July 23, 2014

PS-Prep Overview


PS-Prep

    • Private Sector Preparedness, better known as PS-Prep, has taken shape over the past several months with the June 2010 announcement by the Department of Homeland Security of the three Standards included in the program. ContinuityCompliance.org has followed the rollout of PS-Prep by providing written comments, speaking to numerous industry organizations about PS-Prep and attending many DHS open sessions to provide input.

      One thing that was clear to us at Continuity Compliance was that many organizations remain confused over PS-Prep, the role of DHS and what it all means to them. As creative souls, we began to brainstorm an Information Map that could be used as an informative guide to understand the “infrastructure” of PS-Prep. As of fall 2010, we have updated an interactive map to help you understand the big picture. This information is only current as of this posting. As a quick refresher, and to keep the context of PS-Prep in mind, the goal of the DHS program is to “promote private sector preparedness, including disaster management, emergency management and business continuity programs.”

      The following timeline and links give the overall steps taken to get to this point today.

      Please note that we have included text directly from the respective organization’s websites or documents to ensure consistency in content. We have noted the links and documents within each section and have included a reference section at the back of the information map.

      There is also much to be done before organizations can prepare to move forward. Talking again about the infrastructure of PS-Prep – here is a quick bullet list of open items.

      • Certifying Bodies to obtain accreditation to one or all of the standards included in PS-Prep
      • Certify Lead Auditors to one or more of the standards
      • Perform certification audits on private sector organizations

      At the end of the day, as the preparation for PS-Prep has been completed, DHS, ANAB and the CB’s really take a back seat to the organization getting prepared for certification. This is a VOLUNTARY act by an organization, and DHS has publicly stated that it has no intention of making it a mandatory program, but will rather let the market dictate who gets certified. ANAB has indicated that it will create a website where any organization that has certified to PS-PREP will be listed as a way of monitoring the effectiveness of the program. This is really no different than ANAB or any accreditation body listing the name of an organization that holds any certified standard.

      Getting a complete understanding of the Standards and which one would work best for your organization is a key first step. There is no ONE STOP SHOP organization to help you with this. There might be consulting firms that are skilled in some or all of these standards and we are sure they will be posting workshops and information sharing events once the final standards are announced. Refer to the events page on Continuity Compliance for listings of training or webinars near you.

      We encourage you to use this Information Map to help explain the impact of PS-Prep within your organization. Click here to download a PDF version of the PS Prep overview map. We also encourage your feedback, updates and comments.

      The Players

        • The players for PS Prep — as we have defined them — are the players with direct impact on the program and those directly impacted by the program. We have defined the players in the following order:
          • DHS with a line out to FEMA
          • ANAB
          • Certifying Bodies with a line out to the auditors of the standards
          • Private Sector with a number of lines out as follows: Small Business, Enterprise, CIKR (Critical Infrastructure Key Resources) and Supply Chain
          • Congress
          • Training Accreditation Organizations

          Dept. of Homeland Security (DHS)

            • Role: Congress directed the Department of Homeland Security (DHS) to develop and implement a voluntary program of accreditation and certification of private entities using standards adopted by DHS that promote private sector preparedness, including disaster management, emergency management and business continuity programs.

              About DHS:

              Before the establishment of the Department of Homeland Security, homeland security activities were spread across more than 40 federal agencies and an estimated 2,000 separate Congressional appropriations accounts.
              In February 2001, the U.S. Commission on National Security/21st Century (Hart-Rudman Commission) issued its Phase III Report, recommending significant and comprehensive institutional and procedural changes throughout the executive and legislative branches in order to meet future national security challenges. Among these recommendations was the creation of a new National Homeland Security Agency to consolidate and refine the missions of the different departments and agencies that had a role in U.S. homeland security. The Department of Homeland Security was created by the Homeland Security Act of 2002.

              FEMA – Federal Emergency Management Agency

              • FEMA – An Agency within DHS

                Private Sector Preparedness Coordination Council
                FEMA Administrator Craig Fugate is the Designated Officer responsible for the accreditation and certification program. The Administrator chairs a Private Sector Preparedness Coordinating Council comprised of department leadership from the Science & Technology Directorate, Office of Infrastructure Protection, and Office of the Private Sector.

                Since standards have now been adopted, the Council will focus on the remaining requirements of the law, which include addressing small business considerations, defining and promoting the business case to encourage private sector entities to work toward voluntary certification and overseeing the program’s progress.

