1、Auditing Management Systems: Risk, Resilience, Security, and ContinuityGuidance for ApplicationASIS INTERNATIONAL ANSI/ASIS SPC.2-2014STANDARDThe worldwide leader in security standards and guidelines developmentANSI/ASIS SPC.2-2014 an American National Standard AUDITING MANAGEMENT SYSTEMS: RISK, RES
2、ILIENCE, SECURITY, AND CONTINUITYGUIDANCE FOR APPLICATION Approved March 28, 2014 American National Standards Institute, Inc. ASIS International Abstract This Standard provides guidance for conducting resilience, security, crisis, continuity and other risk based audits within the context of manageme
3、nt systems and includes practical advice on conducting audits. It provides guidance on the management of audit programs, conduct of internal or external audits of risk and resilience based management systems such as security, crisis, continuity, and emergency management, including the competence and
4、 evaluation of auditors. ANSI/ASIS SPC.2-2014 ii NOTICE AND DISCLAIMER The information in this publication was considered technically sound by the consensus of those who engaged in the development and approval of the document at the time of its creation. Consensus does not necessarily mean that ther
5、e is unanimous agreement among the participants in the development of this document. ASIS International standards and guideline publications, of which the document contained herein is one, are developed through a voluntary consensus standards development process. This process brings together volunte
6、ers and/or seeks out the views of persons who have an interest and knowledge in the topic covered by this publication. While ASIS administers the process and establishes rules to promote fairness in the development of consensus, it does not write the document and it does not independently test, eval
7、uate, or verify the accuracy or completeness of any information or the soundness of any judgments contained in its standards and guideline publications. ASIS is a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its members or anyone else. ASIS does n
8、ot accept or undertake a duty to any third party because it does not have the authority to enforce compliance with its standards or guidelines. It assumes no duty of care to the general public, because its works are not obligatory and because it does not monitor the use of them. ASIS disclaims liabi
9、lity for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of, application, or reliance on this document. ASIS disclaims and makes no guaranty or warranty, ex
10、pressed or implied, as to the accuracy or completeness of any information published herein, and disclaims and makes no warranty that the information in this document will fulfill any persons or entitys particular purposes or needs. ASIS does not undertake to guarantee the performance of any individu
11、al manufacturer or sellers products or services by virtue of this standard or guide. In publishing and making this document available, ASIS is not undertaking to render professional or other services for or on behalf of any person or entity, nor is ASIS undertaking to perform any duty owed by any pe
12、rson or entity to someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstances. Information and other standards on the topic covere
13、d by this publication may be available from other sources, which the user may wish to consult for additional views or information not covered by this publication. ASIS has no power, nor does it undertake to police or enforce compliance with the contents of this document. ASIS has no control over whi
14、ch of its standards, if any, may be adopted by governmental regulatory agencies, or over any activity or conduct that purports to conform to its standards. ASIS does not list, certify, test, inspect, or approve any practices, products, materials, designs, or installations for compliance with its sta
15、ndards. It merely publishes standards to be used as guidelines that third parties may or may not choose to adopt, modify or reject. Any certification or other statement of compliance with any information in this document should not be attributable to ASIS and is solely the responsibility of the cert
16、ifier or maker of the statement. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written consent of the copyright owner. Cop
17、yright 2014 ASIS International ISBN: 978-1-934904-55-8 ANSI/ASIS SPC.2-2014 iii FOREWORD The information contained in this Foreword is not part of this American National Standard (ANS) and has not been processed in accordance with ANSIs requirements for an ANS. As such, this Foreword may contain mat
18、erial that has not been subjected to public review or a consensus process. In addition, it does not contain requirements necessary for conformance to the Standard. ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory requirements are designated by the w
19、ord shall and recommendations by the word should. Where both a mandatory requirement and a recommendation are specified for the same criterion, the recommendation represents a goal currently identifiable as having distinct compatibility or performance advantages. This conformity assessment standard
20、provides generic auditable criteria and informative guidance. About ASIS ASIS International (ASIS) is the leading organization for security professionals, with more than 38,000 members worldwide. ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developi
21、ng educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the media, government entities, and the public. By
22、 providing members and the security community with access to a full range of programs and services, and by publishing the industrys No. 1 magazine Security Management - ASIS leads the way for advanced and improved security performance. The work of preparing standards and guidelines is carried out th
23、rough the ASIS International Standards and Guidelines Committees, and governed by the ASIS Commission on Standards and Guidelines. An ANSI accredited Standards Development Organization (SDO), ASIS actively participates in the International Organization for Standardization. The Mission of the ASIS St
24、andards and Guidelines Commission is to advance the practice of security management through the development of standards and guidelines within a voluntary, nonproprietary, and consensus-based process, utilizing to the fullest extent possible the knowledge, experience, and expertise of ASIS membershi
25、p, security professionals, and the global security industry. Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince Street, Alexandria, VA 22314-2818, USA. Commission Members Charles A. Baley, Farmers Insurance Group, Inc. Jason L. Brown, Tha
26、les Australia Michael Bouchard, Sterling Global Operations, Inc. Cynthia P. Conlon, CPP, Conlon Consulting Corporation William J. Daly, Control Risks Security Consulting Lisa DuBrock, Radian Compliance Eugene F. Ferraro, CPP, PCI, CFE, Convercent F. Mark Geraci, CPP, Purdue Pharma L.P. Bernard D. Gr
