A Guide To PS-Prep Certification
What Is PS-Prep Certification?
The Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep) is designed to encourage private sector preparedness by assessing whether an organization complies with one or more of the standards adopted by the Department of Homeland Security (DHS). The program is based on established conformance assessment processes widely used in business and industry.
PS-Prep provides the structure and associated information tools to facilitate preparedness and certification. Conformance with one or more of the standards helps foster resilient organizations.
In June 2010, three non-industry specific standards were identified and accepted for compliance to meet the requirements established in Public Law 110-53. DHS defines the standards as a “common set of criteria for preparedness, disaster management, emergency management and business continuity programs.”
Each standard helps organizations establish a comprehensive preparedness program that best addresses the needs of the industry and organization:
- ASIS SPC.1–2009 — Organizational Resilience: Security Preparedness and Continuity Management Systems — Requirements with Guidance for Use.
- British Standard 25999–2:2007 — Business Continuity Management.
- National Fire Protection Association 1600–2010 — Standard on Disaster/Emergency Management and Business Continuity Programs.
In the context of PS-Prep, certification is confirmation that an accredited third party has validated an entity’s conformance with one or more of the DHS-adopted standards.
Once an entity is certified, there will be a periodic assessment and audit process (three year cycle) so that the certification body can validate the entity’s continued conformity. The certificate “mark” signifying PS-Prep certification is yet to be released by the DHS.
Why Should An Organization Become Certified?
Obtaining third-party certification provides an independent assessment of an entity’s preparedness to survive, respond to and recover more effectively from adverse conditions. In addition, certification:
- Provides an independent, objective evaluation that enables internal and external stakeholders to give credence to an organization’s preparedness.
- Makes a powerful statement to customers, employees and other stakeholders.
- Helps demonstrate to stakeholders that a business is run effectively, and that it will continue to do so in the event of a disruption.
- Improves overall performance, removes uncertainty and widens market opportunities.
The process of achieving and maintaining certification also helps ensure that you are continually improving and refining your business continuity management (BCM) activities, while the regular assessment process will improve staff responsibility, commitment and motivation.
Despite all these internal reasons, the deciding factor for many companies will be that a major customer requires some evidence of competent BCM performance. With a global supply chain, large organizations may audit their suppliers to determine if they have a viable plan for business continuity or disaster management.
By conforming to and being certified against the PS-Prep standards, a business may save the time, effort and cost associated with audits, as large organizations should recognize certification as equivalent to their own audits. Also, companies may prefer to do business with suppliers that have a certified preparedness plan in place.
Who Should Get Certified?
Certification is voluntary — no private sector entity is required by DHS to seek or obtain PS-Prep certification; however, DHS encourages all private sector entities to consider seeking certification to one or more of the standards.
Title IX of Public Law 110-53 identifies the process for private sector organizations to become certified. Small businesses are allowed to use a first party self-declaration of conformity to one or more of the standards. The definition of a “small business” and the requirements for first party self-declaration of conformity are as yet undetermined. All other organizations are required to use third party certification by an ANSI-ASQ National Accreditation Board (ANAB) accredited certifying body.
It is important that organizations hire an ANAB accredited certifying body to conduct the third party audit for certification. The certifying bodies have completed rigorous training to ensure that they are competent to conduct the audits, and they are the only entities allowed to certify under PS-Prep.
For an up-to-date listing of the certifying bodies currently accredited by ANAB and other information about PS-Prep certification, visit www.anab.org/accreditation/preparedness.aspx.
How To Get Certified
Before an organization applies for third party certification from an ANAB-approved certifying body, it must ensure that it is prepared by considering the following questions.
- Which Standard?
The first step is to decide which standard or standards your organization will be certified to. To answer this question, review each of the three standards to determine which one is best aligned to the program you already have in place.
You may find that different parts of your organization align to different standards. An organization can choose to be certified against one, two or all three standards. However, you cannot pick and choose elements from each of the standards; you must conform to all elements of each standard chosen.
- What Is The Scope?
This is probably the most important decision in the process. The scope must be broad enough to protect the integrity of the organization — that is, providing goods and services — while considering critical operational objectives, assets, functions, services and products.
