In 2007, the U.S. Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA) were charged with the management of the Private-Sector Preparedness (PS-Prep) certification process. The overall process for obtaining PS-Prep certification is now established and companies are working to determine their readiness for a PS-Prep third-party audit. The first step in determining readiness is to identify the standard to which your organization should become certified.
There are three standards to choose from: ASIS SPC.1:2009, BS 25999-2: 2006, or NFPA 1600: 2010. Let’s begin by comparing the scope of the three standards.
- ASIS SPC.1:2009 emphasizes resilience, the adaptive capacity of an organization in a complex and changing environment, as well as protection of critical assets.
  - Primary Objective: Positions an organization to more readily prepare for and respond to all manner of intentional, unintentional, and/or naturally caused disruptive events. (Section 1, Page 2)
- BS 25999-2: 2006 specifies requirements for setting up and managing an effective business continuity management system.
  - Primary Objective: Improve business continuity for organizations of all sizes and operating in various sectors. (Introduction, page 1)
- NFPA 1600: 2010 promotes a common set of criteria for all hazards, disaster/emergency management, and business continuity programs.
  - Primary Objective: Provides the fundamental criteria to develop, implement, assess, and maintain the program for prevention, mitigation, preparedness, response, continuity, and recovery. (Chapter 1.1 page 1600-5)
The following are some general observations that can be made regarding the standards:
- ASIS SPC.1: 2009 and NFPA 1600 are free. They can be downloaded from the Internet.
- ASIS SPC.1: 2009 and NFPA 1600 have the guidance documents included in the standards themselves. BS 25999-2 is the auditable part of the standard and BS 25999-1: 2007 is the guidance document. They are both available for purchase; however, BCI (www.theBCI.org) has developed Good Practice Guidelines that can assist with the interpretation of the standard and are available on the website.
- ASIS SPC.1: 2009 and BS 25999-2: 2006 are management system standards. If your organization has implemented other management systems such as ISO 9001, 14001, 27001 or others, the implementation of another management system standard can follow the same process.
- ASIS SPC.1: 2009 and BS 25999-2: 2006 use the internationally recognized “standard” approach to standard writing. NFPA 1600: 2010 uses the NFPA approach.
- ASIS SPC.1: 2009 is the basis for the new ISO 22323 standard on organizational resilience, still in draft form.
- BS 25999-2: 2006 is the basis for the new ISO 22301 standard on business continuity management, which has been approved and is set to be released mid-2012.
- NFPA 1600: 2010 is the basis for the new ISO 22320 Standard on Emergency Management – Requirements for Incident Response, published in 2011.
- Each of the standards has a scope for risk identification and risk management that may be larger than most organizations have used for their current Business Continuity Management (BCM) program.
Next, let’s look at how they compare using the different categories used in the standards. To simplify the process, the comparison will focus on what is different, rather than what is the same. The comparison is not a line-by-line comparison but rather based on key concepts and categories.
The comparison is organized by category; under each category, the observations are listed by standard (ASIS SPC.1: 2009, BS 25999-2: 2006, NFPA 1600: 2010), or once where they apply to more than one standard.

- Scope & Objectives of the System
  - ASIS SPC.1: 2009: Requires a “Statement of Applicability” as part of the scope statement that defines the strategic weighting of security management, preparedness, emergency management, disaster management, crisis management, and business continuity management. Scope shall include protecting & preserving the integrity of the organization & its relationship with stakeholders, including:
  - BS 25999-2: 2006: Scope shall include the key products and services of the organization as tied to the organization’s objectives and obligations.
  - NFPA 1600: 2010: Includes a program budget and schedule in the scope statement.
- Policy
  - ASIS SPC.1: 2009: Has a list of 15 items that must be included in the policy statement.
- Legal & Other Requirements
  - All three standards: Each of the 3 Standards requires the entity to identify its legal, regulatory and other requirements, to document those requirements in the policy, and to ensure that they are included in the scope of the program.
- Management Commitment / Commitment of Resources
  - ASIS SPC.1: 2009: Requirements range from determining roles & responsibilities to many requirements for “evidence” of management representatives to manage and maintain the system.
  - BS 25999-2: 2006: Requirement to determine the necessary competencies for the personnel assigned to perform the required tasks.
  - NFPA 1600: 2010: Focus is on different “titles” or jobs that demonstrate commitment of resources, as well as on the financial and administrative framework for the program, including short- and long-term objectives.
