ISO/TS 22330:2018
Security and resilience — Business continuity management systems — Guidelines for people aspects of business continuity
This document gives guidelines for the planning and development of policies, strategies and procedures for the preparation and management of people affected by an incident. This includes:
— preparation through awareness, analysis of needs, and learning and development;
— coping with the immediate effects of the incident (respond);
— managing people during the period of disruption (recover);
— continuing to support the workforce after returning to business as usual (restore).
The management of people relating to civil emergencies or other societal disruption is out of the scope of this document.
Sécurité et résilience — Systèmes de gestion de la poursuite des activités — Lignes directrices concernant les aspects humains de la poursuite des activités
Standards Content (Sample)
TECHNICAL SPECIFICATION ISO/TS 22330
First edition 2018-06
Security and resilience — Business continuity management systems — Guidelines for people aspects of business continuity
Sécurité et résilience — Systèmes de gestion de la poursuite des activités — Lignes directrices concernant les aspects humains de la poursuite des activités
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 People aspects overview
4.1 General
4.2 The need for a people aspects approach
4.3 Structure
5 Precursors
5.1 General
5.2 Duty of care
5.3 Attributes of the organization
5.4 Team and individual competencies
6 Preparing to respond
6.1 General
6.2 Business impact analysis
6.3 Managing people risks in business continuity
6.4 Including people aspects in business continuity management
6.5 Knowledge, skills and abilities
6.5.1 General
6.5.2 Education
6.5.3 Learning and development
6.5.4 Experience
6.6 Awareness across an organization
7 Delivering the response
7.1 General
7.2 Respond
7.2.1 General
7.2.2 Responding to early warning
7.2.3 Immediate actions to protect and secure people
7.2.4 Incident response organization
7.3 Recover
7.3.1 General
7.3.2 Mobilizing the workforce in adverse conditions
7.3.3 Using alternative work sites
7.3.4 Working from home
7.3.5 People management issues
7.4 Restore
7.4.1 General
7.4.2 Actions for sustainable restoration of operations
7.5 People support strategies
7.5.1 Managing the needs of families and friends
7.5.2 Physical and psychological well-being
7.6 Communications
7.6.1 General
7.6.2 Importance of internal communication
7.6.3 Communication systems and pathways
7.6.4 External communications
7.6.5 Social media
7.7 Managing the impact of travel issues
7.7.1 General
7.7.2 Travel issues
7.7.3 Managing a travel incident
8 Review and continuous improvement
8.1 General
8.2 Continuous improvement through exercising
8.3 Feedback from the workforce or external agencies
8.4 Record-keeping
8.5 Risk review
Annex A (informative) Psychological response management
Annex B (informative) Relatives response team
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 292, Security and resilience.
Introduction
The purpose of this document is to expand the guidance on managing the people aspects of an
organization’s preparation and response to disruptive events provided in ISO 22301 and ISO 22313. It
assumes that the organization is aware of the principles of business continuity management and has
established, or intends to establish, a business continuity management system (BCMS) aligned to these
standards. The guidance is relevant to all levels of the organization: from top management to individual
members of the workforce; from those organizations with a single site to those with a global presence;
from small-to-medium enterprises (SMEs) to organizations employing thousands of people.
In general, the English words “people” and “human” are frequently interchanged. In this document, the
term “people” is referenced as it puts the focus on the individual person rather than a group intimated
by the term “human”.
People are a key driver of organizational success and, at the same time, are always an interested party
in any activity supporting delivery of organizational objectives. The organization, therefore, should pay
particular attention to people, recognizing the two-way relationship it has with them. This applies to
an organization’s business continuity goals.
This document is relevant to business continuity and human resources professionals, and managers
responsible for organizational resilience, people management and people development. It is not a
definitive guide to managing an incident, but a review of the implications for managing the impacts on
the workforce and others who could be affected.
The guidelines in this document provide a uniform approach to developing the broad range of
knowledge, skills, behaviours and practices required of capable people to deliver effective business
continuity management.
TECHNICAL SPECIFICATION ISO/TS 22330:2018(E)
Security and resilience — Business continuity
management systems — Guidelines for people aspects of
business continuity
1 Scope
This document gives guidelines for the planning and development of policies, strategies and procedures
for the preparation and management of people affected by an incident.
This includes:
— preparation through awareness, analysis of needs, and learning and development;
— coping with the immediate effects of the incident (respond);
— managing people during the period of disruption (recover);
— continuing to support the workforce after returning to business as usual (restore).
