Dateline: New Hampshire
Byline: Don Byrne, CBCP, CDCP, CBRO-M, Lead Auditor
With the selection of three standards for the PS-Prep program by the Department of Homeland Security (DHS), many people are struggling to understand the similarities and differences between these offerings.
The report entitled Framework for Voluntary Preparedness, funded by the Alfred P. Sloan Foundation, provides the most comprehensive comparison of the chosen standards and some others that were not selected. However, for many this is a “data rich but information poor” document. Much of the document’s emphasis is on showing how the various standards align as opposed to providing guidance on which one is appropriate for various businesses. In contrast, the following chart was developed to highlight some of the differences between the various standards. While not completely scientific, this chart does attempt to represent the conventional wisdom on this issue.
|Key Issue||NFPA 1600:2007||BS 25999 Pt.2||ASIS SPC.1: 2009|
|Major Focus||Emergency Management and Tactical Activities||Business Continuity and Operations||Organizational Resiliency and Operations|
|National Standard||Yes – ANSI Standard (U.S.)||Yes – BSI Standard (U.K.)||Yes – ANSI Standard (U.S.)|
|International Perspective||Viewed as an American Standard||Viewed as an International Standard||Unknown – too new for opinions|
|General Acceptance||Popular – primarily in North America||Popular – outside the U.S. with good penetration in Asia/Pacific||Very New Standard – little market penetration|
|ISO Alignment||No – Element-based model. Does not use a Management System.||Yes – Process Model. Uses a Management System (PDCA)||Yes – Process Model. Uses a Management System (PDCA)|
|Supporting Methodology||DRI International: 10 Professional Practices||Business Continuity Institute Professional Practices||No specific methodology alignment|
|Unique Elements||Addresses NIMS and ICS Models for Emergency Planning||Introduces concept of MTPOS and drops RPO metric||Safety Act Approved; Contemplates 1st and 2nd party reviews; Some accommodation for Chain of Custody issues|
|Certification Available||No||Yes, through UKAS accredited CBR’s||No|
Making a Selection
A quick review of the above chart might lead to some of the following conclusions:
|Pick NFPA 1600 if:||Pick BS 25999 if:||Pick SPC.1:2009 if:|
|Emergency Management is your concern||Business Continuity is your major focus||Operational resiliency and business continuity are major concerns|
|Your business and extended supply chain is primarily U.S.-based||Your business and extended supply chain is a mix of U.S. and International businesses||Your business and extended supply chain is a mix of U.S. and International businesses|
|You are not already supporting another ISO Standard (e.g. ISO 9001, 14001, 27001, etc.)||You are already ISO certified||Supply chain concerns are important including 1st and 2nd party declarations and reviews|
|Your staff is unfamiliar with the PDCA methodology or is largely DRII certified.||Your staff is familiar with the PDCA or revised BCI methodology||Chain of Custody issues are important to your business|
|Cost is a major consideration – certification to an element-based model should be a less complicated matter and therefore less costly.||Cost is a consideration but not the driving force for a decision.||Cost is a consideration but not the driving force for a decision.|
In conclusion, the decision of which standard to choose requires some thoughtful analysis. The problem is that all of these standards are so new that few individuals are in a position to act as knowledgeable consultants on this issue. And, as reported elsewhere on this site, there are other standards that are under consideration for ISO status that might provide even more choices in the near future which may complicate things even further.
Stay tuned, the PS-Prep program is still evolving!