EM Forum Presentation — April 11, 2012

ISO Technical Committee 223 on Societal Security Update

Dean R. Larson, PhD, CEM®
Chair, U.S. Technical Advisory Group and Head of Delegation
ISO Technical Committee 223

Orlando P. Hernandez
Sr. Specialist / Emergency Services
National Fire Protection Association

Brian Zawada
Co-founder and Director of Consulting
Avalution Consulting

Amy Sebring
EIIP Moderator

This transcript contains references to slides which can be downloaded from http://www.emforum.org/vforum/ISO/TC223update2012.pdf
A video recording of the live session is available at http://www.emforum.org/pub/eiip/lm120411.wmv
An audio podcast is available at http://www.emforum.org/pub/eiip/lm120411.mp3

[Welcome / Introduction]

Amy Sebring: Good morning/afternoon everyone and welcome back to EMForum.org. We are very glad you could join us. I am Amy Sebring and will serve as your Moderator today.

We are very happy to welcome you to our new WebEx platform and we will be providing some instructions as we go along so you can relax and participate with us. Since this is our first time, please bear with me!

Now if you were with us last time for the NFPA 1600 update, it was noted that the ISO Technical Committee 223 on Societal security has also been active with related international standards. As noted in our announcement, they published a new standard ISO 22320 on Emergency management -- Requirements for incident response. They are also continuing work in other areas, and we are pleased that we were able to bring you this update today.

[Slide 1]

Now it is my pleasure to introduce today’s guests: First, we are very glad to welcome back Dr. Dean Larson, who first briefed the ISO work for us during late 2008. That program can be found in our archives, and is also linked from today’s Background page. Dean serves as Head of U.S. Delegation to the ISO TC, and is also project lead for the development of the first ISO Standard on exercises and testing. Dean has brought along two of his colleagues today.

Orlando Hernandez serves as Senior Specialist in Emergency Service for the National Fire Protection Association and has many years of experience in fire inspection, fire investigation, emergency management, and incident response.

Brian Zawada is co-founder and the Director of Consulting for Avalution Consulting, and currently serves on the US Technical Advisory Group to TC 223, and previously served on the ASIS International Technical Committee that authored the new American National Standard on business continuity.

Please see today’s Background Page for further biographic detail and links to related resources.

Welcome to all of you gentlemen, and thank you very much for joining us today. I now turn the floor over to Dean to start us off please.


Dean Larson: Thank you very much, Amy. We appreciate the invitation. The three of us are privileged to represent the U.S. Technical Advisory Group to ISO Technical Committee 223 on Societal security. There were 35 professionals who make up the U.S. Technical Advisory Group.

I am very pleased to have two colleagues—Orlando Hernandez who joined NFPA about fifteen months ago coming from emergency management in Bexar County—significant experience there housing many refugees or evacuees from Katrina and Rita.

Brian Zawada is a graduate of the U.S. Air Force Academy. He has joined our team as a trusted colleague on this. I am privileged to have been the head of the delegation for four and a half years. It has been a great learning experience.

[Slide 2]

The technical committee was organized in 2001. I joined the Technical Committee then and it was under the Russian National Standards Body. The name of the technical committee was Civil defense.

This was reorganized in 2005 under the Swedish National Standards Body and they adopted the new name of Societal security. The U.S. delegation attends plenary sessions as a representative of the National Standards Body of the United States. That is the American National Standards Institute.

We are going to represent ANSI, not our own home organizations. We are planning our next plenary session which will be in Bogota, Colombia. We start May 27 and go through the first of June. It will be the thirteenth plenary session dating back to 2005.

[Slide 3]

Just a bit about the Technical Advisory Group—under ISO, member nations (and ANSI is a member nation of ISO) have mirror committees. The mirror committees reflect the opinion on the business before the Technical Committee to comment and vote on any document.

When we get a document that is in one of the stages of revision we send it to the Technical Advisory Group and ask for their input and invite them to pass it to their colleagues. What we are trying to do is do the best in getting the representation of the United States viewpoint on a particular document.

