1、Security and Resilience in Organizations and their Supply ChainsRequirements with GuidanceASIS ORM.1-2017STANDARDThe worldwide leader in security standards and guidelines developmentASIS INTERNATIONAL ANSI/ASIS ORM.1-2017 (Revision, consolidation, redesignation of ASIS SPC.1-2009 and ASIS/BSI BCM.01
2、-2010) an American National Standard SECURITY AND RESILIENCE IN ORGANIZATIONS AND THEIR SUPPLY CHAINS REQUIREMENTS WITH GUIDANCE An integrated risk-based management systems approach to manage risk and enhance resilience in organizations and their supply chains Approved March 20, 2017 American Nation
3、al Standards Institute, Inc. ASIS International Abstract This Standard recognizes the complex risk landscape facing organizations and their supply chains requires an integrated, comprehensive and systematic risk-based approach for managing risks to enhance sustainability, survivability and resilienc
4、e, as well as identify and pursue opportunities for improvements. The Standard emphasizes proactive risk and business management to support a process of prevention, protection, preparedness, readiness, mitigation, response, continuity and recovery from undesirable and disruptive events. This Standar
5、d provides a single integrated management system to eliminate “siloing” of risk, enabling an organization to more efficiently anticipate and plan for naturally, accidentally, or intentionally caused events, using a single management system standard. ANSI/ASIS ORM.1-2017 ii NOTICE AND DISCLAIMER The
6、information in this publication was considered technically sound by the consensus of those who engaged in the development and approval of the document at the time of its creation. Consensus does not necessarily mean that there is unanimous agreement among the participants in the development of this
7、document. ASIS International standards and guideline publications, of which the document contained herein is one, are developed through a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of persons who have an interest and knowledg
8、e in the topic covered by this publication. While ASIS administers the process and establishes rules to promote fairness in the development of consensus, it does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of any information or the soun
9、dness of any judgments contained in its standards and guideline publications. ASIS is a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its members or anyone else. ASIS does not accept or undertake a duty to any third party because it does not have t
10、he authority to enforce compliance with its standards or guidelines. It assumes no duty of care to the general public, because its works are not obligatory and because it does not monitor the use of them. ASIS disclaims liability for any personal injury, property, or other damages of any nature what
11、soever, whether special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of, application, or reliance on this document. ASIS disclaims and makes no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any information p
12、ublished herein, and disclaims and makes no warranty that the information in this document will fulfill any persons or entitys particular purposes or needs. ASIS does not undertake to guarantee the performance of any individual manufacturer or sellers products or services by virtue of this standard
13、or guide. In publishing and making this document available, ASIS is not undertaking to render professional or other services for or on behalf of any person or entity, nor is ASIS undertaking to perform any duty owed by any person or entity to someone else. Anyone using this document should rely on h
14、is or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstances. Information and other standards on the topic covered by this publication may be available from other sources, which the user m
15、ay wish to consult for additional views or information not covered by this publication. ASIS has no power, nor does it undertake to police or enforce compliance with the contents of this document. ASIS has no control over which of its standards, if any, may be adopted by governmental regulatory agen
16、cies, or over any activity or conduct that purports to conform to its standards. ASIS does not list, certify, test, inspect, or approve any practices, products, materials, designs, or installations for compliance with its standards. It merely publishes standards to be used as guidelines that third p
17、arties may or may not choose to adopt, modify or reject. Any certification or other statement of compliance with any information in this document shall not be attributable to ASIS and is solely the responsibility of the certifier or maker of the statement. All rights reserved. No part of this public