          ANAB – ANSI-ASQ National Accreditation Board

            • Role: DHS engaged ANAB to establish and oversee the development and implementation of the accreditation and certification requirements for the Voluntary Private Sector Preparedness Accreditation and Certification Program.

              ANAB is responsible for carrying out independent accreditations, overseeing the certification process, and monitoring the operations of any third party conducting certifications for disaster/emergency management and business continuity programs.

              The ANAB program will assess whether a private sector entity conforms to voluntary preparedness standards. The program will include separate classifications and methods of certification for small business concerns. The program will not involve issuance of any individual professional certifications.

              ANAB will accredit certifying bodies (registrars) to certify private sector organizations to one of the standards chosen. A publicly available list of accredited certification organizations will be maintained by ANAB. The contract is effective for one base year with two additional option years.

              To Get More Information about ANAB – go to www.anab.org and select the Preparedness link.

              The ANSI-ASQ National Accreditation Board (ANAB) is the U.S. accreditation body for management systems. ANAB accredits certification bodies (CBs) for ISO 9001 quality management systems (QMS), ISO 14001 environmental management systems (EMS), ISO 27001 information security management systems, ISO 22000 food safety management systems, ANSI/AIHA Z10 occupational health and safety management systems, and numerous industry-specific requirements.

              ANAB is a member of the International Accreditation Forum and a signatory of the IAF multilateral cooperative arrangements (MLAs) for QMS and EMS. Through the IAF MLAs and the Multilateral Cooperative Accreditation Arrangement, ANAB cooperates with other accreditation bodies around the world to provide value to its accredited CB’s and their clients, ensuring that accredited certificates are recognized nationally and internationally.

              The global conformity assessment system ensures confidence and reduces risk for customers engaging in trade worldwide.

              ANAB has created and published an Accreditation Rule that will be followed by Certifying Bodies for the standards selected by DHS. There is one overall accreditation rule; however, a CB that wishes to be involved in the PS-Prep program must complete an application for each of the standards it wishes to be accredited in. CB accreditation will follow the ISO 17011 requirements set down for management systems.

          Certifying Body

            • A Certification Body (CB) is an organization that provides an independent third party audit of an organization to a specific standard. Commonly, these organizations do not consult with their customers. They are there to provide an independent audit or assessment of an organization’s conformity to a specific standard.

              A certification body must follow specific standards themselves as defined by ISO: ISO/IEC 17021-2006 Conformity assessment — Requirements for bodies providing audit and certification of management systems and requirements for third-party certification auditing of management systems — Part 2: Requirements for third party certification auditing of management systems.

              A certification body is accredited for auditing a standard through organizations such as ANAB and UKAS. For PS-PREP, the accreditation for a CB will be through ANAB, as explained above.

              Lead Auditor

              • A certification body uses Lead Auditors to conduct the Stage 1 – Documentation Review and Stage 2 – Compliance Review to a given standard. An auditor must possess a certain skill set not only in the standard, but also in auditing and practical experience in the focus area of the standard. These skills can be learned through a qualified training organization and through on-the-job training and review of audit skills, as provided by a qualified CB. A person wishing to become an auditor or lead auditor must take an accredited course and pass a competency exam. They must also follow ISO 19011:2002 Guidelines for quality and/or environmental management systems auditing.

          Private Sector

            • As defined by Answers.com, the Private Sector is that part of an economy in which goods and services are produced by individuals and companies as opposed to the government, which controls the public sector. DHS also includes not-for-profit organizations in this definition.

              As a result of the 9-11 commission report and subsequently the PL110-53 Title IX recommendation, the private sector was identified as having significant risks in being able to respond to and recover from a significant disruption.

              Therefore, the PS-Prep program is designed to build awareness and give businesses of all sizes the ability to plan, test and recover by having disaster management, emergency management and business continuity programs. As we see it, there are four main areas within the private sector that will continue to evolve over the next couple of years: Small Business, the Enterprise, CIKR and the Supply Chain. Not explicitly mentioned here, but nonetheless included, is the not-for-profit segment, as many of these organizations will fall into small business and the remainder will fall into the enterprise segment.

          Small Business

            • The United States is made up of an estimated 27.5 million small businesses which employ half of the private sector workforce. (Source: Small Business Administration Office of Advocacy – FAQ)

              In October 2010, DHS submitted to the Federal Register a request for comment on how to include small business in the PS-Prep program. Recognizing that for many small businesses (52% of which are home based) getting a formal 3rd party certification to a standard is not possible, DHS in its notice has opened the door to the possibility of 1st party certification or self-assessment.

