companies are prepared for threats, instead of having to employ reactive measures.
Implementing innovations. Standards make it easier for companies to introduce systematic innovation management. Moreover, they establish the agreed upon terminology and fundamental criteria for new products and services.⁶
Making processes more efficient. Companies that rework their processes based on standards are then able to standardise their processes and consequently design them to be more efficient. Each stage in the process is examined, and the interactions between various processes are tested and improved upon.7 ⁸
Continuous improvements. Management standards can contribute to the implementation of a business culture of continuous improvement. This not only influences the company's leadership, but also its employee's behaviour and engagement.⁹
Safeguarding business relationships. Standards play a decisive role in ensuring that the criteria for products and processes are consistently observed, especially when it comes to international business relationships. Product specifications, environmental and social criteria, i.a., could count as one of these. By adhering to such criteria, and auditing whether they really are being adhered to, we reduce risks for our trading partners. Such risks might, for example, result from a lack of consideration for product quality criteria, for minimum employment standards during production, or for human rights when extracting raw materials.

In this way, standards not only reduce the risk of damaging a company's reputation, but also reduce risks to its economic continuity: Current data on the economic impact on companies during the corona virus situation shows that companies with good environmental and social services are more economically stable than their competitors with worse ratings. In addition, standards bring together stakeholders' requirements, which are subsequently acknowledged by distributors, manufacturers, sales, and consumers. The foundation for stable business relationships arises as a result of this, relationships in which observing the requirements defined by stakeholders is rewarded with improved market access. Eventually, there are specific standards that attend to securing continuity in the supply chain (see text box on page 5). In this way, standards build the basis for business relationships in value creation chains that survive during crisis situations, and thereby ensure continuous access to the resources and contributions that value creation requires.

Standards are a valuable tool when used as guidelines for how to encourage a company's resilience. However, the effectiveness of each system depends on how committed management is and to what extent it is implemented in the organisation. This impacts the resources available for emergency planning, as well as the level of maintenance and of adjustment of structures dealing with crises, and how updated these structures are.

_{5 British Standards Institution, BSI (2020a)}

_{6 British Standards Institution, BSI (2020b)}

_{7 Advisera (2017)}

_{8 Prammer, Heinz Karl (2014)}

_{9 Advisera (2017)}

_{10 Fidelity 2020}

2.4 Risk Management in Standardisation

Risk is an essential part of any entrepreneurial activity. The multitude of information available to companies makes it a challenge to recognise threats and opportunities and react to them.¹¹

The risk-based approach of standardisation forces companies to concentrate on the essentials. At the same time, risk management requires further development if companies are to be able to respond to the myriad local and global threats in a swift and efficient manner. This ability is a result of recognising opportunities and risks, which enables a company to make better informed and more effective choices, and to more efficiently employ the resources available to it. Preventative planning such as this also gives companies some necessary flexibility.

_{11 ISO 31000:2018}

3. Specific Standards for Resilience and Business Continuity Management

Team working in Lab with masks an protective clothes

In the International Organisation for Standardization (ISO), security and entrepreneurial resilience are covered by ISO/TC 292. This technical committee was founded in 2014 to increase the security and resilience of countries, societies, industry, and people.¹² The committee's goal is to produce and improve standards for reinforcing the security and resilience of the society. This also includes areas that exceed the requirements of organisations, i.e. the resilience of societies and communities.¹³

_{12 ISO/TC 202 entstand aus der Zusammenführung von anderen Komitees: TC223 – Societal security, ISO/TC 247 – Fraud countermeasures and controls, ISO/TC 8 – Ships and marine technology (28000-series) and ISO/PC 284 – Management system for private security operations}

_{13 ISO/TC 292, 2016-05-08, Strategic Business Plan}

3.1 Topic Overview for Specific Standards

We can group some of the standards for resilience and business continuity management into general standards that establish fundamental structures. ISO 22301 especially belongs in this group, as it establishes the requirements for a business continuity management system, as does ISO 22300, which explains the terminology, and ISO 22316, in which the basic principles of organizational resilience are addressed.¹⁴ Other standards in the ISO 223xx family go into various subtopics of BCM and its implementation. There are more international standards under development by ISO/TC 292. For an overview of current ISO standards, standards under development, and examples of national and institutional standards, see appendix A.

