DIN ISO 22361 – Basics for modernized crisis management, in KES 2023#2

The latest issue of KES contains an article by our Managing Director, Dr. Klaus Bockslaff 1, on crisis management in accordance with DIN ISO 22361. Read it here or on the KES website: https://www.kes.info/aktuelles/kes/inhalt

The new DIN ISO 22361 provides a comprehensive text on crisis management, based on a proven standard and intended for organizations of all sizes. The standard distinguishes between crisis and incident management and does not stop at describing the organizational structure. The importance of leadership in a crisis and personal requirements is emphasized. The importance of strategic decision-making in a crisis is also emphasized. However, the requirements that apply to crisis team work in an increasingly digital environment and rules for collaboration across multiple locations are still missing. The new standard also provides the basis for a review of crisis management by the internal audit department or an external auditor.

History of DIN ISO 22361

After years with only a few cases of practical crisis team work, the crisis teams or task forces in many companies have held many meetings since the start of the coronavirus pandemic and the subsequent war in Ukraine. At the same time, ransomware attacks are also on the rise. In some companies, several crises had to be dealt with in parallel. As a result, the staff members have gained a great deal of experience and thus also shaped many procedures. It is now essential to ensure that the post-processing of these findings is analyzed. You are allowed to make mistakes, but you should not fail to learn from them. We were able to make the following observations:
  • The challenges for crisis management during the Ukraine crisis are much more complex than during the coronavirus pandemic
  • Without the previous experience of the coronavirus pandemic, many would have found it difficult or impossible to cope with the Ukraine crisis
  • The status of crisis management in companies has improved significantly as a result of current experience
  • In particular, the importance of a structuring methodology has become much more widely accepted
  • The challenges of “leadership in a crisis” must be clearly distinguished from “leadership in the line”
  • There are many methodological weaknesses and regional differences in the work of the crisis teams
  • There is therefore a need for an internationally recognized crisis management standard that defines the methodological approach and standardizes it internationally
The emphasis of the new DIN ISO 22361 lies in its methodology and in the fundamental question “How do you proceed in a crisis?” If I have nothing left, do I at least have a procedure? Do I then have at least a basic structure? The new standard was published as a DIN standard 2 in February 2023.
The basis of the new standard

The content of this standard does not start from scratch, but builds on existing and familiar content. For example, the “DVGW – Deutscher Verein des Gas- und Wasserfaches e.V.” (German Technical and Scientific Association for Gas and Water) has developed a basic structure for the procedure in the event of a crisis in the energy industry 3 and established a methodical approach.

The Swiss colleagues are far ahead of the Germans with their management rhythm. The management rhythm used there is also applied at army level. Due to the militia system applied in Switzerland, there is a high penetration of the management rhythm and thus a well-structured staff work also at the management level of the private sector.

Another predecessor of the new ISO standard are the BSI standards 200-1, 200-2 and 200-3 of the German “Federal Office for Information Security”. These standards are mainly concerned with “business continuity”, i.e. the continuation of business in the event of an incident. BSI 200-4 also deals briefly with the topic of crisis management. The helpful publications 4 of the ASW Federal Association’s Crisis Management Competence Center provide a further basis for the topic.

A key basis for the new standard comes from CEN/TS 17091 of the BSI (British Standard). The text of the new DIN ISO standard is a heavily revised version of the BSI standard 5.

Contents of DIN ISO 22361

In DIN ISO 22361 we see the classic division of modern ISO standards:

Chapter 1 “Scope of application” defines the scope of validity.

Chapter 2 contains the classic normative references and Chapter 3 the “Terms” and definitions. The terms according to ISO 22300 also apply. This should put an end to the frequently observed conceptual confusion.

Chapter 4 “Crisis management – context, basic ideas and principles” sets out the core concepts and principles of crisis management. Chapter 4.2 with the “Characteristics of a crisis” is particularly valuable here. In a comprehensive table on the “Essential characteristics of emergencies and crises”, the six criteria of “predictability”, “onset”, “urgency and pressure”, “impact”, “assessment by the public, media and other stakeholders” and “controllability through established plans and procedures” are set out in the explanatory texts for each of these characteristics, providing helpful support for distinguishing between emergencies and crises.

