UCS - Universal Certification and Services
ISO 22361:2022 Certification

ISO 22361:2022
Security and resilience — Crisis management — Guidelines

The international standard for crisis management. ISO 22361:2022 provides guidance and requirements for establishing effective crisis management capability — enabling organisations to lead, coordinate, and communicate through any crisis.

Accredited Certification Body
7–10 Day Certification
Globally Recognised

Why Certify

Benefits of ISO 22361:2022 Certification

Crisis management certification demonstrates your organisation's readiness to lead through any high-impact event.

Effective Crisis Response

Build structured capability to detect, assess, and respond to crises before they escalate and cause lasting damage.

Protect Organisational Reputation

Demonstrated crisis management capability maintains stakeholder confidence during high-pressure situations.

Internationally Recognised

ISO 22361:2022 is the global benchmark for crisis management — recognised by governments, industries, and international partners.

Reduce Recovery Time

Pre-planned crisis response procedures enable faster recovery and minimise long-term operational and financial impact.

Clear Leadership Accountability

Define roles, responsibilities, and decision-making authority so your team can act decisively under pressure.

Complement ISO 22301:2019

ISO 22361:2022 works alongside Business Continuity (ISO 22301:2019) to provide complete organisational resilience capability.

What It Covers

Key Requirements of ISO 22361:2022

ISO 22361:2022 covers the complete crisis management lifecycle — from pre-crisis preparedness through active response and post-crisis recovery.

Crisis management policy and principles
Crisis identification and assessment structure
Crisis leadership structure and decision-making
Crisis communication strategy and plans
Stakeholder engagement and media management
Incident escalation and activation criteria
Crisis response team roles and responsibilities
Exercises, testing, and capability validation
Post-crisis review and lessons learned
Integration with business continuity plans

Industries

Who Needs ISO 22361:2022?

ISO 22361:2022 is valuable for any organisation operating in high-risk environments or with significant reputational exposure, particularly:

Government & Public Sector
Financial Services
Healthcare & Hospitals
Energy & Utilities
Mining & Resources
Transport & Aviation
Major Event Management
Critical Infrastructure

Simple & Clear

Our ISO 22361:2022 Certification Process

01

Application & Scoping

Define your crisis management scope — the types of crises covered and organisational boundaries.

02

Certification Agreement

Agreement covering audit requirements, timeline, and certification conditions.

03

Stage 1 Audit

Documentation review of your crisis management structure, plans, and governance structure.

04

Stage 1 Report

Findings and guidance on gaps to address before the Stage 2 audit.

05

Stage 2 Audit

On-site audit verifying that your crisis management capability is implemented and validated.

06

Certificate Issued

Your ISO 22361:2022 certificate is issued — valid for 3 years with annual surveillance audits.

Detailed Guide

Everything You Need to Know

The UAE operates at the intersection of global commerce, rapid urban development, and complex geopolitical dynamics. Organizations across Dubai, Abu Dhabi, Sharjah, and Ajman face a wide spectrum of crisis scenarios, from reputational events triggered by social media, to regulatory investigations, to supply chain disruptions affecting international operations. In this environment, the ability to manage a crisis at the strategic level is not a theoretical governance requirement. It is a practical business necessity.

ISO 22361:2022 is the internationally recognized standard for crisis management. Published by the International Organization for Standardization, it provides guidance to help organizations plan, establish, maintain, review, and continually improve a strategic crisis management capability. It is designed for top management with strategic responsibilities, and for those who operate under the direction of top management in implementing crisis plans and maintaining associated procedures.

UCS is an accredited ISO certification body headquartered in Ajman, UAE, with operations across Dubai, Abu Dhabi, Sharjah, and the wider region. UCS provides ISO certification and auditing services across all major management system standards.

What Is ISO 22361:2022?

ISO 22361:2022 — Security and Resilience: Crisis Management — Guidelines — is an international standard published by the International Organization for Standardization under Technical Committee ISO/TC 292, Security and Resilience.

ISO 22361:2022 is distinct from emergency management and incident management standards. It is not intended for operational emergency response. It addresses the strategic level of crisis management, covering the decisions, communication, leadership, and organizational capability required to manage events that exceed normal operational procedures and threaten the strategic position of the organization.

Organizations across the UAE increasingly reference ISO 22361:2022 when developing crisis management programs, responding to governance and regulatory requirements, and demonstrating strategic resilience capability to boards, investors, free zone authorities, and government clients.