This includes the organization’s relationship with stakeholders, including key suppliers, outsourcing partners and customers. The organization will also need to identify key products and services within the scope of the organization’s business continuity management system (BCMS).
Decisions on the products, services or locations to include within the scope may be prompted by one or more of the following factors:
• A customer requirement.
• A regulatory or statutory requirement.
• Perceived high-risk location due to proximity to other industrial premises or physical threats such as flooding.
• Product being an overwhelming proportion of organizational income.
The scope can be limited to headquarters, a particular product or service, or a location. The scope should align with the findings of the business impact analysis.
- How Mature Is Your Program?
Do you remember when business continuity professionals would discuss how to move the business continuity “project” to a “program”? When you consider your organization’s readiness to be audited against one or more of the three standards, you should determine if your business continuity program is a “management system”.
Key components of all management systems include:
• A policy.
• People with defined responsibilities.
• Management processes relating to:
— Implementation & operation.
— Performance assessment.
— Management review.
• A set of documentation providing auditable evidence.
• Topic specific processes relating to the subject.
Planning For The Certification Process
Planning for third party certification takes a commitment from the organization in both time and resources. At least one internal audit must be completed prior to the third party assessment.
Like the auditing of other management systems, the PS-Prep audit process contains the following stages:
- Pre-Audit (Optional): Finds the gaps (holes in the system), teaches personnel how to be audited and does not result in official audit nonconformities.
- Stage 1 Audit: Determines readiness for Stage 2 via review of management’s commitment, resources and preparations, the business impact analysis, plans and procedures, audit scope, limited implementation review, and Stage 2 plans.
- Stage 2 Audit: Audit of the full system including compliance to all requirements, evaluation of effectiveness of the system and determination of whether the company should be certified. This is ideally conducted at least 30 days but no more than 90 days after Stage 1.
- Nonconformities Addressed: There are two levels of nonconformities: major and minor. Both require correction in the form of cause identification, corrective action and verification by the certifying body.
- Certification Granted: Granted after completion of the Stage 2 Audit and the acceptable responses by the applicant to address all nonconformities. The certification period is three years.
- Surveillances: Sample continued implementation and effectiveness of the system. Usually, the first surveillance is completed 12 months after completion of the Stage 2 Audit and the second surveillance 12 months later. Surveillance takes about one-third of the amount of time required for the first audit.
- Recertification: Review of the complete system to the entire standard (generally requires less time than Stage 1 and Stage 2 Audits) and must be conducted before the certificate expires (three years from the Stage 2 Audit).
Professionals who wish to prepare organizations for PS-Prep Certification should consider a training course. There are several options in the marketplace:
- ASIS International: Organizational Resilience: Implementing and Auditing and the ASIS American National Standard. This two-and-a-half day course teaches the ASIS SPC.1 Standard.
- Business Continuity Institute: BS 25999 Lead Auditor. This five day course teaches the BS 25999 standard.
- DRI International: BCLE-AUD – Certified Business Continuity Auditor. This five day course explores different standards, laws and regulations.
- The International Consortium for Organizational Resilience (ICOR): ICOR offers two courses, both accredited by ANSI:
• BCM 5000: Auditing BCM Programs for PS-Prep Certification. This five day course prepares certifying bodies, internal auditors and consultants to audit a BCMS against all three PS-Prep standards. In addition, business continuity professionals can use this course to prepare their organization for a third party audit. This is the only ANSI Accredited training course and has been taken by ANAB and the certifying bodies.
• BCM 4050: Business Continuity Maturity Model (BCMM) Assessor’s Training. This two day ANSI accredited course prepares BC professionals to use the BCMM® as an internal audit tool for both benchmarking and PS-Prep certification preparation.
Now is a good time to learn more about the three standards, talk to senior management and your auditing leadership about PS-Prep, and determine how your organization might benefit from PS-Prep certification. For more information, visit www.fema.gov/privatesector/preparedness.
Lynnda M. Nelson, President of The International Consortium for Organizational Resilience (ICOR), manages the day-to-day operations of ICOR’s education program. Lynnda is also a professor for Norwich University’s Masters of Business Continuity Degree Program (MSBC). Lynnda can be contacted at Lynnda@theicor.org.