1、 ISO 2017 Security and resilience Organizational resilience Principles and attributes Scurit et rsilience Rsilience organisationnelle Principes et attributs INTERNATIONAL STANDARD ISO 22316 First edition 2017-03 Reference number ISO 22316:2017(E) ISO 22316:2017(E)ii ISO 2017 All rights reserved COPY
2、RIGHT PROTECTED DOCUMENT ISO 2017, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, w
3、ithout prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.
4、iso.org ISO 22316:2017(E)Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Principles . 2 4.1 General . 2 4.2 Coordinated approach 2 5 Attributes for organizational resilience. 2 5.1 General . 2 5.2 Shared vision and clarity of purpose . 2 5.3 Understandi
5、ng and influencing context 3 5.4 Effective and empowered leadership 3 5.5 A culture supportive of organizational resilience . 4 5.6 Shared information and knowledge . 4 5.7 Availability of resources 4 5.8 Development and coordination of management disciplines . 5 5.9 Supporting continual improvement
6、 . 5 5.10 Ability to anticipate and managing change 5 6 Evaluating the factors that contribute to resilience 6 6.1 General . 6 6.2 Organizational requirements . 6 6.2.1 General 6 6.2.2 Determining gaps 7 6.3 Monitoring and assessment . 7 6.3.1 Methods and processes 7 6.3.2 Review . 7 6.4 Reporting .
7、 8 Annex A (informative) Relevant management disciplines 9 Bibliography .10 ISO 2017 All rights reserved iii Contents Page ISO 22316:2017(E) Foreword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of prepa
8、ring International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in l
9、iaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC
10、Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives). Attention is drawn to the possibility
11、 that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of paten
12、t declarations received (see www .iso .org/ patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to c
13、onformity assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: w w w . i s o .org/ iso/ foreword .html. This document was prepared by Technical Committee ISO/TC 292, Security and resil
14、ience.iv ISO 2017 All rights reserved ISO 22316:2017(E) Introduction Organizational resilience is the ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper. More resilient organizations can anticipate and respond to
15、 threats and opportunities, arising from sudden or gradual changes in their internal and external context. Enhancing resilience can be a strategic organizational goal, and is the outcome of good business practice and effectively managing risk. An organizations resilience is influenced by a unique in
16、teraction and combination of strategic and operational factors. Organizations can only be more or less resilient; there is no absolute measure or definitive goal. A commitment to enhanced organizational resilience contributes to: an improved ability to anticipate and address risks and vulnerabilitie
17、s; increased coordination and integration of management disciplines to improve coherence and performance; a greater understanding of interested parties and dependencies that support strategic goals, and objectives. There is no single approach to enhance an organizations resilience. There are establi
18、shed management disciplines that contribute towards resilience but, on their own, these disciplines are insufficient to safeguard an organizations resilience. Instead, organizational resilience is the result of the interaction of attributes and activities, and contributions made from other technical
19、 and scientific areas of expertise. These are influenced by the way in which uncertainty is addressed, decisions are made and enacted, and how people work together. This document establishes the principles for organizational resilience. It identifies the attributes and activities that support an org
20、anization in enhancing its resilience. This document includes: principles providing the foundation for enhancing an organizations resilience; attributes describing the characteristics of an organization that allow the principles to be adopted; activities guiding the utilization, evaluation and enhan
21、cement of attributes. ISO 2017 All rights reserved v Security and resilience Organizational resilience Principles and attributes 1 Scope This document provides guidance to enhance organizational resilience for any size or type of organization. It is not specific to any industry or sector. This docum
22、ent can be applied throughout the life of an organization. This document does not promote uniformity in approach across all organizations, as specific objectives and initiatives are tailored to suit an individual organizations needs. 2 Normative references The following documents are referred to in
23、the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO 22300, Societal security Terminology
24、 3 T erms a nd definiti ons For the purposes of this document, the terms and definitions given in ISO 22300 and the following apply. ISO and IEC maintain terminological databases for use in standardization at the following addresses: ISO Online browsing platform: available at h t t p :/ www .iso .or
25、g/ obp IEC Electropedia: available at h t t p :/ www .electropedia .org/ 3.1 management coordinated activities to direct and control an organization 3.2 interested party person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity Note 1 to entr
26、y: This can be an individual or group that has an interest in any decision or activity of an organization. 3.3 organizational culture collective beliefs, values, attitudes and behaviour of an organization that contribute to the unique social and psychological environment in which it operates 3.4 org
27、anizational resilience ability of an organization to absorb and adapt in a changing environment 3.5 values beliefs an organization adheres to and the standards that it seeks to observe INTERNATIONAL ST ANDARD ISO 22316:2017(E) ISO 2017 All rights reserved 1 ISO 22316:2017(E) 4 Principles 4.1 General
28、 The principles provide the foundation upon which a framework and strategy to achieve an enhanced state of organizational resilience can be developed, implemented and evaluated. An organizations resilience: a) is enhanced when behaviour is aligned with a shared vision and purpose; b) relies upon an
