May 9, 2008—The majority of US companies have a formal, written plan for emergency preparedness, according to a report released recently by The Conference Board. But a widely adopted certification standard for such plans does not exist yet.
Three-quarters of the 302 senior corporate executives surveyed in mid-2007 said that an emergency preparedness plan exists in their companies. The analysis was sponsored by the US Department of Homeland Security as part of an ongoing research project to assess the effectiveness of security in American companies.
The survey sample was intended to reflect the characteristics of American businesses as defined by size and industry. The sample was divided into three strata: small business (companies with $5 million to $50 million in annual sales); mid-market ($50 million to $1 billion in sales); and enterprise ($1 billion or more in sales). Within these groups of companies, the survey polled executives with responsibility for security, business continuity, crisis management, and emergency response efforts.
A “voluntary” certification process for preparedness was adopted as part of the 2007 homeland security legislation (Public Law 110-53). The choice of standards that would permit certification under the law is currently under review. As this report goes to press, it is expected that several different standards may qualify for certification.
The most common standard is the ISO 27001/17799 information security standard, which has been implemented by 23% of the surveyed companies. Following close behind, used by 20% of companies, is NFPA 1600, which was endorsed as the National Preparedness Standard in 2004 by DHS, the U.S. Congress, the 9/11 Commission, and the American National Standards Institute (ANSI). Three other kinds of standards have each been implemented by 12% of companies.
The larger companies are much more likely to have implemented the most widely known standards, the survey found. At the enterprise level, 30% have adopted the ISO information security standard, compared with 24% of mid-markets and 15% of small businesses. Despite its high visibility as the National Preparedness Standard, NFPA 1600 has been implemented by 29% of large companies and less than 18% of those below the enterprise level. NIMS (the National Incident Management System) has been adopted by 19% of enterprise-level firms, compared to 10% of mid-markets and only 4% of small companies.
For more information, see the Web site of The Conference Board.