ISO 22320:2018 Security and resilience — Emergency management — Guidelines for incident management

Australia’s emergency environment presents operational realities that are among the most demanding in the world. Bushfire events spanning entire states, cyclone impacts along extensive coastlines, widespread inland flooding, and infrastructure failures crossing multiple jurisdictions are not edge-case scenarios. They are recurring, high-consequence incidents that require structured, coordinated, and accountable emergency response.

ISO 22320:2018 is the internationally recognised standard for emergency management and emergency response coordination. It establishes a structure that defines how organisations plan, organise, and execute emergency responses, whether within a single agency, across multiple government departments, or through cross-jurisdictional operations.

UCS is an independent ISO certification body operating across Australia. We conduct impartial conformance audits against ISO management system standards, including those in the emergency management and organisational resilience categories.

What Is ISO 22320:2018?

ISO 22320:2018 — Security and Resilience: Emergency Management — Requirements for Incident Management — is an international standard published by the International Organization for Standardization (ISO).

Organisations across Australia increasingly reference ISO 22320:2018 when documenting emergency preparedness requirements, meeting government contract criteria, and demonstrating resilience programme governance. The standard is compatible with Australia’s established emergency management doctrines and provides a consistent international vocabulary and operational structure for incident response.

The standard is built around three foundational elements:

  • Incident management principles, covering the operational, ethical, and strategic values that govern emergency response
  • Process and structure, providing a sequential, objective-driven approach to managing incidents from detection through to resolution
  • Inter-agency coordination, defining the mechanisms through which separate organisations function as a unified response force

What ISO 22320:2018 Covers

ISO 22320:2018 addresses the complete operational scope of incident response, from the identification of an incident through to its resolution and post-incident review. It is structured around four interconnected operational areas:

Situation Awareness and Information Management

Effective incident response depends on accurate, verified information. ISO 22320 defines how organisations collect, validate, and share situational data across agencies. It introduces the concept of a common operational picture, a shared, continuously updated understanding of incident status, resource availability, and evolving risk conditions. In Australia’s multi-agency emergency environment, maintaining this shared picture is an operational necessity, not a management preference.

Objectives, Planning, and Decision-Making

The standard introduces a structured planning cycle. Responders are required to define clear, prioritised objectives, protecting life first, then the environment, then critical infrastructure and property. From those objectives, action plans are developed, resources allocated, and tasks assigned. This structured cycle prevents reactive, improvised response and ensures all participating agencies pursue consistent, coordinated outcomes.

Command, Control, and Coordination

ISO 22320:2018 defines the three operational pillars that govern how incident response is managed:

  • Command refers to the authority to make decisions, set objectives, and direct the deployment of resources. The standard requires that command assignment is defined before incidents occur, not during them.
  • Control refers to the operational management of personnel, logistics, and equipment. It ensures that resources are tracked, deployed efficiently, and reallocated as incident conditions evolve.
  • Coordination refers to the synchronisation of activities across separate agencies or organisational units. Liaison roles, shared communication platforms, and joint planning processes are central to this function.

Together, these three elements convert independent agency action into a unified response structure, which is a requirement in Australia’s federated emergency management environment.

Roles, Responsibilities, and Resource Management

ISO 22320:2018 requires that roles and responsibilities are defined and documented in advance of any incident. This preparation removes ambiguity during high-pressure response operations. The standard also provides guidance on resource tracking, covering personnel, equipment, and supplies, ensuring accountability, appropriate rotation, and effective deployment throughout an incident.

The All-Hazards Approach and Why It Matters in Australia

ISO 22320:2018 is structured as an all-hazards standard. It is not written for a single category of emergency, and applies equally across:

  • Natural disaster events, including bushfires, floods, cyclones, earthquakes, and heatwaves
  • Public health emergencies, including pandemic response, mass casualty management, and disease outbreak coordination
  • Cyber incidents affecting critical infrastructure, including coordinated attacks on energy, water, and communications systems
  • Industrial and hazardous material incidents, including chemical spills, structural failures, and environmental emergencies
  • Transportation and infrastructure disruptions affecting road networks, airports, ports, and utilities

This breadth is directly relevant to Australian organisations operating in a genuinely multi-hazard risk environment. A utility provider, a state emergency services authority, and a major construction contractor each face distinct incident types. All share the need for the same structured command, communication, and coordination principles that the standard provides.

