CEN/TC 391 - Societal and Citizen Security

This document provides guidelines for managing and auditing Digital Custody Metadata (DCM), enabling stakeholders to identify and audit custody ownership for CBRNE evidence in the dCoC. It proposes a metadata structure to manage resources assigned to CBRNE evidence and comply with good data governance practices, raising awareness at each custody transfer point.
In addition to considering using the Business Process Model and Notation (BPMN) to specify metadata management processes, therelevance of standard procedures to overcome DCM-related challenges is also addressed. In this domain, the focus is on the metadata structures required to manage digital asset custodians while outlining some of the activities that should be considered when specifying a DCM governance workflow.
This document is the second part of a series of technical specifications for the provision of DCM services for managing data related to the preservation of CBRNE evidence. Please see the first part of this series for a complete understanding of the concepts and stakeholders’ role within the custody transfer lifecycle.

This document provides guidance for technical and non-technical personnel within the organisation, including those responsible for compliance with statuary and regulatory requirements and industry standards. It provides an overview to the concepts related to the custody transfer lifecycle within the dCoC, framing how such personnel can identify and audit the custody ownership of CBRNE evidence; set policies and follow good practices for metadata governance, and conduct digital operations to ensure the integrity of the data at each custody transfer point. In addition to the metadata required to perform audits, the document also aims to provide:
- Unambiguous definitions of the concepts related to the digital log for each custody transfer (i.e., who owns the custody at each transfer point).
- Guidelines for a dCoC data governance process to ensure the integrity of the DCM and situational-awareness at each transfer point within the dCoC.
- Suggestions regarding metadata management policies and compliance with good practices for non-repudiation digital log, ensuring a standard data structure for data management and auditing
This document is the first part of a series of Technical Specifications on the provision of DCM services for the management of datarelated to the custody of CBRNE evidence. It will be complemented by other specific parts, which give more detailed guidelines for related services, such as the specification of BPMN processes for data governance within the dCoC.

This document provides guidance on crisis management to help organizations plan, establish, maintain, review and continually improve a strategic crisis management capability. This guidance can help any organization to identify and manage a crisis. Elements for consideration include:
—    context, core concepts, principles and challenges (see Clause 4);
—    developing an organization’s crisis management capability (see Clause 5);
—    crisis leadership (see Clause 6);
—    the decision-making challenges and complexities facing a crisis team in action (see Clause 7);
—    crisis communication (see Clause 8);
—    training, validation and learning from crises (see Clause 9).
It is applicable to top management with strategic responsibilities for the delivery of a crisis management capability in any organization. It can also be used by those who operate under the direction of top management.
This document acknowledges the relationship and interdependencies with various disciplines but is distinct from these topics.

This document defines terms used in security and resilience standards.

This document contains terms and definitions for CBRNE (chemical, biological, radiological, nuclear, explosive) applications.
Common understanding and communication is important in the implementation of an effective CBRNE response and this communication will be most effective if there is common understanding of the terms used. Many of the terms and definitions listed here have been widely used for many years, while others are the result of cross-cutting experience of areas of CBRNE. The gradual evolution of our understanding of CBRNE and response measures means that CBRNE terminology will continue to develop.
This document is dedicated to first responders, administrative staff, industry representatives and researchers.

This document gives guidance and recommendations for applying the requirements of the business continuity management system (BCMS) given in ISO 22301. The guidance and recommendations are based on good international practice.
This document is applicable to organizations that:
a)   implement, maintain and improve a BCMS;
b)   seek to ensure conformity with stated business continuity policy;
c)   need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption;
d)   seek to enhance their resilience through the effective application of the BCMS.
The guidance and recommendations are applicable to all sizes and types of organizations, including large, medium and small organizations operating in industrial, commercial, public and not-for-profit sectors. The approach adopted depends on the organization's operating environment and complexity.

This document specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise.
The requirements specified in this document are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization's operating environment and complexity.
This document is applicable to all types and sizes of organizations that:
a)   implement, maintain and improve a BCMS;
b)   seek to ensure conformity with stated business continuity policy;
c)   need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption;
d)   seek to enhance their resilience through the effective application of the BCMS.
This document can be used to assess an organization's ability to meet its own business continuity needs and obligations.