The management of people relating to civil emergencies or other societal disruption is out of the scope
of this document.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 22300, Security and resilience — Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 22300 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
duty of care
moral or legal obligation to ensure the safety, well-being or interests of others
3.2
employee assistance programme
contracted support service provided to organizations to assist them in addressing productivity issues,
and to assist employees in identifying and resolving personal concerns, including health, marital,
family, financial, alcohol, drug, legal, emotional, stress or other personal issues that could affect job
performance
Note 1 to entry: Adapted from the International Employee Assistance Professionals Association (EAPA).
3.3
nominated emergency contact
person nominated by an individual staff member who is their chosen first point of contact in the event
of the organization needing to make contact
Note 1 to entry: This may be the legal next of kin.
3.4
people aspects of business continuity
elements associated with the management of people involved in, or affected by, an incident in order
to minimize distress, maximize productivity and recovery, and achieve the recovery objectives of the
organization’s business continuity programme
3.5
psychological critical incident
event or series of events that could cause significant emotional or physical distress, psychological
impairment or disturbance in people’s usual functioning
Note 1 to entry: Mental health professionals working in this field would normally refer to a “traumatic event” as
a critical psychological incident. The term “critical psychological incident” is preferred as it implies an incident
that may or may not be traumatic to the individual involved. Although there are several definitions of a traumatic
event within the psychiatric and scientific world, critical psychological incident provides a more real world
definition.
3.6
psychological education
provision of advice and guidance relating to psychological well-being
Note 1 to entry: It would usually include an overview of common reactions to distressing events in order to
normalize them, reduce anxiety, provide simple self-help strategies to facilitate recovery in the first few days and
provide where and when to seek further support.
3.7
psychological first aid
temporary, supportive intervention comparable to the concept of physical first aid
Note 1 to entry: Its goals include stabilizing the crisis situation, reducing emotional distress, providing advice
on self-care and psychological education (3.6), identifying people who may need professional assistance and
referring for further assistance, as necessary.
3.8
shelter in place
action to move people to predetermined areas inside the building/site in order to protect them from
external dangers during an incident
Note 1 to entry: This may be referred to as invacuation.
3.9
workforce
anyone engaged in the delivery of the organization’s objectives, including direct employees, agency
staff, contractors and volunteers
4 People aspects overview
4.1 General
This clause identifies the background within which the people aspects of business continuity
management are considered. Whatever the nature of disruption, the common factor is that people will
always be affected.
A business continuity management system (BCMS) considers the resources required for the response
to any disruptive event. People are an essential resource for the entire process and the organization
will depend on their response as individuals to disruptive events and as members of response, recovery
and restoration teams.
The people aspects approach also recognizes that everyone affected by a disruptive event is a potential
casualty in some way, whether physically or psychologically impacted or by being subjected to change
which has a longer-term effect on their daily lives and expectations. This includes people who are
not members of the workforce but are directly affected by consequences of the event, e.g. clients or
workforce family members.
As resources, casualties or both, people are also interested parties in the activities of the organization
with opinions and expectations of their own. The approach recognizes that in the abnormal
circumstances of a disruptive event, the impact of destabilization on an organization will lead to changes
in the expectations of and on individuals. This applies not only to continuity activities in affected parts
of an organization, but also to business as usual operations in apparently unaffected areas.
4.2 The need for a people aspects approach
ISO 22301 establishes the overarching requirements for people aspects of business continuity and
addresses competence, awareness and communication, and the organization’s duty of care.
In considering people aspects, it is important to understand at the outset what is at stake: what happens
if the organization on the one hand, or its people on the other, fails to meet the expectations of the other.
The potential impacts could be damaging to the organization and result from either real or perceived
weaknesses.
— Failure to deliver duty of care in line with people’s needs and expectations.
— Loss of willing, timely support from the workforce if people management is perceived as ineffective.
— Damage to reputation if consideration of people requirements is perceived as being neglected.
— Damage to the organization’s long-term ability to retain, recruit and motivate the workforce.
Failure to manage people aspects could lead to the organization being unable to do the following.
— Prepare: Plans are not fit for purpose due to inadequate provision of competent and available
resources.
— Respond: Immediate response is ineffective due to lack of training, poor understanding or
motivation.
— Recover: Barriers to changes in working arrangements arising from poor understanding, motivation
or capacity prevent successful implementation of recovery strategies.
— Restore: Unable to restore the organization to full capability through insufficient attention to people
related issues.
In all people considerations, at all stages in the BCMS, the organization should consider and understand
events and issues that could adversely impact:
— ongoing safety, security and productivity;
— discretionary effort;
— retention and development of skills and talent;
— recruitment of people;
— engagement and morale.