Again a reminder, as you see on the slide, that one member country has one vote. The sponsor of the U.S. TAG is the National Fire Protection Association. Our organization—I am the chair, Orlando is the coordinator, and Brian who is with us today is the coordinator for Working Group #4. He will cover that in a bit.

[Slide 4]

We have six working groups within the ISO TC 223. I work in Group #1. It is led by the Japanese National Standards Body. Not to be confused—the Swedish Standards Body is the overall lead. They provide the chair and the secretariat. We have working groups and different countries lead the working groups.

The particular working group I work under is the National Standards Body---Japan is the leadership. We have two active projects. One is ISO 22397. Notice the numbers start with the same three digits (223) and then there is a sequential number.

In the title here it may look like there is a problem with capitalization. That is the ISO convention of capitalizing the first letter of "Societal" and "security" would be lowercase. The guidelines to set up a public private partnership—that is led by representatives from the Italian National Standards Body.

They are at the stage of getting ready to publish a draft international standard. We have documents in various stages. It is very stylized. We start with a concept to a committee proposal to a new work item proposal to a committee draft to a draft international standard to a final draft international standard.

The 22397 is getting ready to go out as a draft international standard. We will finalize that in Bogota. It is expected to go out shortly after the Bogota meeting. That will be open for five months of comment.

22398 is currently in the draft international status. We have comments closing next month. These will be the first guidelines on exercise and testing. It started out as specific to Societal security but as we realized that ISO did not have an exercise and testing document we have made this more generic and have tried to make it applicable to both testing situations and exercise situations.

As Amy mentioned, I am the project leader on that so the U.S. is leading this development.

[Slide 5]

Working Group #2 is led by the Canadian National Standards Body. They have one completed project. When I say completed project it has gone through the steps I mentioned in the last slide and it has been balloted upon. Every member country in ISO has the right to ballot at the draft international standard and the final draft international standard.

This particular one—Societal security-Terminology—has been part of that and it is the final document on the terminology we use within the technical committee. This is a living document that we will be revising as we go on and add new standards and new requirements for terminology.

[Slide 6]

I mentioned Working Group #5. This is led by the French National Standards Body. This is somewhat different than other documents which are more program documents. This is more of a technical document—ISO 22311—it is a standard for Video surveillance. It is at the final draft international standards stage and is expected to be approved shortly.

[Slide 7]

Orlando Hernandez: Working Group #3 just went through a changing of the name of the working group. Prior to the change the group was named "command and control" and as they started to review the projects that they had been working on, they noticed that the work and projects they were starting to implement and conduct were more geared toward emergency management issues overall.

[Slide 8]

The committee requested a name change. It was in front of the entire TC group and the name changed now to "emergency management" as you see on your slide. One of the projects is emergency management color coded alert. During the eleventh plenary meeting in Berlin, Germany the project team had identified up to seven different colors to use for the alert system.

As they started working through the process they realized some of the colors they had chosen would be very difficult to differentiate on the screen. There was a slight difference in color and the number of different colors and having groups, organizations and individuals try to remember all the different categories of the colors, they decided to scale that down to three colors—red, yellow, and green.

They chose not to use blue because of some issues they may have with the broadcasting of the alerts and the colors they may use. If additional colors are needed they are going to use a green-red continuum. One of the things they have also decided on is for fatal danger they are either going to use black or purple but they have not ruled out maybe using a checkerboard pattern on your screen to show there is fatal danger in your area.

[Slide 9]

Project Team Two is working on a new initiative—Emergency Management Capability Assessment. It is broken into three categories—assessment procedures, development of a maturity model and assessment capability roadmap.

The pivotal starting point for this new project was a presentation by Pete Brewster from Veterans Administration. He presented at the plenary prior to Berlin, Germany and based on that the Chinese National Standard Initiative for the emergency management capability project.

[Slide 10]

In that assessment project, the goals of that assessment procedure are similar to the plan-do-check cycle where you identify what was your target, you identify your capabilities, you check your capabilities and you evaluate. Based on your evaluation of what you have you go toward improving your capabilities.

