Security and resilience — Business continuity management systems — Guidelines for people aspects of business continuity

This document gives guidelines for the planning and development of policies, strategies and procedures for the preparation and management of people affected by an incident. This includes:
— preparation through awareness, analysis of needs, and learning and development;
— coping with the immediate effects of the incident (respond);
— managing people during the period of disruption (recover);
— continuing to support the workforce after returning to business as usual (restore).
The management of people relating to civil emergencies or other societal disruption is out of the scope of this document.

Sécurité et résilience — Systèmes de gestion de la poursuite des activités — Lignes directrices concernant les aspects humains de la poursuite des activités

General Information

Status: Published
Publication Date: 30-May-2018
Current Stage: 9093 - International Standard confirmed
Completion Date: 04-Jul-2022

Technical specification
ISO/TS 22330:2018 - Security and resilience -- Business continuity management systems -- Guidelines for people aspects of business continuity
English language
38 pages

Standards Content (Sample)

TECHNICAL SPECIFICATION
ISO/TS 22330
First edition
2018-06
Security and resilience — Business continuity management systems — Guidelines for people aspects of business continuity
Sécurité et résilience — Systèmes de gestion de la poursuite des activités — Lignes directrices concernant les aspects humains de la poursuite des activités
Reference number
ISO/TS 22330:2018(E)
© ISO 2018

COPYRIGHT PROTECTED DOCUMENT
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 People aspects overview
4.1 General
4.2 The need for a people aspects approach
4.3 Structure
5 Precursors
5.1 General
5.2 Duty of care
5.3 Attributes of the organization
5.4 Team and individual competencies
6 Preparing to respond
6.1 General
6.2 Business impact analysis
6.3 Managing people risks in business continuity
6.4 Including people aspects in business continuity management
6.5 Knowledge, skills and abilities
6.5.1 General
6.5.2 Education
6.5.3 Learning and development
6.5.4 Experience
6.6 Awareness across an organization
7 Delivering the response
7.1 General
7.2 Respond
7.2.1 General
7.2.2 Responding to early warning
7.2.3 Immediate actions to protect and secure people
7.2.4 Incident response organization
7.3 Recover
7.3.1 General
7.3.2 Mobilizing the workforce in adverse conditions
7.3.3 Using alternative work sites
7.3.4 Working from home
7.3.5 People management issues
7.4 Restore
7.4.1 General
7.4.2 Actions for sustainable restoration of operations
7.5 People support strategies
7.5.1 Managing the needs of families and friends
7.5.2 Physical and psychological well-being
7.6 Communications
7.6.1 General
7.6.2 Importance of internal communication
7.6.3 Communication systems and pathways
7.6.4 External communications
7.6.5 Social media
7.7 Managing the impact of travel issues
7.7.1 General
7.7.2 Travel issues
7.7.3 Managing a travel incident
8 Review and continuous improvement
8.1 General
8.2 Continuous improvement through exercising
8.3 Feedback from the workforce or external agencies
8.4 Record-keeping
8.5 Risk review
Annex A (informative) Psychological response management
Annex B (informative) Relatives response team
Bibliography

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 292, Security and resilience.

Introduction
The purpose of this document is to expand the guidance on managing the people aspects of an
organization’s preparation and response to disruptive events provided in ISO 22301 and ISO 22313. It
assumes that the organization is aware of the principles of business continuity management and has
established, or intends to establish, a business continuity management system (BCMS) aligned to these
standards. The guidance is relevant to all levels of the organization: from top management to individual
members of the workforce; from those organizations with a single site to those with a global presence;
from small-to-medium enterprises (SMEs) to organizations employing thousands of people.
In general, the English words “people” and “human” are frequently interchanged. In this document, the
term “people” is referenced as it puts the focus on the individual person rather than a group intimated
by the term “human”.
People are a key driver of organizational success and, at the same time, are always an interested party
in any activity supporting delivery of organizational objectives. The organization, therefore, should pay
particular attention to people, recognizing the two-way relationship it has with them. This applies to
an organization’s business continuity goals.
This document is relevant to business continuity and human resources professionals, and managers
responsible for organizational resilience, people management and people development. It is not a
definitive guide to managing an incident, but a review of the implications for managing the impacts on
the workforce and others who could be affected.
The guidelines in this document provide a uniform approach to developing the broad range of
knowledge, skills, behaviours and practices required of capable people to deliver effective business
continuity management.

