
INTERNATIONAL STANDARD ISO 22316

First edition
2017-03

Security and resilience — Organizational resilience — Principles and attributes

Sécurité et résilience — Résilience organisationnelle — Principes et attributs

Reference number
ISO 22316:2017(E)

© ISO 2017
ISO 22316:2017(E)

COPYRIGHT PROTECTED DOCUMENT

© ISO 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org

ii © ISO 2017 – All rights reserved



Contents                                                        Page
Foreword .......... iv
Introduction .......... v
1 Scope .......... 1
2 Normative references .......... 1
3 Terms and definitions .......... 1
4 Principles .......... 2
4.1 General .......... 2
4.2 Coordinated approach .......... 2
5 Attributes for organizational resilience .......... 2
5.1 General .......... 2
5.2 Shared vision and clarity of purpose .......... 2
5.3 Understanding and influencing context .......... 3
5.4 Effective and empowered leadership .......... 3
5.5 A culture supportive of organizational resilience .......... 4
5.6 Shared information and knowledge .......... 4
5.7 Availability of resources .......... 4
5.8 Development and coordination of management disciplines .......... 5
5.9 Supporting continual improvement .......... 5
5.10 Ability to anticipate and managing change .......... 5
6 Evaluating the factors that contribute to resilience .......... 6
6.1 General .......... 6
6.2 Organizational requirements .......... 6
6.2.1 General .......... 6
6.2.2 Determining gaps .......... 7
6.3 Monitoring and assessment .......... 7
6.3.1 Methods and processes .......... 7
6.3.2 Review .......... 7
6.4 Reporting .......... 8
Annex A (informative) Relevant management disciplines .......... 9
Bibliography .......... 10




Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 292, Security and resilience.




Introduction
Organizational resilience is the ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper. More resilient organizations can anticipate and respond to threats and opportunities, arising from sudden or gradual changes in their internal and external context. Enhancing resilience can be a strategic organizational goal, and is the outcome of good business practice and effectively managing risk.
An organization's resilience is influenced by a unique interaction and combination of strategic and operational factors. Organizations can only be more or less resilient; there is no absolute measure or definitive goal.
A commitment to enhanced organizational resilience contributes to:
— an improved ability to anticipate and address risks and vulnerabilities;
— increased coordination and integration of management disciplines to improve coherence and performance;
— a greater understanding of interested parties and dependencies that support strategic goals, and objectives.
There is no single approach to enhance an organization's resilience. There are established management disciplines that contribute towards resilience but, on their own, these disciplines are insufficient to safeguard an organization's resilience. Instead, organizational resilience is the result of the interaction of attributes and activities, and contributions made from other technical and scientific areas of expertise. These are influenced by the way in which uncertainty is addressed, decisions are made and enacted, and how people work together.
This document establishes the principles for organizational resilience. It identifies the attributes and activities that support an organization in enhancing its resilience.
This document includes:
— principles providing the foundation for enhancing an organization's resilience;
— attributes describing the characteristics of an organization that allow the principles to be adopted;
— activities guiding the utilization, evaluation and enhancement of attributes.



INTERNATIONAL STANDARD ISO 22316:2017(E)

Security and resilience — Organizational resilience — Principles and attributes

1 Scope
This document provides guidance to enhance organizational resilience for any size or type of organization. It is not specific to any industry or sector. This document can be applied throughout the life of an organization.
This document does not promote uniformity in approach across all organizations, as specific objectives and initiatives are tailored to suit an individual organization's needs.


2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 22300, Societal security — Terminology


3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 22300 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at http://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
management
coordinated activities to direct and control an organization
3.2
interested party
person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity
Note 1 to entry: This can be an individual or group that has an interest in any decision or activity of an organization.
3.3
organizational culture
collective beliefs, values, attitudes and behaviour of an organization that contribute to the unique social and psychological environment in which it operates
3.4
organizational resilience
ability of an organization to absorb and adapt in a changing environment
3.5
values
beliefs an organization adheres to and the standards that it seeks to observe




4 Principles

4.1 General
The principles provide the foundation upon which a framework and strategy to achieve an enhanced state of organizational resilience can be developed, implemented and evaluated.

