PS-Prep Overview
January 20, 2010
PS-Prep is a collection of standards for companies to abide by, intended to ensure business continuity in the event of a natural or man-made disaster. Because of its breadth, we have decided to create this chart with the hope of bringing clarity to a potentially overwhelming document.
Simply click on any of the boxes below to learn more about the details of that specific item.
The Players
The players for PS Prep as we have defined them are the players with direct impact on the program and those directly impacted by the program. We have defined the players in the following order:
- DHS with a line out to FEMA
- ANAB
- Certifying Bodies with a line out to the auditors of the standards
- Private Sector
- Congress
Department of Homeland Security (DHS)
Role: Congress directed the Department of Homeland Security (DHS) to develop and implement a voluntary program of accreditation and certification of private entities using standards adopted by DHS that promote private sector preparedness, including disaster management, emergency management and business continuity programs.
Before the establishment of the Department of Homeland Security, homeland security activities were spread across more than 40 federal agencies and an estimated 2,000 separate Congressional appropriations accounts.
In February 2001, the U.S. Commission on National Security/21st Century (Hart-Rudman Commission) issued its Phase III Report, recommending significant and comprehensive institutional and procedural changes throughout the executive and legislative branches in order to meet future national security challenges. Among these recommendations was the creation of a new National Homeland Security Agency to consolidate and refine the missions of the different departments and agencies that had a role in U.S. homeland security.
ANAB – ANSI-ASQ National Accreditation Board
Role: DHS engaged ANAB to establish and oversee the development and implementation of the accreditation and certification requirements for the Voluntary Private Sector Preparedness Accreditation and Certification Program.
ANAB will be responsible for carrying out independent accreditations, overseeing the certification process, and monitoring the operations of any third party conducting certifications for disaster/emergency management and business continuity programs.
The ANAB program will assess whether a private sector entity conforms to voluntary preparedness standards. The program will include separate classifications and methods of certification for small business concerns. The program will not involve issuance of any individual professional certifications.
ANAB will accredit certifiers to certify private sector organizations against appropriate standards to be determined. A publicly available list of accredited certification organizations will be maintained by ANAB. The contract is effective for one base year with two additional option years.
More about ANAB – www.anab.org and select the Preparedness link.
The ANSI-ASQ National Accreditation Board (ANAB) is the U.S. accreditation body for management systems. ANAB accredits certification bodies (CBs) for ISO 9001 quality management systems (QMS), ISO 14001 environmental management systems (EMS), ISO 27001 information security management systems, ISO 22000 food safety management systems, ANSI/AIHA Z10 occupational health and safety management systems, and numerous industry-specific requirements. ANAB is a member of the International Accreditation Forum and a signatory of the IAF multilateral cooperative arrangements (MLAs) for QMS and EMS. Through the IAF MLAs and the Multilateral Cooperative Accreditation Arrangement, ANAB cooperates with other accreditation bodies around the world to provide value to its accredited CBs and their clients, ensuring that accredited certificates are recognized nationally and internationally. The global conformity assessment system ensures confidence and reduces risk for customers engaging in trade worldwide.
ANAB will create an Accreditation Rule that will be followed by Certifying Bodies for the standards selected by DHS. This rule is currently only a draft. What is not known as of this writing is whether there will be one overall accreditation rule or one for each of the selected standards individually.
Certifying Body
A Certification Body (CB) is an organization that performs a third-party audit of an organization to a specific standard. Commonly, these organizations do not consult with their customers. They are there to provide an independent audit or assessment of an organization’s conformity to a specific standard.
A certification body must follow specific standards themselves as defined by ISO:
ISO/IEC 17021-2006 Conformity assessment — Requirements for bodies providing audit and certification of management systems and requirements for third-party certification auditing of management systems — Part 2: Requirements for third party certification auditing of management systems
A certification body is accredited for auditing a standard through organizations such as ANAB and UKAS. For PS-PREP, the accreditation for a CB will be through ANAB, as explained above.
Private Sector
As defined by Answers.com, the Private Sector is that part of an economy in which goods and services are produced by individuals and companies as opposed to the government, which controls the public sector.
