EN ISO 22361:2022

SLOVENSKI STANDARD
01-januar-2023
Nadomešča:
SIST-TS CEN/TS 17091:2018
Varnost in vzdržljivost - Krizno vodenje - Smernice (ISO 22361:2022)
Security and resilience - Crisis management - Guidelines (ISO 22361:2022)
Sicherheit und Resilienz - Krisenmanagement - Leitlinien für die Entwicklung einer
Strategie (ISO 22361:2022)
Sécurité et résilience - Gestion de crise - Lignes directrices (ISO 22361:2022)
Ta slovenski standard je istoveten z: EN ISO 22361:2022
ICS:
03.100.01 Organizacija in vodenje Company organization and
podjetja na splošno management in general
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EN ISO 22361
EUROPEAN STANDARD
NORME EUROPÉENNE
November 2022
EUROPÄISCHE NORM
ICS 03.100.01 Supersedes CEN/TS 17091:2018
English Version
Security and resilience - Crisis management - Guidelines
(ISO 22361:2022)
Sécurité et résilience - Gestion de crise - Lignes Sicherheit und Resilienz - Krisenmanagement -
directrices (ISO 22361:2022) Leitlinien für die Entwicklung einer Strategie (ISO
22361:2022)
This European Standard was approved by CEN on 14 October 2022.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this
European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references
concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN
member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management
Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and
United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2022 CEN All rights of exploitation in any form and by any means reserved Ref. No. EN ISO 22361:2022 E
worldwide for CEN national Members.

Contents Page
European foreword . 3

European foreword
This document (EN ISO 22361:2022) has been prepared by Technical Committee ISO/TC 292 "Security
and resilience" in collaboration with Technical Committee CEN/TC 391 “Societal and Citizen Security”
the secretariat of which is held by AFNOR.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by May 2023, and conflicting national standards shall be
withdrawn at the latest by May 2023.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document supersedes CEN/TS 17091:2018.
Any feedback and questions on this document should be directed to the users’ national standards
body/national committee. A complete listing of these bodies can be found on the CEN website.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO 22361:2022 has been approved by CEN as EN ISO 22361:2022 without any modification.

INTERNATIONAL ISO
STANDARD 22361
First edition
2022-10
Security and resilience — Crisis
management — Guidelines
Sécurité et résilience — Gestion de crise — Lignes directrices
Reference number
ISO 22361:2022(E)
ISO 22361:2022(E)
© ISO 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
ISO 22361:2022(E)
Contents Page
Foreword .v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Crisis management — Context, core concepts and principles. 3
4.1 The nature of crises . 3
4.2 Characteristics of a crisis . 3
4.3 Potential origins of crises . 5
4.4 Readiness to respond and recover . 7
4.5 Principles for crisis management . 7
4.5.1 General . 7
4.5.2 Principle A: Governance . 7
4.5.3 Principle B: Strategy . 7
4.5.4 Principle C: Risk management . 7
4.5.5 Principle D: Decision-making . 8
4.5.6 Principle E: Communication . 8
4.5.7 Principle F: Ethics . 8
4.5.8 Principle G: Learning . 8
5 Building a crisis management capability . 8
5.1 General . 8
5.2 Crisis management framework . 9
5.2.1 General . 9
5.2.2 Leadership. 9
5.2.3 Structure . 10
5.2.4 Culture . 10
5.2.5 Competence . 11
5.3 Crisis management process . 11
5.3.1 Anticipation . 11
5.3.2 Assessment . 11
5.3.3 Prevention and mitigation . 11
5.3.4 Preparedness .12
5.3.5 Response . . 16
5.3.6 Recovery . 19
5.3.7 Continual improvement. 19
6 Crisis leadership . .20
6.1 Core leadership skills and attributes . 20
6.1.1 General .20
6.1.2 Role and responsibility of the crisis leader(s) . 21
6.2 Well-being and sustainable crisis response . 22
6.2.1 Crisis management responders . . 22
6.2.2 Wider interested-party impact . 22
7 Strategic crisis decision-making .23
7.1 General .23
7.2 Why decision-making can be challenging . 24
7.3 Dilemmas, decision delay, decision avoidance . 25
7.4 Decision-making issues .25
7.5 Effective crisis decision-making . 25
8 Crisis communication .26
8.1 General . 26
8.2 Pre-crisis preparation. 26
iii
ISO 22361:2022(E)
8.3 Managing relationships and reputation . 27
8.4 Key roles . 27
8.4.1 Communication team . 27
8.4.2 Spokespeople .28
8.4.3 Media relations .28
8.5 Crisis communication strategy .28
8.6 Key principles and activities of crisis communication .29
8.7 Consistency of message . 30
8.8 Barriers to effective communication . 30
8.9 Social media — Opportunities and threats . 31
9 Training, validation and learning from crises .31
9.1 General . 31
9.2 Developing competence . 32
9.3 Training . 32
9.4 Exercising . 33
9.5 Validation .34
9.6 Evaluating and learning .34
Bibliography .36
iv
ISO 22361:2022(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 292, Security and resilience, in
collaboration with the European Committee for Standardization (CEN) Technical Committee CEN/
TC 391, Societal and Citizen Security, in accordance with the Agreement on technical cooperation
between ISO and CEN (Vienna Agreement).