Business resilience is not a stand-alone management discipline, but is a result of integrating various already established disciplines. It is important that the various disciplines work together and coordinate with one another, so that it is easier to adjust to crisis situations. Appendix A of ISO standard 22316:2017 mentions several resilience-relevant management disciplines, such as business continuity management, crisis management, communication management, environmental management, governance, financial management, information security, and supply chain management.¹⁵ There are specific standards that apply to each of these different disciplines. A second group categorizes those standards that focus on specific subject areas. This would include, for example, IT,¹⁶ supply chain security,¹⁷ and infrastructure protection in communities.¹⁸ The specific standards for business continuity management and supply chain security are summarised in the text box.

Supply Chain Continuity and Security Standards

ISO/TS 22318: Business continuity management — A guide to supply chain continuity. This standard is a guide for implementing the BCM principles of standards ISO 22301 and ISO 22313 in regard to managing supply relationships.The standard comprises of guidelines for analysing the consequences of incidents on the supply chain, for identifying suitable restoration strategies, and for taking these continuity planning precautions into account. According to this standard, examples of incidents might be production related delays, or the loss of one or more suppliers, as is currently the case during the corona virus pandemic.
The target of this standard is to increase companies' ability to react to incidents which interfere with the supply chain.
ISO 28000: Specifications for supply chain safety management systems.This standard establishes requirements for a safety management system that protects the security of the supply chain. Here, security is defined as resilience against deliberate, unwarranted actions that are designed to damage the supply chain or cause damage using the supply chain. The standard defines requirements for improving security processes concerning prevention, implementation, replicability, and documentation. The target of this standard is to improve reliability and security within the entire supply chain, and to sensitise all levels of the organisation to various dangers.

Other standards and guidelines are geared towards promoting resilience in society, and are, for example, developed by the European Commission¹⁹ or the UN.²⁰ Relatedly, the United Nations Economic Commission for Europe (UNECE) has initiated the development of an action plan on the topic of "Disaster Risk Reduction for Resilience". Among other things, the plan calls for individual organisations to prioritise reducing the risk of catastrophes.²¹

_{14 ISO 22313:2020}

_{15 ISO 22316:2017}

_{16 ISO 27000 ff.}

_{17 ISO 28000 ff.}

_{18 U.S Green Building Council (2017)}

_{19 European Commission (2012)}

_{20 United Nations Economic Commission for Europe (2015)}

_{21 UNECE (2019)}

3.2 Effectiveness of Standards in Social and Economic Crises

Social and economic crises present enormous challenges for companies due to the sudden shift in context they cause. Meanwhile, businesses with management systems based on standards are able to withstand crises better than organisations without such systems.²²

There is data available on the implementation of certifiable resilience standards and business continuity management. This data shows that, for example, standard ISO 22301:2012 is already implemented frequently in developing and emerging nations.²³ The effectiveness of standards in social and economic crises has not been investigated very much up until now however. No publications have been identified that explore the effectiveness of specific standards on business resilience or on BCM. The global corona virus pandamic is an opportunity to investigate the efficacy of existing standards, as well as the areas in which they can be improved upon, and thus lay the foundation for higher levels of resilience in future crises.