1 Scope
This document gives guidelines for the planning and development of policies, strategies and procedures
for the preparation and management of people affected by an incident.
This includes:
— preparation through awareness, analysis of needs, and learning and development;
— coping with the immediate effects of the incident (respond);
— managing people during the period of disruption (recover);
— continuing to support the workforce after returning to business as usual (restore).
The management of people relating to civil emergencies or other societal disruption is out of the scope
of this document.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 22300, Security and resilience — Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 22300 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
duty of care
moral or legal obligation to ensure the safety, well-being or interests of others
3.2
employee assistance programme
contracted support service provided to organizations to assist them in addressing productivity issues,
and to assist employees in identifying and resolving personal concerns, including health, marital,
family, financial, alcohol, drug, legal, emotional, stress or other personal issues that could affect job
performance
Note 1 to entry: Adapted from the International Employee Assistance Professionals Association (EAPA).
3.3
nominated emergency contact
person nominated by an individual staff member who is their chosen first point of contact in the event
of the organization needing to make contact
Note 1 to entry: This may be the legal next of kin.
3.4
people aspects of business continuity
elements associated with the management of people involved in, or affected by, an incident in order
to minimize distress, maximize productivity and recovery, and achieve the recovery objectives of the
organization’s business continuity programme
3.5
psychological critical incident
event or series of events that could cause significant emotional or physical distress, psychological
impairment or disturbance in people’s usual functioning
Note 1 to entry: Mental health professionals working in this field would normally refer to a “traumatic event” as
a critical psychological incident. The term “critical psychological incident” is preferred as it implies an incident
that may or may not be traumatic to the individual involved. Although there are several definitions of a traumatic
event within the psychiatric and scientific world, critical psychological incident provides a more real-world
definition.
3.6
psychological education
provision of advice and guidance relating to psychological well-being
Note 1 to entry: It would usually include an overview of common reactions to distressing events in order to
normalize them, reduce anxiety, provide simple self-help strategies to facilitate recovery in the first few days and
provide where and when to seek further support.
3.7
psychological first aid
temporary, supportive intervention comparable to the concept of physical first aid
Note 1 to entry: Its goals include stabilizing the crisis situation, reducing emotional distress, providing advice
on self-care and psychological education (3.6), identifying people who may need professional assistance and
referring for further assistance, as necessary.
3.8
shelter in place
action to move people to predetermined areas inside the building/site in order to protect them from
external dangers during an incident
Note 1 to entry: This may be referred to as invacuation.
3.9
workforce
anyone engaged in the delivery of the organization’s objectives, including direct employees, agency
staff, contractors and volunteers
4 People aspects overview
4.1 General
This clause identifies the background within which the people aspects of business continuity
management are considered. Whatever the nature of disruption, the common factor is that people will
always be affected.
A business continuity management system (BCMS) considers the resources required for the response
to any disruptive event. People are an essential resource for the entire process and the organization
will depend on their response as individuals to disruptive events and as members of response, recovery
and restoration teams.
The people aspects approach also recognizes that everyone affected by a disruptive event is a potential
casualty in some way, whether physically or psychologically impacted or by being subjected to change
which has a longer-term effect on their daily lives and expectations. This includes people who are
not members of the workforce but are directly affected by consequences of the event, e.g. clients or
workforce family members.
As resources, casualties or both, people are also interested parties in the activities of the organization
with opinions and expectations of their own. The approach recognizes that in the abnormal
circumstances of a disruptive event, the impact of destabilization on an organization will lead to changes
in the expectations of and on individuals. This applies not only to continuity activities in affected parts
of an organization, but also to business as usual operations in apparently unaffected areas.
4.2 The need for a people aspects approach
ISO 22301 establishes the overarching requirements for people aspects of business continuity and
addresses competence, awareness and communication, and the organization’s duty of care.
In considering people aspects, it is important to understand at the outset what is at stake: what happens
if the organization on the one hand, or its people on the other, fails to meet the expectations of the other.
The potential impacts could be damaging to the organization and result from either real or perceived
weaknesses.
— Failure to deliver duty of care in line with people’s needs and expectations.
— Loss of willing, timely support from the workforce if people management is perceived as ineffective.
— Damage to reputation if consideration of people requirements is perceived as being neglected.
— Damage to the organization’s long-term ability to retain, recruit and motivate the workforce.
Failure to manage people aspects could lead to the organization being unable to do the following.
— Prepare: Plans are not fit for purpose due to inadequate provision of competent and available
resources.
— Respond: Immediate response is ineffective due to lack of training, poor understanding or
motivation.
— Recover: Barriers to changes in working arrangements arising from poor understanding, motivation
or capacity prevent successful implementation of recovery strategies.
— Restore: Unable to restore the organization to full capability through insufficient attention to
people-related issues.
In all people considerations, at all stages in the BCMS, the organization should consider and understand
events and issues that could adversely impact:
— ongoing safety, security and productivity;
— discretionary effort;
— retention and development of skills and talent;
— recruitment of people;
— engagement and morale.
4.3 Structure
Figure 1 illustrates the structure of the arrangements needed to establish an effective approach to the
management of the people aspects of business continuity. It is divided into two logical sections:
— the precursor steps required to establish the overall approach and capability;
— the detailed processes.
As indicated in the figure, each section is discussed in more detail in clauses that follow in this document.

