ISO 22316 pdf download

Security and resilience — Organizational resilience — Principles and attributes
The organization should prioritize and resource the following activities:
a) remain aware of situations that are likely to influence change;
b) adapt itself when needed without significant impact to its products and services;
c) commit to protection, performance and adaptation but with the ability to shift focus without compromising its visions and core values;
d) ensure that the management disciplines are sufficiently robust and effective to respond to changes.
6 Evaluating the factors that contribute to resilience
Evaluation activities provide intelligence and management information on how strategies and objectives for organizational resilience continue to meet the needs of the organization, or where there are opportunities for improvement.
The organization should:
– establish processes to allow it to continuously measure and monitor the factors that contribute to organizational resilience as an aid to management decisions;
– target measurement and monitoring activities to the specific attributes of the organization that enhance its resilience;
– evaluate the effectiveness of its resilience approach and objectives against these attributes.
6.2 Organizational requirements
Performance measures used in the evaluation process are likely to be selected on the basis of the sector in which the organization operates, the criteria determined by top management and the organizational culture.
Most organizations already collect performance data that can be applied to an assessment of their resilience. Sources may include existing management information and internal audit reports, business review processes and project reporting.
Top management should:
– determine the appropriate objectives for organizational resilience;
– develop measurement criteria to be used to monitor and evaluate the status of the organization’s resilience attributes;
– monitor and evaluate the organization’s overall resilience maturity and performance;
– identify what needs to be evaluated and monitored, and the methods that will produce valid results and a continuous assessment of organizational resilience;
– determine the thresholds at which the output from the evaluation will be considered acceptable;
– decide how evaluation and monitoring arrangements will parallel, support or be integrated into existing monitoring processes;
– establish how the results from monitoring and measurement will be analysed, evaluated and reported.
6.2.2 Determining gaps
The initial assessment of organizational resilience can be used to inform any work that is required urgently, and reinforce the concept of organizational resilience with interested parties.
The organization should:
– undertake a review, applying the agreed metrics to determine the organization’s resilience before implementing a monitoring process;
– determine if resilience is acceptable to top management or falls short of the organization’s requirements;
– consider appropriate strategies to address any significant gaps that are found in the assessment.
6.3 Monitoring and assessment
6.3.1 Methods and processes
Monitoring and assessing organizational resilience helps to identify the signs of an emerging issue or an opportunity that requires attention. Failure to identify these signs could limit an organization’s ability to address issues before they have an impact, and could limit the effectiveness and increase the costs of any mitigating actions.
The organization should:
– apply existing monitoring methods and processes to evaluate attributes that contribute to their resilience;
– monitor the effectiveness of initiatives established for the management of risk, including those managed by established management disciplines;
– consider the use of employee and customer surveys that provide indicators of resilience within the organization;
– seek to understand what data are required to make an assessment of resilience and ensure there is an evaluation process to support this.
6.3.2 Review
Top management should carry out a periodic review to ensure the organization’s resilience continues to meet expectations. The review should consider changes in the organization’s context, including:
— changes in organizational vision, strategy or objectives;
— major structural or business model changes, including mergers, acquisitions and divestments;
— new markets or territories that the organization has entered;
— newly introduced products and services;
— significant staff changes, including top management;
— the effectiveness of improvements made since the previous review;