As a result of the 9-11 Commission report and subsequently the PL110-53 Title IX recommendation, the private sector was identified as having significant risks in being able to respond to and recover from a significant disruption. Therefore, the PS Prep program is designed to build awareness and give businesses of all sizes the ability to plan, test and recover by having disaster management, emergency management and business continuity programs.
Congress
Since PL-110 53 is a law, any changes to the law need to be ratified by Congress.
Note: The House Bill (HR-1) was sponsored by Rep. Bennie G. Thompson, Chair of the Homeland Security Committee. He remains a key supporter.
Speaker Nancy Pelosi was also an early supporter and posted the following notice, which is still on her website:
“The first order of business for the New Direction Congress, making America safer, was passage of H.R. 1, finally implementing the recommendations of the independent 9/11 Commission. While the Administration’s own National Intelligence Estimate conceded the war in Iraq made us less safe from terrorism, the 9/11 legislation was the long overdue, smart approach to ensuring homeland security.”
FEMA – Federal Emergency Management Agency
FEMA – An Agency within DHS
Private Sector Preparedness Coordination Council
FEMA Administrator Craig Fugate is the Designated Officer responsible for the accreditation and certification program. The Administrator chairs a Private Sector Preparedness Coordinating Council comprised of department leadership from the Science & Technology Directorate, Office of Infrastructure Protection, and Office of the Private Sector. Once standards are adopted, the Council will focus on the remaining requirements of the law, which include addressing small business considerations, defining and promoting the business case to encourage private sector entities to work toward voluntary certification and overseeing the program’s progress.
Lead Auditor
A certification body uses Lead Auditors to conduct the Stage 1 – Documentation Review and Stage 2 – Compliance Review to a given standard. Until the comment period has ended and the final standards are selected, the full details of this process will be pending.
An auditor must possess a certain skill set not only in the standard, but in auditing and in practical experience in the focus area of the standard. There are no specific competency requirements issued for PS-Prep as of yet, but we assume that the background of the auditor must include some or all of disaster management, emergency management and business continuity programs. A person wishing to become an auditor or lead auditor must take an accredited ANAB course and pass a competency exam. They must also follow:
ISO 19011:2002 Guidelines for quality and/or environmental management systems auditing
PS-Prep
Private Sector Preparedness, better known as PS-Prep has taken shape over the past several months with the announcement by the Department of Homeland Security of the proposed three Standards under the program. ContinuityCompliance.org has written comments on PS-Prep and attended the first DHS open session in Chicago on November 17. One thing that was clear to us at Continuity Compliance was that there were many organizations confused over PS-Prep, the role of DHS and what it all meant to them. As creative souls, we began to brainstorm an Information Map that could be used as an informative guide to understand the “infrastructure” of PS-Prep. We have prepared the preliminary interactive map to help you understand the big picture. This information is only current as of this posting of January 2010. The open comment period for the three proposed standards closed on January 15, 2010. DHS will review ALL comments and prepare a new statement sometime in the near future.
As a quick refresher and to keep the context of PS-Prep in mind, the goal of the DHS program is to “promote private sector preparedness, including disaster management, emergency management and business continuity programs”.
The following timeline and links give the overall steps taken to get to this point today.
Please note that we have included text directly from the respective organizations websites or documents to ensure consistency in content. We have noted the links and documents within each section and have included a reference section at the back of the information map.
There is also much to be done before organizations can prepare to move forward. Talking again about the infrastructure of PS-Prep – here is a quick bullet list of open items.
- Finalize Standards for PS-Prep
- ANAB to create Accreditation Rule for PS-Prep
- ANAB to create Training for Certification Bodies to accredit to PS-Prep
- Certifying Bodies to accredit themselves to PS-Prep
- Certify Lead Auditors
At the end of the day, once the backend of PS-Prep has been completed, DHS, ANAB and the CBs really take a back seat to the organization getting prepared for certification. This is currently a VOLUNTARY act by organizations. DHS has indicated that they will create a website where any organization that has certified to PS-PREP will be listed as a way of monitoring the effectiveness of the program. This is really no different from ANAB or any accreditation body listing the name of an organization that holds any certified standard.