The standard addresses six interconnected areas of crisis management:

  • Context, core concepts, principles, and challenges
  • Developing an organization's crisis management capability
  • Crisis leadership
  • Decision-making challenges and complexities facing a crisis team
  • Crisis communication
  • Validation, testing, and learning from crises

What ISO 22361:2022 Covers

Context, Core Concepts, and Principles

ISO 22361:2022 establishes the context in which crises occur and the foundational principles that distinguish effective crisis management from reactive response. A crisis is defined as an event or situation that involves a high degree of complexity, instability, and uncertainty, and that can exceed the response capacity or capability of the organization. In the UAE, where organizations operate across multiple jurisdictions, regulatory environments, and cultural contexts, understanding this complexity is the essential starting point for building a credible crisis management capability.

Developing Crisis Management Capability

The standard provides guidance on how organizations establish and sustain a crisis management capability. This includes defining governance arrangements, establishing a crisis management team with clearly assigned roles, developing crisis plans and procedures, and ensuring that the capability is integrated with the organization's broader risk management and business continuity arrangements. The standard is clear that crisis management capability must be developed before a crisis occurs, not improvised during one.

Crisis Leadership

ISO 22361:2022 dedicates specific attention to crisis leadership, recognizing that the quality of leadership during a crisis is often the determining factor in how well an organization manages the event and protects its strategic position. The standard addresses how leaders make decisions under conditions of uncertainty and time pressure, how they maintain situational awareness, and how they demonstrate the authority and composure required to guide their organization through a crisis. In the UAE's high-visibility business environment, leadership credibility during a crisis directly affects stakeholder confidence and organizational reputation.

Decision-Making During a Crisis

Crisis conditions are characterized by incomplete information, time pressure, and rapidly evolving circumstances. ISO 22361:2022 provides guidance on the decision-making challenges facing a crisis team in action. It addresses how to establish a structured decision-making process that remains effective even when information is limited or conflicting, and how to avoid common cognitive failures that undermine crisis response at the strategic level.

Crisis Communication

Effective crisis communication is a strategic function, not a public relations task. ISO 22361:2022 addresses how organizations communicate with internal stakeholders, external parties, regulators, media, and the public during a crisis. In the UAE, where organizations operate in a multilingual, multicultural environment and face simultaneous scrutiny from local regulators, international media, and global investors, structured crisis communication is a critical strategic capability. The standard covers the principles of timely, accurate, and consistent communication, and the importance of maintaining credibility and trust throughout the crisis lifecycle.

Validation, Testing, and Learning

ISO 22361:2022 requires organizations to validate their crisis management capability through exercises and simulations, and to learn from both exercises and real crisis events. Post-crisis reviews, lessons-learned processes, and capability assessments are built into the standard's guidance, ensuring that the organization's crisis management capability strengthens over time through structured continual improvement.


ISO 22361:2022 in the UAE Context

UAE Vision 2031 and Organizational Resilience

The UAE's national development agenda places significant emphasis on organizational resilience, governance quality, and institutional preparedness across all sectors. ISO 22361:2022 provides organizations with an internationally recognized standard for strategic crisis management capability that directly supports the UAE's broader goals of building a resilient, well-governed, and globally competitive economy.

Regulatory and Free Zone Governance Requirements

Organizations operating across UAE free zones and under federal and emirate-level regulatory authorities are increasingly expected to demonstrate structured governance arrangements for crisis preparedness. Free zone licensing processes, government contract prequalification criteria, and regulatory governance reviews all place growing emphasis on an organization's ability to demonstrate crisis management capability at the board and executive level. ISO 22361:2022 provides the internationally recognized standard that supports these requirements.

NCEMA Compatibility

The National Emergency Crisis and Disaster Management Authority (NCEMA) provides the federal structure for crisis and emergency management across the UAE. ISO 22361:2022 provides organizations with a strategic crisis management capability that is compatible with NCEMA's broader national crisis management structures, supporting effective coordination between organizational crisis management teams and federal and emirate-level authorities during major events.

Reputational Risk in a High-Visibility Environment

The UAE's position as a global business hub means that organizational crises attract rapid and widespread media attention, both regionally and internationally. Organizations that lack structured crisis management capability face significantly greater reputational exposure when a crisis occurs. ISO 22361:2022 provides the communication principles and leadership structures required to manage crisis events in a high-visibility environment where stakeholder confidence is both easily damaged and difficult to restore.

