1、Organizational Resilience: Security, Preparedness, and Continuity Management SystemsRequirements with Guidance for UseA S I S I N T E R N A T I O N A L STANDARDAMERICAN NATIONALASIS SPC.1-2009ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD ASIS SPC.1-2009 an American National Standard for Securi
2、ty ORGANIZATIONAL RESILIENCE: SECURITY, PREPAREDNESS, AND CONTINUITY MANAGEMENT SYSTEMS REQUIREMENTS WITH GUIDANCE FOR USE Approved March 12, 2009 American National Standards Institute, Inc. Abstract A comprehensive management systems approach for security, preparedness, response, mitigation, busine
3、ss/operational continuity, and recovery for disruptive incidents resulting in an emergency, crisis, or disaster. ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD ii NOTICE AND DISCLAIMER The information in this publication was considered technically sound by the consensus of persons engaged in th
4、e development and approval of the document at the time it was developed. Consensus does not necessarily mean that there is unanimous agreement among every person participating in the development of this document. ASIS International standards and guideline publications, of which the document containe
5、d herein is one, are developed through a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of persons who have an interest in the topic covered by this publication. While ASIS administers the process and establishes rules to promote
6、 fairness in the development of consensus, it does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments contained in its standards and guideline publications. ASIS is a voluntary, nonprofit pr
7、ofessional society with no regulatory, licensing or police power over its members. ASIS does not undertake a duty to third parties because it does not have the authority to enforce compliance with its standards. It assumes no duty of care to the general public, because its standards are not obligato
8、ry and because it does not monitor the use of those standards. ASIS disclaims liability for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of, application,
9、 or reliance on this document. ASIS disclaims and makes no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any information published herein, and disclaims and makes no warranty that the information in this document will fulfill any persons or entitys particular purp
10、oses or needs. ASIS does not undertake to guarantee the performance of any individual manufacturer or sellers products or services by virtue of this standard or guide. In publishing and making this document available, ASIS is not undertaking to render professional or other services for or on behalf
11、of any person or entity, nor is ASIS undertaking to perform any duty owed by any person or entity to someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable c
12、are in any given circumstances. Information and other standards on the topic covered by this publication may be available from other sources, which the user may wish to consult for additional views or information not covered by this publication. ASIS has no power, nor does it undertake to police or
13、enforce compliance with the contents of this document. ASIS has no control over which of its standards, if any, may be adopted by governmental regulatory agencies, or over any activity or conduct that purports to conform to its standards. ASIS does not list, certify, test, inspect, or approve any pr
14、actices, products, materials, designs, or installations for compliance with its standards. It merely publishes standards to be used as guidelines that third parties may or may not choose to adopt, modify or reject. Any certification or other statement of compliance with any information in this docum
15、ent shall not be attributable to ASIS and is solely the responsibility of the certifier or maker of the statement. All rights reserved. Permission is hereby granted to individual users to download this document for their own personal use, with acknowledgement of ASIS International as the source. How
16、ever, this document may not be downloaded for further copying or reproduction nor may it be sold, offered for sale, or otherwise used commercially. Copyright 2009 ASIS International ISBN: 978-1-887056-92-2 ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD iii FOREWORD The information contained in
17、this Foreword is not part of this American National Standard (ANS) and has not been processed in accordance with ANSIs requirements for an ANS. As such, this Foreword may contain material that has not been subjected to public review or a consensus process. In addition, it does not contain requiremen
18、ts necessary for conformance to the Standard. ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory requirements are designated by the word shall and recommendations by the word should. Where both a mandatory requirement and a recommendation are specifie
19、d for the same criterion, the recommendation represents a goal currently identifiable as having distinct compatibility or performance advantages. ASIS International (ASIS) is the preeminent organization for security professionals, with more than 37,000 members worldwide. Founded in 1955, ASIS is ded
20、icated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests. ASIS also advocates the role and value of the security management profession to business, the media, government entities, and the
21、public. By providing members and the security community with access to a full range of programs and services, ASIS leads the way for advanced and improved security performance. The work of preparing ASIS Standards is carried out through the ASIS International Standards and Guidelines Commission comm
22、ittees. Each member interested in a subject for which a technical committee has been established has the right to be represented on that committee. The Guidelines Program of ASIS International has received a Designation award under the Support Anti-terrorism by Fostering Effective Technology Act of
23、2002 (the SAFETY Act) from the U.S. Department of Homeland Security. Specifically, the SAFETY Act designation limits ASIS liability for acts arising out of the use of the guidelines in connection with an act of terrorism and precludes claims of third party damages against organizations using the gui
24、delines as a means to prevent or limit the scope of terrorist acts. The ASIS International Organizational Resilience: Security, Preparedness and Continuity Management Systems Standard incorporates the guidance provided in the ASIS International Business Continuity Guideline: A Practical Approach for
25、 Emergency Preparedness, Crisis Management, and Disaster Recovery, 2005. For additional information, the Business Continuity Guideline should be consulted. This best practices standard provides generic auditable criteria and informative guidance on prevention, preparedness (readiness), mitigation, r
26、esponse, continuity, and recovery from disruptive incidents with a potential to escalate into an emergency, crisis, or disaster. Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince Street, Alexandria, VA 22314-2818, USA. Commission Members