4.3 Structure
Figure 1 illustrates the structure of the arrangements needed to establish an effective approach to the
management of the people aspects of business continuity. It is divided into two logical sections:
— the precursor steps required to establish the overall approach and capability;
— the detailed processes.
As indicated in the figure, each section is discussed in more detail in clauses that follow in this document.
Figure 1 — Structure to manage people aspects of business continuity
Precursors establish the strategic approach to the people aspects of business continuity as identified
by top management.
The development of the processes makes use of established techniques, including risk assessment,
business impact analysis and preparation of incident management, business continuity and crisis
management plans.
Post-event actions will address the review and continuous improvement activities necessary following
a disruptive event or a near miss. Exercising will validate capability, rehearse people in their required
tasks and identify learning needs to assist in the development or enhancement of competencies.
5 Precursors
5.1 General
Precursors are the arrangements and planning an organization should put in place to frame its approach
and attitude to the people aspects of business continuity. They require top management to:
— analyse its responsibilities with regards to duty of care;
— describe the attributes it sees as important to the organization;
— define the competencies, including technical and non-technical skills and behaviours that individuals
and teams should demonstrate.
Disruptive events place unusual pressures on people affected, either directly or indirectly. Active
development of capabilities, both skills and behaviours, better prepares people as individuals and as
members of a response team to cope with the unexpected.
In turn, a focus on the application and development of management and leadership attributes that deliver
desired skills and behaviours offers additional value by enhancing the reputation of the organization.
5.2 Duty of care
In the response to any disruptive event, as part of its responsibilities, the organization owes a duty of
care to a wide range of people who are interested parties both internal and external to the organization.
EXAMPLE 1 Evacuated workforce members who require a safe, effective procedure to be in place to ensure an
efficient evacuation and proper accounting for people.
EXAMPLE 2 Response team members who require coping mechanisms to counter the stresses of managing
the response.
EXAMPLE 3 Residents adjacent to a site that is on fire who are affected by the smoke and other residue.
Table 1 identifies groups of people who could be affected and their needs, expectations or demands. It
is not an exhaustive list and the organization should identify the communities that could be affected by
any incident.
NOTE Responsibility for care for contractors and visitors will transfer to their parent organization after the
immediate response phase.
Table 1 — Duty of care responsibilities
Immediately impacted
Group:
a) Immediate physical threat (workforce, customers, visitors) – at risk of harm
b) Actual physical harm (workforce, customers, visitors) – injured
c) Evacuees/those sheltering in place (workforce, customers, visitors)
d) Outside site boundary (neighbours) – potentially affected
e) Families
f) Witnesses to injury, threat or death
Their needs, expectations and demands:
— A safe and secure location away from the immediate threat
— Medical care, including first aid and prompt transfer to medical facilities when required
— Practical support (water, shelter, transport, food)
— Lines of communication (two-way)
— Accurate information and appropriate advice
— Leadership
— Psychological education
Subsequently impacted
Group:
a) Same site, unaffected location (workforce, customers, visitors) – not physically threatened
b) Rest of organization (other sites)
c) Workplace family (close colleagues/friends, those who had a near miss)
d) Contractor organizations
e) Visitors’ organizations
f) Other external interested parties where there is an effect on people (customers, suppliers)
Their needs, expectations and demands:
— Accurate information and practical advice
— Direction on requirements and intentions
— Leadership
— Two-way communication
— Psychological education
Incident responders
Group:
a) First responders: workforce (first aiders, fire marshals, trained responders) and emergency services
b) Incident management teams: incident management, communications, relatives response
c) Key workforce members (as identified in the business continuity plan)
d) Supporting workforce – facilitating recovery and restoration
e) Top management and line management
Their needs, expectations and demands:
— Authority through invocation
— Accurate information
— Risk assessment
— Objectives and how they change over time
— Communication pathways
— Resources to deliver response, recovery and restoration
— Psychological education
— Own well-being, including consideration of fatigue, working hours and critical incident stress
— Feedback on progress and recognition of contribution involving engagement with senior management
5.3 Attributes of the organization
An organization that recognizes the importance of people aspects of business continuity should
demonstrate the ability to:
— assess identified threats and control resultant risks to people related to disruptive events;
— ensure a safe working environment;
— recognize the role and added value of people in contributing to business continuity;
— promote and embed business continuity management through workforce engagement and
involvement led by top management, supported by line management across the organization;
— make the protection of people on site during a disruptive event a priority;
— recognize the importance of engagement with families of those involved (casualties and responders);
— prepare and encourage individuals and teams to respond to the unexpected;
— commit to exercising and testing response arrangements;
— ensure efficient and effective communication (internally and externally) is a priority.
