ISO PAS 28002
Security management systems for the supply chain — Development of resilience in the supply chain — Requirements with guidance for use
| Field | Value |
|---|---|
| Organization | ISO |
| Publication Date | 1 September 2010 |
| Status | inactive |
| Page Count | 66 |
| ICS Code (Other standards related to shipbuilding and marine structures) | 47.020.99 |
Scope:
This Publicly Available Specification specifies requirements for a resilience management system in the supply chain to enable an organization to develop and implement policies, objectives, and programs, taking into account
a) legal, regulatory and other requirements to which the organization subscribes,
b) information about significant risks, hazards and threats that may have consequences to the organization, its stakeholders, and on its supply chain,
c) protection of its assets and processes, and
d) management of disruptive incidents.
This Publicly Available Specification applies to risks that the organization identifies as those it can control, influence, or reduce, as well as those it cannot anticipate. It does not itself state specific performance criteria.
This Publicly Available Specification is applicable to any organization that wishes to
a) establish, implement, maintain, and improve a resilience management system for the organization and its supply chain,
b) assure itself of its conformity with its stated resilience management policy, and
c) demonstrate that its management system contains a well-developed resilience management policy by
- making a self-determination and self-declaration, or
- seeking confirmation of its conformance by parties having an interest in the organization (such as customers), or
- seeking confirmation of its self-declaration by a party external to the organization, or
- seeking certification/regist
All the requirements in this Publicly Available Specification are intended to be incorporated into any type of the organization's management system that is based on the PDCA (plan-do-check-act) model. This Publicly Available Specification provides the elements (including those addressing technology, facilities, processes, and people) required for this incorporation. The extent of the application of this Publicly Available Specification will depend on factors such as the risk tolerance and policy of the organization; the nature and scale of its activities, products, and services; and the location where, and the conditions in which, the organization functions.
This Publicly Available Specification provides generic requirements as a framework, applicable to all types of organizations (or parts thereof) regardless of size and function in the supply chain. This Publicly Available Specification provides guidance for organizations to develop their own specific performance criteria, enabling the organization to tailor and implement a resilience management system appropriate to its needs and those of its stakeholders.
This Publicly Available Specification emphasizes resilience, the adaptive capacity of an organization in a complex and changing environment, as well as protection of critical supply chain assets and processes. Applying this Publicly Available Specification positions an organization to more readily prevent if possible, prepare for, and respond to all manner of intentional, unintentional, and/or naturally caused disruptive events, which, if unmanaged, could escalate into an emergency, crisis, or disaster. This Publicly Available Specification covers all phases of incident management before, during, and after a disruptive event.
This Publicly Available Specification provides a framework for an organization to
i) develop a prevention, protection, preparedness, mitigation and response/continuity/
ii) establish objectives, procedures, and processes to achieve the policy commitments,
iii) assure competency, awareness, and training,
iv) set metrics to measure performance and demonstrate success,
v) take action as needed to improve performance,
vi) demonstrate conformity of the system to the requirements of this Publicly Available Specification, and
vii) establish and apply a process for continual improvement.
Annex A provides informative guidance on system planning, implementation, testing, maintenance, and improvement.