27、 Jason L. Brown, Thales Australia Steven K. Bucklin, Glenbrook Security Services, Inc. John C. Cholewa III, CPP, Embarq Corporation Cynthia P. Conlon, CPP, Conlon Consulting Corporation Michael A. Crane, CPP, IPC International Corporation Eugene F. Ferraro, CPP, PCI, CFE, Business Controls Inc. F. M
28、ark Geraci, CPP, Bristol-Myers Squibb Co., Chair Robert W. Jones, Kraft Foods, Inc. Michael E. Knoke, CPP, Express Scripts, Inc., Vice Chair John F. Mallon, CPP Marc H. Siegel, Ph.D, ASIS Security Management System Consultant Roger D. Warwick, CPP, Pyramid International ASIS SPC.1-2009, ORGANIZATION
29、AL RESILIENCE STANDARD iv At the time it approved this document, SPC Standards Committee, which is responsible for the development of this Standard, had the following members: Committee Members Committee Chairman: Marc H. Siegel, Ph.D., ASIS Security Management System Consultant Committee Secretaria
30、t: Sue Carioti, ASIS International Paul H. Aube, CCP, Federation C.J.A. Don Aviv, PSP, CPP, PCI, Interfor Inc. William D. Badertscher, CPP, BMP, Georgetown University Pradeep Bajaj, OSSIM Jay C. Beighley, CPP, Nationwide Insurance Dennis R. Blass, CPP, PSP, Sec Engineers University of Alabama Thomas
31、 Bozek, Bozek Consulting LLC Jerry Brashear, Ph.D., ASME Jerry J. Brennan, Security Management Resources Richard C. Bryant, CBCP, CSE, Verizon Communications Frederick A. Budde, Federal Air Marshal Service Doyle J. Burke, CPP, Delphi Corporation/Securitas Sharon Caudle, Ph.D., Texas A b) Establishin
32、g a policy and objectives to manage risks; c) Implementing and operating controls to manage an organizations risks within the context of the organizations mission; d) Monitoring and reviewing the performance and effectiveness of the OR management system; and e) Continual improvement based on objecti
33、ve measurement. This Standard adopts the “Plan-Do-Check-Act“ (PDCA) model, which is applied to structure the OR management system processes. The PDCA model is sometimes referred to as the APCI (Assess-Protect-Confirm-Improve) Model. Figure 1 illustrates how an OR management system takes as input the
34、 OR management requirements and expectations of the interested parties and through the necessary actions and processes produces risk management outcomes that meet those requirements and expectations. Figure 1 also illustrates the links in the processes presented in clause 4. DoDevise a SolutionDevel
35、op Detailed ActionPlan b) Assure itself of its conformity with its stated OR management policy; c) Demonstrate conformity with this Standard by: i. Making a self-determination and self-declaration; or ii. Seeking confirmation of its conformance by parties having an interest in the organization (such
36、 as customers); or iii. Seeking confirmation of its self-declaration by a party external to the organization; or iv. Seeking certification/registration of its OR management system by an external organization. All the requirements in this Standard are intended to be incorporated into any type of orga
37、nizations OR management system. It provides all the elements required to integrate management, technology, facilities, processes, and people into the resilience culture, risk management, and OR management system of an organization. The extent of the application will depend on factors such as the ris
38、k tolerance and policy of the organization; the nature of its activities, products, and services; and the location where, and the conditions in which, it functions. This Standard provides generic requirements as a framework, applicable to all types of organizations (or parts thereof) regardless of s
39、ize and nature of operation. It provides guidance for organizations to develop their own specific performance criteria, enabling the organization to tailor and implement an OR management system appropriate to its needs and those of its stakeholders. ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDAR
40、D 2 The Standard emphasizes resilience, the adaptive capacity of an organization in a complex and changing environment, as well as protection of critical assets. Applying this Standard positions an organization to more readily prepare for and respond to all manner of intentional, unintentional, and/
41、or naturally-caused disruptive events which, if unmanaged, could escalate into an emergency, crisis, or disaster. It covers all phases of incident management before, during, and after a disruptive event. This Standard enables an organization to: a) Develop a prevention, preparedness, and response/co
42、ntinuity/recovery policy; b) Establish objectives, procedures, and processes to achieve the policy commitments; c) Assure competency, awareness, and training; d) Set metrics to measure performance and demonstrate success; e) Take action as needed to improve performance; f) Demonstrate conformity of
43、the system to the requirements of this Standard; and g) Establish and apply a process for continual improvement. Annex A provides informative guidance on system planning, implementation, testing, maintenance, and improvement. 2. NORMATIVE REFERENCES The following standards contain provisions which,
44、through reference in this text, constitute provisions of this American National Standard. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on this American National Standard are encouraged to investigate the possibi
45、lity of applying the most recent editions of the standards indicated below. The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (includin
46、g any amendments) applies. NOTE: All documents below are available from the International Organization for Standardization. 2.1 General Reference ISO Guide 73:2002, Risk management Vocabulary Guidelines for use in standards. 2.2 Parallel or Integrated Application of a Number of Systems ISO 9001:2000
47、, Quality management systems Requirements. ISO 14001:2004, Environmental management systems Requirements with guidance for use. ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD 3 ISO/IEC 27001:2005, Information technology Security techniques Information security management systems Requirements. I
48、SO 28000:2007, Specification for security management systems for the supply chain. 3. TERMS AND DEFINITIONS An extensive Glossary of terms appears in Annex D. ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD 4 4. ORGANIZATIONAL RESILIENCE (OR) MANAGEMENT SYSTEM REQUIREMENTS Figure 2: Organization
49、al Resilience (OR) Management System Flow Diagram 4.1 General Requirements The organization shall establish, document, implement, maintain, and continually improve an organization resilience (security, preparedness, and continuity) management system in accordance with the requirements of this Standard, and determine how it will fulfill these requirements. ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD 5 4.1.1 Scope of OR Management System The organization shall define and document the scope of its OR management system. In defining the scope, the organizat