_{22 For example, during the Severe Acute Respiratory Syndrome (SARS) pandemic in 2003, organisations were shown to be able to alleviate the direct effects of the pandemic by having analysed multiple scenarios at an early stage, meaning they could respond to the crisis with the various options they had prepared. In this context, standards such as ISO/IEC 31000:2009 or ISO/IEC 31010:2009 can provide the framework for risk analysis and for implementing a risk management system.}

_{Even implementing an environmental management system as per ISO 14001 can, for example, contribute to the resilience of a company by implementing an emergency management system. Studies have shown that companies that meet high environmental criteria in the "corporate governance, environmental and social practices" (CESPs) proved to be especially resilient during the financial crisis of 2008 (Palmi et al.: 2018)}

_{23 So, for example, in 2018 India had 132 certificates based on ISO 22301:2012, the Philippines had 33, Mexico had 24, and Nigeria had 28. The country with the highest number of certificates is the UK with 290 (ISO:2018c)}

Abbreviations

BCM	Business Continuity Management
BCMS	Business Continuity Management System
BS	British Standards
CESPS	Corporate governance, environmental and social practices
DS	Danish Standards
ISO	International Organisation for Standardization
NFPA	National Fire Protection Association
NIST	National Institute of Standards and Technology
SARS	Severe Acute Respiratory Syndrome
UNDRR	United Nations Office for Disaster Risk Reduction
UNECE	United Nations Economic Commission for Europe

References

Advisera, 2017. Wie kann ISO 9001 das Wachstum Ihres unternehmens fördern? (“How can ISO 9001 promote growth for your company?”).
Available from: https://info.advisera.com/9001academy/de/kostenlose-download/wie-kann-iso-9001-das-wachstum-ihres- unternehmens-foerdern

Blyth, M., 2009. Business Continuity Management: Building an Effective Incident Management Plan.
Available from: https://www.wiley.com/en-us/Business+Continuity+Management%3A+Building+an+Effective+Incident+Management +Plan-p-9780470478097

British Standards Institution – BSI, 2020a. Vorteile und Nutzen von Normen. (“Advantages and uses of Standards.”)
Available from: https://www.bsigroup.com/de-DE/Normen/Vorteile-der-Nutzung-von-Normen/

British Standards institution – BSI, 2020b. Innovationen und Wachstum durch Normen fördern. Verfügbar auf:
https://www.bsigroup.com/de-DE/Normen/Vorteile-der-Nutzung-von-Normen/Foerdern-von-Innovation-und- Wachstum-durch-Normen/

British Standards institution – BSI, 2020c. unternehmen resilienter machen – Risiken verringern (“Making Companies More Resilient – Reducing Risks”).
Available from: https://www.bsigroup.com/de-DE/Normen/Vorteile- der-Nutzung-von-Normen/Verringern-der-Unternehmensrisiken-durch-Nutzung-von-Normen/

Bundesamt für Sicherheit in der Informationstechnik, 2008. BSI-Standard 100-4 Notfallmanagement (“German Federal Office for Information Security, 2008. BSI-Standard 100-4 Emergency Management”).
Available from: https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzStandards/Standard04/ITGStandard04_node. html

Business Continuity Institute, 2020. BCI Statement on Organizational Resilience.
Available from: https://www.thebci.org/knowledge/bci-statement-on-organizational-resilience.html

CEN CENELEC, 2020. Types of standards.
Available from: https://www.cencenelec.eu/research/innovation/ standardstypes/Pages/default.aspx

European Commission (Eu), 2012. The Eu Approach to Resilience: Learning from Food Security Crises.
Available from: https://ec.europa.eu/echo/files/policies/resilience/com_2012_586_resilience_en.pdf

Fidelity, 2020. Sacar ventaja en una crisis: Ser sostenible y batir el mercado. International Standards Office, 2011. ISO/TC 262 – Risk management.
Available from: https://www.iso.org/committee/629121.html

International Standards Office, 2014. ISO/TC 292 – Security and resilience.
Available from: https://www.iso.org/committee/5259148.html

International Standards Office, 2014. ISO/TC 292 – Strategic business plan.
Available from: https://isotc.iso.org/livelink/livelink/fetch/2000/2122/687806/ISO_TC_292__Security_and _resilience_. pdf?nodeid=17840581&vernum=-2