Getting a complete understanding of the Standards and which one would work best for your organization is a key first step. There is no ONE STOP SHOP organization to help you with this. There might be consulting firms that are skilled in some or all of these standards, and we are sure they will be posting workshops and information sharing events once the final standards are announced. Check back with Continuity Compliance, as our team of volunteers will compile a webinar on the selected standards as well.
We encourage you to use this Information Map to help explain the impact of PS-Prep within your organization. Link directly to the PS Prep overview map to download a PDF version. We also encourage your feedback, updates and comments.
The Process
This section is intended for the private sector to understand the different processes for:
- Standard Selection and Implementation of the controls
- 3rd Party Certification Process by a Certifying Body
It is our goal to help those organizations not familiar with certifying to an ISO standard or other auditable standard understand the steps required for success.
An organization may also choose to implement some of the controls of one standard, or key elements of more than one standard, and not seek certification by a 3rd party. That is a choice entirely up to the organization. The flow of the following sections is geared more for those organizations who will seek certification. Either way, we hope the information is useful in allowing the organization to make the choice that is best for them.
ASIS SPC.1-2009
Standard: ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems
Written by: American Society for International Security
Summary:
The ANSI/ASIS Organizational Resilience Standard offers a business-friendly, globally tested and proven method, based on the ISO management system standard model, for organizations to improve their preparedness performance.
The ANSI/ASIS Organizational Resilience Standard is unique among preparedness standards in that:
- It is the only preparedness standard that takes an enterprise-wide view of risk management, thereby enabling an organization to develop a comprehensive strategy to prevent when possible, prepare for, mitigate, respond to, and recover from a disruptive incident.
- It is also the only preparedness standard that is 100% compatible with existing ISO management system standards (such as ISO 9000, ISO 14000, ISO 27000 and ISO 28000), thus enabling a cost-saving integrated application. www.asisonline.org/guidelines/or.xml
BS 25999-2: 2007
Standard: BS 25999-2:2007 Business Continuity Management
Written By: British Standards Institution
Summary:
Continued operations in the event of a disruption, whether due to a major disaster or a minor incident, is a fundamental requirement for any organization. BS 25999, the world’s first British standard for business continuity management (BCM), has been developed to help you minimize the risk of such disruptions.
By helping to put the fundamentals of a BCM system in place, the standard is designed to keep your business going during the most challenging and unexpected circumstances – protecting your staff, preserving your reputation and providing the ability to continue to operate and trade.
BS 25999 has been developed by a broad based group of world class experts representing a cross-section of industry sectors and the government to establish the process, principles and terminology of Business Continuity Management.
It provides a basis for understanding, developing and implementing business continuity within your organization and gives you confidence in business-to-business and business-to-customer dealings. It also contains a comprehensive set of requirements based on BCM best practice and covers the whole BCM lifecycle.
NFPA 1600: 2007
NFPA 1600:2007 Standard on Disaster/Emergency Management and Business Continuity Programs
Written by: National Fire Protection Association
Summary:
(Paraphrased directly from the standard) The document continues to be developed in cooperation and coordination with representatives from FEMA, NEMA, and IAEM. This coordinated effort was reflected in the expansion of the title of the standard for the 2000 edition to include both disaster and emergency management, as well as information on business continuity programs. The 2007 edition incorporates changes to the 2004 edition, expanding the conceptual framework for disaster/emergency management and business continuity programs. Previous editions of the standard focused on the four aspects of mitigation, preparedness, response, and recovery. This edition identifies prevention as a distinct aspect of the program, in addition to the other four. Doing so brings the standard into alignment with related disciplines and practices of risk management, security, and loss prevention. http://www.nfpa.org/AboutTheCodes/AboutTheCodes.asp?DocNum=1600
Standard Selection and Implementation
For the organization to select standards and implement the controls
Once the infrastructure elements have been confirmed with DHS and ANAB, an organization can then begin the conversation to determine what standard of the chosen three will work best for them. Depending on your industry, you may already be subject to regulations, such as banking with the FFIEC. We are hopeful that DHS will provide guidance to organizations where additional regulatory requirements are already in place for disaster management, emergency management and business continuity programs.
