JOnline: An Introduction to Incident Preparedness and Operational Continuity Management Based on ISO/PAS 22399:2007 

Download Article

All organizations face a certain amount of uncertainty and risk. The challenge is to determine how much risk is acceptable and how to cost-effectively manage risk while meeting the organization’s strategic and operational objectives.1

Interested parties and stakeholders require organizations to prepare proactively for potential incidents and disruptions to avoid suspension of critical operations and services or, if operations and services are disrupted, to resume operations and services as rapidly as required by those who depend on them.

Effective incident preparedness and operational (business) continuity management (IPOCM) requires a fundamental cultural change within the organization that includes an acceptance of uncertainty and imperfection. All levels of an organization need to appreciate that risk is inherent in every decision and activity and that a proportion of this risk has the potential to create disruption. People at all levels of an organization, therefore, need to consider how they will manage such disruptions to their activities.2

In 2007, the International Organization for Standardization (ISO) published the first internationally ratified benchmark document addressing incident preparedness and continuity management for organizations in both public and private sectors. ISO/PAS 22399:2007 Societal security—Guideline for incident preparedness and operational continuity management is based on best practices from the national standards of Australia, Israel, Japan, the UK and the US.

The main objective of this article is to provide an introduction to the key elements of IPOCM, based on ISO/PAS 22399:2007. Societal security is defined as the protection of society from and in response to crises caused by intentional and unintentional human acts, natural hazards and technical failures.3 This article is intended to assist board members in fulfilling some of the obligations of their organizations’ social responsibility.

Why an Organization Should Undertake IPOCM

Natural disasters, acts of terror, technology-related accidents and environmental incidents have clearly demonstrated that neither public nor private sectors are immune from crises, either intentionally or unintentionally provoked. This has led to a global awareness that organizations in the public and private sectors must know how to prepare for and respond to unexpected and potentially devastating incidents.

Organizational resilience requires proactive preparation for potential incidents and disruptions to avoid suspension of critical operations and services or, if operations and services are disrupted, for the resumption of operations and services as rapidly as required by those who depend on them.

ISO/PAS 22399 describes a holistic management process that identifies potential impacts that threaten an organization and provides a framework for minimizing their effects.4

Management’s Role

Managers and owners have the responsibility to maintain the ability of the organization to function without disruption. Organizations constantly make commitments or have a duty to deliver products and services, i.e., they enter into contracts and otherwise raise expectations.5

All organizations have moral and social responsibilities, particularly where they provide an emergency response or a public or voluntary service. In some cases, organizations have statutory or regulatory duties to undertake IPOCM.

All business activity is subject to disruptions, such as technology failure, flooding, utility disruption and terrorism. IPOCM should not be regarded as a costly planning process, but as one that adds value to the organization.

To be effective, an IPOCM program should be an integrated management process driven from the top of the organization and endorsed and promoted by the principal managers and executives. It should be managed at both the operational and organizational levels.

The organization should determine and provide resources and any necessary partnership arrangements essential to the implementation and control of the IPOCM system and continually improve its effectiveness. Resources include human resources (HR) performing work affecting the IPOCM system and specialized skills, infrastructure, technology and financial resources, and information and intelligence. Personnel competence should be based on appropriate education, training, skills and experience.6


The organization should determine its critical operational objectives and activities as identified in strategies; business plans; policy and mission statements; risk management plans; and management tools such as Strengths, Weakness, Opportunities and Threats (SWOT) analysis and balanced scorecard (BSC). Operational critical processes should be identified and documented. This will allow the organization to focus the resources required to operate its critical activities and functions within the context of its economic constraints.

After that, the organization should identify and evaluate potential risks and threats of disruptions and determine the duration of a disruption that is tolerable to its stakeholders. It is essential for the organization to understand its products and services and how these are delivered by activities within its operations.

Hazard, Risk and Threat Identification

Hazard, risk and threat identification should include, but not be limited to:7

  • Naturally occurring hazards that can occur without the influence of people and have potential for direct or indirect impact on the organization’s operations, people, property and/or environment (geological, meteorological and biological hazards)
  • Events caused by people and by technology (accidental and intentional)
  • Business-related events (positive and negative)

Risk identification should be an ongoing activity.

Risk Assessment

An organization should assess potential risks on the basis of reasonable criteria by giving due consideration to all potential risks. The organization should consider elements such as human lives, assets, compensation, profit, credit and natural environment. An organization should analyze information on risks and select those risks that may cause significant consequences and/or those risks whose consequence is hard to be determined in terms of significance.8

The organization should keep information related to its threat, risk and criticality assessments up to date and confidential, as appropriate.

An organization should analyze impacts of disruptions to its operations and identify critical business operations that are given high priority for restoration to set up recovery time objectives (RTOs).

