Digital Technology Needed to Implement ISO 22398

Noggin
Updated November 10, 2023

The international standard ISO 22398 describes the procedures necessary for planning, implementing, managing, evaluating, reporting on, and improving exercises, as well as the test designs needed to assess the crisis readiness of an organization.

The genesis of a crisis exercise and testing standard

But why such a standard in the first place?

The pandemic proved conclusively that you can't just plan for crises; you have to test plans consistently, under conditions that best approximate the real-world crisis scenario. The failure to exercise and test resilience is often given as a reason for the breakdown of business resilience processes during critical events.

Of course, the issue predates the pandemic. In the 2018 Deloitte study, Stronger, fitter, better: Crisis management for the resilient enterprise, 90 per cent of organizations reported confidence in their crisis management capabilities [1]. Only 17 per cent of those organizations, however, had performed simulation exercises.

As a result, the resilience community banded together to develop international standard ISO/DIS 22398, which lays out a best-practice framework for performing resilience testing and exercises.

However, with evidence that some of the gains in crisis management made since the pandemic are ebbing [2], we thought it was a good time to reintroduce the crisis exercises and testing standard as well as define the digital capabilities needed to implement ISO 22398.

A deep dive into ISO 22398

So, what’s the standard all about?

The standard itself consists of seven sections, in addition to a foreword, an introduction, and multiple informative annexes.

The introduction sets up fundamental principles for crisis management exercises and testing, such as the need for performance objectives. Objectives, here, include:

Orientation/demonstration

A simulated experience of an expected situation with the intent of increasing awareness of vulnerabilities and the importance of effective action in response to the simulated conditions.

Learning

Acquiring knowledge, skills, or abilities by individuals or groups with the goal of mastery of specific competencies.

Cooperation

Providing an opportunity for people to work together to achieve a common end result.

Experimenting

Trying out new methods and/or procedures with the intent of refinement.

Testing

Evaluating a method and/or procedure in order to assess which components are sufficiently developed.


Further, the standard argues that organizations should codify specific policies stipulating that exercises, testing, and implementation procedures should lead to corrective action. To this end, organizations should:

  1. Develop exercise performance objectives to define the direction and scope of exercises and testing.

  2. Implement the procedures that trigger a review based on the critique of an exercise, test, and actual events. Scenarios should reflect the objectives of the exercise.

Establishing the foundation and other key standard sections

Understanding theory is good; what matters, though, is practice. The standard excels in making pragmatic recommendations for tangible actions, too, e.g., what organizations need to do before performing tests and exercises.

In the Establishing the Foundation section, the standard instructs complying organizations to conduct a needs and gap analysis; the purpose of this analysis is to establish the need for exercises and testing in the first place.

Beyond that, pre-testing analysis effectively signals the role of exercises and testing in managing business risks. The practical import in that is it helps stakeholders (including senior leaders) understand that conducting exercises and testing is needed to manage risks.

What questions might organizations ask to get started with this planning stage of the testing process? Common questions include:

  • Does the exercises and testing plan address requirements for exercises and testing?

  • Can this plan promote consensus with interested parties?

  • Does the plan offer an opportunity to reach and interact with its target group(s) and potentially address their interests?

  • Does this plan provide an opportunity to address multiple issues in depth?

  • Does this plan focus on key issues?

  • Does the plan provide information tailored to the target group(s)?

  • Is this plan practical and relatively easy to implement?

  • Does the plan provide for information transfer at relatively low cost?

  • Is the effectiveness of this plan measurable?

  • Is this plan a good vehicle for education?

  • Is this plan creating a constructive and supportive atmosphere?

  • Is this plan an effective way to get publicity or increase public awareness?

  • Does the plan conform to the organization’s constraints?

Indeed, the genius of the ISO standard, here, is that it enables organizations to move away from generic exercises to a more customized testing program better suited to managing their specific business risks.