Overall, Chapter 4 addresses the topic of “crisis” from a very fundamental perspective. There is an overlap here with the “parallel” work of the responsible ISO working group on ISO 22360 6.

The actual operational part of crisis management is contained in chapters 5 to 9 of the standard. Chapter 5 describes the “Development of crisis management capabilities”. The “Elements of crisis management” are described in section 5.2. Chapter 5.3 deals with the “crisis management process”. Section “Composition and responsibilities of the crisis unit (CR)” contains a description of the various functions in the crisis unit, from “Management” to the “Legal” function. This is also where you will find the “Administrative Support”, which is referred to elsewhere as the “Situation Center” or “Assistance Team”.

Section 5.3.5 “Response” is of central importance for the actual work of the crisis unit, i.e. the operational approach of the unit’s work. The core requirement for the approach of a crisis team in the event of an incident is not to allow the dynamics of the situation to drive them into spontaneous reactions, but to design the process in such a way that it is possible to move from reaction to action. This control requires a systematic process based on a clear analysis of the given situation, especially in the initial or chaos phase, which lays the necessary foundation by gathering information and taking immediate action.

The basic requirement is to control the work of the crisis management team in the event of an incident and to provide it with a procedural framework. In a situation in which the staff initially does not have a concrete solution, the necessary individual tasks, which are the basis of regulated staff work, should be run through in helpful steps.

The basic requirements for the response are described in a so-called crisis management cycle.

This graphic is based on the corresponding representation in ISO 22361, but supplemented by level 1 "Alerting" and level 8 "Recovery / completion of staff work"
1 Alerting, start of staff work
  • Informing the crisis team about a possible crisis
  • Decision on further processing
  • On activation of crisis team Info to crisis management team (KMT)
2 Situation (situational awareness) Situation / situation: situational awareness, knowledge of the following factors: What is going on? Impacts, problems, risks Once the alarm has been raised, the crisis team gathers relevant information for an initial situation report and coordinates the necessary ad hoc measures. Based on an impact analysis, the crisis team defines options for the best, worst and most likely course of events.
3 Definition of the general orientation / objectives What is the desired end state? Was ist das Ziel der Krisenreaktion? What overarching values and priorities will serve as a foundation and guide? and then defines the most important goals for crisis management.
4 Options for action Development of options for action, assessment of the options with regard to the desired end state. The crisis team evaluates the possible options for action, including the advantages and disadvantages and the respective challenges. The result should contain a prioritized list of possible measures.
5 Decision Making a decision or choice that should be consistent with the organization’s values and strategic priorities.
6 Commissioning of measures (including documentation) Taking into account the overall objective, the prioritized options and the various functional perspectives, the crisis team defines and commissions the measures required to manage the crisis (including responsibilities and deadlines).
7 Review / Tracking Constant tracking of the implementation and effectiveness of measures, which leads to possible adjustments, completes the crisis management cycle.
8 Restoration / completion of Sabsarbeiet The recovery phase involves overcoming the effects of a crisis and returning to “normality” or adapting to new circumstances, especially if major changes have taken place after the crisis.

Chapter 6 then describes the qualities that someone working in a crisis team should have. This chapter is a central element in the whole discussion about this standard.

Chapter 6.1.1: DIN ISO 22361

The ability to lead effectively in a crisis should not be assumed or taken for granted as a consequence of an individual’s appointment or status (see 5.2.2). Managers reviewing their training and development needs may find crisis management skills useful (see Figure 4). It is important to recognize that some people are not equipped to handle crisis situations and enforce crisis management, which can be identified as part of their training and exercises.

With the explanations in Chapter 6 “Importance of leadership in crises”, the standard addresses a very sensitive point. The success of a team’s work depends to a large extent on the management’s ability to promote the “solution-finding skills” of the entire “team”. What kind of personality does someone need to be able to lead their team to success in a crisis situation, a situation in which they know no solution? That is probably the real art of crisis management. Not just to work through a checklist, but to find a sensible and good solution with the crisis team. Requirements such as “emotional intelligence”, for example, are quite a challenge for an ISO standard. The requirements are listed in detail in the figure above.