[Slide 11]

The next item is the assessment maturity model. There are four levels. You start at zero where nothing has been done. You have level one which is a functional level where you can see where your capabilities are within your organization. It goes up the scale to level four to your optimal capability. They are pursuing the assessment model in this project.

[Slide 12]

This is a roadmap to review your capabilities. They are looking at your hazard analysis. It isn’t all-encompassing but it is a roadmap to help you figure out what capabilities you have and what improvements you need to do. You have your hazard analysis, your strategic goals, and you also have your training and testing of those goals and capabilities.

Once you have completed training and testing you go through capability review and you see what shortfalls and gaps you may have within that assessment. As part of the plan you go back to address those plans and fill in those short gaps to try to complete your plan so that you are able to have a complete assessment of your jurisdiction’s capabilities.

[Slide 13]

One of the newer groups that just started kicking off is Working Group Six—the Mass Evacuation Working Group. The first meeting was held in March of 2012. The minutes and details of those meetings will be coming. They have not published those. We will get that information out to the committee.

If you are interested the working group is still looking for experts to serve on the committee. Another item that is going to be similarly tied into this work group is the task group currently established that is looking at international disaster aid and relief. They are looking to see some kind of protocols to establish when a country wants to provide assistance to another country for disasters and relief—what protocols they need to follow.

That task group will be meeting in Bogota this year, next month, to finalize the project and take it to the entire committee to see for approval if they want to continue this project.

[Slide 14]

Brian Zawada: Thanks, Orlando and hello, everyone. As Dean indicated, I am coordinating the U.S. representation to Working Group #4. What you see on the slide is Working Group #4—its charter is preparedness and continuity. There are three specific projects this group has worked on or is working on.

The three are listed here with their status. The first that has gotten a tremendous amount of interest and press is ISO 22301, which is the Business continuity management systems-Requirements document. This is the first document from Working Group #4 that has been approved, although it has not yet been published.

The target for this document in terms of publication will likely be before the end of May 2012, approximately seven weeks from now. It is great news that this document has finally reached approval status after a number of years of very hard work by the team.

This is a requirements document. It is written from the perspective of enabling optional audits and certification so it’s got a very black and white approach in terms of how it is written in terms of an organization that elects to adopt this standard and align to this standard. You see a lot of "shall do this" or "shall do that", but again, written from the perspective of optional audit and certification.

There is a companion document to this that is currently being worked on. It is a draft international standard—ISO 22313. It is the Business continuity management systems-Guidance document. If 22301 is the "what to do", this offers some guidance on how to do it. It is currently open for comment as a draft international standard.

Where participants in TC 223 and the experts and citizens from each of the member countries are offering comment on this draft document and thus far a tremendous amount of interest and comment has been collected.

The third project work item is ISO 22323 which is the Organization resilience management system. Unlike the previous two, this is a combination of a requirements document as well as guidance for use. Its status is earlier on—it is still a work group draft. That means there is still a lot of work being done to flesh out content even before it is released to a broader audience for comment.

The first one is approved but not published. The other two will be worked on actively in Bogota next month as both Dean and Orlando had indicated.

[Slide 15]

Let’s talk about 22301. As I mentioned before this one is the furthest down the line. It has actually just been recently approved for publication. This is a requirements document that enables auditability and eventually optional certification. It is written from around the concept of a business continuity management system.

The document is organized to enable an organization to set up, operate and continuously improve the business continuity management system. For those that are familiar with management system concepts or the plan-do-check-act model that was initially implemented with the quality initiative in the eighties, this document aligns with the plan-do-check-act model and common management systems concepts.

The way I look at it is that it is very adaptive. In other words, an organization could read this standard, identify processes and capabilities that might work well for them, add value and improve performance and they can plug those into their organization independently to drive continuous improvement.

That is why I call it adaptive. It is designed to enable any organization, public or private sector, large and small, for profit and not for profit to be able to use this standard anywhere in the world. It is also written in a way to enable interoperability. In other words, organizations that work together regardless of geography are able to use this standard to speak a common language and be able to implement a business continuity system that will meet their shared interests in terms of response and recoverability.