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
v
ISO 22361:2022(E)
Introduction
This document has been developed to aid in the design and ongoing development of an organization’s
crisis management capability. It sets out principles and practices needed by all organizations.
Crises present organizations with complex challenges and, possibly, opportunities that can have
profound and far-reaching consequences. An organization’s crisis management capability and its ability
to manage a changing environment are key factors in determining whether a situation or incident has
the potential to pose a serious or existential threat to the organization and its environment. The crisis
affecting an organization can be part of a broader crisis.
To ensure the crisis management capability has the desired outcome, the organization should provide:
— committed leadership;
— structures (e.g. funding, communications, relationships and linkages, equipment, facilities,
information management, principles, processes and procedures);
— a supportive culture (e.g. values, ethics, code of conduct);
— competent personnel (e.g. knowledge, skills and attitude, flexible thinking).
An organization’s crisis management capability will be influenced by its relationship with other
interdependent areas such as risk management, business continuity, information security, physical
security, safety, civil protection, incident response and emergency management.
The organization should adopt a structured approach to crisis management by applying a set of
principles on which a crisis management framework can be developed. These interrelated principles,
framework and applicable process elements support the implementation of a crisis management
capability in a purposeful, consistent and rigorous manner (see Figure 1).
vi
ISO 22361:2022(E)
Key
principle (see 4.5)
framework (see 5.2)
process (see 5.3)
Figure 1 — Building a crisis management capability — Principles, framework and process
The structure of the document is as follows:
— the core concepts of crisis management are described (see Clause 4);
— then the framework and process for building a crisis management capability are outlined (see
Clause 5).
The clauses that follow provide more detail on:
— crisis leadership (see Clause 6);
— strategic crisis decision-making (see Clause 7);
— crisis communication (see Clause 8);
— training, validation and learning from crises (see Clause 9).
Continual improvement is a component of all elements of this document (see 5.3.7), so that while it is
part of the process, it also addresses all capability elements.
vii
INTERNATIONAL STANDARD ISO 22361:2022(E)
Security and resilience — Crisis management — Guidelines
1 Scope
This document provides guidance on crisis management to help organizations plan, establish, maintain,
review and continually improve a strategic crisis management capability. This guidance can help any
organization to identify and manage a crisis. Elements for consideration include:
— context, core concepts, principles and challenges (see Clause 4);
— developing an organization’s crisis management capability (see Clause 5);
— crisis leadership (see Clause 6);
— the decision-making challenges and complexities facing a crisis team in action (see Clause 7);
— crisis communication (see Clause 8);
— training, validation and learning from crises (see Clause 9).
It is applicable to top management with strategic responsibilities for the delivery of a crisis management
capability in any organization. It can also be used by those who operate under the direction of top
management.
This document acknowledges the relationship and interdependencies with various disciplines but is
distinct from these topics.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 22300, Security and resilience — Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 22300 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
capability
ability to accomplish an undertaking with a defined intended outcome and within specified conditions
Note 1 to entry: An organizational capability depends on the available resources and organizational principles,
framework (leadership, structure, culture, competences) and processes.
ISO 22361:2022(E)
3.2
crisis
abnormal or extraordinary event or situation that threatens an organization (3.13) or community and
requires a strategic, adaptive and timely response in order to preserve its viability and integrity
Note 1 to entry: The event or situation can include a high degree of complexity, instability and uncertainty.