International Standards Office, 2017. ISO 22316:2017 – Security and resilience – Organizational resilience – Principles and attributes.
Available from: https://www.iso.org/standard/50053.html

International Standards Office, 2018a. ISO/TS 22330:2018 – Security and resilience – Business continuity management systems – Guidelines for people aspects of business continuity.
Available from: https://www.iso.org/standard/50067.html

International Standards Office, 2018b. ISO 31000:2018 Risk management – Principles and Guidelines.
Available from: https://committee.iso.org/sites/tc262/home/projects/published/iso-31000-2018-risk-management.html

International Standards Office, 2018c. The ISO Survey of Management System Standard Certifications 2018.
Available from: https://www.iso.org/the-iso-survey.html

International Standards Office, 2019. ISO 22316:2019 – Security and resilience – Organizational resilience – Principles and attributes.
Available from: https://pecb.com/en/education-and-certification-for-individuals/iso-22316

International Standards Office, 2019. ISO 22301:2019 – Security and resilience – Business continuity management systems – Requirements.
Available from: https://www.iso.org/standard/75106.html

National Fire Protection Association, 2019. NPFA 1600 Standard on Continuity, Emergency, and Crisis Management.
Available from: https://www.nfpa.org/codes-and-standards/all-codes-and-standards/list-of-codes-and-standards/ detail?code=1600

National Institute of Standards and Technology, 2016. Community Resilience Program.
Available from: https://www.nist.gov/programs-projects/community-resilience-program

National Institute of Standards and Technology, 2010. Contingency Planning Guide for Federal Information Systems.
Available from: https://nvpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf

Palmi, P. et al., 2018. How did Organizational Resilience Work before and after the Financial Crisis? An Empirical Study. Available from: www.researchgate.net/publication/327473787_How_Did_Organizational_Resilience_ Work_Before_and_after_the_Financial_Crisis_An_Empirical_Study
Prammer, H., 2014. Ressourceneffizientes Wirtschaften (“Resource Efficient Economic Activity”).
Available from: http://booksgoogle.com

Sheffi, y., (2005). A supply chain view of the resilient enterprise.
Available from: https://www.researchgate.net/publication/255599289_A_Supply_Chain_View_of_the_Resilient_Enterprise

united Nations Office for disaster Risk Reduction, Sendai Framework for disaster Risk Reduction 2015–2030.
Available from: https://www.undrr.org/implementing-sendai-framework/what-sf

united Nations Economic Commission for Europe, 2015. Standards for disaster Risk Reduction.
Available from: https://www.unece.org/index.php?id=42065&L=0

united Nations Economic Commission for Europe, 2019. Resilience to disasters for Sustainable development.
Available from: http://www.unece.org/ab/sustainable-development/disaster-risk-reduction/disaster-resilience-for- sustainable-development.html

u.S Green Building Council, 2017. Building Resilience Los Angeles.
Available from: https://usgbc-la.org/programs/building-resilience/

An Overview of Existing Standards, Specifically in regard to Business Resilience

Institution	Number	Name	Description
General Standards
ISO	ISO 31000:2018	Risk Management - Guidelines	Guidelines for risk management
ISO	ISO 22300:2018	Security and resilience – Vocabulary	Terms and definitions
ISO	ISO 22301:2019	Security and resilience – Business continuity management systems – requirements	Basic requirements for a business continuity management system
ISO	ISO 22313:2020	Security and resilience – Business Continuity Management systems – guidance on the use of ISO 22301	Guidance for using ISO 22301
ISO	ISO 22316:2017	Security and resilience – Organizational resilience – Principles and attributes	Principles for developing a resilient organisation
Standards for Organisations
ISO	ISO/TS 22317:2015	Societal security – Business continuity management systems – Guidelines for business impact analysis (BIA)	Guidelines for business impact analysis (BIA)
ISO	ISO/TS 22318:2015	Societal security – Business continuity management systems – Guidelines for supply chain continuity	Business continuity management of supply chains
ISO	ISO 22319:2017	Security and resilience – Community resilience – Guidelines for planning the involvement of spontaneous volunteers	Guidelines for planning the involvement of spontaneous volunteers in threat protection