Overall, despite the fact that this is a requirements document and this is something that trips up a lot of people—despite being a requirements document this is not just used for audits and certification. This is a resource, one of many, that is written to drive performance as it relates to readiness and preparedness for business continuity.

[Slide 16]

This graphic you are seeing on this slide gives you the way in which ISO 22301 is organized. There are ten sections. The important thing I give as a caveat to this is that this is the requirement document organization that will be common across most ISO standards as they are developed and as they are updated going forward.

In other words, to have a common organization across these standards—I grayed out the first three because these are a lot of background—the scope of the standard is section one, or the normative references—other standards or references you need to know before you use the standard. That is section two. Terms and definitions are section three.

The heart of how to set up, operate and improve a business continuity business management system is the latter seven sections. In section four you determine the context of the organization and what business continuity means and what the business continuity management system means to the organization.

Section five is requirements around leadership. How do you lead the business continuity management system? How do you plan for its implementation in section six? What do you need to support its setup and ongoing operation? That is section seven.

For business continuity practitioners, the heart of a traditional business continuity lifecycle is found in section eight, titled "operations". This is where you’d see things like the business impact analysis, the risk assessment, response and recovery strategy development, references to exercises and testing, training and awareness, and ongoing continuous improvement efforts.

Sections nine and ten really wrap up the business continuity management system where it is evaluating the performance on an ongoing basis through internal audits. Section ten is that continuous improvement which is around management reviews and corrective actions.

ISO 22301 is one of the first standards organized in this new approach and is going to be the common approach going forward for most standards. Ultimately, as a business continuity practitioner, the content that will be most familiar to you will be largely in section eight.

[Slide 17]

One of the things I thought would be important, and I have already mentioned a couple of these, was important to talk about what ISO 22301 isn’t. The first thing I mention is that it is not a how-to guide. It does not give prescriptive detail on how to perform common business continuity planning activities. It is designed around how to set up, operate and continuously improve a business continuity management system regardless of type of organization.

The common attributes—we have to remember that all ISO standards are developed based on a consensus based approach that is acceptable to all participants. It is going to offer something that probably would be viewed by many as higher-level and not the how-to guide. ISO 22313 when it is released in its final form hopefully later this year will be more of the guidance or how-to for implementing the common elements you find in 22301.

This is not all about certification. Standards are first and foremost written to enable performance. ISO 22301 contributes to that goal. For organizations that have a business case and have found business value in obtaining certification, 22301 will eventually enable that objective.

I mentioned already once that ISO 22301 is business agnostic. It is written in a way that large or small organizations could gain value from implementing the processes that are included. You don’t have to be in the public sector or the private sector. You don’t have to be for profit or not for profit. Everyone can gain value from this.

It kind of goes along with the how-to guide point—this is not all things to everyone. Every reader will find something that they find that might be missing. That is based on the consensus based on the approach in that they might look at this and say that it doesn’t have enough information on IT disaster recovery planning or it doesn’t have enough information about risk mitigation or it doesn’t offer some of the jargon I’ve used you may find in some training programs.

That is because it is written to be able to be applied to any organization. You might say it is not the perfect fit but the nice thing about a management system standard is that you can really plug in other regulatory requirements and standards to bridge gaps and bring in other content that does make it a best fit for your organization.

The last thing—and I think this is really important—is that this is not a jargon packed standard. In fact it was the project team’s objective to eliminate as much jargon as possible to make it readable and value added so that an executive could read it and understand the importance of business continuity and what are some of the common attributes of operating business continuity management systems.

You did not have to be a twenty year veteran of business continuity to read this, understand it and figure out how to use it in your organization. I think that is hugely important and a differentiator with this standard.

[Slide 18]

The value, first and foremost—and I think most people can pick up on this—this is the first business continuity standard issued by ISO. With that, we understand that executive managers and customers have respected ISO standards for years and with that will come a greater level of awareness around business continuity.

The second point is that in ISO 22301 because it is a consensus developed standard and has input from experts around the world, this is a form of benchmarking. Where experts agree that this is the minimum expectations to be able to operate and successfully perform business continuity activity.