Figure 1 — Structure to manage people aspects of business continuity
Precursors establish the strategic approach to the people aspects of business continuity as identified
by top management.
The development of the processes makes use of established techniques, including risk assessment,
business impact analysis and preparation of incident management, business continuity and crisis
management plans.
Post-event actions will address the review and continuous improvement activities necessary following
a disruptive event or a near miss. Exercising will validate capability, rehearse people in their required
tasks and identify learning needs to assist in the development or enhancement of competencies.
5 Precursors
5.1 General
Precursors are the arrangements and planning an organization should put in place to frame its approach
and attitude to the people aspects of business continuity. They require top management to:
— analyse its responsibilities with regard to duty of care;
— describe the attributes it sees as important to the organization;
— define the competencies, including technical and non-technical skills and behaviours, that individuals
and teams should demonstrate.
Disruptive events place unusual pressures on people affected, either directly or indirectly. Active
development of capabilities, both skills and behaviours, better prepares people as individuals and as
members of a response team to cope with the unexpected.
In turn, a focus on the application and development of management and leadership attributes that deliver
desired skills and behaviours offers additional value by enhancing the reputation of the organization.
5.2 Duty of care
In the response to any disruptive event, as part of its responsibilities, the organization owes a duty of
care to a wide range of people who are interested parties both internal and external to the organization.
EXAMPLE 1 Evacuated workforce members who require a safe, effective procedure to be in place to ensure an
efficient evacuation and proper accounting for people.
EXAMPLE 2 Response team members who require coping mechanisms to counter the stresses of managing
the response.
EXAMPLE 3 Residents adjacent to a site that is on fire who are affected by the smoke and other residue.
Table 1 identifies groups of people who could be affected and their needs, expectations or demands. It
is not an exhaustive list and the organization should identify the communities that could be affected by
any incident.
NOTE Responsibility for care for contractors and visitors will transfer to their parent organization after the
immediate response phase.
Table 1 — Duty of care responsibilities

Immediately impacted
Group:
a) Immediate physical threat (workforce, customers, visitors) – at risk of harm
b) Actual physical harm (workforce, customers, visitors) – injured
c) Evacuees/those sheltering in place (workforce, customers, visitors)
d) Outside site boundary (neighbours) – potentially affected
e) Families
f) Witnesses to injury, threat or death
Their needs, expectations and demands:
— A safe and secure location away from the immediate threat
— Medical care, including first aid and prompt transfer to medical facilities when required
— Practical support (water, shelter, transport, food)
— Lines of communication (two-way)
— Accurate information and appropriate advice
— Leadership
— Psychological education

Subsequently impacted
Group:
a) Same site, unaffected location (workforce, customers, visitors) – not physically threatened
b) Rest of organization (other sites)
c) Workplace family (close colleagues/friends, those who had a near miss)
d) Contra
Their needs, expectations and demands:
— Accurate information and practical advice
— Direction on requirements and intentions
— Leadership
— Two-way communication
— Psychological education
...
