ISO 22325:2016

INTERNATIONAL ISO
STANDARD 22325
First edition
2016-10-15
Security and resilience — Emergency
management — Guidelines for
capability assessment
Sécurité et résilience — Gestion des situations d’urgence — Lignes
directrices pour l’évaluation de la capacité
Reference number
©
ISO 2016
© ISO 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO 2016 – All rights reserved

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Assessment model . 2
5 Indicators . 2
5.1 General . 2
5.2 Leadership . 3
5.3 Resource management . 3
5.4 Information and communication . 4
5.5 Risk management . 5
5.6 Coordination and cooperation. 5
5.7 Emergency management planning . 5
5.8 Exercise programme . 6
5.9 Incident management system . 7
6 Assessment process . 7
6.1 General . 7
6.2 Planning . 8
6.3 Collecting . 8
6.4 Analysing . 9
6.5 Reporting . 9
Annex A (informative) Assessment template .10
Bibliography .11
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment,
as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the
Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.
The committee responsible for this document is Technical Committee ISO/TC 292, Security and
resilience.
iv © ISO 2016 – All rights reserved

Introduction
This document provides guidelines for an organization in assessing its emergency management
capability by using four maturity levels, eight indicators and an assessment process (see Figure 1).
A capability assessment can be used to:
— ensure regulatory compliance, reduce risk and meet the safety expectations of the population;
— improve organizational processes;
— enhance partnership, coordination and cooperation within an organization and with other agencies
and sectors;
— share best practices;
— promote continual improvement.
A capability assessment can be performed by the organization itself or by an external organization.
Organizations can define their context to allow for an appropriate assessment of its emergency
management capability. This context can be expressed through identifying appropriate activities in
relation to prevention, mitigation, preparedness, response and recovery. While most organizations
deliver all emergency management functions, some organizations can be responsible for only a single
function so not all the indicators will apply.
Figure 1 — Emergency capability assessment
INTERNATIONAL STANDARD ISO 22325:2016(E)
Security and resilience — Emergency management —
Guidelines for capability assessment
1 Scope
This document provides guidelines for an organization in assessing its emergency management
capability. It includes
— an assessment model with a hierarchy of four levels;
— eight indicators;
— an assessment process, explaining how to plan, collect, analyse and report.
This document is intended to be used by organizations responsible and accountable for emergency
management. Each organization’s context can involve a mix of prevention, mitigation, preparedness,
response and recovery activities.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 22300 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at http://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
context
external and internal factors to be taken into account when undertaking a capability assessment
Note 1 to entry: External context includes the following:
—  cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive
environment, whether international, national, regional or local;
—  key drivers and trends having impact on the objectives of the organizations;
—  relationships with, and perceptions and values of external stakeholders.
Note 2 to entry: Internal context includes
—  the organization’s mandate,
—  business sensitivity,
—  governance, organizational structure, roles and accountabilities,
—  resources and knowledge (e.g. capital, time, people, processes, systems and technologies), and
—  organizational culture.
3.2
emergency management capability
overall ability to effectively manage prevention, preparedness, response and recovery before, during
and after potentially destabilizing or disruptive events
4 Assessment model
The organization should use the assessment model with four levels to classify its emergency
management capability (see Figure 2). This is subject to the role, functions, scope and authority of an
organization and the operational context.
Level 1 represents the minimum level of emergency management capability, while Level 4 represents
the highest level of emergency management capability.
Figure 2 — Levels of emergency management capability
At Level 1, an organization performs its emergency management role at a basic level.
At Level 2, an organization has established detailed plans with the goal of achieving a balance between
resource demands and availability. Plans are developed in terms of the knowledge, skills and capabilities
to manage incidents and are updated periodically.
At Level 3, an organization has designed an emergency management process to facilitate appropriate
measurement and assessment which enables the organization to identify opportunities for
improvement. The organization has integrated with other organizations in order to increase the
effectiveness and efficiency.
At Level 4, an organization has reached an optimal level of emergency management capability. Critical
to this level of performance is the ability to demonstrate organizational learning, adaptive capacity
and effective coordination and cooperation with other organizations. It commits to research and best
practice and is able to appropriately use technology.
5 Indicators
5.1 General
The organization should assess emergency management capability using the indicators which reflect
the scope, function and authority of the organization:
a) leadership;
b) resource management;
c) information and communication;
d) risk management;
2 © ISO 2016 – All rights reserved

e) coordination and cooperation;
f) emergency management planning;
g) exercise programme;
h) incident management system.
The indicators in Tables 1 to 8 are described in accordance with the four levels of the assessment model
(see Figure 2).
5.2 Leadership
Effective leadership enables the organization to forge effective communication and collaboration
among organizations. It is important for the leadership to be aware of the organization’s internal and
external context. A clear commitment to the assessment process should be demonstrated.
Table 1 — Indicator for leadership
Level Criteria
Level 1 The roles and responsibilities of the organization have been defined.
An emergency management policy has been approved which includes emergency manage-
ment objectives.
Level 2 The leadership is aware
...