- (Business) Impact Analysis
  - ASIS SPC.1: 2009: Assessment of impacts should include:
    Analysis shall include:
    Identify intentional, unintentional, and naturally caused hazards and threats that may have an impact on the organization’s operations, functions, and human, intangible, and physical assets, the environment and its stakeholders.
  - BS 25999-2: 2006: A requirement to establish the Maximum Tolerable Period of Disruption (MTPD) for each activity. Risk assessment can be limited to the risks to the critical activities identified in the BIA. Focus is on understanding the threats to and the vulnerabilities of its critical activities and supporting resources, including suppliers and partners.
  - NFPA 1600: 2010: Assessment of impacts should consider the following:
    Must use the “all hazards” approach, including natural, human-caused, and technologically caused. Includes an impact analysis and a vulnerability assessment in addition to the business impact analysis.
- Determining Strategies or Risk Treatment
  - ASIS SPC.1: 2009: Focus of strategies is on prevention, mitigation, response, continuity, and recovery.
  - BS 25999-2: 2006: Focus of strategies is on an estimate of the resources needed for each activity, including:
  - NFPA 1600: 2010: Focus of strategies is on prevention, mitigation, resource management, mutual aid, and employee assistance.
- Documentation & Records
  - ASIS SPC.1: 2009 and BS 25999-2: 2006: For both Standards, all elements of the BCM program must be documented, and the documents must be controlled and maintained using a records management system.
  - NFPA 1600: 2010: No requirements on what should be documented, but what is documented shall be part of the records management system.
  - Procedures to be documented include:
  - The procedures that make up the program are divided into the:
  - Procedures to be documented include:
- Awareness & Training: Competence
  - All three standards: Each of the 3 Standards stresses the importance of those who are charged with responsibilities in the program being “competent” to do so. Identification of training needs and the development of awareness & training for all employees are also key points.
- Testing & Exercising
  - All three standards: Each of the 3 Standards identifies the importance of testing and exercising at planned intervals, the need for a formal exercise program, the use of a variety of scenarios, the evaluation of each exercise, and the production of a report that is submitted to management for review.
- Program Maintenance & Improvement
  - ASIS SPC.1: 2009 and BS 25999-2: 2006: Both of these Standards require formal maintenance of the plans and management review of the program on a regular basis. Both Standards require an internal audit program that identifies preventive and corrective actions. Management review requires certain inputs and outputs as part of demonstrating continual improvement.
  - NFPA 1600: 2010: The NFPA Standard does not require an internal audit. The term “program reviews” is used, and the responsibility for completing the reviews is “management”. Review can be conducted through self-assessment or audit at planned intervals.
For those that are still not sure which standard is best for their organization, here are a few more observations:
- ASIS SPC.1: 2009 has a broad scope of coverage, including security, with a strong focus on risk. It is a great tool for program development as it includes a lot of detail and requirements. Some believe that the organizational resilience focus is better for marketing purposes. However, it may be difficult to use with an existing BCM program as it is very specific and leaves little room for flexibility during an audit. It may also require a larger scope for certification than the other two standards.
- BS 25999-2: 2006 is very comprehensive and succinct. If taken with BS 25999-1: 2007 or BCI’s Good Practice Guidelines, it provides a solid framework for program development as well as auditing the program. That said, its conciseness does leave some room for interpretation. It is currently the most widely accepted and utilized standard internationally.
- NFPA 1600: 2010 is aligned with the U.S. federal government and U.S. emergency management programs. It utilizes the incident command system approach, which is highly recognized for its command and control structure. Many public sector organizations as well as universities have used the standard as a reference, and their plans are available for review on the Internet. However, application to the private sector may be more difficult, as it includes several requirements that most private sector organizations would not need to consider. It is also more focused on disaster response.
The purpose of PS-Prep is to increase the preparedness of the private sector by providing formal recognition of businesses whose processes conform to one or more of the standards. As a voluntary program, organizations are not required to participate but certification provides an independent assessment of an entity’s preparedness to survive, respond to, and recover more effectively from adverse conditions.
Will any of your customers require you to be PS-Prep™ certified? Can you use the certification to reduce the burdens of external audits? Can you use the certification to gain market share?
It’s time to review your program’s audit readiness — get started now!
Lynnda Nelson is the President of The International Consortium for Organizational Resilience (ICOR).