              We will update you with any new developments in this arena.

          Enterprise

            • For the purposes of this overview, Enterprise companies are those companies which do not fit the small business category. The path to certification — if a company chooses to get certified — will be by 3rd party certification bodies (CB’s).

          CIKR

            • Homeland Security Presidential Directive 7 established U.S. policy for enhancing CIKR protection by establishing a framework for NIPP (National Infrastructure Protection Plan) partners to identify, prioritize, and protect the nation’s CIKR from terrorist attacks. 18 sectors have been established as being part of the CIKR group (to read more about these sectors please visit the DHS Resource Page).

              Some of the CIKR sectors have long-established rules and guidelines that dictate what a company needs to do to be in compliance with sector-specific business continuity practices. DHS is currently working on how these established practices will be included as part of the PS-Prep program.

          Supply Chain

            • Simply put, a supply chain is a system of organizations, people, technology, activities, information and resources involved in moving a product or service from supplier to customer. No organization operates in a vacuum. We all use suppliers to get our work done, make our widget, etc. This is the one ‘Player’ that could turn a voluntary program into what some may call a mandatory program.

              It’s too early to tell, but large enterprise businesses and government sectors may decide that they do not wish to ‘do business’ with organizations that are not on the list of certified companies. When/if this happens, a company may experience a competitive disadvantage if it is not certified. At this point, obtaining certification to PS-Prep becomes business as usual for many companies. Developments in this arena will play out over the years to come.

          Congress

          • Since PL110-53 is a law, any changes to the law need to be ratified by Congress.
            Note: (The House Bill (HR-1) was sponsored by Rep. Bennie G. Thompson, Chair of the Homeland Security Committee. He remains a key supporter.)

            Speaker Nancy Pelosi was also an early supporter and posted the following notice, which is still on her website…

            “The first order of business for the New Direction Congress, making America safer, was passage of H.R. 1, finally implementing the recommendations of the independent 9/11 Commission. While the Administration’s own National Intelligence Estimate conceded the war in Iraq made us less safe from terrorism, the 9/11 legislation was the long overdue, smart approach to ensuring homeland security.”

            CITATION: http://pelosi.house.gov/newdirection.html

      TRAINING ACCREDITATION ORGANIZATIONS

      • Training, particularly for what is called a Lead Auditor, is shaping up to be a contentious area of the PS-Prep program. The first thing we must stress is that there is no such thing as a PS-Prep Auditor. Rather, there will be NFPA 1600 Auditors, SPC.1 Auditors and BS 25999 Auditors. In order to audit in multiple standards, an individual will have to be certified to audit to each particular standard.

        That being said, the world of management systems has had a very well established process for training Lead Auditors for CBs for a long time. It follows ISO 17024:2003 – Conformity Assessment – General Requirements for Bodies Operating Certifications of Persons. The accreditation rule for PS-Prep from ANAB states that Lead Auditors should receive their certification from companies that follow this standard. This provides a CB, who may be hiring a Lead Auditor, the assurance that appropriate training has been obtained by that person.

        There are 2 major organizations that specialize in certifying Lead Auditors: RABQSA and IRCA

        RABQSA International, Inc. was formed 1st January 2005 from the merger of the Registrar Accreditation Board and The Quality Society of Australasia International. All personnel certification schemes designed by RABQSA utilize a competency-based approach involving the measurement and examination of knowledge-based competencies and personnel attributes as well as other key measurements.

        IRCA – International Register of Certified Auditors – IRCA is the world’s original and largest international certification body for auditors of management systems. A Lead Auditor class from an IRCA certified training provider runs multiple days on a particular standard, with a heavy emphasis on understanding ISO 19011 and how to audit.

        TRAINING PROVIDERS – Both RABQSA and IRCA certify companies to be training providers. Only classes from a training provider that is approved in the standard an auditor wishes to work with may provide an individual with the training necessary to become a lead auditor. If you are interested in becoming a lead auditor in one or more of the standards, make sure the class you are taking is approved by either IRCA or RABQSA; otherwise you may find yourself with nothing to audit, as CB’s will not hire you.
The Standards


    • ASIS SPC.1-2009

        • Standard: ASIS SPC-1:2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems
          Written by: American Society for International Security

          Summary:

          The ANSI/ASIS Organizational Resilience Standard offers a business-friendly, globally tested and proven method, based on the ISO management system standard model, for organizations to improve their preparedness performance.

