Dear {{ first_name | reader }},
This week's edition works through a question most of you assume you already know the answer to: how much do ISO 22361 (crisis management), ISO 22301 (business continuity) and ISO 31000 (risk management) actually cover once you're managing a real, fast-moving, multi-front crisis?
I spent last week finding out — reading all three standards clause by clause, the way an auditor would, then checking what I found against the crisis communication literature, the COVID-19 record, and the polycrisis research reshaping how this field thinks about risk.
What I found changed how I'll use all three standards going forward. It should change how you use them too.
The standard you're most likely leaning on right now varies wildly from the other two in how seriously it takes communication, and where all three agree, they agree on the wrong things. None has a real plan for infodemics. None mentions AI. And the standard with the deepest guidance is the one you can never actually be certified against.
This edition of Wag The Dog covers the headline findings.
It's also the research base for an eight-part series I'm now publishing weekly on LinkedIn, working through each standard's communication provisions clause by clause. The first instalment (and more) is live now.
WAG THE DOG NEWSLETTER | ISSUE WEEK 29, 2026
KEY TAKEAWAYS
Nine subsections and zero enforceability — that's ISO 22361's crisis communication clause in one line. It's the most detailed treatment of communication across all three standards, and it's guidance-only. The standard you'd most want to build a programme around is the one you can never be certified against.
Score the three standards against what polycrisis conditions actually demand, and the average shortfall lands at 4.2 out of 10. Five of ten communication dimensions come back critical, led by social media and infodemic management and transformative capacity, both at 6.0.
None of the three has a systematic infodemic plan. ISO 22361 gestures at "counteracting incorrect information" in its own definition of crisis communication; ISO 22301 and ISO 31000 don't mention disinformation at all.
Zero — the number of times artificial intelligence appears in any of the three standards' communication provisions. ISO 22361's social media clause predates generative AI's mainstream arrival, and none of the three distinguishes human communication from automated communication.
COVID-19 already ran this stress test, and the standards didn't hold. A 2025 systematic review of public health professionals' pandemic communication experience found difficulty across seven themes that none of the three ISO documents anticipates.
Table of Contents
What I actually compared
Over the past week, I read ISO 22361:2022 (crisis management), ISO 22301:2019 (business continuity), and ISO 31000:2018 (risk management) clause by clause, using ISO's own Online Browsing Platform, pulling out every provision that touches communication.
I checked each one against the crisis communication literature, the COVID-19 record, and ten requirements that polycrisis and permacrisis research says a communication framework now needs.
I also brought in ISO 22320:2018, the emergency management standard, as a complementary reference. This is my own reading of the published standards, cross-referenced as rigorously as I could manage against the literature and the pandemic record. It's now the research base for the LinkedIn series I'm publishing weekly.
The guidance-enforceability gap
ISO 22361 devotes its entire eighth clause – nine subsections – to crisis communication: pre-crisis preparation, relationship and reputation management, key roles, communication strategy, message consistency, barriers, and social media.
It's the most detailed treatment of communication in any ISO document I've found. ISO 22301 covers less ground, mostly in clauses 7.4 and 8.4.3, but it's certifiable — organisations can be audited against it. ISO 22361 and ISO 31000 are both guidance only.
That produces an odd asymmetry. The standard you'd actually want to build a crisis communication programme around, ISO 22361, has no enforcement mechanism behind it.
The standard you can be certified against, ISO 22301, treats communication as a checklist of operational requirements: who to notify, how to record decisions, and how to keep communication channels available during a disruption. Useful, but generic.
ISO 31000 sits furthest back again, with communication and consultation folded into a risk framework broad enough to apply to any organisational decision, crisis or otherwise.
Where the polycrisis math gets ugly
I scored each standard's current communication capability against what polycrisis conditions demand, on a 0–10 scale for ten dimensions, then averaged the gap.
Real-time response capability, ambiguity tolerance, and transformative capacity — the ability to fundamentally reconfigure how an organisation operates once its pre-crisis assumptions stop holding — all sit among the widest gaps.
The average across all ten came out at 4.2 out of 10. Five dimensions scored as critical:
DIMENSION | GAP (out of 10) |
|---|---|
Social media & infodemic management | 6.0 |
Transformative capacity | 6.0 |
Complexity navigation | 5.5 |
Ambiguity tolerance | 5.5 |
Real-time response | 5.0 |
Social media and infodemic management came out worst of all.
The infodemic blind spot
None of the three standards has a systematic answer for what became known during COVID-19 as an infodemic: an overabundance of accurate and inaccurate information severe enough to impair public decision-making.
ISO 22361's crisis communication definition references "counteracting dissemination of incorrect information". There's no protocol behind the phrase, no guidance on distinguishing organic public concern from coordinated amplification, no prebunking framework, nothing on monitoring for coordinated inauthentic activity.
ISO 22301 and ISO 31000 don't mention mis- or disinformation at all.
A 2025 systematic review of qualitative studies, published in PMC, put a number on the scale of the problem: 46% of the UK public had been exposed to fake news about COVID-19, and 40% couldn't reliably distinguish truth from lies in what they'd seen. Response-speed expectations have moved just as fast.