29、up-to-date understanding of an organizations context; c) relies upon an ability to absorb, adapt and effectively respond to change; d) relies upon good governance and management; e) is supported by a diversity of skills, leadership, knowledge and experience; f) is enhanced by coordination across man
30、agement disciplines and contributions from technical and scientific areas of expertise; g) relies upon effectively managing risk. 4.2 Coordinated approach The organization should develop a coordinated approach that provides: a mandate to ensure its leaders and top management are committed to enhance
31、 organizational resilience; adequate resources needed to enhance the organizations resilience; appropriate governance structures to achieve the effective coordination of organizational resilience activities; mechanisms to ensure investments in resilience activities are appropriate to the organizatio
32、ns internal and external context; systems that support the effective implementation of organizational resilience activities; arrangements to evaluate and enhance resilience in support of organizational requirements; effective communications to improve understanding and decision making. 5 Attributes
33、for organizational resilience 5.1 General An organization that has adopted the resilience principles will demonstrate common attributes supported by activities, which guide their utilization, evaluation and enhancement. Such attributes include those described in 5.2 to 5.10. 5.2 Shared vision and cl
34、arity of purpose Organizational resilience is enhanced by a clearly articulated and understood purpose, vision and values to provide clarity to decision making at all levels of the organization.2 ISO 2017 All rights reserved ISO 22316:2017(E) The organization should prioritize and resource the follo
35、wing activities: a) articulate its vision, purpose and core values to all interested parties to provide strategic direction, coherence and clarity in all decision-making; b) ensure individual goals and objectives are aligned with and committed to the organizations purpose, vision and values; c) moni
36、tor and review regularly the suitability of the organizations strategies and their alignment with purpose, vision, core values and objectives; d) recognize the need to reflect on and, if necessary, revise the organizations purpose, vision and core values in response to external and internal changes;
37、 e) seek out and promote new and innovative ideas to achieve and develop its strategic objectives. 5.3 Understanding and influencing c ont e xt A comprehensive understanding of the organizations internal and external environments will help the organization make more effective strategic decisions abo
38、ut the priorities for resilience. The organization should demonstrate and enhance the following: the ability to think beyond current activities, strategy, and organizational boundaries; understanding, collaborating and strengthening of relationships with relevant interested parties to support the de
39、livery of the organizations purpose and vision. The organization should prioritize and resource the following activities: a) monitor and evaluate the organizations context, including interdependencies, political, regulatory environment and competitor activities under changing circumstances; b) maint
40、ain strong relationships with interested parties and foster co-operation at all levels; c) collaborate with interested parties that share the organizations purpose and vision. 5.4 Effective and empowered leadership Organizational resilience is enhanced by leadership that develops and encourages othe
41、rs to lead under a range of conditions and circumstances, including during periods of uncertainty and disruptions. The organization should demonstrate and enhance the following: effective leadership throughout the organization that encourages a culture supportive of resilience; leadership that can a
42、dapt to changing circumstances; leadership that utilizes a diverse set of skills, knowledge and behaviour within the organization to achieve organizational objectives. The organization should prioritize and resource the following activities: a) develop trusted and respected leaders who act with inte
43、grity and are committed to a sustained focus on organizational resilience; b) assign roles and responsibilities for enhancing organizational resilience; c) encourage the creation and sharing of lessons learned about success and failure and promote the adoption of better practice; d) empower all leve
44、ls of the organization to make decisions that protect and enhance the resilience of the organization. ISO 2017 All rights reserved 3 ISO 22316:2017(E) 5.5 A culture supportive of organizational resilience A culture that is supportive of organizational resilience demonstrates a commitment to, and exi
45、stence of, shared beliefs and values, positive attitudes and behaviour. The organization should prioritize and resource the following activities: a) determine the beliefs, values and behaviour within the organization that define organizational culture; b) identify core values and behaviour that enha
46、nce organizational resilience and establish criteria that can be applied to assess individual performance; c) engage people at all levels to promote the organizations values; d) foster creativity and innovation that enhances organizational resilience; e) empower people to identify and communicate th
47、reats and opportunities and to take action that will benefit the organization; f) monitor and review organizational culture to detect any changes that may influence organizational resilience. 5.6 Shared information and knowledge Organizational resilience is enhanced when knowledge is widely shared w
48、here appropriate and applied. Learning from experience and learning from each other is encouraged. The organization should demonstrate and enhance the following: information, knowledge, and learning is valued; learning is drawn from all available sources (uses what it has and learns from others). Th
49、e organization should ensure that knowledge and information is: a) accessible, understandable and adequate to support the organizations objectives; b) effectively shared to enable decision-making; c) recognized as a critical resource of the organization; d) created, retained and applied through established systems and processes; e) shared in a timely manner with all relevant interested parties; f) applied in organizational learning. 5.7 Availability of resources The organization