From that vantage, the gap analysis not only helps make the case for such a best-practice testing program, but it also indicates what kind of exercise (out of the many available options) the program should be deploying.

Exercises companies might undertake include:

Alert exercise

The purpose of an alert exercise is to test the organization by alerting the involved participants and getting them to arrive at a designated place within a certain time. It can also be used to test an alert mechanism. This type of exercise is primarily applied to internal staff.

Start exercise

A start exercise usually builds upon the alert exercise, testing how fast the emergency management organization can be activated and start carrying out their tasks. A start exercise is therefore a means to test and develop the ability to get started with crisis management processes.

Staff exercise

A staff exercise is designed to increase the ability to work with internal processes, staff and information routines in order to create a common operational picture and suggest decisions.

Decision exercise

A decision exercise is primarily used to exercise the decision-making process within an organization, e.g., the ability to take fast and clear decisions on actions and to initiate cooperation between those responsible and stakeholders, under time pressure.

Management exercise

This type of exercise is a combination of alert exercise, start exercise, staff exercise, decision exercise, and system exercise. The focus is often on the roles, organization, SOPs, etc.

Cooperation exercise

A type of exercise in which coordination and cooperation between management levels is exercised. A cooperation exercise can be carried out at both large and small scales.

A cooperation exercise may consist of "vertical" coordination (between national, regional, and local levels) or "horizontal" coordination in a sector where public and private stakeholders participate.

Crisis management exercise

A crisis management exercise simulates crisis conditions and gives personnel the opportunity to practice and gain proficiency in their plan roles.

Strategic exercise

Strategic exercise refers to comprehensive exercise activities at strategic level (e.g., inter-ministerial crisis staff, political-administrative staff, cross-sector and cross-departmental management staff, crisis management organization of corporate management).

Aims include improving the integrated crisis reaction ability in exceptional threat and danger situations (crisis situations) and developing a comprehensive coordination and decision culture.

Exercise campaign

An exercise campaign is a series of recurrent exercises with a common generic organizational structure.

The standard offers even more room for exercise customization than that. Besides type, exercises themselves can be broken down into discussion-based or operations-based. The former helps participants familiarize themselves with existing plans, policies, agreements, and procedures.

Operations-based exercises, on the other hand, help stakeholders validate plans, policies, agreements, and procedures. They also allow for the clarification of roles and responsibilities as well as the identification of resource gaps in an operational environment.

Of course, even these two categories include multiple sub-categories, examples of which include:

Discussion-based exercises

Definition: Also called "dilemma exercises," these serve to familiarize participants with current plans, policies, agreements, and procedures.

Examples:

  • Seminar. An informal discussion method, designed to orient participants to new or updated plans, policies, or procedures. Seminars involve no simulation of events and are facilitated by an experienced presenter. Organizations may use seminars as an initial organizing point when plans or programs are being revised or developed (e.g., a seminar to review and revise a procedure that proved difficult to implement during a recent disruptive event).

  • Workshop. Workshops resemble seminars, except that participant interaction is increased, and the focus is on achieving or building a product, such as new standard operating procedures, emergency operations plans, multi-year plans, or improvement plans.

  • Tabletop exercise (TTX). A tabletop exercise will include key personnel discussing simulated scenarios that involve disruptive events in an informal setting (around a table). Tabletop exercises can be a tool to build competence and support for a revised plan or procedure; to review plans, policies, and procedures; or to assess the systems needed to respond to undesired situations. Participants are expected to discuss the issues that result from the simulated events and develop decisions through paced problem solving. Tabletop exercises can be timed, with expected rapid decision making, or untimed, allowing for in-depth discussion and development of solutions. Usually, untimed tabletop exercises are used first and timed ones second.

  • Games. A simulation of operations that often involves two or more teams, usually in a competitive environment, using rules, data, and procedures designed to depict an actual or assumed real-life situation.