5.4 Team and individual competencies
Competencies refer to the skills and behaviours required by teams and individuals to deliver business
continuity. This includes those with specific roles to deliver incident response and recovery, and, more
widely, an awareness of individual responsibilities across the organization. These competencies are
developed through both directed and experiential learning. The steps for this process are:
— organization-wide awareness programme on business continuity objectives and individual roles
and responsibilities;
— identification of specific roles and responsibilities;
— learning needs analysis to identify skills and behaviours required;
— a programme to develop specific competencies;
— validation through exercising and assessment (in terms of quality and quantity acceptability by
interested parties);
— maintenance programmes to ensure retention and continued availability of competencies.
6 Preparing to respond
6.1 General
The precursors provide the foundation from which to build the specific people elements into the
organization’s BCMS. The organization should identify, acquire and develop people with the right
competencies to deliver the capability. The organization should consider the specific locations where
this capability is required and plan for adequate strength and depth in resources for the time when
they are needed.
People aspects should be given in-depth consideration at each stage of the business continuity
management process. The organization should identify whom to involve in these activities and should
aim for a broad participation of those disciplines that bring people-related expertise and insight to the
process that is relevant and accurate:
— top management;
— line management;
— other process owners;
— safety, security and resilience professionals;
— human resources specialists;
— communications teams;
— technical specialists;
— occupational health and welfare departments;
— other interested parties (internal, e.g. legal, compliance, and external, e.g. third-party partners).
6.2 Business impact analysis
A business impact analysis (BIA) compiled in line with good practice should take full account of the
contributions made by different people. Even where key people have been identified, the organization
should be alert to the assumptions made about the ability, capability or even willingness of these people
to respond in accordance with the developed business continuity plan (BCP).
The organization should consider the possible wider impacts of a disruptive event on people who are
not identified as key to maintaining or recovering operations, but to whom the organization owes a duty
of care (see 5.2). This includes appreciating the potential impacts on those people whose perceptions
and opinions in the longer-term could undermine restoration of full operational capability (see 4.2).
6.3 Managing people risks in business continuity
Within an organization’s risk management programme, due attention should be given to identifying and
mitigating the people threats, probability of occurrence, impacts and dependencies identified through
the BIA and risk management process. People responses to a disruptive event are hard to predict and
cannot be taken for granted. Within this context, top management should engage the workforce in the
threat identification process, both to ensure a wide range of views are considered and to build risk
awareness across the organization.
Risk mitigation strategies from the people perspective should take account of all the legal, regulatory,
ethical and moral requirements placed on the organization, including:
— recognizing the risk that there could be casualties following a disruptive event, which establishes
the requirement to prepare for their efficient management, including engagement with affected
families and being prepared to provide long-term psychological support where required;
— managing a changing business environment, which could impact terms of employment and individual
roles and responsibilities, as well as the impact on the availability and individual skills required by
the organization;
— preparing for the impact on the organization’s workforce of external events (e.g. natural disasters,
terrorism, infectious diseases, cyber-attacks, disruption to utilities or transport networks).
6.4 Including people aspects in business continuity management
Business continuity plans should include detailed arrangements to mitigate the impacts arising from the
loss of people who are essential to delivering business objectives. This should be given equal importance
to managing the loss of assets or technology. As well as the established process for succession planning,
this should include plans to address the issues identified above. Detailed approaches to these challenges
are considered in greater detail in Clause 7.
The extent of the commitment by the organization to mitigation strategies for people issues should
depend on the size of the potential impact to delivery and likelihood of disruption to business objectives
arising from the non-availability of the workforce.
6.5 Knowledge, skills and abilities
6.5.1 General
ISO 22301 identifies requirements for competent people to underpin organizational performance.
This concerns the determination of the competencies required, and how these can be achieved and
sustained.
To deliver this, the organization should manage business continuity learning and development
programmes to build business continuity capability through repeat interventions that are delivered
through a blend of formal education and experiential learning.
6.5.2 Education
For individuals with strategic, planning and response team leadership responsibilities, learning that
develops depth of understanding of business continuity and related concepts provides the learner with
a more holistic approach that supports the application of background knowledge and skills in managing
different types of scenarios. These could include:
— academic study to achieve a professional qualification in business continuity and to develop
knowledge of business continuity and related subjects;
— leadership and development programmes that build desired skills and behaviours;
— participation in professional learning or communities of practice networks.