Which Organisations Reference ISO 22320:2018

ISO 22320:2018 is relevant to any organisation with legal, contractual, or operational obligations related to emergency preparedness and incident response. In Australia, this typically includes:

State and Federal Government Emergency Agencies

Departments responsible for emergency services coordination, disaster response, and public safety face ongoing scrutiny over response quality and inter-agency communication. ISO 22320:2018 provides a recognised international standard against which these organisations can evaluate and document their internal incident management systems.

Critical Infrastructure Operators

Organisations managing electricity networks, water treatment facilities, gas pipelines, and telecommunications infrastructure are required under Australian law to maintain emergency response plans. ISO 22320:2018 supports the structured development and testing of those plans in a form that withstands regulatory review.

Large Construction and Resources Companies

Major project sites, particularly in remote or high-risk environments, require incident command structures that can be activated quickly and coordinated with external emergency services. ISO 22320:2018 provides the operational structure for those systems.

Healthcare and Aged Care Providers

Hospitals, aged care facilities, and healthcare networks must maintain mass casualty and emergency evacuation protocols. The coordination requirements of ISO 22320:2018 directly support the multi-team, time-critical demands of healthcare emergency management.

Logistics and Supply Chain Operators

Businesses managing warehousing, distribution, and freight operations at scale face significant disruption risk from natural disasters and infrastructure failures. ISO 22320:2018 supports the development of structured response protocols that protect personnel and reduce operational downtime.

Core Principles of ISO 22320:2018

The standard is built on operational principles that remain constant regardless of incident type or scale. These are not aspirational values; they are functional requirements that shape how incident management structures are built, activated, and tested.

Unity of Command

Every responder within an incident management structure reports to a single supervisor. This principle removes conflicting instructions, reduces decision-making delays, and ensures accountability is traceable from the frontline back to the incident commander.

Common Operational Picture

All agencies involved in an incident must have access to the same verified situational data. ISO 22320:2018 establishes the information-sharing protocols required to achieve this, ensuring that no agency operates on assumptions or outdated information.

Modular Scalability

The incident management structure must be capable of rapid expansion or contraction based on incident scope. ISO 22320:2018’s modular design allows organisations to activate only the components their situation requires, without imposing unnecessary overhead for minor events or insufficient structure for major ones.

Continual Improvement

ISO 22320:2018 requires organisations to review and strengthen their incident management capabilities following exercises and real-world events. Post-incident analysis, lessons-learned reviews, and capability assessments are built into the standard, ensuring the system advances over time rather than remaining static.

ISO 22320:2018 and Related International Standards

The table below shows where ISO 22320 sits within the broader landscape of ISO resilience and security standards, a useful reference for organisations building comprehensive risk and emergency management systems:

Standard | Primary Focus
ISO 22301:2019 | Business continuity management
ISO 31000:2018 | Risk management principles and guidelines
ISO/IEC 27001:2022 | Information security management
ISO 45001:2018 | Occupational health and safety

Organisations with emergency management obligations frequently reference ISO 22320:2018 alongside certifiable standards such as ISO 22301:2019 for business continuity or ISO 45001:2018 for occupational health and safety. UCS provides ISO certification and auditing services for all certifiable standards in this category.

Benefits of Implementing ISO 22320:2018

Organisations that structure their incident management systems against ISO 22320:2018 gain operational, regulatory, and reputational advantages that extend well beyond the emergency response function.

Faster Response Activation Through Pre-Defined Structures

Incidents escalate rapidly when command structures are improvised under pressure. Organisations with pre-defined roles, communication protocols, and resource management systems based on ISO 22320:2018 activate their response structures faster, reducing the time between incident identification and coordinated action.

Improved Interoperability with External Agencies

ISO 22320:2018 provides a common operational vocabulary and structural model. When an organisation’s incident management system mirrors the same principles applied by emergency services, defence, and government agencies, joint operations become significantly more effective and less prone to coordination failures.

Stronger Tender and Procurement Positioning

Government and major private sector contracts increasingly require evidence of structured emergency preparedness capability. Documented conformance with ISO 22320:2018, particularly when embedded within a certified ISO 22301:2019 business continuity management system, strengthens tender submissions and supplier prequalification applications.