TAKE THE TIME TO UNDERSTAND EACH STANDARD
Educate your organization to the benefits of each Standard. Make sure you take into account what you already have in place and see which standard will allow you to leverage your existing plans and processes. The voluntary preparedness program is not intended to be a hardship and does not expect an organization to start all over!
Consider engaging a reputable consultant to provide an overview of each standard, ask questions to align your existing business with the standard, and perform the initial gap assessment. (Check www.continuitycompliance.org/find-a-consultant/ to request a list of available consultants.)
Conformity Assessment
Just as in an ISO audit, the underlying goal of the PS-Prep program is to highlight the areas of conformance between the organization’s policies and activities and the selected standard. Initially, DHS has directed ANAB to develop rules governing the issuance of third-party certification statements; however, discussions of other types of conformity assessments are continuing, including establishing rules around self-assessment (1st party assessment) and assessment by an independent party that is not a certifying body (2nd party assessment).
THIRD PARTY CERTIFICATION
Until the accreditation rule by ANAB is released, this section is based solely on the requirements of ISO 17021 for CBs.
ENGAGE A REGISTRAR
Once you have done the initial assessment work, you will have a gauge of how long the program will take to develop. This is a good time to get a number of quotes from the Certification Bodies (Registrars) that have been accredited to certify under PS-Prep. The certification process will most likely be a three year cycle, with two initial audits the first year and annual surveillance audits thereafter. (Note: The certification scheme has yet to be published by ANAB.)
Once the CB has successfully completed the initial certification audits, they will recommend your organization for certification. Once the certification has been approved, there will usually be an annual surveillance audit performed. Based on the auditor’s recommendation, a surveillance audit may occur semi-annually.
A third party assessment or certification audit (the terms are used synonymously) is performed by a Lead Auditor contracted by the Certification Body (Registrar). The fees for certification take into account the number of people within the scope of the audit, the number of processes and the number of locations covered by the certification, and onsite audit days and travel.
The initial certification audit is conducted in two stages: Stage 1 and Stage 2.
Stage 1 audit includes (this is an abbreviated list):
- Audit of the documentation as required by the standard selected
- Evaluate location and site specific conditions and discuss the organization’s readiness for Stage 2
- Review the organization’s overall understanding of the requirements of the standard
- Evaluate internal audits and management reviews
There is usually at least a 30 day period between the Stage 1 audit and the Stage 2 audit. This allows time to address any issues uncovered during the Stage 1 process. The accreditation rule will indicate the maximum amount of time allowed between the two audits (usually no more than 120 days).
The purpose of the Stage 2 audit is to evaluate the implementation and effectiveness of the program according to the standard selected. This is an onsite audit and includes (this is an abbreviated list):
- Evidence regarding conformity to all requirements of the standard
- Monitoring, measuring and reporting evidence against key objectives
- Internal audits required by the standard and management review
Surveillance Audit
Surveillance audits are a time for the certification auditor to select a number of clauses within the standard to validate conformity and look for major changes against the standard. The auditor does not review the entire standard at each visit. At the close of the three year period, the auditor will have reviewed the entire program against the selected standard at least once.
Look for firms that can provide customer references and that have solid experience with the standards, not just having read them. Firms that also provide education are a good sign that they are striving to keep up with current markets and trends. There are excellent firms out there, but there are not many that are experienced with some or all of these standards. Ask questions and get references.
Consultant
Consultants can provide constructive assistance for education, project planning and implementation. There are some consultant firms that also assist with internal audit programs if your organization decides not to internalize the internal audit function. It is imperative that you do your homework on these firms. The PS-Prep arena is opening up lots of opportunities for many types of supporting organizations and there will be those that do not belong!
Also note that CBs CANNOT consult. This is viewed as a conflict of interest, as stated in section 5.2.5 of ISO 17021: “a CB and any part of the same legal entity shall not offer or provide management system consultancy.”