I mentioned before the lack of jargon. The value is this offers a common language—something that can be translated or understood throughout the world. We have introduced some concepts with simple language and simple descriptions. Hopefully that will enable collaboration worldwide amongst organizations.

Lastly there is the general understanding with this standard that it is not being perfect right off the bat. All management system standards believe that. The idea here is that the 22301 from a business continuity perspective—it drives engagement throughout the organization and amongst interested parties and it really drives continuous improvement.

[Slide 19]

Things you would need to know—it is going to be published in a few weeks but for those who really want to get a leg up really understand how to prepare, there is not that much difference from other ISO standards. There are some things you might want to learn about to prepare to understand and digest this standard.

The first is understanding what a management system is. There are many standards that have management system concepts. We know one of the most popular—ISO 9001, 14001, 27001—these are some of the common management systems that are introducing value and performance improvements around the world.

For those that use these standards and operate management systems aligned to these standards, talk to people in your organization and talk to experts. There is a lot published on these concepts but understanding governance requirements, the concept of the management review and corrective actions are the tenets of a management system that are there to drive performance improvement.

Another point that I think is valuable for management system concepts in this standard in particular is the concept of products and services as a method of scoping. With products and services that is something tangible that organizations can understand and managers and customers can understand.

We talked about products and services in recovering capabilities to deliver those products and services. This is far more tangible than being able to talk about recovering boxes in the org chart or just all facilities, or applications. It is much more easily understood among parties.

Understanding your products and services that should be within the scope of business continuity can be a way to get a leg up and prepare to use the standard. Another is to be able to understand the scope and objectives you want this standard to apply to with or without certification.

What do you hope to address with business continuity? What is most important to you? What do you hope that your business continuity management system will deliver in terms of objectives and value added work going forward?

Another important point is 22301 is not just responding reactively to disruptive incidents. It is also about working to try to decrease the likelihood of disruption. Getting a read of standards such as ISO 31000 that definitely will give—and 22301 uses a lot of that language—proactive risk treatment. Getting an understanding of those concepts will certainly offer an advance look at some of the concepts in 22301.

Lastly, is just getting familiar with ISO language. Requirements documents will include content that say an organization "shall" do this. To be able to say that you are fully aligned to a standard, "shall" is mandatory. Whereas you’ll see guidance documents use the word "should". That offers an opportunity to trip up some readers but it just gives you an idea.

There is a lot published on how ISO standards are written. With "shall" versus "should" you’ll see "shall" is a 22301 term and "should" is a 22313 term.

[Slide 20]

The ways to prepare—learn more about management systems and determine if management systems as a whole or certain elements might be a fit for you and your organization. If you’re brand new to business continuity, identify an executive sponsor in your organization or maybe even a broader representative steering committee that aligns to the concept of top management as noted in 22301.

Understand who your interested parties are whether those be internal to your organization, your customers, business partners and understand what your obligations are to those interested parties. Getting an understanding and collecting that information will certainly help enable you to implement 22301.

Identify an appropriate program scope as well as the objectives. These are five things that can be done now to enable the use of this standard in your organization at the end of May.

[Slide 21]

One of the things Dean mentioned before is the concept of PS-Prep. There is a lot of interest in this and it has been a program that has been in the works now for a number of years. This is a, for lack of a better term, government sponsored initiative that is part of the 9/11 Commission recommendations. Title IX of that act (Public Law 110-53) details this voluntary private sector preparedness accreditation and certification (PS-Prep).

Ultimately DHS had developed some selection criteria to select standards that an organization can become certified to on a voluntary basis. There were three standards that were initially included in this program—ASIS International SPC.1-2009 which is a standard on organizational resilience similar to 22323 at the present time.

There is the British Standard 25999-2 which is the requirements document very similar to the ISO 22301. Then the National Fire Protection Association’s NFPA1600—there are two instances of that standard—the 2007 variant and the 2010 variant that are included in the program as well.

An organization at the present time can select one of these standards, establish a scope statement and can be certified to one of these standards or more, but typically one standard, and be able to go ahead and market that capability to internal or third-party entities that may be interested. Those were the original three that were selected.

