Organizational Resilience: Security, Preparedness, and Continuity Management Systems–Requirements with Guidance for Use
Publication Date: 1 January 2009
This Standard specifies requirements for an organizational resilience (OR) management system to enable an organization to develop and implement policies, objectives, and programs taking into account legal requirements and other requirements to which the organization subscribes, information about significant hazards and threats that may have an impact on it (and on its stakeholders), and protection of critical assets (physical, intangible, environmental, and human). This Standard applies to risks and/or their impacts that the organization identifies as those it can control, influence, or reduce. It does not itself state specific performance criteria.
This Standard is applicable to any organization that wishes to:
a) Establish, implement, maintain, and improve an OR management system;
b) Assure itself of its conformity with its stated OR management policy;
c) Demonstrate conformity with this Standard by:
i. Making a self-determination and self-declaration; or
ii. Seeking confirmation of its conformance by parties having an interest in the organization (such as customers); or
iii. Seeking confirmation of its self-declaration by a party external to the organization; or
iv. Seeking certification/regist
All the requirements in this Standard are intended to be incorporated into any type of organization's OR management system. It provides all the elements required to integrate management, technology, facilities, processes, and people into the resilience culture, risk management, and OR management system of an organization. The extent of the application will depend on factors such as the risk tolerance and policy of the organization; the nature of its activities, products, and services; and the location where, and the conditions in which, it functions.
This Standard provides generic requirements as a framework, applicable to all types of organizations (or parts thereof) regardless of size and nature of operation. It provides guidance for organizations to develop their own specific performance criteria, enabling the organization to tailor and implement an OR management system appropriate to its needs and those of its stakeholders.
The Standard emphasizes resilience, the adaptive capacity of an organization in a complex and changing environment, as well as protection of critical assets. Applying this Standard positions an organization to more readily prepare for and respond to all manner of intentional, unintentional, and/or naturally caused disruptive events, which, if unmanaged, could escalate into an emergency, crisis, or disaster. It covers all phases of incident management before, during, and after a disruptive event.
This Standard enables an organization to:
a) Develop a prevention, preparedness, and
b) Establish objectives, procedures, and processes to achieve the policy commitments;
c) Assure competency, awareness, and training;
d) Set metrics to measure performance and demonstrate success;
e) Take action as needed to improve performance;
f) Demonstrate conformity of the system to the requirements of this Standard; and
g) Establish and apply a process for continual improvement.
Annex A provides informative guidance on system planning, implementation, testing, maintenance, and improvement.