DEFINE THE SCOPE
Define the scope for the program/management system. Scope is determined by understanding at a high level the size of the business as well as the risks to the business. The scope does not need to include the entire organization, but can be for a specific location, division, line of business, etc.
PERFORM AN ASSESSMENT TO SELECTED STANDARD
An organization must determine what they already have in place, what might need to be enhanced, and/or what is totally missing with regard to the requirements and controls of the selected standard. This is an essential first step and will pay off in the long run by ensuring the organization accounts for its current processes and plans.
CREATE A PROGRAM TEAM THAT IS COMMITTED AND KNOWLEDGEABLE
Whatever your motivation to comply or certify to one of the Standards, a competent program team is essential to the development, implementation and maintenance of your program. Ensuring the team’s competency is required by the standards. This is typically accomplished by ensuring that adequate training, both awareness and domain specific, is in place. Education is especially important if your organization is new to Standards and third party audits. Engaging a competent consultant might be useful to keep the project on task and lend guidance in areas where your team might be less skilled.
ENGAGE A REGISTRAR
(Note: At this point in the timeline, if you choose to seek 3rd party certification, then it is appropriate to determine which certifying body will conduct the assessment and begin to create that relationship. See ENGAGE A REGISTRAR under THIRD PARTY CERTIFICATION above.)
REMEDIATE THE GAPS
With the assessment detailed to show the gaps of the current state to the requirements of the selected standard, the organization is ready to either develop their program or remediate their gaps in their existing program. For those standards with a “Management System”, there is more to implement than just the tactical areas of disaster management, emergency management and business continuity programs. If you already have ISO standards in your organization, then integration of the Management Systems should be explored.
INTERNAL AUDITS
If moving forward with certification, the company may need to create an internal audit program if one does not exist. Training competent individuals outside the area of scope is recommended as they will provide an unbiased assessment of conformity. If the organization does not want to internalize this function, a competent internal auditor can be contracted to perform this role.
For BS 25999 and SPC.1, initial internal audits of the complete management system must be performed prior to the initial certification. Annual or quarterly audits are then scheduled thereafter. The frequency of the audits is determined by the size of the scope and processes.
OTHER CONSIDERATIONS
Some larger or complex organizations may find that one standard works well with (for example) the delivery of the business and another standard is better suited for the internal requirements of the business. Since SCOPE is an important element in determining the “program”, having more than one certification can be accomplished. This is true for more than one certification of the same standard or certifying different lines of business or processes to different standards. One word of caution if considering more than one standard: The Certifying Body for Standard A might not be able to certify Standard B. You are wise to choose a CB that can handle both standards as that might reduce the cost of the ongoing audits as well as allow you to develop a stronger relationship with one auditor.
QUICK LINKS
www.gpoaccess.gov/911/index.html
www.nctc.gov/docs/ir-of-the-9-11-comm-act-of-2007.pdf
www.fema.gov/news/newsrelease.fema?id=45280
www.dhs.gov/ynews/releases/pr_1255621627246.shtm
www.fema.gov/news/newsrelease.fema?id=49867
www.fema.gov/privatesector/preparedness/index.htm
www.dhs.gov/xlibrary/assets/rief_documentary_history_of_dhs_2001_2008.pdf
www.anab.org
www.house.gov/pelosi/newdirection.html#911
DHS PS-Prep web site
Framework for Voluntary Preparedness
www.asisonline.org/guidelines/or.xml
www.bsigroup.com/en/Assessment-and-certification-services/management-systems/Standards-and-Schemes/BS-25999/
www.nfpa.org/AboutTheCodes/AboutTheCodes.asp?DocNum=1600
TIMELINE
- November 27, 2002 – National Commission on Terrorist Attacks Upon the United States (Public Law 107-306), commission to create the 9/11 Commission and issue report
- July 22, 2004 – 9/11 Commission report
- August 3, 2007 – PL-110 53 Title 9
- October 15, 2009 – DHS announces standards to be considered under PS Prep for certification