An organization's resilience:
a) is enhanced when behaviour is aligned with a shared vision and purpose;
b) relies upon an up-to-date understanding of an organization's context;
c) relies upon an ability to absorb, adapt and effectively respond to change;
d) relies upon good governance and management;
e) is supported by a diversity of skills, leadership, knowledge and experience;
f) is enhanced by coordination across management disciplines and contributions from technical and scientific areas of expertise;
g) relies upon effectively managing risk.

4.2 Coordinated approach

The organization should develop a coordinated approach that provides:
— a mandate to ensure its leaders and top management are committed to enhance organizational resilience;
— adequate resources needed to enhance the organization's resilience;
— appropriate governance structures to achieve the effective coordination of organizational resilience activities;
— mechanisms to ensure investments in resilience activities are appropriate to the organization's internal and external context;
— systems that support the effective implementation of organizational resilience activities;
— arrangements to evaluate and enhance resilience in support of organizational requirements;
— effective communications to improve understanding and decision making.


5 Attributes for organizational resilience

5.1 General
An organization that has adopted the resilience principles will demonstrate common attributes supported by activities, which guide their utilization, evaluation and enhancement. Such attributes include those described in 5.2 to 5.10.

5.2 Shared vision and clarity of purpose
Organizational resilience is enhanced by a clearly articulated and understood purpose, vision and values to provide clarity to decision making at all levels of the organization.




The organization should prioritize and resource the following activities:
a) articulate its vision, purpose and core values to all interested parties to provide strategic direction, coherence and clarity in all decision-making;
b) ensure individual goals and objectives are aligned with and committed to the organization's purpose, vision and values;
c) monitor and review regularly the suitability of the organization's strategies and their alignment with purpose, vision, core values and objectives;
d) recognize the need to reflect on and, if necessary, revise the organization's purpose, vision and core values in response to external and internal changes;
e) seek out and promote new and innovative ideas to achieve and develop its strategic objectives.

5.3 Understanding and influencing context

A comprehensive understanding of the organization's internal and external environments will help the organization make more effective strategic decisions about the priorities for resilience.
The organization should demonstrate and enhance the following:
— the ability to think beyond current activities, strategy, and organizational boundaries;
— understanding, collaborating and strengthening of relationships with relevant interested parties to support the delivery of the organization's purpose and vision.
The organization should prioritize and resource the following activities:
a) monitor and evaluate the organization's context, including interdependencies, political, regulatory environment and competitor activities under changing circumstances;
b) maintain strong relationships with interested parties and foster co-operation at all levels;
c) collaborate with interested parties that share the organization's purpose and vision.
5.4 Effective and empowered leadership

Organizational resilience is enhanced by leadership that develops and encourages others to lead under a range of conditions and circumstances, including during periods of uncertainty and disruptions.
The organization should demonstrate and enhance the following:
— effective leadership throughout the organization that encourages a culture supportive of resilience;
— leadership that can adapt to changing circumstances;
— leadership that utilizes a diverse set of skills, knowledge and behaviour within the organization to achieve organizational objectives.
The organization should prioritize and resource the following activities:
a) develop trusted and respected leaders who act with integrity and are committed to a sustained focus on organizational resilience;
b) assign roles and responsibilities for enhancing organizational resilience;
c) encourage the creation and sharing of lessons learned about success and failure and promote the adoption of better practice;
d) empower all levels of the organization to make decisions that protect and enhance the resilience of the organization.

5.5 A culture supportive of organizational resilience


A culture that is supportive of organizational resilience demonstrates a commitment to, and existence of, shared beliefs and values, positive attitudes and behaviour.
The organization should prioritize and resource the following activities:
a) determine the beliefs, values and behaviour within the organization that define organizational culture;
b) identify core values and behaviour that enhance organizational resilience and establish criteria that can be applied to assess individual performance;
c) engage people at all levels to promote the organization's values;
d) foster creativity and innovation that enhances organizational resilience;
e) empower people to identify and communicate threats and opportunities and to take action that will benefit the organization;
f) monitor and review organizational culture to detect any changes that may influence organizational resilience.
5.6 Shared information and knowledge