Which Organizations in the UAE Need ISO 22361:2022

ISO 22361:2022 is applicable to any organization, regardless of size, type, or sector. In the UAE, it is particularly relevant to:

Large Private and Multinational Organizations

Major private sector organizations and multinational companies operating in the UAE face crisis scenarios that can affect operations across multiple jurisdictions simultaneously. ISO 22361:2022 provides the strategic crisis management structure required to manage these events at the board and executive level, protecting organizational reputation and stakeholder relationships across complex operating environments.

Government and Semi-Government Entities

Federal and emirate-level government entities, as well as semi-government organizations operating in sectors such as utilities, transport, and public services, face crisis events that attract significant public and media attention. ISO 22361:2022 supports the development of structured crisis management capability that enables government leadership teams to manage these events transparently and effectively.

Financial Services Organizations

Banks, insurance companies, and financial institutions operating in the UAE under Central Bank of the UAE and other regulatory authority requirements face crisis scenarios involving financial market events, regulatory investigations, and data security incidents. ISO 22361:2022 provides the governance structure and communication protocols required to manage these events at the board and executive level.

Oil, Gas, and Energy Organizations

The UAE's energy sector operates in a high-visibility, high-consequence environment where operational incidents, environmental events, and regulatory investigations can rapidly escalate to organizational crises. ISO 22361:2022 provides the strategic crisis management capability that complements existing operational emergency response arrangements, ensuring that leadership teams are equipped to manage major events at the strategic level.

Hospitality, Real Estate, and Events Organizations

Hotels, real estate developers, entertainment venues, and major event organizers across the UAE operate in environments where crises, including safety incidents, reputational events, and regulatory actions, can attract rapid and widespread public attention. ISO 22361:2022 provides the crisis leadership and communication structures required to manage these events effectively and protect organizational reputation.

Healthcare Providers and Medical Networks

Hospitals, clinics, and healthcare networks operating under Dubai Health Authority, Department of Health Abu Dhabi, and Ministry of Health and Prevention requirements face crisis events involving patient safety, regulatory compliance, and public health that carry significant institutional and reputational risk. ISO 22361:2022 supports the development of strategic crisis management capability at the executive and board level of healthcare organizations.

Core Principles of ISO 22361:2022

Strategic Focus

ISO 22361:2022 is explicitly focused on the strategic level of crisis management. It is not an operational procedure or incident response checklist. It addresses how an organization's leadership team makes decisions, communicates, and maintains strategic control during events that threaten the organization's fundamental interests and stakeholder relationships.

Preparedness Before the Crisis

The standard is clear that crisis management capability must be developed, tested, and embedded before a crisis occurs. Organizations that attempt to build crisis management capability during a crisis will almost certainly fail to manage it effectively. ISO 22361:2022 provides the guidance required to build genuine preparedness into the organization's governance and operating model.

Leadership and Decision-Making Under Uncertainty

ISO 22361:2022 recognizes that crises are characterized by uncertainty, incomplete information, and time pressure. It provides guidance on how leaders can structure their decision-making processes to remain effective under these conditions, avoiding cognitive failures that commonly undermine crisis response at the strategic level.

Communication as a Strategic Function

The standard treats crisis communication as a strategic leadership responsibility. How an organization communicates during a crisis directly affects its credibility, stakeholder relationships, and long-term reputation. ISO 22361:2022 provides the principles and structure required to manage crisis communication at the level it demands, particularly relevant in the UAE's multilingual and multicultural operating environment.

Continual Improvement

ISO 22361:2022 requires organizations to learn from both exercises and real crisis events. Structured post-crisis reviews and lessons-learned processes are built into the standard's guidance, ensuring that crisis management capability is continually strengthened rather than allowed to degrade between events.

Benefits of Implementing ISO 22361:2022 for UAE Organizations

Stronger Board and Executive Governance

ISO 22361:2022 provides a recognized international standard against which boards and executive teams can assess their crisis management governance. Organizations in the UAE that reference this standard demonstrate to free zone authorities, government clients, investors, and regulators that crisis management is embedded in their governance model.

Reduced Reputational and Commercial Exposure

Poorly managed crises destroy organizational reputation and commercial relationships in the UAE's competitive business environment. Organizations with structured, tested crisis management capability recover more quickly, communicate more effectively, and demonstrate the leadership composure that stakeholders expect. ISO 22361:2022 provides the structure that makes this possible.