Operations-based exercises

Definition: Validate plans, policies, agreements, and procedures; clarify roles and responsibilities; and identify resource gaps in an operational environment.

Examples:

  • Drill. A coordinated, supervised activity usually employed to test a single specific operation or function in a single entity or multi-organization team (e.g., a fire department conducts a decontamination drill or an EOC team conducts a communications drill).

  • Functional exercise (FE). A functional exercise examines and/or validates the coordination, command, and control between various multi-agency coordination centers (e.g., emergency operations center, joint field office, etc.). A functional exercise simulates the real operating environment using complex and realistic problems that require rapid and effective responses. Functional exercises are used to assess trained personnel in a stressful, time-dependent mode.

  • Full-scale exercise (FSE). A full-scale exercise is a multi-agency, multi-jurisdictional, multi-discipline exercise involving functional elements (e.g., joint field office, emergency operations centers, etc.) and live action response (e.g., fire fighters decontaminating mock victims). The FSE is the most complex method of exercise. FSEs are conducted in real time, creating a stressful, time-constrained environment that closely mirrors real events.

Digital exercise management capabilities needed to implement ISO 22398

How, then, to set up a crisis testing and exercise capability efficiently in compliance with ISO 22398?

Organizations that haven’t yet should seek out integrated business resilience software. Using the new digital transformation technologies of analytics and workflows, these platforms help businesses to (1) better anticipate and identify trends, (2) prevent situations that may generate an interruption, and (3) respond more efficiently to disruptions that do arise.

They also work to better fuse the planning and exercise management competencies together within the greater business continuity and resilience management program.

How so?

Well, the platforms in question function as plans. That means when customers need to develop their continuity and resilience plans, all the data they have previously entered seamlessly comes together. This way continuity and resilience managers don’t have to go sifting through documents to find the data they need, eliminating the risk of someone referencing an out-of-date plan during a crisis.

What's more, because the plan is in the platform, multiple stakeholders can collaborate on developing and updating the plan, which enables better engagement. All data associated with building the plan is managed centrally, in a controlled way. And data points need only be captured once and then updated, which reduces the risk of duplication.

The platform-as-plan approach leads to more efficient exercise management, as does the platform's own enhanced exercise management functionality.

What does that functionality consist of?

For starters, exercise dashboards navigate users and their teams through each phase of an exercise, ensuring everyone understands what needs to be completed and when. From there, the platform’s automation capabilities ensure the correct teams and/or personnel are invited to participate in the exercise and receive regular updates via automated notifications throughout the exercise.

Once the exercise is activated, all users can easily see what type of exercise is being completed. And based upon the affected assets/activities, the recovery strategies required for the affected assets will automatically be populated for the team.

Built-in communication and collaboration tools, e.g., chat, email, SMS, and voice messages, then, make it easy to collaborate in real time, better coordinate responses, and keep everyone informed.

Finally, the platforms provide the capability to record meetings, minutes, and action items. This mirrors the platform's incident management functionality, designed as such to ensure a consistent user experience, which gives practitioners the benefit of familiarity in the event of a crisis.

What does it all mean?

COVID pointed up systemic gaps in exercise management; and post-COVID survey data suggest that those gaps have yet to be closed. In fact, they might be opening up again as gains are reversed.

Best-practice exercise management standards, such as ISO 22398, will get companies part of the way there – but not entirely. Developing a best-practice exercise management program for the full lifecycle of crisis management and resilience testing will take purpose-built software, like Noggin. These platforms fuse planning and exercising together, improving the user experience of each, all the while strengthening resilience.

Sources

  1. Peter Dent, Roda Woo, and Rick Cudworth, Deloitte Insights: Stronger, fitter, better: Crisis management for the resilient enterprise (2018).

  2. BCI: BCI Crisis Management Report 2023. Available at https://www.thebci.org/news/new-report-shows-organizations-are-battling-the-complex-crisis-management-landscape-with-confidence.html