Skip to content
Menu
menu

Security and Resilience in Organizations and their Supply Chains

ATTENTION: This page is intended to be viewed online and may not be printed or copied.

Annex A

(informative)

A.11 Maturity Model for the Phased Implemenation

Implementation of a management system standard can be a daunting task, especially for small to medium sized enterprises. All organizations face the challenge of managing their risks within the bounds of organizational objectives and available resources. Only through the full implementation, ongoing maintenance, and continual improvement of the ORMS can an organization reach its goal of achieving its objectives. Building the ORMS in a phased approach with documented baselines and achieving benchmarks of maturity provides the organization a link between objectives and its resources.

By using a maturity model for the phased implementation of the ORMS, the organization defines a series of steps designed to help it evaluate where they currently are with regard to security and resilience, and respect for human rights, to set goals for where they want to go, to benchmark where they are relative to those goals, and to plot a business-sensible path to get to full implementation of the ORMS.

Next: Annex B

Table of Contents

ORM Standard Home

Introduction
  • Scope
  • Normative References
  • Terms and Definitions
General Principles
  • Leadership and Vision
  • Governance
  • Factual Basis for Decision Making
  • Outcomes Oriented
  • Needs Oriented Taking Human and Cultural Factors into Account
  • Overall Organizational Risk and Business Management Strategy
  • Systems Approach
  • Adaptablility and Flexibility
  • Managing Uncertainty
  • Cultual Change and Communication

Establishing the Framework

  • General
  • Context of the Organization
  • Needs and Requirements
  • Defining Risk Criteria
  • Scope of the Management System
Leadership
  • General
  • Management Commitment
  • Policy
  • Organizational Roles, Responsibilities, and Authorities for the ORMS
Planning
  • Legal and Other Requirements
  • Risk Assessment
  • Objectives and Plans to Achieve them
  • Actions to Achieve Risk and Business Management Objectives

Structural Requirements

  • General 
  • Organizational Structure
  • Financial and Administrative Procedures
  • Insurance
  • Outsourcing
  • Documented Information

Operation and Implementation

  • Operational Control
  • Resources, Roles, Responsibilities, and Authority
  • Competence, Training, and Awareness
  • Communication
  • Prevention and Management of Undesirable or Disruptive Events

Performance Evaluation

  • General
  • Monitoring and Measurement
  • Evaluation of Compliance
  • Exercises and Testing
  • Internal Audit
  • Management Review

Continual Improvement

  • General
  • Nonconformities, Corrective and Preventative Action
  • Change Management
  • Opportunities for Improvement

Annex B: Examples of Incident Prevention, Preparedness, and Response

Annex C: Examples of Risk Treatment Procedures that Enhance Resilience of the Organization 

Annex D: Business Impact Analysis

Annex E: An Integrated Management Systems Approach

Annex F: Qualifiers to Application

Annex G: Bibliography

Annex H: References

arrow_upward