The requirements shown in the diagram can be found in this or a similar form in management literature on the topic of “Leadership in crises ” 7. The treatment of this topic is strongly influenced by experience in aviation, which has shown that overly authoritarian leadership in the person of the flight captain has led to a number of accidents that could have been avoided with different, participatory leadership behavior. The concept of “crew resource management ” 8 developed in aviation is originally a training course for aircraft crews, which is intended to train and improve non-technical skills in order to prevent flight accidents caused by human error. This involves cooperation, situational awareness, leadership behavior and decision-making as well as the associated communication 9.

The particular merit of Chapter 6 on leadership in crises is that it describes procedures and requirements that are necessary for successful crisis management on the one hand, but which must be distinguished from classic line management on the other. A self-critical view of one’s own behavior in similar situations could lead to the conclusion that one (myself included) did not always meet the requirements set there. The text of the standard sets a high standard here, e.g. in Chapter 6.1.1 Section 4:

Leadership requires excellent interpersonal skills such as consensus building, teamwork, flexibility, communication and the ability to find options within existing time constraints. Managers must be able to deal with the uncertainties that crises bring and be able to lead an organization coherently through very confusing situations.

Chapter 7 of the standard describes strategic decision-making in the event of a crisis. The standard repeats the six elements from Chapter 5.3.5 “Response”, particularly in Figure 5 “Strategic decision-making in a crisis”.

Critically, it could be noted that Figure 5 would actually fit better in Chapter 5.3.5 10. The particular value of chapter 7, however, lies in the clear emphasis on the difficulties of decision-making. Not only the factors “why decision making can be challenging” are named, but also the “dilemmas” (section 7.3), “problems in decision making” (section 7.4) and “effective decision making” (section 7.5) are listed. This is intended to ensure that

The organization (should) make decision-makers aware of the challenges they face and the tools and techniques available to them to deal with uncertainty and reduce the potential for individual or collective decision-making errors.

The process shown confirms the specifications of the various existing procedures. It is to be expected that the anchoring of this procedure in an ISO[1] standard will also put an end to the discussions at international level as to whether and, if so, whether such a procedure should be defined.

The crisis team is a body that has to make a strategic decision in an unclear situation, usually on the basis of incomplete information. Surprisingly, the decisions that a crisis team has to make on the basis of little information are often better than waiting hours for missing information. The element of intuition therefore plays a role in such situations that should not be underestimated.

Not surprisingly, the topic of Chapter 8 “Crisis communication” is also an important one. The explanations in the new ISO standard are to be understood as state-of-the-art, but they are not very progressive compared to the rest of the content. The core statement in section 8.1 is that

effective communication is a key component of successful crisis management and an essential part of the organization’s response to crises. It comprises internal and external communication, which is developed and used to support the crisis management function.

Crisis communication positions the organization as a central source of information, conveys that it has the situation under control and gives those involved security.

The final chapter (Chapter 9) deals with training, validation and learning from crises. This is the classic PDCA cycle (Plan Do Check Act), based on the basic structures of modern ISO standards.

Conclusion and critical comment on the current status

It is to be hoped that this standard will find widespread acceptance. But this will probably not happen without friction. This is because the new standard shifts the focus of consideration away from the question of organizational structure and towards process organization.

In summary, the new DIN ISO 22361 is a comprehensive text on crisis management based on a proven British standard and whose standards can be applied to organizations of all sizes.

The standard makes a clear distinction between crisis and incident management and does not stop at describing the organizational structure. In our consulting practice, we often find that internal hierarchical discussions make it difficult to introduce or improve a crisis management system. In the current situation, which is characterized by the experiences with staff work during the corona crisis, the subsequent supply chain crisis and finally the Ukraine crisis, practical experience with method-oriented staff work has prevailed in many cases. Good management structures have proven to be particularly successful.

The new DIN ISO 22361 standard strongly emphasizes the importance of leadership in a crisis and personal requirements. The importance of strategic decision-making in a crisis is also emphasized in the new standard. The principles of decision-making laid down there correspond closely with the management rhythm.

However, the new standard also leaves open areas for action. A particular strength of crisis management is the possibility of using a procedure in an unknown and very demanding situation. The aspect of “finding solutions in an unknown situation” is hinted at in the standard, but could be emphasized even more in the challenges.