ISO 22315:2014 provides guidelines for mass evacuation planning in terms of establishing, implementing, monitoring, evaluating, reviewing, and improving preparedness. It establishes a framework for each activity in mass evacuation planning for all identified hazards. It will help organizations to develop plans that are evidence-based and that can be evaluated for effectiveness.
ISO 22315:2014 is intended for use by organizations with responsibility for, or involvement in, part or all of the planning for mass evacuation. It is applicable to all types and sizes of organizations that are involved in the planning for mass evacuation, such as local, regional, and national governments; statutory bodies; international and non-governmental organizations; businesses; and public and social groups.
ISO 22315:2014 covers planning for mass evacuation in order to gain a more effective response during the actual evacuation. It will assist organizations to meet their obligation of saving human life and reducing suffering.
ISO 22315:2014 does not cover activities to stabilize the affected area after an evacuation, protect property, and preserve the environment.

ISO 22397:2014 provides guidelines for establishing partnering arrangements among organizations to manage multiple relationships for events impacting on societal security. It incorporates principles and describes the process for planning, developing, implementing and reviewing partnering arrangements.
ISO 22397:2014 is applicable to all organizations regardless of type, size and nature of activity whether in or between the private, public, or not-for-profit sectors.

This Technical Specification provides guidance for managing security of (high risk) chemical, biological, radioactive, nuclear or Explosive materials, such as those covered by the EU CBRN action plan, that are used within healthcare facilities (HCF); it covers the lifecycle of such materials within a HCF’s span of control. In this Technical Specification these materials are referred to as ‘CBRNE materials’.
It covers the protection of (high risk) CBRNE materials used in healthcare facilities against security threats relating to their deliberate misuse. It covers the protection of people, assets and information related to CBRNE materials.
This Technical Specification also applies to circumstances where healthcare is provided at locations remote from the normal location of the HCF.
This Technical Specification also provides guidance to all stakeholders that are responsible for each step in a lifecycle of CBRNE materials within the HCF such as such as administrator staff, facility management staff, logistics and transport staff, medical staff, waste management staff, domestic staff and security staff as well as visitors and contractors working on the HCF premises.
This Technical Specification can be applied as part of generic management systems such as EN ISO 9001 [2], EN ISO 22301 [3], ISO 22320 [4] and possibly ISO 28001 [5].
It does not apply to occupational health and safety issues deriving from the proper and improper use of such materials.

The standard will specify requirements for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented security management system in healthcare facilities.

ISO 22311:2012 is mainly for societal security purposes and specifies a common output file format that can be extracted from the video-surveillance contents collection systems (stand alone machines or large scale systems) by an exchangeable data storage media or through a network to allow end-users to access digital video-surveillance contents and perform their necessary processing.

This Technical Specification is based on an all-hazards approach, with a specific focus on terrorism and other security related risks. Looking at the combination of threats, vulnerabilities and values to be protected, threats may be terrorist attacks with chemical, explosive and biological agents, or nuclear waste materials, or with conventional means on CBRN plants, causing a similar devastating effect on a potentially large scale. Major CBRN incidents may jeopardise critical infrastructure, while emergency services may have great difficulty performing their response tasks.
The scope excludes the vulnerability assessment of some specific systems that comply, at the European and Member State level, with existing sets of legal measures: network for drinking water distribution, food chain supply and cosmetics and pharmaceutical products production and distribution chains.
The objective of this Technical Specification is to strengthen common understanding and a common frame of reference for all organisations with an interest and involvement in CBRN. It does so by providing a number of considerations and tools that can be used in the development of a semi-quantitative conceptual framework for vulnerability assessment, awareness and management. The vulnerability assessment covers all members of the population at risk including the requirements of children, the elderly and those with disabilities.

This document defines terms used in security and resilience standards.