Note 2 to entry: The event or situation can exceed the response capacity or capability (3.1) of the organization.
Note 3 to entry: Given the nature of a crisis, a flexible and dynamic approach is needed in addition to any
rehearsed plans and procedures.
Note 4 to entry: Threats can impact upon the organization’s ability to function, its reputation, its brand, its
physical, political or intellectual property, its organizational structure and its human, environment and economic
factors.
Note 5 to entry: The term “organization” also includes governmental and non-governmental agencies and
national authorities in the public sector, as well as non-governmental organizations (NGOs) and charities.
3.3
crisis management
coordinated activities to lead, direct and control an organization (3.13) with regard to crisis (3.2)
3.4
crisis management team
CMT
group of individuals functionally responsible for leading the organization's (3.13) crisis management
(3.3) response
3.5
crisis management plan
CMP
document specifying which procedures and associated resources are to be applied by whom and where
in a crisis (3.2)
3.6
incident
event or situation that can be, or could lead to, a disruption, loss, emergency or crisis (3.2)
[SOURCE: ISO 22300:2021, 3.1.122, modified — “or situation” has been added to the definition.]
3.7
interested party
stakeholder
person or organization (3.13) that can affect, be affected by, or perceive themselves to be affected by a
decision or activity
3.8
governance
human-based system by which an organization (3.13) is directed, overseen and held
accountable for achieving its defined purpose
3.9
situation report
summary, either verbal or written, outlining the current state and potential development of an incident
(3.6) or crisis (3.2) and the response to it
3.10
situational awareness
perception of the elements in the environment within a volume of time and space, the comprehension of
their meaning and a projection of their status in the near future
ISO 22361:2022(E)
3.11
top management
person or group of people who directs and controls an organization (3.13) at the highest level
3.12
issue
event or situation that does not currently present, but can develop into, a long-term or significant
negative impact on the strategic objectives, reputation or viability of the organization (3.13)
Note 1 to entry: Effectively responding to emerging issues can result in the successful aversion of a crisis (3.2).
3.13
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
3.14
crisis communication
communications both internal and external to provide information, updates and instructions to
internal and external interested parties (3.7)
Note 1 to entry: Adequate crisis communication can also protect the organization's (3.13) reputation and brand
and maintain its public image.
4 Crisis management — Context, core concepts and principles
4.1 The nature of crises
Crises can be associated with highly complex issues, the full implications and nature of which can be
unclear at the time. Possible decisions and actions can have severe negative consequences, and decision-
makers at all levels sometimes have to choose the least detrimental solution (see 7.4) and resolve (or
recognize and accept) fundamental strategic dilemmas. This can mean that every choice comes with a
penalty of some kind and there is no ideal solution.
Premature or ill-considered decisions on actions or processes to manage a crisis can have potential to
cause significant consequences and cause additional harm or exacerbate the crisis situation and should
be avoided. If the range of available options being considered can reduce the impact of a crisis yet have
adverse consequences upon other organizational objectives, it can be necessary to choose the option
that has the potential to create the least amount of loss or disruption to the organization
Crises often involve threats to people, the environment, assets (such as property or information) or
reputation.
A crisis can require the organization to review its objectives, opportunities, strategies, policies,
practices or procedures and culture and as part of continual improvement.
A well-managed crisis can demonstrate the positive qualities of an organization and enhance its
reputation
4.2 Characteristics of a crisis
A crisis can be complex and challenging and can also provide opportunities for an organization to
demonstrate core values, effective controls, governance, crisis response, review and learning.
ISO 22361:2022(E)
Although many crises appear to be unique there are often consistent characteristics. Understanding
these characteristics enables the improvement of the crisis management capability by comprehending
their differences.
Often, a crisis is precipitated by an incident. There are some common characteristics found in both an
incident and a crisis. Table 1 highlights some of the differences and Figure 2 shows the relationship
between an incident and a crisis.
Table 1 — Key characteristics between incidents and crises
Characteristics Incidents Crises
Predictability Incidents are generally foreseeable, Crises are typically unique, rare events or
although their specific timing, type and situations. Some crises can be anticipated;
impact are variable. however, timing and impact usually are not
always foreseeable.