_Legends:

_{International standards have a white background.
National standards have a grey background.
Standards under development are in blue letters.}

_{Note: Standards under development, status as of 20.05.2020}

Institution	Number	Name	Description
ISO	ISO 22320:2018	Security and resilience – Emergency management – Guidelines for incident management	Guidelines for organising threat protection during incidents
ISO	ISO 22325:2016	Security and resilience – Emergency management – Guidelines for capability assessment	Guidelines for evaluating an organisation‘s ability to handle emergencies
ISO	ISO 22326:2018	Security and resilience – Emergency management – Guidelines for monitoring facilities with identified hazards	Guidelines for monitoring facilities with identified hazards
ISO (draft)	ISO/Cd 22329	Security and resilience – Emergency management – Guidelines for the use of social media in emergencies	[draft] Guidelines for the use of social media in emergencies
ISO	ISO/TS 22330:2018	Security and resilience – Business continuity management systems – Guidelines for people aspects of business continuity	Guidelines for preparing people that are affected by an incident
ISO	ISO/TS 22331:2018	Security and resilience – Business continuity management systems – Guidelines for business continuity strategy	Guidelines for developing and selecting a strategy for business continuity management
ISO (draft)	ISO/AWI TS 22332	Security and resilience – Business continuity management systems – Guidelines for developing business continuity plans and procedures	[draft] Guidelines for developing business continuity plans and procedures
ISO (draft)	ISO/Wd 22340	Security and resilience – Protective security – Guidelines for establishing an enterprise protective security architecture and management framework	[draft] Guidelines for an essential organisational structure for preventative security measures
ISO (draft)	ISO/AWI 22342	Security and resilience – Protective security – Guidelines for the development of a security plan for an organization	[draft] Guidelines for drafting a security plan to protect people, materials, or immaterial goods
ISO (draft)	ISO/Wd 22343	Security and resilience – Vehicle security barriers – Performance requirement, vehicle impact test method and performance rating	[draft] Guidelines for vehicle security barriers

Institution	Number	Name	Description
ISO	ISO/TR 22351:2015	Security and resilience – Emergency management – Message structure for exchange of information	Guidelines for uniform portrayal and assessment of situations
ISO (draft)	ISO/AWI 22361	Security and resilience – Crisis Management – Guidelines for developing a strategic capability	[draft] Guidelines for developing an organisation‘s crisis handling skills
ISO	ISO/TS 22375:2018	Security and resilience – Guidelines for complexity assessment process	Guidelines for assessing the complexity of an organisation
ISO	ISO 22380:2018	Security and resilience – Authenticity, integrity and trust for products and documents – General principles for product fraud risk and countermeasures	Guidelines for security and principles for preventing product fraud
ISO	ISO 22381:2018	Security and resilience – Authentic- ity, integrity and trust for products and documents – Guidelines for es- tablishing interoperability among object identification systems to de- ter counterfeiting and illicit trade	Guidelines for establishing interoperability between object identification systems to deter counterfeiting and illicit trade
ISO (draft)	ISO/dIS 22383	Security and resilience – Authenticity, integrity and trust for products and documents – Guidelines and performance criteria for authentication solutions for material goods	[draft] Guidelines for authenticating products during their life cycle
ISO (draft)	ISO/dIS 22384	Security and resilience – Authentic- ity, integrity and trust for products and documents – Guidelines to establish and monitor a protection plan and its implementation	[draft] Guidelines for assessing dangers, and for authenticating products during their life cycle
ISO	ISO 22392:2020	Security and resilience – Community resilience – Guidelines for conducting peer reviews	Guidelines for implementing peer assessments in order to reduce the risk of catastrophes
ISO	ISO 22395:2018	Security and resilience – Community resilience – Guidelines for supporting vulnerable persons in an emergency	Guidelines for supporting vulnerable people‘s ability to react to emergencies
ISO	ISO 22398:2013	Societal security – Guidelines for ex- ercises	Guidelines for practising and testing