6.5.3 Learning and development
For individuals across the business continuity and response team organization, learning interventions
aim to deliver increased proficiency and ultimately performance, through a focus on developing the
required skills and behaviours of individuals or teams. These could include:
— role-specific development to develop the individual’s understanding of and ability to deliver their
own business continuity responsibilities in the context of wider team and organizational objectives;
— team-specific development to improve collaboration within continuity response teams to enhance
team performance in meeting response objectives;
— exercising (from table top to live play), which is scenario-based experiential learning to allow
individual and team practice and feedback in a realistic and safe environment (see ISO 22398);
— game play, which develops desired behaviours and decision-making skills through virtual or
physical business continuity scenarios that engage and motivate learners through competition,
challenge and reward;
— responder and line manager development on the management of the possible psychological impacts
of a disruptive event. The tools include early intervention techniques to support colleagues (see
Annex A) and promote personal resilience to support health and well-being.
Learning outcomes should be observed, measured or assessed against learning objectives. Both positive
and negative outcomes add value.
Learning tools and materials should be continually reviewed to ensure they recognize good practice
and developments in learning techniques and technology.
6.5.4 Experience
Developing (and recording) the hands-on experience of individuals creates a larger and accessible
pool of people with relevant knowledge, skills and abilities to manage a business continuity event.
Approaches to this include:
— sharing experience and peer review of incidents;
— mentoring to support individual development;
— shared knowledge and collaboration using internal social networks.
6.6 Awareness across an organization
Everyone has a role to play in business continuity, but unless the organization makes people aware of
what it entails and why it is important, the efforts of business continuity managers risk being diluted
to the detriment of the organization. Business continuity managers could collaborate with top and line
management, human resources and communications colleagues in three areas.
— Ownership: Clarify how individuals contribute to managing risks and delivering business continuity
by integrating requirements into job roles and objectives.
— Involvement: Get people involved in the development and improvement of their departmental
business continuity plans and get them to think about how an incident would affect them and their
role. Seek participation in exercises from support roles and share results of exercises and steps
being taken to improve.
— Communication: Develop organizational awareness programmes on the business continuity policy
and response plans using multiple communication tools. This could be reinforced using branded,
portable business continuity cards, with instructions for immediate action in the event of an
incident.
7 Delivering the response
7.1 General
Previous clauses of this document have outlined the aspects that should be considered to establish the
needs and expectations of the organization, its workforce and other interested parties for which the
organization has a duty of care.
This clause considers the delivery of the response to a disruptive incident to meet the identified duty of
care and the processes that will assist the organization in making the decisions that ensure its people
continue to be available to deliver the organization’s objectives.
The response depends on the nature of each disruptive event. These guidelines focus on people
considerations that allow organizations to develop flexible arrangements that may be adapted and
applied irrespective of the cause of disruption. The purpose is to amplify, not replace, the general
arrangements for incident response described in ISO 22313.
Figure 2 provides an overview of the subject areas included in Clause 7 and provides a signpost to
the user to the relevant subclause. Subjects are generally organized in line with the evolution of a
disruptive event. The exceptions are people support strategies (7.5) and communications (7.6). Both
are continuous activities throughout any disruptive event and are treated as such in this document.
Figure 2 — Subject areas in Clause 7
7.2 Respond
7.2.1 General
The initial response is crucial to laying the foundations for managing the people aspects of business
continuity across the duration of a disruptive event. The organization has an opportunity to identify and
respond quickly to people needs and expectations from the outset. Failure to do this could undermine
efforts further down the line and, in turn, will demand greater effort to catch up later to recover from
early oversights.
It is important to recognize that the approach to managing people issues will develop as the extent
and complexity of the event becomes known, which means that leaders should keep early decisions
under review.
This clause, therefore, considers the people aspects of core elements applicable in almost every
circumstance for which response is required to limit the impacts of negative outcomes.
People support strategies and communications are addressed separately in 7.5 and 7.6.
7.2.2 Responding to early warning
In some situations, an early warning of an imminent event can be detected or received, either through
internal threat monitoring processes (from formal reviews to individual vigilance) or from external
agencies. Warning allows the organization to mobilize necessary resources in advance and to prepare
the workforce for the likely response.
EXAMPLE 1 IT system breach or failure which has a potential to escalate.
EXAMPLE 2 Cyber threat alert arising from another organization that has already been attacked.
EXAMPLE 3 Severe weather warning: hurrican
...