Incident Response and Recovery

Figure 1The organization should plan for incident response and recovery, taking into account core activities, contractual obligations, employee and neighboring community necessities, operational continuity, and environmental remediation. Organizations have different approaches to managing crises. Regardless of the approach, there are three generic and interrelated management response steps, shown in figure 1, that require preemptive planning and implementation in case of a disruptive incident:9

  • Emergency response—The initial response to a disruptive incident usually involves the protection of people and property from immediate harm. An initial reaction by management may form part of the organization’s first response.
  • Continuity response—Processes, controls and resources are made available to ensure that the organization continues to meet its critical operational objectives.
  • Recovery response—Processes, resources and capabilities of the organization are reestablished to meet ongoing operational requirements. This will often include the introduction of significant organizational improvements, even to the extent of refocusing strategic or operational objectives.

Testing and Exercises

An exercise program should be consistent with the objectives of the organization and the regulatory regimes to which it is subject. Exercises may include tests that anticipate a predetermined outcome, tabletops, simulations and full operational exercises. Exercises should be based on realistic scenarios that are carefully planned with and agreed upon by stakeholders so that there is minimum risk of disruption to operational processes.

Corrective and Preventive Action

The organization should establish, implement and maintain corrective procedures for dealing with actual and potential program shortfalls and for taking corrective action and preventive action. The procedures should define criteria for:10

  • Identifying and correcting program shortfalls and taking actions to mitigate their impacts
  • Investigating program shortfalls, determining their causes and taking actions to avoid their recurrence
  • Evaluating the need for actions to prevent program shortfalls and implementing appropriate actions designed to avoid their occurrence
  • Recording the results of corrective and preventive actions
  • Reviewing the effectiveness of corrective and preventive actions

The organization should also ensure that internal audits and self-assessments of the IPOCM system are conducted at planned intervals to determine whether the IPOCM system conforms to planned arrangements for IPOCM and that the IPOCM program has been properly implemented and maintained.


In most organizations, the processes that deliver products and services depend on information and communication technology (ICT). Disruptions to ICT can, therefore, constitute a strategic risk, damaging the organization’s ability to operate and undermining its reputation. The consequences of a disruptive incident vary and can be far-reaching, and they may not be immediately obvious at the time of the incident.

The organization sets out its IPOCM priorities, and within that context, ICT continuity activities should be considered. ICT continuity should ensure that required ICT services are resilient and can be recovered to the predetermined levels within the time frame required and agreed upon by top management. Thus, effective IPOCM depends on ICT continuity to ensure that the organization can meet its objectives at all times, particularly during times of disruption.


Organizations of all sizes and types have become increasingly aware of the need to achieve and demonstrate proactive security performance related to their physical facilities, services, activities, products, supply chains and operational continuity. They do so within the context of increasing security risks and threats, more stringent legislation and regulation, heightened awareness of the need for adequate emergency response and remediation planning, concerns of interested and affected parties, and the need to assure operational continuity.

An organization’s response to risks, which aims at minimizing the impacts of risks and reducing social loss, should be promoted and recognized as its social responsibility.

To be successful, IPOCM should be owned by everyone within an organization. Building, promoting and embedding an IPOCM culture within an organization ensures that it becomes part of the organization’s core values and corporate governance. When effectively established, it instills confidence with stakeholders in the ability of the organization to cope with major disruptions.


1 Tangen, Stefan; Marc Siegel; “ISO/PAS 22399 Provides International Best Practice for Preparedness and Continuity Management,” special report, ISO Management Systems, January-February 2008,
2 International Organization for Standardization, ISO/ PAS 22399:2007 Societal security—Guideline for incident preparedness and operational continuity management, Switzerland, 2007
3 ISO, “Societal Security,” Glossary of Terms and Abbreviations,
4 Op cit, ISO, ISO/PAS 22399:2007
5 British Standards Institution (BSI), BS 25999-1:2006 Business Continuity Management:  Code of Practice, UK, 2008
6 Op cit, ISO, ISO/PAS 22399:2007
7 Ibid.
8 Ibid.
9 Ibid.
10 Ibid.

Haris Hamidovic, CIA, ISMS IA, ITIL-F, IT Project+
is chief information security officer (CISO) at Microcredit Foundation EKI Sarajevo, Bosnia and Herzegovina. Prior to his current assignment, Hamidovic served as IT specialist in the North American Treaty Organization (NATO)-led Stabilization Force (SFOR) in Bosnia and Herzegovina. He is the author of five books and more than 60 articles for business and IT-related publications. Hamidovic is a certified IT expert appointed by the Federal Ministry of Justice of Bosnia and Herzegovina and the Federal Ministry of Physical Planning of Bosnia and Herzegovina and is a doctoral candidate in critical information infrastructure protection from the Faculty of Information Technology (FIT), University “Dzemal Bijedic,” in Mostar, Bosnia and Herzegovina.

Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2011 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.