ISO 22301 requires an organization to establish a clear incident response structure with defined roles, responsibilities, and authorities. The internationally recognized best-practice model for this structure, often referred to as the Gold-Silver-Bronze command structure, comprises three distinct management levels. These are:

1. Strategic (Gold): The highest level, consisting of senior management who set the overall strategy, manage corporate reputation, and handle the long-term business implications of the incident.

2. Tactical (Silver): The intermediate level that coordinates the response, manages resources, and implements the strategy defined by the strategic level across various operational teams.

3. Operational (Bronze): The hands-on level where teams execute specific response and recovery tasks at the site of the disruption.

C. Continual: This refers to the principle of continual improvement, a core component of the entire management system (as per ISO 22301, Clause 10), not a specific management level within an incident.

E. Executional: While response activities are executed at the operational level, "Operational" is the standard and formal terminology used in incident management frameworks, making "Executional" an imprecise and non-standard term.

1. ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements. Clause 8.4.3, "Incident response structure," mandates the establishment of a structure to ensure an effective response, stating the organization shall "establish a structure, appointing person(s) with the necessary responsibility, authority and competence to manage an incident." The three-tiered model (Strategic, Tactical, Operational) is the globally accepted framework for fulfilling this requirement.

2. British Standards Institution (BSI). (2014). BS 11200:2014 Crisis management — Guidance and good practice. Section 4.4.2, "Structure, roles, responsibilities and authorities," explicitly details the three-tiered structure for crisis response: "The structure should be based on three levels: strategic, tactical and operational." This standard is designed to complement ISO 22301.

3. Hiles, A. (Ed.). (2011). The Definitive Handbook of Business Continuity Management. John Wiley & Sons. In Chapter 23, "Developing and Implementing the Incident and Emergency Management Plans," the text describes the common command and control structure, stating, "The most common structure is a three-tier model... The three tiers are commonly referred to as Strategic, Tactical and Operational." This is a foundational text often used in university-level business continuity courses.

4. Business Continuity Institute (BCI). (2018). Good Practice Guidelines (GPG) 2018 Edition. Section 5.5.2, "Structure," outlines the need for a hierarchical incident management structure, detailing the roles and responsibilities at the Strategic (Gold), Tactical (Silver), and Operational (Bronze) levels as essential for effective incident response.