          The ANSI/ASIS Organizational Resilience Standard is unique to other preparedness standards in that:

          1. It is the only preparedness standard that takes an enterprise-wide view of risk management, thereby enabling an organization to develop a comprehensive strategy to prevent when possible, prepare for, mitigate, respond to, and recover from a disruptive incident.
          2. It is also the only preparedness standard that is 100% compatible with existing ISO management system standards (such as ISO 9000, ISO 14000, ISO27000 and ISO 28000), thus enabling a cost-saving integrated application. www.asisonline.org/guidelines/or.xml

      BS 25999-2: 2007

        • Standard: BS 25999-2:2007 Business Continuity Management

          Written By: British Standard Institution

          Summary:

          Having continued operations in the event of a disruption, whether due to a major disaster or a minor incident, is a fundamental requirement for any organization. BS 25999, the world’s first British standard for business continuity management (BCM), has been developed to help you minimize the risk of such disruptions.

          By helping to put the fundamentals of a BCM system in place, the standard is designed to keep your business going during the most challenging and unexpected circumstances – protecting your staff, preserving your reputation and providing the ability to continue to operate and trade.

          BS 25999 has been developed by a broad based group of world class experts representing a cross-section of industry sectors and the government to establish the process, principles and terminology of Business Continuity Management.

          BS25999 provides a basis for understanding, developing and implementing business continuity within your organization utilizing many of the management system requirements and gives you confidence in business-to-business and business-to-customer dealings. It also contains a comprehensive set of requirements based on BCM best practice and covers the whole BCM lifecycle.

          www.bsigroup.com/en/Assessment-and-certification-services/management-systems/Standards-and-Schemes/BS-25999/

      NFPA 1600: 2007 and 2010

      • NFPA 1600:2007 and 2010 Standard on Disaster/Emergency Management and Business Continuity Programs

        Written by: National Fire Protection Association

        Summary:

        (Paraphrased directly from the standard) “The document continues to be developed in cooperation and coordination with representatives from FEMA, NEMA, and IAEM. This coordinated effort was reflected in the expansion of the title of the standard for the 2000 edition to include disaster and emergency management, as well as information on business continuity programs. The 2007 edition incorporates changes to the 2004 edition, expanding the conceptual framework for disaster/emergency management and business continuity programs. Previous editions of the standard focused on the four aspects of mitigation, preparedness, response, and recovery. This edition identifies prevention as a distinct aspect of the program, in addition to the other four. Doing so brings the standard into alignment with related disciplines and practices of risk management, security, and loss prevention.”
        In June 2010 when DHS Secretary Napolitano formally adopted the 3 basic standards, ASIS SPC.1, BS-25999 and NFPA 1600, she also included NFPA 1600:2010 as a standard. This newly released update to NFPA 1600:2007 more closely aligns the standard to management system requirements. This development goes a long way in getting the CB’s (who are management system centric in their auditing practices) to apply for the accreditation to perform audits for clients who wish to follow NFPA 1600.

The Process

  • This section is intended for the private sector to understand the different processes for:
    1. Standard Selection and Implementation of the controls
    2. 3rd Party Certification Process by a Certifying Body

    It is our goal to help those organizations not familiar with certifying to an ISO standard or other auditable standard, understand the steps required for success.

    An organization may also choose to implement some of the controls of one standard or key element of more than one standard and not seek certification by a 3rd party.

    That is a choice entirely up to the organization. The flow of the following sections is geared more for those organizations who will seek certification. Either way, we hope the information is useful in allowing the organization to make the choice that is best for them.

    Standard Selection and Implementation

      • For the organization to select standards and implement the controls

        An organization should begin their conversations on compliance to standards by determining which standard of the adopted three will work best for them. Depending on your industry, you may already be subject to regulations, such as banking with the FFIEC. We are hopeful that DHS will provide guidance to organizations where additional regulatory requirements are already in place for disaster management, emergency management and business continuity programs.

        TAKE THE TIME TO UNDERSTAND EACH STANDARD

        Educate your organization to the benefits of each Standard. Make sure you take into account what you already have in place and see which standard will allow you to leverage your existing plans and processes. The voluntary preparedness program is not intended to be a hardship and does not expect an organization to start all over!

        Consider engaging a reputable consultant to provide an overview of each standard, ask questions to align your existing business with the standard, and perform the initial gap assessment. (Check www.continuitycompliance.org/find-a-consultant/ to request a list of available consultants).