18、ation may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written consent of the copyright owner. Copyright 2017 ASIS International ISBN: 978-1-934904-82-4 ANSI/ASIS ORM.1-2017
19、iii FOREWORD The information contained in this Foreword is not part of this American National Standard (ANS) and has not been processed in accordance with ANSIs requirements for an ANS. As such, this Foreword may contain material that has not been subjected to public review or a consensus process. I
20、n addition, it does not contain requirements necessary for conformance to the Standard. ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory requirements are designated by the word shall and recommendations by the word should. Where both a mandatory req
21、uirement and a recommendation are specified for the same criterion, the recommendation represents a goal currently identifiable as having distinct compatibility or performance advantages. This management systems standard provides generic auditable criteria and informative guidance. About ASIS ASIS I
22、nternational (ASIS) is the largest membership organization for security management professionals that crosses industry sectors, embracing every discipline along the security spectrum from operational to cybersecurity. Founded in 1955, ASIS is dedicated to increasing the effectiveness of security pro
23、fessionals at all levels. With membership and chapters around the globe, ASIS develops and delivers board certifications and industry standards, hosts networking opportunities, publishes the award-winning Security Management magazine, and offers educational programs, including the Annual Seminar and
24、 Exhibitsthe security industrys most influential event. Whether providing thought leadership through the CSO Roundtable for the industrys most senior executives or advocating before business, government, or the media, ASIS is focused on advancing the profession, and ensuring that the security commun
25、ity has access to intelligence, resources, and technology needed within the business enterprise. www.asisonline.org The work of preparing standards and guidelines is carried out through the ASIS International Standards and Guidelines Committees, and governed by the ASIS Commission on Standards and G
26、uidelines. An ANSI accredited Standards Development Organization (SDO), ASIS actively participates in the International Organization for Standardization (ISO). The Mission of the ASIS Standards and Guidelines Commission is to advance the practice of security management through the development of sta
27、ndards and guidelines within a voluntary, nonproprietary, and consensus-based process, utilizing to the fullest extent possible the knowledge, experience, and expertise of ASIS membership, security professionals, and the global security industry. Suggestions for improvement of this document are welc
28、ome. They should be sent to ASIS International, 1625 Prince Street, Alexandria, VA 22314-2818, USA. Commission Members Charles Baley, Farmers Insurance Group, Inc. Cynthia P. Conlon, CPP, Conlon Consulting Corporation William Daly, Control Risks Security Consulting Lisa DuBrock, Radian Compliance LL
29、C Eugene Ferraro, CPP, PCI, ForensicPathways, Inc. Bernard Greenawalt, CPP, Securitas Security Services USA, Inc., Vice Chair Robert Jones, Socrates Ltd Glen Kitteringham, CPP, Kitteringham Security Group Inc. ANSI/ASIS ORM.1-2017 iv Michael Knoke, CPP, Express Scripts, Inc., Chair Bryan Leadbetter,
30、 CPP, Arconic. Jose Miguel Sobron, United Nations Roger Warwick, CPP, Pyramid International Temi Group Allison Wylde, Cardiff University At the time it approved this document, the ORM.1 Standards Committee, which is responsible for the development of this Standard, had the following members: Committ
31、ee Members Committee Chairman: Marc H. Siegel, Ph.D., M. Siegel Associates Commission Liaison: Lisa DuBrock, Radian Compliance Committee Secretariat: Aivelis Opicka, ASIS International Colin Ackroyd, Colin Ackroyd and Associates Mark Baker, CPP, Macatoma Security Inc. Mark Beaudry, CPP John Bennett,
32、 Hospital Network Ventures, LLC Dennis Blass, CPP, PSP, Childrens of Alabama Bruce Braes, CPP, CSyP, Optimal Risk Management Hart Brown, HUB International Herbert Calderon, CPP, PCI, PSP, Gloria Group Werner Cooreman, CPP, PSP, Solvay Britt Corra, Microsoft Steven Dawson, Owens Corning David Dodge,
33、CPP, PCI, Temi Group, South Africa Larry Dodson, CPP, University of Kansas Jack Dowling, CPP, PSP, J. D. Security Consultants James Drymiller, CPP Eduard Emde, CPP, ESA European Space Agency Thomas Frank, CPP, AbbVie Shaun Fynes, CPP, PCI, PSP, Government Security Office (B.C.) Francis Gallagher, PS
34、P, Good Harbor Techmark Jeffrey Gambrell, CPP, Absolute Software Tareq Ghosheh, PalSafe Robert Grieman, CPP, Securitas Security Services, USA Andrew Griffiths, PCI, CEVA Logistics Uk Limited Carlos Guzman, CPP, Security 101 Michael Heath, Diamond Security b) Building a capacity for proactive risk ma
