Iso 22316-2017
STANDARD 22316
First edition
2017-03
Reference number
ISO 22316:2017(E)
© ISO 2017
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
4.1 General
4.2 Coordinated approach
5 Attributes for organizational resilience
5.1 General
5.2 Shared vision and clarity of purpose
5.3 Understanding and influencing context
5.4 Effective and empowered leadership
5.5 A culture supportive of organizational resilience
5.6 Shared information and knowledge
5.7 Availability of resources
5.8 Development and coordination of management disciplines
5.9 Supporting continual improvement
5.10 Ability to anticipate and manage change
6 Evaluating the factors that contribute to resilience
6.1 General
6.2 Organizational requirements
6.2.1 General
6.2.2 Determining gaps
6.3 Monitoring and assessment
6.3.1 Methods and processes
6.3.2 Review
6.4 Reporting
Annex A (informative) Relevant management disciplines
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 292, Security and resilience.
Introduction
Organizational resilience is the ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper. More resilient organizations can anticipate and respond to threats and opportunities, arising from sudden or gradual changes in their internal and external context. Enhancing resilience can be a strategic organizational goal, and is the outcome of good business practice and effectively managing risk.

An organization’s resilience is influenced by a unique interaction and combination of strategic and operational factors. Organizations can only be more or less resilient; there is no absolute measure or definitive goal.

A commitment to enhanced organizational resilience contributes to:
— an improved ability to anticipate and address risks and vulnerabilities;
— increased coordination and integration of management disciplines to improve coherence and performance;
— a greater understanding of interested parties and dependencies that support strategic goals and objectives.

There is no single approach to enhance an organization’s resilience. There are established management disciplines that contribute towards resilience but, on their own, these disciplines are insufficient to safeguard an organization’s resilience. Instead, organizational resilience is the result of the interaction of attributes and activities, and contributions made from other technical and scientific areas of expertise. These are influenced by the way in which uncertainty is addressed, decisions are made and enacted, and how people work together.

This document establishes the principles for organizational resilience. It identifies the attributes and activities that support an organization in enhancing its resilience.

This document includes:
— principles providing the foundation for enhancing an organization’s resilience;
— attributes describing the characteristics of an organization that allow the principles to be adopted;
— activities guiding the utilization, evaluation and enhancement of attributes.
1 Scope
This document provides guidance to enhance organizational resilience for any size or type of organization. It is not specific to any industry or sector. This document can be applied throughout the life of an organization.

This document does not promote uniformity in approach across all organizations, as specific objectives

constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at http://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
management
coordinated activities to direct and control an organization
3.2
interested party
person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity
organization.
3.3
organizational culture
collective beliefs, values, attitudes and behaviour of an organization that contribute to the unique social and psychological environment in which it operates
3.4
organizational resilience
ability of an organization to absorb and adapt in a changing environment
3.5
values
beliefs an organization adheres to and the standards that it seeks to observe
4 Principles
4.1 General
The principles provide the foundation upon which a framework and strategy to achieve an enhanced
c) relies upon an ability to absorb, adapt and effectively respond to change;
e) is supported by a diversity of skills, leadership, knowledge and experience;
f) is enhanced by coordination across management disciplines and contributions from technical and
— systems that support the effective implementation of organizational resilience activities;
— arrangements to evaluate and enhance resilience in support of organizational requirements;
5.1 General
An organization that has adopted the resilience principles will demonstrate common attributes supported by activities, which guide their utilization, evaluation and enhancement. Such attributes
b) ensure individual goals and objectives are aligned with and committed to the organization’s purpose, vision and values;
c) monitor and review regularly the suitability of the organization’s strategies and their alignment
e) seek out and promote new and innovative ideas to achieve and develop its strategic objectives.
environment and competitor activities under changing circumstances;
c) collaborate with interested parties that share the organization’s purpose and vision.
5.4 Effective and empowered leadership
Organizational resilience is enhanced by leadership that develops and encourages others to lead under a range of conditions and circumstances, including during periods of uncertainty and disruptions.
— leadership that utilizes a diverse set of skills, knowledge and behaviour within the organization to achieve organizational objectives.
b) assign roles and responsibilities for enhancing organizational resilience;
c) encourage the creation and sharing of lessons learned about success and failure and promote the adoption of better practice;
d) empower all levels of the organization to make decisions that protect and enhance the resilience of
the organization.
culture;
b) identify core values and behaviour that enhance organizational resilience and establish criteria
e) empower people to identify and communicate threats and opportunities and to take action that
f) monitor and review organizational culture to detect any changes that may influence organizational resilience.
5.6 Shared information and knowledge
Organizational resilience is enhanced when knowledge is widely shared where appropriate and applied.
— learning is drawn from all available sources (uses what it has and learns from others).
The organization should ensure that knowledge and information is:
a) accessible, understandable and adequate to support the organization’s objectives;
and information, to address vulnerabilities, providing the ability to adapt to changing circumstances.
to avoid single points of failure and respond to incidents and change, so that core services are maintained at an acceptable, pre-determined level;
b) select and develop employees with a diverse set of skills, knowledge and behaviour that can contribute to the organization’s ability to respond and adapt to change;
c) develop an ability to identify and respond to change in a flexible manner; including modifying and redeploying capabilities, arrangements, structures, activities and behaviour to adjust to new conditions;
d) routinely review the suitability, availability and allocation of resources, taking account of the
— the organization manages the effect of uncertainty on its objectives across management disciplines.
b) regularly assess how each management discipline contributes to the overall resilience of the
to change;
against pre-determined criteria to learn and improve from experience and take advantage of opportunities. Organizations create and encourage a culture of continual improvement across all employees.
can be kept relevant and appropriate in supporting the changing needs of the organization;
— a commitment to validate and continually improve organizational resilience activities and capabilities.
The organization should prioritize and resource the following activities:
a) implement performance monitoring and evaluation mechanisms to support continual improvement;
b) ensure that performance management criteria are responsive to changes that impact on organizational objectives.
respond to change.
— the ability to absorb and adapt to the impacts of sudden and unexpected incidents;
b) adapt itself when needed without significant impact to its products and services;
c) commit to protection, performance and adaptation but with the ability to shift focus without
d) ensure that the management disciplines are sufficiently robust and effective to respond to changes.
6.1 General
Evaluation activities provide intelligence and management information on how strategies and objectives for organizational resilience continue to meet the needs of the organization, or where there
— target measurement and monitoring activities to the specific attributes of the organization that
— evaluate the effectiveness of its resilience approach and objectives against these attributes.
6.2.1 General
Performance measures used in the evaluation process are likely to be selected on the basis of the sector in which the organization operates, the criteria determined by top management and the organizational culture.

