The majority of U.S. companies have a formal, written plan for emergency preparedness, according to a report released by The Conference Board. But a widely adopted certification standard for such plans does not exist yet.

A “voluntary” certification process for preparedness was adopted as part of the 2007 homeland security legislation (Public Law 110-53). The choice of standards that would permit certification under the law is currently under review. As this report goes to press, it is expected that several different standards may qualify for certification.

“Currently, the most significant finding is that none of the many standards proposed for certification has attained widespread usage in the private sector,” says Thomas Cavanagh, Senior Research Associate, Global Corporate Citizenship, The Conference Board.

The most common standard is the ISO 27001/17799 information security standard, which has been implemented by 23% of the surveyed companies. Following close behind, used by 20% of companies, is NFPA 1600, which was endorsed as the National Preparedness Standard in 2004 by DHS, the U.S. Congress, the 9/11 Commission, and the American National Standards Institute (ANSI). Three other kinds of standards have all been implemented by 12% of companies.

The larger companies are much more likely to have implemented the most widely known standards. At the enterprise level, 30% have adopted the ISO information security standard, compared with 24% of mid-markets and 15% of small businesses.

The most common procedure companies currently have in place for emergency preparedness is the maintenance of an off-site storage of data and documents. Some basic procedures are performed at least annually by a range of companies. Fully 83% of companies regularly update their emergency contact information, and 81% conduct fire and/or evacuation drills at least once a year.