35、nagement which identifies indicators of opportunities, change and adversity to enable an organization to take pre-emptive measures to pursue positive outcomes and minimize negative outcomes; c) An agility and flexibility capacity in risk and business management processes aligned with time dependenci
36、es and needs for change; ANSI/ASIS ORM.1-2017 xi d) An absorptive, resistive and carrying capacity to resist being affected by an event or the ability to return to an acceptable level of performance in an acceptable period of time after being affected by an event; e) The capability of a system to ma
37、intain its functions and structure in the face of internal and external change in order to pursue opportunities and/or to manage degradation of activities and functions when it must; f) Proactively planning to reduce the magnitude and/or duration of undesirable and disruptive events by enhancing its
38、 ability to anticipate, absorb, adapt to, and/or rapidly recover from events; g) Empower people to respond to change, opportunities, or adversity in an informed manner; and h) Viewing the organization from a multidimensional, multi-disciplinary systems approach to optimize its management of interact
39、ions within its risk environment. 0.2 Proactive Management of Risk to Build Resilience Resilience takes a forward-looking view of risk, fully integrating business and risk management into the organizations system of management. Risk is viewed as inevitable and having the potential for positive outco
40、mes. People in a resilient organization ask themselves: “what are the positive changes we can make to strengthen the organization?” This means better understanding where you are to assist in knowing where you are going. It also means acknowledging weaknesses and threats in order to build strengths a
41、nd opportunities. Risk is the effect of uncertainty on the achievement of strategic, operational, tactical, and reputational objectives (ANSI/ASIS/RIMS RA.1-2015). All activities involve a certain amount of uncertainty. Uncertainty is the state where outcomes are unknown, undetermined, or undefined;
42、 or where there is a lack of sufficient information. Outcomes may be positive, negative, or neutral. Individuals, organizations, and communities must decide how much risk and uncertainty they are willing to accept or take in order to achieve their objectives and desired outcomes. Objectives may incl
43、ude short and long term strategic goals related to the whole or parts of the organization and its value chain (including its supply chains), as well as operational and tactical issues at all levels of the organization. The management of risks is a function of the organizations objectives, appetite f
44、or risk, and its desire to exploit an opportunity or minimize a potential negative consequence. There is no simple formula or standardized approach to managing risk and building resilience. It must be tailored to the organization and it context. Resilience promotes a perspective of enterprise-wide a
45、gility and adaptability in a dynamic and uncertain environment. Resilient organizations fully integrate a holistic and proactive risk management perspective into good business management practice to enhance their buffering and adaptive capacity. Resilience requires both the convergence of risk disci
46、plines as well as the elimination of and/or collaboration among organizational siloes to have a coordinated plan for managing risk throughout the enterprise. Resilience is not something that is inherent to an organization but develops as organizations mature, learn from successes and mistakes, impro
47、ve their management and decision making ANSI/ASIS ORM.1-2017 xii skills, and gain better insights and more knowledge about the internal and external factors that may impact performance. Resilience also comes from supportive relationships, cultural perspectives, and individuals ability to cope with s
48、tress and adversity. Therefore, resilience is a function of a variety of behaviours, thoughts, and actions that can be learned and developed over time. Resilience in organizations is similar to resilience in people in that it is not a trait but rather a perspective of living with risk. Resilient org
49、anizations: a) Recognize that change is constant; b) Consider the organizations dependencies and interdependencies in assessing risk to the organization and its risks on others; c) Integrate proactive risk management into all their decision-making processes; d) Position the organization to identify and exploit opportunities emphasizing that adaption before a potential event provides efficiencies; e) Promote situational awareness and monitoring with an emphasis on identifying indicators of change; f) Develop a process of managing adversity to pre-emptively adapt, bette
