Standards should guide the development of, and provide the criteria for assessment of, programs to protect life, property, operations, and the organization’s reputation, relationships with stakeholders, and finances.
A code is “a standard that is an extensive compilation of provisions covering broad subject matter or that is suitable for adoption into law independently of other codes and standards.” [NFPA] The National Electrical Code and Life Safety Code® are examples.
“A standard is a document, which is in a form generally suitable for adoption into law or adoption by a public or private organization. Mandatory provisions are located in the body of the document, and nonmandatory provisions and explanatory material are located in an annex, appendix, footnote, or fine-print note.” [NFPA]
“A standard is a document that provides requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose.” [ISO]
Many laws and regulations incorporate standards by referencing them. For example, many Occupational Safety and Health Administration regulations incorporate fire protection and life safety requirements by referencing standards published by the NFPA. Many states and other political jurisdictions incorporate model codes and standards such as those published by ASTM International, the International Code Council, or NFPA into their building, life safety, and fire prevention codes. Referenced codes and standards then become legal requirements subject to any amendments within the regulation or statutory relief within the enabling legislation.
A professional practices document such as DRI International’s “Professional Practices for Business Continuity Management” is a “body of knowledge designed to assist in the development, implementation, and maintenance of business continuity programs. It also is intended to serve as a tool for conducting assessments of existing programs.” The Good Practice Guidelines published by The Business Continuity Institute “describes not just what practitioners should do but provides information about why and how to do it.” Both DRI and BCI utilize their respective documents for professional certification of individual practitioners.
A “guide” document “provides comprehensive information and recommendations to assist users in understanding and implementing best practices.” [NFPA] Guides are not mandatory and do not establish enforceable requirements.
Donald L. Schmidt, CEO of Preparedness, LLC was a contributing author and reviewer of the 2012, 2017, and 2023 editions of the Professional Practices, and he is an instructor of DRI professional certification courses.
NFPA 1600 “Standard on Continuity, Emergency, and Crisis Management” is published by the National Fire Protection Association (NFPA). First promulgated in 1995, the 8th and latest edition was published in 2019 and is still available.
NFPA 1600, NFPA 1616, “Standard on Mass Evacuation, Sheltering, and Re-entry Programs,” 2020 edition, and NFPA 1620, “Standard for Pre-Incident Planning” 2020 edition were consolidated into the first edition of NFPA 1660. NFPA 1660 “Standard for Emergency, Continuity, and Crisis Management: Preparedness, Response, and Recovery” was published by NFPA with a cover edition of 2024.
NFPA 1600 2019 edition chapters 4 through 10 are almost without change within the new NFPA 1660 and have retained their numbering. NFPA 1660’s Chapter 1, “Administration” has been expanded to encompass the broader scope, purpose, and application of the three formerly separate standards. An expanded list of publications can be found in Chapter 2, and a much longer list of definitions can be found in Chapter 3. A new section 4.1 “Administration” encompasses the scope, purpose, and application from 1600-2019 requiring subsections to be renumbered 4.2 through 4.9. Otherwise, there are no significant changes to the text from chapters 4-10 of NFPA 1600-2019.
NFPA 1600 “establishes a common set of criteria for all-hazards disaster/crisis/disaster/emergency management and business continuity/continuity of operations programs, hereinafter referred to as program.”
NFPA 1600 and NFPA 1660 define the elements of, and the connectivity of elements within, the “program.” Chapter 4, “Program Management,” includes requirements for leadership, the “coordinator” assigned responsibility for the program, a program committee, laws and authorities, administration, financing, and records management. Planning, including risk assessment, business impact analysis, and resource needs assessment, is located in Chapter 5.