Organizational resilience is enhanced when knowledge is widely shared where appropriate and applied. Learning from experience and learning from each other is encouraged.
The organization should demonstrate and enhance the following:
— information, knowledge, and learning is valued;
— learning is drawn from all available sources (uses what it has and learns from others).
The organization should ensure that knowledge and information is:
a) accessible, understandable and adequate to support the organization's objectives;
b) effectively shared to enable decision-making;
c) recognized as a critical resource of the organization;
d) created, retained and applied through established systems and processes;
e) shared in a timely manner with all relevant interested parties;
f) applied in organizational learning.


5.7 Availability of resources
The organization should develop and allocate resources, such as people, premises, technology, finance and information, to address vulnerabilities, providing the ability to adapt to changing circumstances.
The organization should prioritize and resource the following activities:
a) take appropriate decisions on resourcing and capacity, diversification, replication and redundancy to avoid single points of failure and respond to incidents and change, so that core services are maintained at an acceptable, pre-determined level;
b) select and develop employees with a diverse set of skills, knowledge and behaviour that can contribute to the organization's ability to respond and adapt to change;




c) develop an ability to identify and respond to change in a flexible manner, including modifying and redeploying capabilities, arrangements, structures, activities and behaviour to adjust to new conditions;
d) routinely review the suitability, availability and allocation of resources, taking account of the impact of any changes in the organization and its context.

5.8 Development and coordination of management disciplines


The design, development and coordination of management disciplines and their alignment with the organization's strategic objectives are fundamental to enhancing organizational resilience.

NOTE Annex A provides a sample list of management disciplines.

The organization should demonstrate and enhance the following:
— the management disciplines are coordinated so that they individually and collectively contribute to the organization's purpose and the protection of what it values;
— the organization manages the effect of uncertainty on its objectives across management disciplines.
The organization should prioritize and resource the following activities:
a) identify and design management disciplines that contribute toward the organization's resilience;
b) regularly assess how each management discipline contributes to the overall resilience of the organization, and address weaknesses where these are found;
c) build flexibility into the management disciplines so that the organization can absorb and adapt to change;
d) enhance communication, coordination, and cooperation between management disciplines of the organization to build a coherent approach.
5.9 Supporting continual improvement
Organizational resilience is improved when organizations continually monitor their performance against pre-determined criteria to learn and improve from experience and take advantage of opportunities. Organizations create and encourage a culture of continual improvement across all employees.
The organization should demonstrate and enhance the following:
— a culture of continual improvement that ensures organizational objectives, strategies and procedures can be kept relevant and appropriate in supporting the changing needs of the organization;
— a commitment to validate and continually improve organizational resilience activities and capabilities.
The organization should prioritize and resource the following activities:
a) implement performance monitoring and evaluation mechanisms to support continual improvement;
b) ensure that performance management criteria are responsive to changes that impact on organizational objectives.

5.10 Ability to anticipate and managing change


Organizational resilience is enhanced when an organization has the ability to anticipate, plan, and respond to change.




The organization should demonstrate and enhance the following:
— the ability to deliver consistently on its commitments under changing circumstances and adapting its operations accordingly;
— the ability to absorb and adapt to the impacts of sudden and unexpected incidents;
— preparation to respond to change, or influence change if necessary.
The organization should prioritize and resource the following activities:
a) remain aware of situations that are likely to influence change;
b) adapt itself when needed without significant impact to its products and services;
c) commit to protection, performance and adaptation but with the ability to shift focus without compromising its visions and core values;
d) ensure that the management disciplines are sufficiently robust and effective to respond to changes.

6 Evaluating the factors that contribute to resilience

6.1 General
Evaluation activities provide intelligence and management information on how strategies and objectives for organizational resilience continue to meet the needs of the organization, or where there are opportunities for improvement.
The organization should:
— establish processes to allow it to continuously measure and monitor the factors that contribute to organizational resilience as an aid to management decisions;
— target measurement and monitoring activities to the specific attributes of the organization that enhance its resilience;
— evaluate the effectiveness of its resilience approach and objectives against these attributes.