This document provides an outline of crisis concepts and the principles that inform and support contemporary thinking on the circumstances and conditions under which crises can develop.
It specifies:
—     concepts and principles, governing crises;
—     the social-ecological system (SES) framework in which crises develop;
—     factors that contribute to crises;
—     the progression and evolution of a crisis;
—     a structure for classifying crises;
—     the relationship between issues, incidents, emergencies, disasters, and crises;
—     a crisis taxonomy for the systematic development of policies, strategies, and standards, relevant to crisis management (see Annex A).
This document does not provide guidance on how organizations can:
—     manage physiological or psychological aspects of human reactions to personal crises;
—     manage personal health or public health crisis affecting individuals, communities, or having broader impacts on society;
—     design, develop or implement crisis management programs or plans;
—     develop a strategic capability for crisis management;
—     apply crisis management techniques to specific crisis situations.
This document is applicable to all organizations. It can also be applied by standards users and standards writers and educators. It encourages a better understanding of crisis concepts and the interconnected characteristics of factors that contribute to crises through referencing the crisis controls and effects social-ecological system model. The application of the principles described in this document can encourage consistency in the use of crises related terms and definitions and complements other ISO standards for crisis management.

ISO 22319:2017 provides guidelines for planning the involvement of spontaneous volunteers (SVs) in incident response and recovery. It is intended to help organizations to establish a plan to consider whether, how and when SVs can provide relief to a coordinated response and recovery for all identified hazards. It helps identify issues to ensure the plan is risk-based and can be shown to prioritize the safety of SVs, the public they seek to assist and incident response staff.
ISO 22319:2017 is intended for use by organizations with responsibility for, or involvement in, part or all of the planning for working with SVs. It is applicable to all types and sizes of organizations that are involved in the planning for, and management of, SVs (e.g. local, regional, and national governments, statutory bodies, international and non-governmental organizations, businesses and public and community groups).
The range of tasks performed by SVs can require only basic planning (e.g. for people who are first on the scene), or a plan that is more complex (e.g. for people who travel to the affected area to volunteer).
Coordinating the participation of volunteers who are affiliated to voluntary or professional organizations to provide relief is not within the scope of this document.

This document provides guidance on good practice for crisis management to help the strategic decision makers of an organization to plan, implement, establish, operate, monitor, review, maintain and continually improve a crisis management capability. It is intended for any organization regardless of location, size, type, industry, structure, or sector. While it is important to be aware of human and cultural factors as they can cause stress when working as individuals and as part of groups, it is not the purpose of this document to examine aspects of these areas in detail.
This document provides guidance for:
- understanding the context and challenges of crisis management;
- developing an organization’s crisis management capability through preparedness (see 5.5);
- recognizing the complexities facing a crisis team in action;
- communicating successfully during a crisis; and
- reviewing and learning.
NOTE 1 For further information on organizational resilience, see ISO 22316.
This technical specification is intended for management with strategic responsibilities for the delivery of a crisis management capability. It is for those who operate under the direction and within policy of top management in:
- implementing the crisis plans and structures; and
- maintaining and assuring the procedures associated with the capability.
It is not intended for emergency and incident response - these require the application of operational procedures whereas crisis management relies on an adaptive, agile, and flexible strategic response (see 4.3).
It does not cover interoperability or command and control or business continuity management systems.
NOTE 2 For more information on interoperability and command and control, see ISO 22320. For more information on business continuity management systems, please see EN ISO 22301.

ISO 22300:2018 defines terms used in security and resilience standards.

ISO 22313:2012 for business continuity management systems provides guidance based on good international practice for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented management system that enables organizations to prepare for, respond to and recover from disruptive incidents when they arise.
It is not the intent of ISO 22313:2012 to imply uniformity in the structure of a BCMS but for an organization to design a BCMS that is appropriate to its needs and that meets the requirements of its interested parties. These needs are shaped by legal, regulatory, organizational and industry requirements, the products and services, the processes employed, the environment in which it operates, the size and structure of the organization and the requirements of its interested parties.
ISO 22313 is generic and applicable to all sizes and types of organizations, including large, medium and small organizations operating in industrial, commercial, public and not-for-profit sectors that wish to:
establish, implement, maintain and improve a BCMS;
ensure conformance with the organization's business continuity policy; or
make a self-determination and self-declaration of compliance with this International Standard.

ISO 22301:2012 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.
The requirements specified in ISO 22301:2012 are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization's operating environment and complexity.

ISO 22300:2012 contains terms and definitions applicable to societal security to establish a common understanding so that consistent terms are used.