Although there has been no announcement there certainly has been a lot of beginning discussion and lobbying—it is likely there will be additional standards that will be included in the program in the future. ISO 22323 on emergency management and 22301 on business continuity could be added if the Department of Homeland Security deems they meet the selection criteria that has been published.

No decision has been made on that but it is certainly possible that a number of standards from TC 223 could be added to the mix and expanding upon these three. You could see some of these three eliminated from the program if they were withdrawn. That is all to be determined.

This program is in its infancy. It has just been recently launched to be perfectly honest. There has been a lot of work to be able to establish selection criteria, picking standards, establishing training programs, identifying certification bodies that would perform the audits, making sure these certification bodies are appropriately resourced and trained.

The first organization with the PS-Prep logo was an element of AT&T which selected British Standard 25999 and successfully achieved PS-Prep certification just a number of weeks ago. The program today is alive. It is these three standards. Those that would be interested can visit the DHS-FEMA website.

The organization that is managing this effort, ANAB, has a website as well. Being able to search the PS-Prep vehicle you will find the information to be able to direct you to how to participate or at least how to evaluate the value of this program.

[Slide 22]

I would like to offer a few conclusions. My conclusions will probably bridge across the comments made by Dean as well as Orlando. The standards we talked about today across all six workgroups, every project initiative—all of these are designed to help affect performance around a whole host of societal security related topics, not just business continuity.

There has been a lot written about the first international standard of business continuity, 22301, because it has just been approved. It should be available within the next two months. Hopefully that will help drive common dialog and discussion and capabilities around preparedness as it relates to disruptive incidents.

Again, PS-Prep is a voluntary certification program. If your organization finds value in being able to publish alignment to a specific standard that demonstrates an appropriate level of preparedness it might be something to look into. It is a program that is alive today, be it four standards, 25999, ASIS SPC.1 or two versions of NFPA 1600. There may be a time in the near future where additional standards, perhaps from TC 223, may become available.

[Slide 23]

Those are my concluding comments. I’d like to turn this back to Amy to manage our Q&A process. Thank you very much.

Amy Sebring: Thank you very much gentlemen. Now, to proceed to our Q&A and audience comments.

[Audience Questions & Answers]

Joyce Shroka: Will Dean, Orlando or Brian be taking 22301 to DHS for possible inclusion in PS-Prep?

Brian Zawada: I have heard in offline discussions with a number of individuals that have advocated that 22301 be included. Keep in mind it hasn’t been published yet so this is pretty early on. I think that is a prerequisite to even being considered.

When we take a look at a comparison of ISO 22301 to BS 25999-2 that was one of the major inputs into that standard. It wasn’t the only one but it was a major one. If we conclude that DHS’s selection criteria led to the inclusion of BS 25999 it is probably logical that this would be a good candidate for inclusion as well.

There are people who have taken this to the government to begin the process of this consideration but I don’t think we’ll be seeing too much of that actively until it is published later in May.

Daryl Spiewak: How do we get a copy of the standards?

Dean Larson: These are all copyright documents in terms of—they are available through the ISO website. As far as documents are in process, if you contact me I can provide copies to those that we are collecting comments on. We are collecting comments from people in the United States that put them together as a draft. I emphasize they are not the final version. The final versions are copyright at the ISO website.

Amy Sebring: There is a link to the TC 223 on our background page and that will take you to the published standards. They cost some money. The purpose of that money is to support the work of ISO committees, is it not?

Dean Larson: Yes it is, although as far as support basically the majority of people who participate are either funded by their own organizations or they are privately funded. As far as money coming back, I have mentioned that NFPA has responsibility for this technical committee and some other technical committees, as are other organizations, have the responsibility to support.

NFPA provides at least for a technical advisory group all the staff work and that is how Orlando is coordinator and he is also an active participant.

Amy Sebring: You talked about the various documents that are in draft and in the comments phase. In the comments phase, are comments solicited from the public at large or just through the organizational members?

Dean Larson: Each one of our technical advisory group members is invited to go out to their colleagues. It is not published out in a public website. It goes to members of the technical advisory group to people who would want to add in comments.

