DHS adopts ASIS standard to improve business preparedness


I subscribe to the Department of Homeland Security's media alert list and most of the time I get news about Secretary Napolitano's travels or budget requests - nothing too exciting or newsworthy. But, yesterday I received a press release regarding DHS's adoption of an ASIS International standard for its Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep). This standard, as you may have guessed, is largely about encouraging private businesses to develop and implement business continuity plans (and now receive certification for it) a duty which comes largely under the responsibility of the security department.

"Private organizations across the country—from businesses to universities to non-profit organizations—have a vital role to play in bolstering our disaster preparedness and response capabilities," said Secretary Napolitano. "These new standards will provide our private sector partners with the tools they need to enhance the readiness and resiliency of our nation."

In a press release from ASIS International, the standard (officially called the ASIS Organizational Resilience Standard) "provides a framework for businesses to assess the risks of disruptive events, develop a proactive strategy for prevention, response and recovery, establish performance criteria, and evaluate opportunities for improvement."

Here are some of the bullet points for what the standard can offer:
* Create a balanced strategy for both likelihood and consequence reduction for incident
prevention and management.
* Establish, implement, maintain and improve an organizational resilience
management system.
* Demonstrate resiliency and continuity for supply chain and contractual agreements.
* Assure conformance with stated organizational resilience management policy.
* Implement a maturity model approach to cost-effectively enhance
resilience performance.
* Make a self-determination and self-declaration of conformance with
* Seek certification/registration of its organizational resilience management system by
an accredited third-party certification body.
* Leverage an existing investment in other ISO management system standards (e.g.
ISO 9001, ISO 14001, ISO 27001, ISO 28000) to improve security, preparedness
and continuity performance.
* Integrate plans for managing the risks of disruptive events into their
enterprise-wide risk management programs, consistent with the ISO 31000 for
risk management.

If you're not really sure how to implement such a standard, ASIS is offering a two-and-a-half-day class on Organizational Resilience: Implementing and Auditing the ANSI/ASIS American National Standard. With all the craziness happening in the world these days, frankly, businesses can't afford not to have strong continuity plans in place.