ISO 22361:2022 Security and resilience — Crisis management — Guidelines

Every organisation faces the possibility of a crisis. A cyberattack that compromises critical data, a product failure that attracts public scrutiny, a workplace incident that escalates beyond operational control, or an external event that disrupts supply chains and stakeholder confidence. In Australia’s interconnected business environment, the ability to manage a crisis at the strategic level is not a contingency plan. It is a core organisational capability.

ISO 22361:2022 is the internationally recognised standard for crisis management. Published by the International Organization for Standardization, it provides guidance to help organisations plan, establish, maintain, review, and continually improve a strategic crisis management capability. It is designed for top management with strategic responsibilities, and for those who operate under the direction of top management in implementing crisis plans and maintaining associated procedures.

UCS is an independent ISO certification body operating across Australia. We conduct impartial conformance audits against ISO management system standards.

What Is ISO 22361:2022?

ISO 22361:2022 — Security and Resilience: Crisis Management — Guidelines — is an international standard published by the International Organization for Standardization under Technical Committee ISO/TC 292, Security and Resilience.

ISO 22361:2022 is distinct from emergency management and incident management standards. It is not intended for operational emergency response. Rather, it addresses the strategic level of crisis management, covering the decisions, communication, leadership, and organisational capability required to manage events that exceed normal operational procedures and threaten the strategic position of the organisation.

Organisations across Australia increasingly reference ISO 22361:2022 when developing crisis management programmes, meeting government and regulatory requirements, and demonstrating strategic resilience governance to boards, investors, and key stakeholders.

The standard addresses six interconnected areas of crisis management:

  • Context, core concepts, principles, and challenges
  • Developing an organisation’s crisis management capability
  • Crisis leadership
  • Decision-making challenges and complexities facing a crisis team
  • Crisis communication
  • Validation, testing, and learning from crises

What ISO 22361:2022 Covers

Context, Core Concepts, and Principles

ISO 22361:2022 begins by establishing the context in which crises occur and the foundational principles that distinguish effective crisis management from reactive response. A crisis is defined as an event or situation that involves a high degree of complexity, instability, and uncertainty, and that can exceed the response capacity or capability of the organisation. Understanding this context is the starting point for building a credible crisis management capability.

Developing Crisis Management Capability

The standard provides guidance on how organisations establish and sustain a crisis management capability. This includes defining governance arrangements, establishing a crisis management team with clearly assigned roles, developing crisis plans and procedures, and ensuring that the capability is integrated with the organisation’s broader risk management and business continuity arrangements. The standard emphasises that crisis management capability must be developed before a crisis occurs, not improvised during one.

Crisis Leadership

ISO 22361:2022 dedicates specific attention to crisis leadership, recognising that the quality of leadership during a crisis is often the determining factor in how well an organisation manages the event and protects its strategic position. The standard addresses how leaders make decisions under conditions of uncertainty and time pressure, how they maintain situational awareness, and how they demonstrate the authority and composure required to guide their organisation through a crisis.

Decision-Making During a Crisis

Crisis conditions are characterised by incomplete information, time pressure, and rapidly evolving circumstances. ISO 22361:2022 provides guidance on the decision-making challenges facing a crisis team in action. It addresses how to establish a structured decision-making process that remains effective even when information is limited or conflicting, and how to avoid common cognitive failures that undermine crisis response at the strategic level.

Crisis Communication

Effective crisis communication is a strategic function, not a public relations task. ISO 22361:2022 addresses how organisations communicate with internal stakeholders, external parties, regulators, media, and the public during a crisis. The standard covers the principles of timely, accurate, and consistent communication, and the importance of maintaining credibility and trust throughout the crisis lifecycle. In Australia’s media environment, where crises attract rapid public and regulatory attention, structured crisis communication is a critical capability.

Validation, Testing, and Learning

ISO 22361:2022 requires organisations to validate their crisis management capability through exercises and simulations, and to learn from both exercises and real crisis events. Post-crisis reviews, lessons-learned processes, and capability assessments are built into the standard’s guidance, ensuring that the organisation’s crisis management capability strengthens over time through structured continual improvement.