Better Regulatory and Government Relations

UAE regulators and government authorities expect organizations to demonstrate structured crisis management governance, particularly in sectors such as financial services, healthcare, and energy. Organizations that reference ISO 22361:2022 are better positioned in regulatory interactions, government contract processes, and free zone governance reviews.

Stronger Positioning in Government and Private Sector Tenders

Government and major private sector procurement processes in the UAE increasingly require evidence of structured crisis management and organizational resilience capability. Organizations that reference ISO 22361:2022 alongside certifiable standards such as ISO 22301:2019 and ISO 45001:2018 present a more complete and credible resilience profile in tender submissions and supplier prequalification processes.

A Complete Organizational Resilience Architecture

ISO 22361:2022 complements ISO 22320:2018 for operational incident management and ISO 22301:2019 for business continuity management. Organizations that implement all three create a complete resilience architecture covering strategic crisis management, operational incident response, and business continuity recovery. UCS provides ISO certification and auditing services for all certifiable standards in this resilience category.

UCS Certification Process

For organizations seeking ISO certification with UCS, our certification process follows a structured six-stage pathway:

  1. Application — Submit your certification inquiry and define the scope of the management system to be assessed.
  2. Certification Agreement — UCS prepares and issues a formal certification agreement for your review and signature prior to audit commencement.
  3. Stage 1 Audit — A structured review of your documented management system to assess readiness for Stage 2.
  4. Stage 1 Audit Report — UCS provides a formal report detailing findings and any observations to be addressed before Stage 2 proceeds.
  5. Stage 2 Audit — An on-site or remote assessment of your system's implementation, operational effectiveness, and conformance with the relevant standard. Following Stage 2, the recommendation goes to the certification committee for review and approval.
  6. Final Report and Certification Issuance — UCS issues the Stage 2 audit report. Following resolution of any findings, your ISO certificate is formally issued within 2 working days.

Certificates issued by UCS are valid for three years and are subject to annual surveillance audits to confirm ongoing compliance and system effectiveness.


What is ISO 22361:2022 and why is it relevant to organizations in the UAE?

ISO 22361:2022 — Security and Resilience: Crisis Management — Guidelines — is an international standard that provides guidance to help organizations plan, establish, maintain, review, and continually improve a strategic crisis management capability. In the UAE, it is relevant to any organization with board or executive-level responsibility for crisis preparedness, including organizations operating in financial services, energy, healthcare, hospitality, real estate, and government sectors. It provides a recognized international standard for strategic crisis management that supports governance requirements across UAE free zones and regulatory environments.

How is ISO 22361:2022 different from ISO 22320:2018?

ISO 22361:2022 and ISO 22320:2018 address different levels of organizational response. ISO 22361:2022 addresses the strategic level, covering how leadership teams manage crises that threaten the fundamental interests and reputation of the organization. ISO 22320:2018 addresses the operational level, covering incident management, command and control, and inter-agency coordination during emergency response. The two standards are complementary and are often referenced together as part of a broader organizational resilience program.

Which types of organizations in the UAE benefit most from ISO 22361:2022?

ISO 22361:2022 is relevant to any organization whose board or executive team has strategic responsibility for crisis preparedness. In the UAE, this includes large private and multinational organizations, government and semi-government entities, financial services organizations, oil, gas, and energy companies, hospitality and events organizations, and healthcare providers. Any organization required to demonstrate crisis management governance as part of a free zone licensing process, government tender, or regulatory requirement will benefit from referencing this standard.

How does ISO 22361:2022 relate to ISO 22301:2019 for business continuity?

ISO 22361:2022 and ISO 22301:2019 address different but complementary phases of organizational resilience. ISO 22361:2022 addresses the strategic crisis management capability required to manage events that threaten the organization's fundamental interests and reputation. ISO 22301:2019 addresses the business continuity management system required to maintain and restore critical functions following a disruption. Many organizations in the UAE reference both standards as part of a complete resilience program. UCS provides ISO certification and auditing services for ISO 22301:2019 and all other certifiable ISO management system standards.
Internationally Recognized Accreditation

Ready to Get ISO 22361:2022 Certification?

Contact our team today for a free assessment and tailored quote. Most eligible businesses can achieve certification within 7–10 days.

500+ Businesses Certified
7–10 Day Certification
Quote in 3–4 Hours