Implementation (Chapter 6) includes planning requirements and specific requirements for plans and strategies: prevention, mitigation, crisis management, crisis communications, emergency response, continuity and recovery, incident management, and employee assistance and support. Chapter 7, “Execution,” prescribes requirements for incident reporting, plan activation, and ongoing incident management. Chapter 8, Training & Education, and Chapter 9, Exercises & Tests, follow. The last chapter is Chapter 10, Program Maintenance and Improvement. Annex A provides explanations for asterisked text within the standard, and it is followed by annexes providing related information.
All editions of NFPA 1600 are still in force and can be viewed for free online and purchased from NFPA.
Preparedness, LLC's Emergency Management, Business Continuity, & Crisis Management Self-Assessment Checklist, based on NFPA 1600/NFPA 1660, can be downloaded from the hyperlink at the bottom of this page.
Donald L. Schmidt, CEO of Preparedness, LLC is the Past Chair of the NFPA 1600 committee. He joined the committee in 1994; has been involved in every edition of NFPA 1600 and NFPA 1660; and served as chair for the 2010, 2013, and 2016 editions. Mr. Schmidt is the editor of “Implementing NFPA 1600 National Preparedness Standard” published by NFPA.
ISO 22301 “Security and resilience — Business continuity management systems — Requirements,” 2019 edition is the second edition of the standard. The 2012 edition has been rescinded. BS 25999 Part 1 “Business Continuity Management Code of Practice,” published in 2006 and “Business Continuity Management Specification,” published in 2007 were the basis for the original, 2012, edition of ISO 22301.
Ten clauses prescribe requirements for the business continuity management system (BCMS) beginning with clauses 1 (scope), 2 (references), and 3 (definitions).
Clause 4, “Context of the organization” requires identification of issues relevant to the organization's objectives, identification of interested parties (e.g., customers) and their interests, and legal and regulatory requirements. Establishment, and determination of, the scope of the business continuity management system (BCMS) concludes Clause 4.
Leadership, BC policy, roles, responsibilities, and authorities are the focus of Clause 5. Clause 6, Planning, requires determining and addressing risks and opportunities, a common theme of the standard. It includes establishing business continuity objectives, and planning changes to the BCMS.
Clause 7, Support, addresses resources including competence of those involved in business continuity, business continuity awareness for employees, internal and external communications, and documented information required by the standard.
Clause 8, “Operation,” contains the most specific business continuity (BC) requirements. These cover planning and control, business impact analysis (BIA), risk assessment, BC strategies and solutions, BC plans and procedures, response structure, exercise program, and evaluation of documentation and capabilities.
Performance evaluation is the subject of Clause 9 with requirements for monitoring, measurement, analysis, and evaluation of the BCMS as well as internal audits. Management review rounds out the clause. Improvement is the title of Clause 10, and it includes addressing nonconformity and taking corrective action as well as continual improvement.
ISO 22301 can be purchased online. Preparedness, LLC’s Self-Assessment Checklist for Auditing Business Continuity Management Systems, based on ISO 22301, can be downloaded from the bottom of this page.
Donald L. Schmidt, CEO of Preparedness, LLC is a member of the USA Technical Advisory Group (“TAG”) to the ISO 292, Security and Resilience Committee, that is responsible for ISO 22301 and related standards.
Consistent with its title, ISO 22301 is a business continuity standard with robust requirements for business continuity planning and for communications with interested parties central to crisis communications. The core of this standard is the requirements of the organization to “establish, implement, maintain, and continually improve a business continuity management system (BCMS), including the processes needed and their interactions.”
NFPA 1600 prescribes an “all-hazards approach,” and it requires development of strategies, and plans for “prevention, mitigation, preparedness, response, continuity, and recovery that address a full range of threats and hazards, including natural, human-caused, and technology-caused.”
… Click to read the full Preparedness Bulletin comparing ISO 22301 and NFPA 1600/NFPA 1660.
Numerous other standards and professional practices could find a productive place in your toolbox. Links to these standards can be found in our “Links to Preparedness Resources” page.
Check out our Preparedness Bulletins; they offer in-depth guidance on the development, implementation, and evaluation of emergency management, business continuity, and crisis management programs.