Reduced Operational Disruption During Incidents

Unstructured emergency response wastes time, duplicates effort, and creates dangerous resource gaps. The command, control, and coordination model established by ISO 22320:2018 eliminates that waste, reducing the duration and operational impact of incidents across the organisation.

A Foundation for Organisational Resilience

Incident management does not exist in isolation. ISO 22320:2018 forms a natural operational foundation for broader resilience programmes, providing the response layer that connects risk management planning with business continuity recovery. Organisations that embed this standard into their operations build a more complete and durable resilience architecture.

UCS Certification Process

UCS provides ISO certification and auditing services for all certifiable management system standards referenced alongside ISO 22320:2018, including ISO 22301:2019, ISO 45001:2018, and ISO/IEC 27001:2022.

For organisations seeking ISO certification with UCS, our certification process follows a structured six-stage pathway:

  1. Application — Submit your certification inquiry and define the scope of the management system to be assessed.
  2. Certification Agreement — UCS prepares and issues a formal certification agreement for your review and signature prior to audit commencement.
  3. Stage 1 Audit — A structured review of your documented management system to assess readiness for Stage 2.
  4. Stage 1 Audit Report — UCS provides a formal report detailing findings and any observations to be addressed before Stage 2 proceeds.
  5. Stage 2 Audit — An on-site or remote assessment of your system’s implementation, operational effectiveness, and conformance with the relevant standard.
  6. Final Report and Certification Issuance — UCS issues the Stage 2 audit report. Following resolution of any findings, your ISO certificate is formally issued.

Certificates issued by UCS are valid for three years and are subject to annual surveillance audits to confirm ongoing compliance and system effectiveness.

For the official standard documentation, view the official ISO 22320 standard on ISO.org.

Begin Your ISO Certification with UCS

UCS delivers independent ISO certification audits across Australia, covering all states and territories.

Contact UCS today to submit your inquiry and begin your certification journey.

What is ISO 22320:2018 and what does it cover?

ISO 22320:2018 — Security and Resilience: Emergency Management — Requirements for Incident Management — is an international standard that defines the principles, processes, and structures for effective incident management and emergency response coordination. It covers situation awareness, command and control, inter-agency coordination, resource management, and the roles and responsibilities required to manage incidents from detection through to resolution. It applies across all hazard types, including natural disasters, public health emergencies, cyber incidents, and industrial events.

Which types of organisations in Australia need ISO 22320:2018?

ISO 22320:2018 is relevant to any organisation with legal, contractual, or operational obligations related to emergency preparedness and incident response. In Australia, this includes state and federal government emergency agencies, critical infrastructure operators, large construction and resources companies, healthcare and aged care providers, and logistics and supply chain operators. Any organisation required to demonstrate structured incident response capability as part of tender prequalification or regulatory compliance will benefit from referencing this standard.
 

What is the difference between command, control, and coordination in ISO 22320:2018?

ISO 22320:2018 defines these three terms precisely. Command is the authority to make decisions, set objectives, and direct the deployment of resources, which must be assigned before an incident occurs. Control is the operational management of personnel, logistics, and equipment during an incident. Coordination is the synchronisation of activities across separate agencies or organisational units through liaison roles, shared communication platforms, and joint planning. Together, these three functions form the operational structure that converts independent agency action into a unified, effective response.

Is ISO 22320:2018 compatible with Australia’s existing emergency management structures?

Yes. ISO 22320:2018 is designed as an all-hazards standard and is compatible with Australia’s established emergency management doctrines at both state and federal levels. It provides a consistent international vocabulary and structural model for incident response that complements, rather than conflicts with, existing Australian structures. Organisations that adopt ISO 22320:2018 typically find that it formalises and strengthens practices already present in their emergency management arrangements.

How does ISO 22320:2018 relate to ISO 22301:2019 for business continuity?

ISO 22320:2018 and ISO 22301:2019 address different but complementary phases of organisational resilience. ISO 22320:2018 governs the response phase, covering how an organisation manages an incident as it unfolds. ISO 22301:2019 governs the continuity and recovery phase, covering how an organisation maintains and restores critical functions following a disruption. Many Australian organisations reference ISO 22320:2018 alongside a certified ISO 22301:2019 business continuity management system to build a complete and auditable resilience system. UCS provides ISO certification and auditing services for ISO 22301:2019 and all other certifiable ISO management system standards.
