Frequently Asked Questions: Differences between BCLE AUD ISO 22301 and BCLE AUD NFPA 1600 audit courses
DRI’s audit courses describe and explain the requirements in the identified international standard. Core competencies – including risk assessment, business impact analysis, continuity strategies, and crisis communications – are addressed in similar ways within both courses. Content specific to NFPA 1600 (such as emergency management, employee assistance and support, and crisis management) is not included, or the content is limited, within the ISO 22301 course. Likewise, content exclusive to ISO 22301 (such as management system and context of the organization) is not covered in the NFPA 1600 course.
Differences in the two standards are outlined here.
Subject Area: Standards Development Histories
- NFPA 1600 is an ANSI-accredited national standard. Its first edition was published in 1995. The 2019 edition is the 8th It was endorsed as the U.S. National Preparedness Standard in PL 110‑53 in 2007. NFPA 1600 also was the basis for the Emergency Management Accreditation Program’s EMAP Standard.
- ISO 22301, 2019 edition is the second edition (2012 edition has been rescinded). BS 25999 was the basis for the original, 2012 edition of ISO 22301.
Subject Area: Global Usage and Adoptions
- Both standards are used extensively around the world.
- NFPA 1600 is predominant in the Western Hemisphere (U.S, Canada, Mexico) and was used as the basis of standards in Canada (Z1600) and several countries in South America. Parts of NFPA 1600 also have been incorporated into or used as the basis for emergency planning regulations in the U.S. NFPA 1600 also is used extensively in the Middle East and East Asia.
- ISO 22301 is predominant in Europe.
Subject Area: Program Standard vs. Management System
- NFPA 1600 is written following a program management, planning, implementation, execution, training/education, exercises/tests, and maintenance/improvement process.
- ISO 22301 is one of many ISO management systems standards. The underlying requirements for the management system are more extensive than program management requirements in NFPA 1600. ISO 22301 aligns with the plan, do, check, act cycle.
Subject Area: Areas of Emphasis
- NFPA 1600 addresses performance objectives based on laws and authorities as well as the results of risk assessment and business impact analysis.
- ISO 22301’s strong emphasis is on the management system with understanding the context of the organization and the needs and expectations of interested parties determining the business continuity management system (BCMS) scope. It emphasizes requirements for top management involvement in the BCMS.
Subject Area: Content EXCLUSIVE to or more prescriptive in NFPA 1600
- Requirements for program coordinator and program committee
- Finance and administration requirements
- Risk assessment (much more prescriptive)
- Resource needs assessment
- Loss prevention strategies
- Hazard mitigation strategies
- Emergency operations/response
- Crisis communications and public information (much more prescriptive than requirements for communications with interested parties)
- Crisis management (strategic not tactical)
- Incident management system
- Employee assistance and support
- Execution (incident response and management)
- Training and education (curriculum and incident management)
Subject Area: Content EXCLUSIVE to or more prescriptive in ISO 22301
- ISO 22301 is one of many ISO management systems standards, and its underlying requirements for the management system are more extensive than program management requirements in NFPA 1600.
- Context of the organization: Understanding the organization as well as needs and expectations of interested parties determining the scope of the business continuity management system
- Management system: determination and continued evaluation of risks and opportunities to the BCMS, as well as top management involvement, other requirements
- Training and education (emphasis on competence for those involved in the BCMS and awareness for all)
- Performance evaluation requirement for internal audit