ISO PAS 22399-2007 PDF

Full title and description

ISO/PAS 22399:2007 — Societal security — Guideline for incident preparedness and operational continuity management. This Publicly Available Specification provides guidance for public, private and nongovernmental organizations to develop incident preparedness and operational continuity capabilities, and to design a management approach to plan for, respond to and recover from disruptive incidents.

Abstract

ISO/PAS 22399:2007 offers a generic framework and best-practice controls for incident preparedness and operational (business) continuity management. It helps organisations understand their context, identify and prioritise critical objectives, assess risks and impacts, develop incident response and continuity plans, define roles and responsibilities, coordinate with first responders and stakeholders, and measure resilience in a consistent manner. The specification is intentionally generic so it can be applied across sectors, sizes and geographic contexts.

General information

• Status: Withdrawn (historical/PAS document).
• Publication date: December 2007 (2007-12).
• Publisher: International Organization for Standardization (ISO).
• ICS / categories: 03.100.01 (Company organization and management in general / Societal security).
• Edition / version: Edition 1 (ISO/PAS 22399:2007).
• Number of pages: 31 pages (official ISO record).

Scope

Provides general guidance for organisations of any size or sector to develop incident preparedness and operational continuity management (IPOCM). It covers the IPOCM lifecycle — understanding context, impact analysis, risk assessment, planning for continuity and recovery, incident response arrangements, roles and responsibilities, exercising and maintenance — while excluding direct operational emergency response activities that are the remit of public-sector responders, though coordination with those activities is emphasised.

Key topics and requirements

• Principles and terminology for incident preparedness and operational continuity management.
• Context analysis and identification of critical functions, services and stakeholders.
• Impact and risk analysis to prioritise continuity requirements and acceptable downtime.
• Development of incident management, continuity and recovery plans (incident management plan, operational continuity plan).
• Assignment of roles, responsibilities and governance for continuity and incident response.
• Mutual aid, coordination with first responders, communication and media interface.
• Exercising, training, maintenance and continual improvement of the IPOCM programme.

Typical use and users

Intended for directors, executives, continuity managers, emergency planners and operational leads in public, private and non‑governmental organisations. Useful for single-site operations through multinational enterprises, and for organisations seeking to establish or mature incident preparedness, continuity planning and resilience measurement practices. It is primarily guidance (PAS) rather than a certifiable requirements standard.

Related standards

ISO/PAS 22399 informed the development of later ISO societal security and business continuity standards. Related documents include ISO 22301 (business continuity management systems — requirements), ISO 22313 (guidance for ISO 22301), ISO/TR 22312 and other ISO 22300-series standards covering emergency management and resilience topics. National documents and sector standards such as NFPA 1600 and earlier British standards (e.g., BS 25999) are also part of the historical context that contributed to ISO/PAS 22399 and the ISO 22300 family.

Keywords

incident preparedness, operational continuity, business continuity, IPOCM, resilience, incident management, continuity planning, impact analysis, mutual aid, emergency coordination.

FAQ

Q: What is this standard?

A: ISO/PAS 22399:2007 is a Publicly Available Specification that provided guidance on incident preparedness and operational continuity management for organisations across sectors. It was published by ISO in December 2007.

Q: What does it cover?

A: It covers the IPOCM lifecycle: context and impact analysis, risk assessment and mitigation, development of incident management and continuity plans, roles and governance, coordination with responders and stakeholders, exercising, and programme maintenance and improvement. It is guidance-focused and does not specify certification requirements.

Q: Who typically uses it?

A: Executives, continuity and resilience practitioners, emergency planners, risk managers and operational leaders in public, private and NGO sectors seeking to establish or improve incident preparedness and continuity arrangements.

Q: Is it current or superseded?

A: ISO/PAS 22399:2007 is listed as withdrawn. Its guidance contributed to the later ISO business continuity family (notably ISO 22301 and ISO 22313) and the broader ISO 22300 series; organisations seeking current, certifiable requirements should refer to the later ISO 22301 editions and supporting guidance.

Q: Is it part of a series?

A: Yes — it sits historically within the ISO 22300 "Societal security" package of documents and influenced subsequent ISO standards on business continuity, emergency management and societal security. The ISO 22300-series (including ISO 22301, ISO 22313, ISO/TR 22312 and others) provides the current family of standards in this domain.

Q: What are the key keywords?

A: incident preparedness, operational continuity, business continuity, resilience, incident management, continuity planning, impact analysis, mutual aid.