Dateline: Washington, DC – 20 January 2010
Byline: Don Byrne, CBCP CDCP CBRO-M Lead Auditor
With the closing of the comment period for the PS-Prep program, the Department of Homeland Security (DHS) is poised to declare that, for general business, the three standards nominated in the Federal Register of 16 October 2009 will officially be part of the PS-Prep program.
These three join a number of other standards and mandatory procedures that make up the regulatory framework of the eighteen Critical Infrastructure and Key Resources (CIKR) sectors. Because of their importance to the country, these industry sectors will be allowed to follow the preparedness practices overseen by the bodies that already accredit or regulate them, such as the Joint Commission on Accreditation (hospitals), the North American Electric Reliability Corporation (electrical transmission grids), and the Nuclear Regulatory Commission (nuclear power production plants and facilities). You can find more information on these sectors at http://www.dhs.gov/files/programs/gc_1189168948944.shtm.
The Question Is Settled, or Not!
With this announcement by DHS, one would assume that the question of which standards will form the basis of the PS-Prep program has been settled – but that would be wrong!
A number of PS-Prep issues remain open. For example, what requirements will be placed on small businesses, and what other standards might be added to the current mix?
The Small Business Challenge
DHS has given little in the way of useful guidance on how small businesses will participate in the PS-Prep program. There is much discussion around using first- and second-party declarations as a low-cost option for these organizations, but nothing has been decided. ANAB, which is chartered with developing and monitoring the audit certification process, has set a goal of addressing this issue within six months, but that is a goal, not a commitment.
Update or Replacement?
The issue of adding or replacing standards has not been widely discussed, yet it is a very likely development as the program matures. For instance, the National Fire Protection Association (NFPA) has already indicated that it will lobby to have the 2010 edition of NFPA 1600 replace the currently selected 2007 edition.
Also, the British Standards Institution (BSI) is collaborating with ASIS on the development of a fourth document, which the two organizations have agreed to promote to the International Organization for Standardization (ISO) as the primary business continuity standard.
BCM.1 – a New PS-Prep Option?
Known as BCM.1, this proposed standard is about to be released for public comment. If BCM.1 succeeds in attaining ISO standing, it is almost unthinkable that DHS would not add it to the list of approved standards. Does this mean that a fourth standard will be selected? Would one of the others be "retired"? Time will tell, but there remains one last twist to this story.
The ASIS-sponsored BCM.1 standard is not the only contender being positioned as the ISO standard. At least one other, already developed, standard is under consideration.
Enter ISO/PAS 223XX
ISO/PAS 22399:2007, Societal Security – Guideline for Incident Preparedness and Operational Continuity Management, is an existing specification that has been languishing for quite a while. Considered rather general in tone, it has drawn questions about its value as an auditable standard. DHS has publicly announced that, before the selection of the three current standards, "approximately twenty-five candidate standards" were reviewed. Given the thorough job performed by the Homeland Security Institute, the "think tank" that actually advised DHS on standard selection, it is clear that ISO/PAS 22399 and its related document in this series, ISO/PAS 22301 Societal Security – Preparedness and Continuity Management Systems – Requirements, were part of the review process. However, with pressure mounting to converge on a single ISO standard in this area, the stage is set for a competition.
How Will It End?
Will the ultimate victor be the new BCM.1 specification or the more developed but less comprehensive ISO/PAS 223XX standard? And, regardless of which of these emerges as the designated international standard for business continuity and preparedness, will DHS add a fourth standard to the mix or replace one or more of the already announced specifications? Remember that in 2008 DHS published a list of what it considered to be the target criteria for any comprehensive standard for the PS-Prep program (Federal Register Vol. 73, No. 248, pages 79146 and 79147). To date, none of the proposed standards meets all of the target criteria. So the search goes on, and while businesses wait for decisions to be announced, it seems we all just keep getting more choices.