The accreditation criterion, “Crisis Management and Incident Recovery”, aims to minimize the impact created by disasters or security incidents through managing crisis and recovery, and requires a company to set up a complete contingency plan.

A contingency plan generally includes the followings: identifying possible disasters, developing respective counter measures, defining the division of labour and the chain of command during disasters, reviewing after-the-fact for improvements and conducting routine disaster drills.

The company usually forms a crisis response team composed of department supervisors and led by senior management. The team shall regularly assess potential security risks and hazards within its operations, such as illegal intrusion of premises, malicious destruction of data, hijacking of conveyance, discovery of suspicious mail, terrorist attacks, etc. And develop respective contingency plans and measures including an immediate response guidance for disasters, emergency communication channels for information, the division of labour and the chain of command during crisis, and a guidance for notifying the law enforcement agencies and the public.

After each incident or routine disaster drill, the crisis response team shall appoint a designated staff to record, investigate, and submit a report with recommendations. The team shall examine the report, confirm and execute justified recommendations to improve daily operations or the contingency plan.

At last, the company shall perform routine disaster drills to ensure its staff are familiar with various contingency measures.