Sprout Social's 2023 research found that 40% of consumers expect a brand to respond on social media within an hour of a crisis breaking, and other research puts the share expecting real-time communication once a crisis is underway at 70%.
None of the three standards' communication provisions were written with that clock running.
AI isn't in any of these documents yet
ISO 22361's social media clause predates the mainstream adoption of generative AI. None of the three standards distinguishes human communication from automated communication, addresses AI-generated misinformation, or accounts for AI-assisted monitoring as a capability a communication team might actually have.
Most crisis frameworks are behind on this, ISO included. It still means the standards you're likely building your plan around have nothing to say about deepfakes, AI chatbots handling emergency updates, or algorithmic amplification deciding which version of your crisis reaches people first.
What COVID-19 already proved
The pandemic is the closest thing this field has to a live stress test, and it already told us where the gaps bite. The same 2025 PMC review behind the fake-news numbers above found practitioners reporting difficulty across seven themes: pandemic communication itself, the infodemic, and partnership friction within and beyond public health.
Community engagement, broader communication effectiveness, burnout, and an unmet need to train dedicated specialists rounded out the list. The review's own conclusion was blunt — crisis communication strategies and guidelines need updating to close the gap between existing frameworks and what a live digital crisis actually demands.
Read against the three ISO standards specifically, five of those pressures map onto gaps none of them closes. Stakeholder audiences multiply and shift mid-crisis instead of staying fixed. Narratives now have to run across several platforms at once, each with its own norms and its own audience.
Genuine scientific uncertainty has to be communicated without losing credibility. Coordination across organisations has to hold under sustained pressure. And burnout — the pandemic showed it to be a sustainability problem no standard budgets for.
This isn't an argument to abandon the standards
None of this means ISO 22361, 22301 or 31000 are worth throwing out. ISO 22361 remains the best structural starting point I've found for organising a communication function, and ISO 22301's certifiability creates real accountability that guidance alone doesn't.
The honest reading is narrower: these standards were built for a slower, more bounded kind of crisis than the one most of us are now managing. Closing that gap is down to practitioners now. ISO's revision cycle runs on years; this can't wait that long.
What to actually do with this
Three moves, in order of how quickly you can make them.
1) Check whether your own plan treats ISO 22361's guidance as if it were audited.
If your crisis communication programme leans on clause 8 for structure, make sure leadership understands that "ISO-aligned" doesn't mean "certified" and that the accountability has to come from somewhere else – a named owner, a tested exercise cadence, or a real audit trail.
2) Write your own misinformation and disinformation protocol.
None of these standards will hand you one. The distinctions between mis-, dis- and malinformation are well established in the counter-disinformation field; borrow the structure from there rather than inventing your own taxonomy. At minimum, name who monitors for coordinated amplification versus organic concern and what triggers a correction or prebunking response.
3) Add AI explicitly to your crisis communication plan, even as a placeholder section.
Name how your team will handle AI-generated misinformation and deepfakes, whether any part of your monitoring or response is automated, and who owns the decision when an AI system flags something. It gives the next revision somewhere to start, and it gives you an answer the day someone asks for one.
I'll be working through each standard in more depth over the next two months, one a week, starting with ISO 22361's crisis communication clause 8. That series is running on LinkedIn now, and I'll link each instalment here as it goes live.
As always, feedback and comments are more than welcome!
FOOTNOTES/REFERENCES
PMC (2025). "Experiences of Public Health Professionals Regarding Crisis Communication During the COVID-19 Pandemic: Systematic Review of Qualitative Studies." — https://pmc.ncbi.nlm.nih.gov/articles/PMC11953600/
VMA Group, "Crisis Communication in the Social Media Era" — https://vmagroup.com/crisis-communication-in-the-social-media-era/
Sprout Social, Q2 2026 Pulse Survey — response-speed and crisis-response findings — https://sproutsocial.com/insights/press/social-media-is-now-the-primary-channel-for-brand-crisis-response-new-research-finds/
Worth Attending + A Gift For You
I have a gift for you.
Free tickets to the Natural Disasters Expo USA
October 14–15, George R. Brown Convention Center, Houston – exclusively for Wag the Dog readers.
This isn't a generic trade show. It's where the people responsible for keeping communities safe come to work through the hardest problems: climate change, ageing infrastructure, extreme weather events, and population growth. Government, emergency leaders, and private-sector innovators are in one room, focused on building resilience before the next disaster hits.
NEW CRISIS SCENARIO

THE RADAR: WHAT I’M TRACKING
LET’S MEET
🇦🇺 JUL 14-15 | MELBOURNE
🇪🇸 OCT 8-9 | BARCELONA
🇦🇪 MAY 10-14 | ABU DHABI
How valuable was the strategic insight in this edition?
Transparency & Disclosures
AI Transparency: In alignment with EU AI Act requirements, please note that AI technology was used in the research, drafting, and/or image generation for this edition. All strategic analysis, professional opinions, and final editorial oversight are conducted exclusively by the author. Affiliate Disclosure: Some links in this briefing may be affiliate links. I only recommend tools and services I use personally or have vetted for professional efficacy. Professional Advice: This newsletter is for educational and informational purposes only and does not constitute legal or professional crisis management advice. © 2026 RiskComms FZCO. All rights reserved.