Institution	Number	Name	Description
ISO	ISO 44001:2017	Collaborative business relationship management systems – Require- ments and framework	Requirements for business relationship management systems
BS – British Standard	BS 65000:2014	Guidance on Organizational Resilience	Guide to implementing business resilience (includes a questionnaire)
DS – Danske Standard	dS 3001:2009	Organizational Resilience: Security, Preparedness, And Continuity Management Systems – Require- ments with Guidance for use	Requirements for a resilience management system for an organisation
Topic-Specific Resilience Standards
ISO	ISO/IEC 27001:2013	Information technology – Security techniques – Information security management systems – Requirements	Requirements for an information security management system (ISMS)
ISO	ISO/IEC 27000:2018	Information Technology – Security Techniques – Information Security Management Systems – Overview and vocabulary	IT terms and definitions
ISO	ISO/IEC 27002:2013	Information technology – Security techniques – Code of practice for information security controls	Recommendations for information security control mechanisms
ISO	ISO/IEC 27003:2017	Information technology – Security techniques – Information security management systems – Guidance	Support for implementing ISO 27001
ISO	ISO/IEC 27005:2018	Information technology – Security techniques – Information security risk management	Guide to risk analysis and risk management in IT
ISO	ISO/IEC 27010:2015	Information Technology – Security Techniques – Information Security Management for inter-sector and inter-organizational communi- cations	Guide to information security in inter-organizational communications
ISO	ISO 28000:2007	Specification for Security management systems for the supply chain	Specification for Safety Manage- ment Systems for the Supply Chain*

_{* Certification is conducted via accredited certification services. ISO/TC292 established a team for reviewing and updating the standard. (WG 8). In this context, there are no plans to remove existing or add new requirements for this standard. In 2016, the countries with the largest number of certifications were India (425), Japan (299), Spain (231), the uSA (223), and the uk (197).
https://www.isotc292online.org/news-archive/the-revision-of-iso-28000-will-begin-in-september-in-bangkok/}

Institution	Number	Name	Description
ISO	ISO 28001:2007	Security management systems for the supply chain – Best practices for implementing supply chain security, assessments and plans – Requirements and guidance	Guidelines for best practices when implementing supply chain security systems
ISO	ISO 28002:2011	Security management systems for the supply chain – development of resilience in the supply chain – Requirements with guidance for use	Requirements for security error margins in the supply chain
ISO	ISO 28003:2007	Security management systems for the supply chain – Requirements for bodies providing audit and cer- tification of supply chain security management systems	Requirements for institutes that audit and certify security management systems
ISO	ISO 28004-1:2007	Security management systems for the supply chain – Guidelines for the implementation of ISO 28000 – Part 1: General principles	Guidelines for general principles, systems, and supportive security management work techniques for the supply chain
ISO	ISO 28004-3:2014	Security management systems for the supply chain – Guidelines for the implementation of ISO 28000 – Part 3: Additional specific guidance for adopting ISO 28000 for use by medium and small businesses (other than marine ports)	Additional specific guidance for small and medium sized businesses adopting ISO 28000 (not including marine ports)
ISO	ISO 28004-4:2014	Security management systems for the supply chain – Guidelines for the implementation of ISO 28000 – Part 4: Additional specific guidance on implementing ISO 28000 if compliance with ISO 28001 is a management objective	Additional specific guidance on implementing ISO 28000 if compliance with ISO 28001 is a management objective
NIST	NIST – Special Publication 800-34 Rev. 1	National Institute of Standards and Technology – Contingency Planning Guide for Federal Information Systems	Contingency planning guidelines for IT