6.2 Organizational requirements

6.2.1 General

Performance measures used in the evaluation process are likely to be selected on the basis of the sector in which the organization operates, the criteria determined by top management and the organizational culture.
Most organizations already collect performance data that can be applied to an assessment of their resilience. Sources may include existing management information and internal audit reports, business review processes and project reporting.
Top management should:
— determine the appropriate objectives for organizational resilience;
— develop measurement criteria to be used to monitor and evaluate the status of the organization's resilience attributes;
— monitor and evaluate the organization's overall resilience maturity and performance;
— identify what needs to be evaluated and monitored, and the methods that will produce valid results and a continuous assessment of organizational resilience;




— determine the thresholds at which the output from the evaluation will be considered acceptable;
— decide how evaluation and monitoring arrangements will parallel, support or be integrated into existing monitoring processes;
— establish how the results from monitoring and measurement will be analysed, evaluated and reported.
6.2.2 Determining gaps

The initial assessment of organizational resilience can be used to inform any work that is required urgently, and reinforce the concept of organizational resilience with interested parties.
The organization should:
— undertake a review, applying the agreed metrics to determine the organization's resilience before implementing a monitoring process;
— determine if resilience is acceptable to top management or falls short of the organization's requirements;
— consider appropriate strategies to address any significant gaps that are found in the assessment.

6.3 Monitoring and assessment

6.3.1 Methods and processes

Monitoring and assessing organizational resilience helps to identify the signs of an emerging issue or an opportunity that requires attention. Failure to identify these signs could limit an organization's ability to address issues before they have an impact, and could limit the effectiveness and increase the costs of any mitigating actions.
The organization should:
— apply existing monitoring methods and processes to evaluate attributes that contribute to their resilience;
— monitor the effectiveness of initiatives established for the management of risk, including those managed by established management disciplines;
— consider the use of employee and customer surveys that provide indicators of resilience within the organization;
— seek to understand what data are required to make an assessment of resilience and ensure there is an evaluation process to support this.
6.3.2 Review

Top management should carry out a periodic review to ensure the organization's resilience continues to meet expectations. The review should consider changes in the organization's context, including:
— changes in organizational vision, strategy or objectives;
— major structural or business model changes, including mergers, acquisitions and divestments;
— new markets or territories that the organization has entered;
— newly introduced products and services;
— significant staff changes, including top management;
— the effectiveness of improvements made since the previous review;




— feedback on the effectiveness of the organization's resilience;
— change in risks that need to be addressed.

Top management should:
— compare the outputs from the organizational resilience evaluation process against other related review processes, such as the results from related internal audits, incident debriefs, strategy planning, near misses and regulatory compliance;
— confirm that monitoring arrangements are appropriate and provide input to the identification and treatment of issues before their impacts become too damaging or an opportunity is missed.

6.4 Reporting
The outputs from monitoring organizational resilience may include summary reporting, giving top management an assessment of resilience against the attributes most relevant to the organization.
Top management should:
— use on-going monitoring reports to track trends in the data that have been used to evaluate organizational resilience;
— confirm that current information management systems provide essential data to support the input required for an organization's resilience monitoring;
— use the output of the reporting process to develop action plans to enhance organizational resilience.




Annex A
(informative)
Relevant management disciplines

Management disciplines that can support the guidance given in 5.8 include the following:
— asset management;
— business continuity management;
— crisis management;
— cybersecurity management;
— communications management;
— emergency management;
— environmental management;
— facilities management;
— financial control;
— fraud control;
— governance;
— health and safety management;
— human resources management;
— information security management;
— information, communications and technology;
— physical security management;
— quality management;
— risk management;
— supply chain management;
— strategic planning.




Bibliography

[1] ISO 22301, Societal security — Business continuity management systems — Requirements
[2] ISO 22398, Societal security — Guidelines for exercises
[3] ISO 31000, Risk management — Principles and guidelines
[4] ISO/IEC 38500, Information technology — Governance of IT for the organization
[5] ISO Guide 73, Risk management — Vocabulary




ICS 03.100.01
Price based on 10 pages