Onset Incidents can be no-notice or short-notice Crises can also occur from a no-notice or
disruptive events, or they can emerge short-notice event. They can also emerge
through a gradual failure or loss of control. from an incident that has not been con-
tained, has been managed badly or further
escalates to have reputational conse-
quences, and which requires a crisis-level
response.
Urgency and pres- In managing an incident, there is usually a A crisis always needs urgent attention as
sure high sense of urgency to act to either pre- the impact can be very high. Given the po-
vent the situation from getting worse or to tential impact and the fact that a crisis has
minimize its impact. more visibility it is common that it places a
high level of pressure on the organization.
Impacts Incidents are events which, although they Crises can disrupt or affect the entire
can take considerable resources to manage, organization, transcending organizational,
rarely threaten the existence of the organi- geographical and sectoral boundaries. As
zation or have a major long-term impact on crises tend to be complex and inherently
its reputation. The impacts are usually local uncertain, the long-term impacts can be dif-
or affect only a part of the organization. ficult to assess. A badly handled crisis can
lead to a catastrophic loss of functionality,
Incidents are generally manageable, and al-
values, trust and reputation. These negative
though the impact on interested parties can
impacts can have a lasting detrimental
be severe, it is manageable and temporary.
effect on the organization. Crisis can lead
to the conclusion that the legal situation
should be adjusted during the crisis.
The size, location and type of an organiza-
tion can make it more susceptible to certain
incidents which can become a crisis.
Scrutiny by public, Effective incident management, where- Crises are likely to result in significant scru-
media and other by adverse events are quickly iden- tiny and interest among interested parties
interested parties tified, impacts rapidly mitigated and including members of the public, product
business-as-usual quickly restored, will and service users, specific groups (such as
probably attract little or no negative media regulators, shareholders or industry bodies)
attention. and the media, including social media.
Where there is adverse publicity, this can The specific parties taking an interest in
be confined to a locality or a specific group. the crisis will depend on the type of event,
However, there is always the possibility of who it threatens, and who it impacts. It is
the adverse publicity growing and spread- very likely that all actions and responses
ing to additional groups, leading to the by the organization will be scrutinized and
event becoming a crisis. any perceived poor decisions, attempts
to avoid responsibility, blaming of others,
poor treatment of victims or attempts to cut
costs on the response can lead to further
sustained criticism and a deepening of the
crisis, or can create new challenges.
ISO 22361:2022(E)
TTabablele 1 1 ((ccoonnttiinnueuedd))
Characteristics Incidents Crises
Manageability Incidents can often be resolved by using Crises, through a combination of their
through established plans which contain incident management novelty, inherent uncertainty and potential
plans and proce- procedures and structures and details of scale and duration of impact, are rarely
dures predetermined solutions and available resolvable through the application of prede-
resources. Top management can potentially fined procedures and plans alone.
be informed or need to provide direction
They demand a flexible, creative, strate-
and supervision
gic and sustained leadership response.
Values and behaviour can be challenged
and amended. The organization will rely on
its crisis management structure, methods,
planning, training and exercising.
Crises challenge the capabilities of the
organization beyond its inherent coping
capacity.
An issue could escalate to an incident, then a crisis. The organization should recognize the change in
the situation and be flexible so it can adjust its response accordingly.