        Consultant

        • Consultants can provide constructive assistance for education, project planning and implementation. There are some consultant firms that also assist with internal audit programs if your organization decides not to internalize the internal audit function. It is imperative that you do your homework on these firms. The PS-Prep arena is opening up lots of opportunities for many types of supporting organizations and there will be those that do not belong! Buyer Beware!

          Also note that the CB’s CANNOT consult. This is viewed as a conflict of interest, as stated in section 5.2.5 of ISO 17021: “a CB and any part of the same legal entity shall not offer or provide management system consultancy.”

          DEFINE THE SCOPE FOR THE PROGRAM MANAGEMENT SYSTEM

          Scope is determined by understanding at a high level the size of the business as well as the risks to the business. Depending on the standard chosen, the Scope does not need to include the entire organization, but can be for a specific location, division, line of business, etc.

          PERFORM AN ASSESSMENT TO SELECTED STANDARD

          An organization must determine what they already have in place, what might need to be enhanced, and/or what is totally missing – in regards to the requirements and controls of the selected standard. This is an essential first step and will pay off in the long run to ensure the organization accounts for its current processes and plans.

          CREATE A PROGRAM TEAM THAT IS COMMITTED AND KNOWLEDGEABLE

          Whatever your motivation to comply or certify to one of the Standards, a competent program team is essential to development, implementation and maintenance of your program. Ensuring the team’s competency is required by the standards. This is typically accomplished by ensuring that adequate training, both awareness and domain-specific training, is in place. Education is especially important if your organization is new to Standards and third party audits. Engaging a competent consultant might be useful to keep the project on task and lend guidance in areas where your team might be less skilled.

          ENGAGE A REGISTRAR

          (Note: At this point in the timeline, if you choose to seek 3rd party certification, then it is appropriate to determine which certifying body will conduct the assessment and begin to create that relationship.)

          Once you have done the initial assessment work, you will have a gauge of how long the program will take to develop. This is a good time to get a number of quotes from the Certification Bodies (Registrars) that have been accredited to certify under PS-Prep. The certification process will most likely be a three-year cycle, with two initial audits the first year and annual surveillance audits thereafter. (Note: The certification scheme has yet to be published by ANAB).

          REMEDIATE THE GAPS

          With the assessment detailed to show the gaps of the current state to the requirements of the selected standard, the organization is ready to either develop their program or remediate their gaps in their existing program.

          For those standards with a “Management System”, there is more to implement than just the tactical areas of disaster management, emergency management and business continuity programs. If you already have ISO standards in your organization, then integration of the Management Systems should be explored.

          INTERNAL AUDITS

          If moving forward with certification, the company may need to create an internal audit program if one does not exist. Training competent individuals outside the area of scope is recommended as they will provide an unbiased assessment of conformity. If the organization does not want to internalize this function, a competent internal auditor can be contracted to perform this role.

          For BS 25999 and SPC.1, initial internal audits of the complete management system must be performed prior to the initial certification. Annual or Quarterly audits are then scheduled thereafter. The frequency of the audits is determined by the size of the scope and processes.

          OTHER CONSIDERATIONS

          Some larger or complex organizations may find that one standard works well with (for example) the delivery of the business and another standard is better suited for the internal requirements of the business.

          Since SCOPE is an important element in determining the “program”, having more than one certification can be accomplished. This is true for more than one certification of the same standard or certifying different lines of business or processes to different standards.

          One word of caution, however, if considering more than one standard: The Certifying Body for Standard A might not be able to certify Standard B. You are wise to choose a CB that can handle both standards as that might reduce the cost of the ongoing audits as well as allow you to develop a stronger relationship with one auditor.

    Conformity Assessment

    • Just as in an ISO audit, the underlying goal of the PS-Prep program is to highlight the areas of conformance between the organization’s policies and activities, and the selected standard. Initially, DHS has directed ANAB to develop rules governing the issuance of third-party certification statements; however, discussions of other types of conformity assessments are continuing, including establishing rules around self-assessment (1st party assessment) and assessment by an independent party that is not a certifying body (2nd party assessment).

      FIRST PARTY CERTIFICATION

      The ability to self-certify is being promoted as an option for the small business. This would allow a small business to align with one of the standards and then perform a self assessment to that standard. A self-assessment for a small business would allow that business to not incur the costs of a third party CB. In October 2010 a Federal Register Notice was released requesting comment on what would be fair to small business. Stay tuned for more updates in this area.