Most organizations already collect performance data that can be applied to an assessment of their resilience. Sources may include existing management information and internal audit reports, business
— develop measurement criteria to be used to monitor and evaluate the status of the organization’s resilience attributes;
— monitor and evaluate the organization’s overall resilience maturity and performance;
— identify what needs to be evaluated and monitored, and the methods that will produce valid results;
— determine the thresholds at which the output from the evaluation will be considered acceptable;
— decide how evaluation and monitoring arrangements will parallel, support or be integrated into existing monitoring processes;
— establish how the results from monitoring and measurement will be analysed, evaluated and reported.
6.2.2 Determining gaps
urgently, and reinforce the concept of organizational resilience with interested parties.
— consider appropriate strategies to address any significant gaps that are found in the assessment.
Monitoring and assessing organizational resilience helps to identify the signs of an emerging issue or an opportunity that requires attention. Failure to identify these signs could limit an organization’s ability to address issues before they have an impact, and could limit the effectiveness and increase the costs of
resilience;
— monitor the effectiveness of initiatives established for the management of risk, including those managed by established management disciplines;
— consider the use of employee and customer surveys that provide indicators of resilience within the organization;
— seek to understand what data are required to make an assessment of resilience and ensure there is
an evaluation process to support this.
6.3.2 Review
Top management should carry out a periodic review to ensure the organization’s resilience continues to meet expectations. The review should consider changes in the organization’s context, including:
— changes in organizational vision, strategy or objectives;
— major structural or business model changes, including mergers, acquisitions and divestments;
— confirm that monitoring arrangements are appropriate and provide input to the identification and
6.4 Reporting
The outputs from monitoring organizational resilience may include summary reporting, giving top management an assessment of resilience against the attributes most relevant to the organization.
Top management should:
— use on-going monitoring reports to track trends in the data that have been used to evaluate organizational resilience;
— confirm that current information management systems provide essential data to support the input
— use the output of the reporting process to develop action plans to enhance organizational resilience.
Annex A
(informative)
Relevant management disciplines
Management disciplines that can support the guidance given in 5.8 include the following:
— asset management;
— crisis management;
— cybersecurity management;
— emergency management;
— financial control;
— fraud control;
— governance;
— risk management;
— strategic planning.
Bibliography
[1] ISO 22301, Societal security — Business continuity management systems — Requirements
[2] ISO 22398, Societal security — Guidelines for exercises
[3] ISO 31000, Risk management — Principles and guidelines
[4] ISO/IEC 38500, Information technology — Governance of IT for the organization
[5] ISO Guide 73, Risk management — Vocabulary
ICS 03.100.01