Figure 2 — Relationships and characteristics between an issue, incident and crisis
4.3 Potential origins of crises
Crises can be caused in a number of ways, including:
a) disruptive incidents that have immediate and strategic implications: these can arise from acts of
malice, misconduct or negligence, or a failure (perceived or actual) to deliver products or services
that meet the expected standards or legal requirements of quality or safety, unpopular (political)
decisions or actions, rumours and false information;
ISO 22361:2022(E)
b) operating fluctuations such as changes in the public reporting in the market, and interested parties’
preferences, technological development, changes in laws and regulations, competitions and threats
of takeover;
c) poorly managed incidents and the emergence of latent and hidden issues with unacceptable
consequences for trust in an organization’s reputation and brand; such issues can “incubate” over
time, typically as a result of:
1) inadequate governance allowing for gradual and incremental slippages in standards of quality,
reliability, safety or management control to go unchecked and become accepted as a normal
way of working;
2) convenient, but unofficial, “workaround” strategies becoming the routine, due, for example,
to overcomplicated processes, unrealistic schedules, chronic personnel shortages and relaxed
supervision;
3) flaws in supervision and process monitoring, which promote an expectation of “getting away
with” undesirable behaviours or being able to survive minor failures without reporting them,
or over-reliance on controls to catch all errors, rather than an expectation of quality checks
that catch only occasional issues;
4) blame cultures that encourage risk and issue cover-ups and the lack of a shared sense of
mission and purpose, which generates a defensive (if not hostile) “them and us” attitude
between personnel and management, between different parts of the organization and between
the organization and external interested parties;
5) poor behaviour (or what is perceived to be poor behaviour) by the organization’s executives,
a single executive or the organization as a whole (such as lying, misrepresenting services or
products and results, failure to revise decisions or recall products when knowing they pose
a danger to their purchaser or the public, actions which are in conflict with the organization’s
values, illegal activity or willingly breaching regulations);
6) poor training and development of personnel and managers, or incremental loss of skills and
knowledge;
7) human factors including fatigue, stress, personal issues and working in unfamiliar
circumstances;
8) ineffective human resource management (such as failure to learn from historical events,
unrealistic schedules, chronic personnel shortages and relaxed supervision);
9) external factors that can impact the organization’s people, operations, reputation, technology
and assets, both tangible and intangible, such as extreme weather events, and incidents
triggered by critical vendors or data loss;
10) inadequate preparation (plans, procedures and organization) for dealing with incidents;
11) failure to escalate appropriately due to ability, choice or culture.
Crises invariably have multiple contributing factors, which can originate from inside or outside the
organization. These can interact in a complex manner, making them difficult to identify and manage,
resulting in the need for flexible planning approaches. While the origin of an incident can seem simple
at the onset, further review can expose systemic weakness in how the organization is managed. If an
incident is not managed effectively, it can escalate into a crisis.
Crisis management strategies and actions should reflect the organization’s objectives and values.
Failure to adhere to its core values can make the situation worse.
ISO 22361:2022(E)
4.4 Readiness to respond and recover
The uncertainty of crisis situations demands that crisis roles and responsibilities are understood, and
actions clearly and methodically overseen and directed. Decisions should be intrinsically linked to the
core values of the organization. The organization should prepare to face difficult decision-making and
emphasize the importance of clear and coherent actions and communications during the crisis.
The organization should determine ways to mobilize its crisis management resources and activate the
associated processes. Timely response to a crisis is critical. Denial, complacency or delay among strategic
decision-makers can increase the impact and the organization’s vulnerability, hamper response, and
degrade capacity to recover. Crises can be so extraordinarily demanding that no assumptions should
be made about the ability of personnel (of any seniority, grade or experience) to manage them and steer
the organization out of a crisis.
Successful crisis management requires flexibility and creativity. It can involve stepping outside the
normal “rules” of the organization or its business environment and being prepared to defend or justify
its actions. For the organization’s leaders, this requires clarity of thought, strategic vision, decisiveness
and the ability to act in ways that reflect the core values of the organization. In particular, leaders should
behave with compassion toward those affected by the crisis and expect and encourage this behaviour
across the whole organization.
4.5 Principles for crisis management
4.5.1 General
The principles given in 4.5.2 to 4.5.8 are the foundation for establishing and building the organization’s
crisis management capability that is underpinned by operational capability.
4.5.2 Principle A: Governance
Crisis management is dependent upon effective governance at all levels of the organization.
A crisis management capability is dependent upon clearly understood structures, roles, responsibilities
and competence.
The capacity of employees to respond to a crisis is impacted by their understanding of their roles and
responsibilities, being adequately trained to competently and confidently meet the demands of the
crisis.
4.5.3 Principle B: Strategy
Crisis management is a strategic capability.
Building and maintaining a crisis management capability is dependent upon leadership communicating
its value and importance to the organization, setting objectives and allocating resources to achieve
these.
The crisis management capability is guided by the core values, priorities of the organization, and the
potential consequences and impact of the crisis.
4.5.4 Principle C: Risk management
The crisis management capability is dynamic and is founded upon the management of risk.
Adaptive and timely crisis management is dependent upon situational and risk awareness, enabling
the organization to actively monitor its internal and external environments and assess its potential
vulnerabilities and opportunities.
ISO 22361:2022(E)
Effectively managing change,
...