27、eenawalt, CPP, Securitas Security Services USA, Inc. Robert W. Jones, Socrates Ltd Glen Kitteringham, CPP, Kitteringham Security Group Inc. Michael E. Knoke, CPP, Express Scripts, Inc. Bryan Leadbetter, CPP, CISSP Marc H. Siegel, Ph.D., ASIS International, European Bureau Jose Miguel Sobron, United
28、Nations Roger D. Warwick, Pyramid International ANSI/ASIS SPC.2-2014 iv Allison Wylde, Researcher and Consultant At the time it approved this document, the SPC.2 Standards Committee, which is responsible for the development of this Standard, had the following members: Committee Members Committee Cha
29、ir: Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative Commission Liaison: Lisa DuBrock, CPA, CBCP, MBCI, Radian Compliance, LLC Committee Secretariat: Susan Carioti, ASIS International Sean Ahrens, M.A., CPP, BSCP, CSC, Aon Risk Services Mitchell Albinski, Blackhall River Securit
30、y Associates Lyle Alexander, CPP, A.R.M Specialists Ltd Kourosh Aliha, CFI, Independent Frank Amoyaw, LandMark Security Limited Dennis Arter, ASQ Fellow, Certified Quality Auditor, American Society for Quality Abrar Ashraf, CPP, PSP, Secure Options Group Paul Aube, CPP, Dessau Mark Baker, CPP, MBake
31、r Security Jay Beighley, CPP, Nationwide Insurance Frank Bellomo, Business Risks International Pty. Limited Gil BevenFlorez Jr., Independent Albert Senior Security Consultant Dennis Blass, CPP, PSP, CFE, CISSP, CHSP, Childrens of Alabama Terry Blevins, Yamana Gold John Boal, CPP, PCI, CFE, Universit
32、y of Akron Kevin Brear, MBCI, MEPS, MICPEM, Independent Colin Brown, MA, PGC, De Beers Group Hart Brown, Rent-A-Center Michael Brzozowski, PSP, CPP, Symcor Dirk Buerhaus, Fachkaufmann fr Organisation, KOETTER GmbH therefore, this Standard provides competence criteria for auditors conducting conformi
33、ty assessment of a management system to a risk and resilience based management systems standard. Auditors understand much of their activities involve interactions between people, therefore there is a need to build rapport, trust, and confidence while avoiding the creation of an adversarial atmospher
34、e. An audit is a positive experience if the people being audited feel the audit adds value and may lead to opportunities for improvement. Good auditing techniques lead to a positive audit experience. This Standard provides generic concepts of auditing a risk and resilience based management system. O
35、rganizations should adapt this guidance to fit the specific needs, size, nature and level of maturity of their risk and resilience based management system. This Standard can be used by anybody involved in the conformity assessment of a risk and resilience based management system. 0.2 Risk and Resili
36、ence Based Management System Audits A management system audit determines if the organization is conforming to the relevant requirements, including standards, regulations, contracts, policies, procedures, controls, and specifications. A management system audit is a documented process to impartially c
37、ollect, examine, and evaluate pertinent evidence. The process determines if all the elements of a management system standard have been developed, documented, implemented, and tested in accordance with defined requirements and are effectively meeting their prescribed objectives. An audit should provi
38、de the management of an organization unbiased empirically-based information necessary to: a) Determine effectiveness of the management system, its elements, and how the management system supports the objectives of the organization; b) Identify inefficiencies, deficiencies, and weaknesses in the mana
39、gement system; ANSI/ASIS SPC.2-2014 xii c) Provide awareness of actual and potential risks; d) Assess training effectiveness; e) Promote risk and resilience awareness; f) Evaluate and communicate practices relative to accepted industry practices; and g) Identify opportunities for improvement. The au
40、dit should assess conformance to the management system by determining if and how it is adhering to the requirements as articulated in the organizations policies, procedures, task specifications, and/or work instructions. A management system audit is not simply a checklist of evidence of the existenc
41、e of elements of the management system. The audit confirms that the organization is indeed doing what it says by evaluating the effectiveness, efficiency, performance, and intended outcomes of its implementation of the management system. An auditor should have the necessary and relevant professional
42、 knowledge, skills, and qualifications relative to the specific standard being audited as well as types of risks and organization being audited. Therefore, to conduct an audit the auditor should understand: a) The requirements of the relevant standard(s); b) Principles of a risk and resilience based
43、 management systems approach and auditing; c) Legal and other requirements applicable to the organization and its operations; d) Risk from a business, operational, and organizational perspective; e) Industry and business specific information pertinent to the organization; and f) Concepts of risk and
44、 resilience based management. In determining the conformance to the management system standard, the auditor will verify if the requirements of the standard are being properly implemented by the management system. An effective audit is non-adversarial and conducted from the perspective of assessing w
45、hat the organization is doing effectively and identifying opportunities for improvement. The audit should add value to the organization by identifying areas where management system elements are not being effectively implemented and providing an understanding of the reasons why. The auditor collects
46、objective evidence to establish whether conformance is achieved. The audit evaluates if the process and the individual activities are effective, and provides a basis to identify opportunities to improve the effectiveness and efficiency. 0.3 Audits versus Inspections As defined in the ISO 17000:2006
47、Conformity assessment Vocabulary and general principles an audit is: A systematic, independent, documented process for obtaining records, statements of fact or other relevant information and assessing them objectively to determine the extent to which specified requirements are fulfilled. NOTE: Whils
48、t “audit” applies to management systems, “assessment” applies to conformity assessment bodies as well as more generally. ANSI/ASIS SPC.2-2014 xiii An inspection is defined as: An examination of a product design, product, process or installation and determination of its conformity with specific requi
49、rements or, on the basis of professional judgement, with general requirements. NOTE: Inspection of a process may include inspection of persons, facilities, technology and methodology. Table 1: Differences between audits and inspections. Audits Inspections x Systematic, independent, documented process for obtaining records, statements of fact or other relevant information and assessing them objectively to determine the extent to which specified requirements are fulfilled. (Source: ISO 17000:2004) x Examination of a product design, product, process or installation and det