Institution	Number	Name	Description
Societal Resilience Standards
ISO	ISO 22315:2014	Societal security – Mass evacuation – Guidelines for planning
ISO	ISO 22322:2015	Societal security – Emergency management – Guidelines for public warning	Guidelines for developing, maintaining, and implementing public warning systems, during and after incidents.
ISO	ISO 22324:2015	Societal security – Emergency management – Guidelines for colour-coded alerts	Colour-coded public warning systems
ISO	ISO 22327:2018	Security and resilience – Emergency management – Guidelines for implementation of a community-based landslide early warning system	Guidelines for implementing early warning systems for landslides
ISO (draft)	ISO/dIS 22328-1	Security and resilience – Emergency management – Part 1: General guidelines for the implementation of a community- based disaster early warning system	[draft] Guidelines for implementing community early warning systems
ISO (draft)	ISO/dIS 22341	Security and resilience – Protective security – Guidelines for crime prevention through environmental design	[draft] Guidelines for procedures to reduce crime in new or existing premises
ISO (draft)	ISO/Wd 22350	Security and resilience – Emergency management – Framework	[draft] Frameworks for emergency management (under development)
ISO (draft)	ISO/AWI 22360	Security and resilience – Crisis management – Concept, principles and framework	[draft] Basic requirements for crisis management (under development)
ISO	ISO/TR 22370:2020	Security and resilience – urban resilience – Framework and principles	Guidelines for improving the security and resilience of population centres, e. g. cities and communities
ISO (draft)	ISO/AWI 22371	Security and resilience – urban resilience – Framework, model and guidelines for strategy and implementation	[draft] Guidelines for developing a strategy for building up resilience in cities
ISO (draft)	ISO/AWI 22379	Security and resilience – Guidelines for hosting and organizing large citywide events	[draft] Guidelines for organising citywide events

Institution	Number	Name	Description
ISO	ISO 22382:2018	Security and resilience – Authentic- ity, integrity and trust for products and documents – Guidelines for the content, security, issuance and examination of excise tax stamps	Guidelines for the content, security, issuance and examination of excise tax stamps
ISO	ISO 22396:2020	Security and resilience – Community resilience – Guidelines for information exchange between organizations	Guidelines for information exchange between organizations
ISO	ISO 22397:2014	Societal security – Guidelines for establishing partnering arrangements	Guidelines for establishing partners for incidents
uNECE	ECE/TRAdE/424	Standards for disaster Risk Reduction	Guidelines for demonstrating the possibilities offered by standards in preventing and handling catastrophes
uNdRR	Sendai Framework for disaster Risk Reduction	Sendai Framework for disaster Risk Reduction 2015–2030	A framework for making societies and communities more resilient to catastrophes
BSI	BSI-Standard 100-4	Notfallmanagement	Systemic approach to establishing emergency management in an agency or company
NFPA	NFPA 1600:2019	National Fire Protection Association – Standard on Continuity, Emer- gency, and Crisis Management	Standard for catastrophe preparation
NIST		Community Resilience Program	A program to support communities and interested parties in planning and attending to aspects that increase resilience in society
uS Green Building Council		Building Resilience Los Angeles	Supporting resilience at the local level

E-Learning Resources

A selection of e-learning resources for promoting business resilience, and for business continuity management:

BCM-Institute: www.bcm-institute.org/courses/business-continuity-management-courses-2/bcm-e- learning/
BCM Academy: www.bcmacademy.de/de/ausbildung/elearning
TÜV Süd: www.tuvsud.com/en-in/services/training/e-learning-courses/bcm-awareness
BISG – Bundesverband der IT-Sachverständigen und -Gutachter e.V. (The German Federal Society for IT Experts and Consultants): www.bisg-ev.de/kalender/event/2020-04-27/online-training-bc120-iso-22301-bcm- implementierung