How ISO 22361:2022 Differs from Related Standards

Understanding how ISO 22361:2022 relates to other ISO resilience standards is important for organisations building a comprehensive organisational resilience programme:

Standard          Primary Focus
ISO 22361:2022    Strategic crisis management capability and leadership
ISO 22320:2018    Operational incident management and emergency response
ISO 22301:2019    Business continuity management
ISO 31000:2018    Risk management principles and guidelines
ISO 45001:2018    Occupational health and safety management

ISO 22361:2022 addresses the strategic level of crisis response. ISO 22320:2018 addresses the operational level of incident management. ISO 22301:2019 addresses business continuity and recovery. Together, these three standards form a comprehensive organisational resilience architecture.

Which Organisations Need ISO 22361:2022

ISO 22361:2022 is applicable to any organisation, regardless of size, type, or sector. In the Australian context, it is particularly relevant to:

ASX-Listed and Large Private Organisations

Boards and executive teams of listed companies face significant reputational, regulatory, and financial consequences when a crisis is managed poorly. ISO 22361:2022 provides a recognised international standard against which organisations can evaluate and strengthen their strategic crisis management capability, demonstrating governance maturity to investors, regulators, and the ASX.

Government Departments and Statutory Authorities

Federal and state government departments face public accountability for how they manage crises that affect citizens, public services, and national interests. ISO 22361:2022 supports the development of structured crisis management capability within government agencies that must demonstrate transparent, evidence-based decision-making under pressure.

Critical Infrastructure Operators

Operators of critical infrastructure in Australia, including energy networks, water utilities, telecommunications providers, and transport operators, face crisis scenarios that can affect entire communities. ISO 22361:2022 provides the strategic crisis management structure that ensures these organisations are capable of managing major events at the leadership level, in coordination with government and regulatory authorities.

Healthcare Networks and Aged Care Providers

Healthcare organisations managing hospitals, aged care facilities, and community health services face crisis events that carry significant patient safety, regulatory, and reputational risks. ISO 22361:2022 supports the development of strategic crisis management capability that enables executive leadership teams to manage these events effectively and maintain organisational credibility.

Financial Services and Professional Services Organisations

Banks, insurers, superannuation funds, and professional services firms operating in Australia’s highly regulated financial services environment face crisis scenarios involving data breaches, regulatory investigations, and market-moving events. ISO 22361:2022 provides the governance structure and communication protocols required to manage these events at the board and executive level.

Resources, Construction, and Industrial Companies

Major resources projects and construction operations in Australia carry significant crisis risk, including serious workplace incidents, environmental events, and community relations crises. ISO 22361:2022 supports the development of strategic crisis management capability that complements existing operational incident management procedures.

Core Principles of ISO 22361:2022

Strategic Focus

ISO 22361:2022 is explicitly focused on the strategic level of crisis management. It is not an operational procedure or incident response checklist. It addresses how an organisation’s leadership team makes decisions, communicates, and maintains strategic control during events that threaten the organisation’s fundamental interests and stakeholder relationships.

Preparedness Before the Crisis

The standard is clear that crisis management capability must be developed, tested, and embedded before a crisis occurs. Organisations that attempt to build crisis management capability during a crisis will almost certainly fail to manage it effectively. ISO 22361:2022 provides the guidance required to build genuine preparedness into the organisation’s governance and operating model.

Leadership and Decision-Making Under Uncertainty

ISO 22361:2022 recognises that crises are characterised by uncertainty, incomplete information, and time pressure. It provides guidance on how leaders can structure their decision-making processes to remain effective under these conditions, avoiding cognitive failures that commonly undermine crisis response at the strategic level.

Communication as a Strategic Function

The standard treats crisis communication as a strategic leadership responsibility, not a communications department task. How an organisation communicates during a crisis directly affects its credibility, stakeholder relationships, and long-term reputation. ISO 22361:2022 provides the principles and structure required to manage crisis communication at the level it demands.

Continual Improvement

ISO 22361:2022 requires organisations to learn from both exercises and real crisis events. Structured post-crisis reviews and lessons-learned processes are built into the standard’s guidance, ensuring that crisis management capability is continually strengthened rather than allowed to degrade between events.

Benefits of Implementing ISO 22361:2022

Stronger Board and Executive Governance

ISO 22361:2022 provides a recognised international standard against which boards and executive teams can assess their crisis management governance. Organisations that reference this standard demonstrate to investors, regulators, and insurers that crisis management is embedded in their governance model rather than treated as an ad hoc operational response.