Then all the comments are collated and we put those together as the U.S. comment that we then send to ANSI. ANSI sends it to ISO. We are doing this in the name of ANSI so we have to coordinate it. Individuals can put in comments but they would not be reflected as U.S. comments.

Elysa Jones: Can you speak a bit about the status of 22322 - Public Warning System Guidelines and Requirements?

Orlando Hernandez: That is one of the projects of Working Group Three that we are working on. They are in the process of finalizing that draft so they can send it out for comments. They continue that work in Bogota which they are kind of finalizing. They are anticipating they will get it completed in this plenary session.

Dean Larson: Elysa, you may want to make sure you get that is to contact me and we can have you apply and be part of the technical advisory group so you’ll get those comments. What we do is send out all the documents to the technical advisory group people and we ask them to comment or tell us no comment. You are welcome to join. Drop me an email and I will get you moving forward in that direction.

Isabel McCurdy: How were countries formatted into these work groups?

Dean Larson: First of all, we started with Work Group #1. We had started with different countries including the U.S. along the way. When the leadership of Work Group #1 came open, the entire technical committee said, "Is there any of the countries that would like to take on the leadership of Work Group #1?" The Japanese applied and they were approved to do that.

As far as the leadership, it is something that the national standard body, in this case of Japan said they were willing to take it on. Working Group #2 was led by the U.K. and the U.K. has now relinquished that and it was taken over by the Canadians.

The Germans have had Working Group #3 from the beginning. The Dutch have had Working Group #4 from the beginning. Working Group #5 has been the French and #6 is now the U.K. The Canadian National Standards Body will put you in touch with their committee.

Amy Sebring: How does the 22301 standard relate to what we understand in government as "Continuity of Operations Planning" and do you see that being incorporated in COOP programs in the future?

Brian Zawada: I think there will be places where there will be terminology differences. No doubt about it. I mentioned before as one of the preparatory areas that before a standard is released it is understanding the conflict around products and services.

Government does products and services every day, internal and external and into their entity. There will be terminology and requirements you see in various government standards around COOP and they will not all be referenced there, but the spirit and intent of each one will be there in terms of understanding unique objectives and scope and the resources needed to be able to deliver products and services.

You won’t see some of the jargon or terminology but that additional detail could be plugged into 22301. It is very likely that this standard will be referenced by organizations large and small and in the public and private sector and it will be able to be used very effectively to meet a whole host of different objectives.

Rex Brooks: I came into the presentation a bit late, so I may have missed this, but is 22322 the outcome of work on the TSO, Tactical Situation Object?

Orlando Hernandez: I’m not too sure. Right now it is still in the committee draft and it was approved for registration as a draft international standard. That was done December 28, 2011. I can get back to Rex by email and research that and get him the exact answer.

Dean Larson: Let me comment on that. That work was originally put in through Lloyd Bokman into the additional considerations for 22322 but Orlando will give you an update on where we stand on that.

Amy Sebring: Dean or Orlando, I wonder if you can address in a high-level way how the ISO standard for emergency management incident requirements relates to the NFPA 1600? How does the Incident management ISO standard compare to the NFPA 1600 standard?

Orlando Hernandez: As far as looking at the 1600 it has a high level view of incident management and business continuity. We try not to be too specific in that document. As far as incident management there are some similarities but there are some differences as far as how you address certain areas.


Amy Sebring: Time to wrap for today. On behalf of Avagene and myself and all our participants today, thank you very much gentlemen for taking time to share this information with us today. We wish you the best as you move forward with this effort.

Before you go, PLEASE take a moment to do the rating/review! Note: We are asking you to rate the relevance of the information, and this will assist us in our future programming. Also, we would like to hear your comments regarding the WebEx platform.

Again, if you are not on our mailing list, please go to our home page to subscribe to get our announcements. You can also find us on Twitter and Facebook.

Our next program is scheduled for Wed., April 25th. Please mark your calendar and plan to be with us.

In the meantime, thanks to everyone for participating today. Have a great afternoon. We are adjourned.