      SECOND PARTY CERTIFICATION

      This is the ability for an organization to hire an outside party that is not a CB to perform an audit to a standard. It is also an option for organizations that wish to implement strong business continuity or emergency management controls in their supply chain. Second party auditing has been popular in the world of information security over the last few years, but has recently been starting to lose ground to third party certification. Second party certification may become very costly to tier 2 and tier 3 suppliers that have multiple customers who wish to conduct second party audits to a standard. No doubt the role of second party certification will continue to evolve with time.

      THIRD PARTY CERTIFICATION

      With the recent release of the accreditation rule by ANAB, this section is solely based on the requirements of ISO 17021 for CB’s.

      ENGAGE A REGISTRAR

      Once you have done the initial assessment work, you will have a gauge of how long the program will take to develop. This is a good time to get a number of quotes from the Certification Bodies (Registrars) that have been accredited to certify under PS-Prep. The certification process will most likely be a three-year cycle, with two initial audits the first year and annual surveillance audits thereafter. (Note: The certification scheme has yet to be published by ANAB.)

      Once the CB has successfully completed the initial certification audits, they will recommend your organization for certification. Once the certification has been approved, there will usually be an annual surveillance audit performed. Based on the auditor’s recommendation, a surveillance audit may occur semi-annually.

      A third party assessment or certification audit (the terms are used synonymously) is performed by a Lead Auditor contracted by the Certification Body (Registrar).

      The fees for certification take into account the number of people within the scope of the audit, the number of processes, the number of locations covered by the certification, and onsite audit days and travel.

      The initial certification audit is conducted in two stages: Stage 1 and Stage 2.

      Stage 1 audit includes (this is an abbreviated list):

      • Audit of the documentation as required by the standard selected
      • Evaluate location and site specific conditions and discuss the organization’s readiness for Stage 2
      • Review the organization’s overall understanding of the requirements of the standard
      • Evaluate internal audits and management reviews

      There is usually at least a 30-day period between the Stage 1 audit and the Stage 2 audit. This allows time to address any issues uncovered during the Stage 1 process. The accreditation rule will indicate the maximum amount of time allowed between the two audits (usually no more than 120 days).

      Stage 2 audit – the purpose is to evaluate the implementation and effectiveness of the program according to the standard selected. This is an onsite audit and includes (this is an abbreviated list):

      • Evidence regarding conformity to all requirements of the standard
      • Monitoring, measuring and reporting evidence against key objectives
      • Internal audits required by the standard and management review

      Surveillance Audit

      Surveillance audits are a time for the certification auditor to select a number of clauses within the standard to validate conformity and look for major changes against the standard. The auditor does not review the entire standard at each visit. At the close of the three-year period, the auditor will have reviewed the entire program against the selected standard at least once.

      Look for firms that can provide customer references and that have solid experience with the standards, not just having read them. That a firm also provides education is a good sign that it is striving to keep up with current markets and trends. There are excellent firms out there, but there are not many that are experienced with some or all of these standards. Ask questions and get references.


QUICK LINKS

www.gpoaccess.gov/911/index.html
www.nctc.gov/docs/ir-of-the-9-11-comm-act-of-2007.pdf
www.fema.gov/news/newsrelease.fema?id=45280
www.dhs.gov/ynews/releases/pr_1255621627246.shtm
www.fema.gov/news/newsrelease.fema?id=49867
www.fema.gov/privatesector/preparedness/index.htm
www.dhs.gov/xlibrary/assets/rief_documentary_history_of_dhs_2001_2008.pdf
www.anab.org
www.house.gov/pelosi/newdirection.html#911
DHS PS-Prep web site
Framework for Voluntary Preparedness
www.asisonline.org/guidelines/or.xml
www.bsigroup.com/en/Assessment-and-certification-services/management-systems/Standards-and-Schemes/BS-25999/
www.nfpa.org/AboutTheCodes/AboutTheCodes.asp?DocNum=1600


TIMELINE


November 27, 2002 – National Commission on Terrorist Attacks Upon the United States (Public Law 107-306), commission to create the 9/11 commission and issue report

July 22, 2004 – 9/11 commission report

August 3, 2007 – PL 110-53 Title 9

July 2008 – ANAB selected

October 15, 2009 – DHS announces standards to be considered under PS Prep for certification

November 17 – December 14 – DHS Open meetings for comments

January 15, 2010 – Comment period extended
Review the comments on the Federal Register, Docket # FEMA-2008-0017