Reduced Reputational and Financial Exposure

Poorly managed crises destroy reputational capital and shareholder value. Organisations with structured, tested crisis management capability recover more quickly, communicate more effectively, and demonstrate the leadership composure that stakeholders expect. ISO 22361:2022 provides the structure that makes this possible.

Improved Decision-Making Under Pressure

The standard’s guidance on crisis decision-making equips leadership teams with structured processes that remain effective even when information is incomplete and time is limited. Organisations that have embedded this guidance into their crisis management capability make better decisions faster, reducing the duration and impact of crisis events.

Stronger Regulatory and Stakeholder Confidence

Australian regulators, including ASIC, APRA, and the ACCC, pay close attention to how organisations manage crisis events. Organisations that demonstrate structured, documented crisis management capability are better positioned in regulatory interactions, investigations, and enforcement proceedings. ISO 22361:2022 provides the governance evidence required to support these interactions.

A Complete Organisational Resilience Architecture

ISO 22361:2022 complements ISO 22320:2018 for operational incident management and ISO 22301:2019 for business continuity management. Organisations that implement all three create a complete resilience architecture covering strategic crisis management, operational incident response, and business continuity recovery. UCS provides ISO certification and auditing services for all certifiable standards in this resilience category.

UCS Certification Process

For organisations seeking ISO certification with UCS, our certification process follows a structured six-stage pathway:

  1. Application — Submit your certification inquiry and define the scope of the management system to be assessed.
  2. Certification Agreement — UCS prepares and issues a formal certification agreement for your review and signature prior to audit commencement.
  3. Stage 1 Audit — A structured review of your documented management system to assess readiness for Stage 2.
  4. Stage 1 Audit Report — UCS provides a formal report detailing findings and any observations to be addressed before Stage 2 proceeds.
  5. Stage 2 Audit — An on-site or remote assessment of your system’s implementation, operational effectiveness, and conformance with the relevant standard. Following Stage 2, the recommendation goes to the certification committee for review and approval.
  6. Final Report and Certification Issuance — UCS issues the Stage 2 audit report. Following resolution of any findings, your ISO certificate is formally issued within 2 working days.

Certificates issued by UCS are valid for three years and are subject to annual surveillance audits to confirm ongoing compliance and system effectiveness.

For the official standard documentation, see the ISO 22361:2022 standard page on ISO.org.

Begin Your ISO Certification with UCS

UCS delivers independent ISO certification audits across Australia, covering all states and territories.

Contact UCS today to submit your inquiry and begin your certification journey.

What is ISO 22361:2022 and what does it cover?

ISO 22361:2022 — Security and Resilience: Crisis Management — Guidelines — is an international standard that provides guidance to help organisations plan, establish, maintain, review, and continually improve a strategic crisis management capability. It covers six key areas: context and principles, developing crisis management capability, crisis leadership, decision-making under pressure, crisis communication, and validation and learning from crises. It is applicable to top management with strategic responsibilities in any organisation, regardless of size or sector.

How is ISO 22361:2022 different from ISO 22320:2018?

ISO 22361:2022 and ISO 22320:2018 address different levels of organisational response. ISO 22361:2022 addresses the strategic level, covering how leadership teams manage crises that threaten the fundamental interests and reputation of the organisation. ISO 22320:2018 addresses the operational level, covering incident management, command and control, and inter-agency coordination during emergency response. The two standards are complementary and are often referenced together as part of a broader organisational resilience programme.

Which Australian organisations are most likely to reference ISO 22361:2022?

ISO 22361:2022 is relevant to any organisation that faces significant reputational, regulatory, or operational crisis risk. In Australia, this includes ASX-listed and large private organisations, government departments and statutory authorities, critical infrastructure operators, healthcare networks, financial services organisations, and major resources and construction companies. Any organisation whose board or executive team has strategic responsibility for crisis preparedness will benefit from referencing this standard.

How does ISO 22361:2022 relate to ISO 22301:2019 for business continuity?

ISO 22361:2022 and ISO 22301:2019 address different but complementary phases of organisational resilience. ISO 22361:2022 addresses the strategic crisis management capability required to manage events that threaten the organisation’s fundamental interests. ISO 22301:2019 addresses the business continuity management system required to maintain and restore critical functions following a disruption. Many Australian organisations reference both standards as part of a complete resilience programme. UCS provides ISO certification and auditing services for ISO 22301:2019 and all other certifiable ISO management system standards.