In recent crises, companies have been able to gain a lot of experience with digital crisis management. The modern requirements for digital crisis management and remote operation have not yet been taken into account. They should be taken into account in the further development of the standard. What opportunities and difficulties arise from the digitalization of crisis management?

Another challenge is the internationalization of crisis management. Rules must be created for how collaboration is to take place at multiple locations. What needs to be regulated locally or coordinated centrally? Are there procedures for this and how can they be defined?

Next steps

Over the past few months, the draft of ISO DIS 22361 has been discussed in the responsible committees of the various countries, comments and suggestions for changes have been collected, discussed in the WG 9 working group, and changes have been voted on. The final version of the text is now available and it can be expected that the standard will be adopted in the coming months.

The crisis management working group of the RMA (Risk Management & Rating Association e.V.) is currently drawing up guidelines for the implementation of ISO 22361. In this compendium, the practical requirements for each paragraph of the standard are then broken down into three levels. The current situation can then be mirrored against the standard for revision.

As there is more than just black and white in an evaluation, we have borrowed the maturity level analysis from IT. This allows you to define a maturity level for each requirement. As the standard has not yet been adopted, it is of course not yet possible to audit it, but there is already a great deal of interest in the pre-audits.


The following points are relevant for the review of the current situation:

  1. The challenges for the crisis management of an organization during the Ukraine crisis are much more complex than during the Corona crisis.
  2. Without the experiences/learnings from the coronavirus crisis, the challenges posed by the Ukraine crisis would have hit companies much harder.
  3. The importance of crisis management in companies and organizations has improved significantly as a result of this experience.
  4. In particular, the importance of a structuring methodology has become established.
  5. The challenges of “leadership in a crisis” must be clearly distinguished from “leadership in the line”.
  6. Es gibt noch ein Leben im Unternehmen/Organisation außerhalb des Krisenraumes und nach der Krise.

In the future, crisis management systems are expected to be aligned with the requirements of ISO 22361. The experience with the current crises in these turbulent times will provide the basis for the leadership methodology to prevail and to be adequately supported in suitable manuals.

Modern crisis management tools will use the possibilities of digitalization beyond alerting solutions and will be linked in a “network of systems”. This creates the basis for meeting the requirements of modern crisis management with its enormous challenges.

Finally, the new ISO 22361 standard offers the opportunity to measure and audit the degree of implementation of its requirements against an internationally recognized standard. The discussion with the argument that “we have everything” could thus be ended.

1 Dr. jur. Klaus Bockslaff LL.M. (Ind.) is an experienced risk and crisis manager and Managing Director of Verismo GmbH, Küsnacht and Verismo Consulting GmbH, Mannheim. As a “designated expert” of the SNV (Swiss Association for Standardization), he took part in the ISO negotiations on the development of the new standard for crisis management DIN ISO 22361. He also heads the RMA’s crisis management working group. This working group is currently working on a guideline for implementing ISO 22361.

2 The text of the German standard can be found at: https://www.beuth.de/de/norm/din-en-iso-22361/357117954

3 These are the following standards:

  • Safety in the power supply, S 1001
  • Safety in the gas supply – Organization and management in the event of a crisis DVGW G 1002
  • Safety in the drinking water supply DVGW W 1001

4 https://www.asw-bundesverband.de/kompetenzen/krisenmanagement/

5 Mr. Kev Brear, Convenor of the responsible ISO working group, presented the background and current status in a very interesting interview entitled “Crisis 2030: Are we ready?”.

6 Discussions are currently focusing on how to preserve the content of ISO 22360 and avoid overlaps with ISO 22361.

7 Reference is made here only to: Laurent F. Carrel, Leadership in Crises, Wiesbaden 2010; Rolf Wunderer, Führung
and Cooperation, Cologne 2009; Margot Morrell, Stephanie Capparell, Shackleton’s Art of Leadership, Hamburg

8 Barbara Kanki, Jose Anca, Thomas Chidester, Crew Resource Management, 3. Auflage, 2019

9 https://de.wikipedia.org/wiki/Crew_Resource_Management

10 This was also suggested during the negotiations of the ISO working group, but was ultimately rejected.