Guidelines for Incident Management
What ISO 22320 Covers
ISO 22320:2018 provides guidelines for incident management, covering the principles that give incident response its value, the basic components of the process and structure, and how organizations work together through joint direction and cooperation.
The standard sits within the ISO 22300 family for business continuity and societal resilience. It is applicable to any organization involved in responding to incidents of any type and scale · natural hazards, technological failures, cyber events, public-safety emergencies, or supply-chain disruptions. It supports both single-organization response and multi-agency coordination.
Who Should Be Certified to ISO 22320
Certify that your incident-management arrangements meet the international benchmark for principles, structure, and joint working under ISO 22320:2018.
Emergency-services organizations
Fire, ambulance, search-and-rescue, and civil-defence agencies that need a common command-and-control language across mutual-aid boundaries.
Critical infrastructure operators
Utilities, telecoms, transport, and energy operators whose incident-response arrangements are scrutinized by regulators and insurers.
Large private-sector organizations
Manufacturers, logistics providers, banks, and technology firms integrating incident management with their business continuity program.
Public safety & municipal authorities
Local, regional, and national bodies with statutory responsibility for emergency preparedness and public communication.
Healthcare systems
Hospital networks and public-health agencies coordinating mass-casualty, outbreak, and continuity-of-care responses.
Security & resilience consultancies
Firms delivering incident-management design, exercises, and audits for public and private clients.
Common Reasons Organizations Pursue ISO 22320 Certification
- Regulator, insurer, or client requirement to demonstrate a recognized incident-management framework
- Post-incident lessons that expose weaknesses in command, coordination, or communication
- Multi-agency or multi-site operations that need a shared operating picture
- Integration of a new site, subsidiary, or capability into the corporate incident-management arrangements
- Refresh of a business continuity or resilience program under ISO 22301
Key Benefits
Clear command & control structure
A defined Incident Commander role with documented authority, delegation, and escalation, mapped to the ISO 22320 model.
Effective joint working
Common principles that make cross-organization, cross-sector, and cross-border cooperation faster and less ambiguous.
Continuity of critical services
Incident-management arrangements that support the continuity of the services your customers, regulators, and community rely on.
Demonstrable due diligence
A third-party certificate that shows regulators, insurers, and boards that your incident arrangements meet an international standard.
Integration with ISO 22301 & ISO 31000
Fits alongside business continuity and risk management systems you may already have · one aligned resilience program.
The USQC ISO 22320 Certification Journey
Application & Scope Confirmation
Kick-off, confirmation of the incident-management arrangements in scope, sites and functions covered, and issuance of the USQC certification agreement.
Stage 1 · Readiness Review
Documentation review of your incident-management policy, roles and responsibilities, plans, and exercise records. A written gap list is issued to your team.
Stage 2 · Certification Audit
Assessment of the arrangements in operation · principles, process, structure, command and control, coordination, information and communication, and cooperation with external parties.
Independent Technical Review
A separate USQC reviewer examines the audit file and makes the certification decision. The audit team does not decide · impartiality is preserved by design.
Certificate Issuance & Registration
The certificate is issued with a unique serial number, listed in the online USQC verification registry, and available for regulator submissions or tenders.
Certification Timeline
For organizations with reasonably mature procedures, initial certification is typically completed in four to six weeks depending on readiness and scheduling.
| Phase | Typical Duration |
|---|---|
| Kick-off & agreement | Days 1 to 3 |
| Stage 1 readiness review | Week 1 to 2 |
| Gap closure by client | Week 2 to 3 |
| Stage 2 certification audit | Week 3 to 5 |
| Technical review & certificate issuance | Week 5 to 6 |
Certifying Body You Can Rely On
- Auditors familiar with the ISO 22300 family · ISO 22301, ISO 22320, ISO 22361 · and their interactions
- Clear separation between certification and consulting · impartiality preserved end to end
- Digitally verifiable certificate, listed at www.usqc.us as soon as the decision is made
- Remote and hybrid audits for multi-site organizations and international operations
FAQ
Is ISO 22320 a management system standard?
It is a guidelines standard, not a management system standard in the ISO/IEC 17021-1 sense. USQC's certification confirms that your organization's incident-management arrangements are designed, documented, and exercised in line with the ISO 22320 principles and components.
How does ISO 22320 relate to ISO 22301?
ISO 22301 covers the management system for business continuity. ISO 22320 covers the operational incident-management response. Many organizations hold both and audit them together.
Can we integrate certification with ISO 22301, ISO 27001, or ISO 31000?
Yes. Integrated audits reduce duplication and total audit days. USQC will map the shared clauses and audit them once.
How long does the certificate remain valid?
Three years, subject to annual surveillance audits. Recertification is scheduled before the end of the three-year cycle.
Ready to Get Certified?
Request a certification proposal tailored to your organization. Our team will confirm scope, timeline, and fees within one working day.
Request a Proposal
